Forum: NGINX nginx auth_basic with proxy pass to tomcat

Posted by Tharanga Abeyseela (Guest)
on 2012-11-07 02:44
(Received via mailing list)
Hi Guys,

I need to add basic auth to my home page (index.html) (served by
nginx), and the other directories reside on tomcat7. Is there any way I
can add authentication only to index.html? I was using the following
nginx configuration.

server {
      access_log  /var/log/nginx/access.log;
      error_log   /var/log/nginx/error.log;
      index       index.html;
      root        /var/www/;
      server_name xxxxxxxx;
}

      location / {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/.htpass;
      }



 location /next {
        proxy_pass             http://localhost:8080/next;
        proxy_redirect         off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
}

When I try to add the above config, it asks for the user/pass, but it
asks for the user/pass when I try to access /next. But I need to add
authentication only to index.html. The problem is using the root
directory, so all requests will be tunneled through root and prompted
for a password. But is there any way I can restrict access only to
index.html, so that once it is authenticated, users will be able to
access tomcat paths?

Thanks in advance,
Tharanga
Posted by David J (Guest)
on 2012-11-07 02:48
(Received via mailing list)
Yeah use /index.HTML for the location block
On Nov 6, 2012 8:43 PM, "Tharanga Abeyseela" <tharanga.abeyseela@gmail.com>
Posted by Tharanga Abeyseela (Guest)
on 2012-11-07 02:53
(Received via mailing list)
Thanks David, I tried it, but it still asks for the user/pass when I hit
the /next inside index.html.
Any idea why?

thanks,
tharanga
Posted by Francis Daly (Guest)
on 2012-11-07 10:01
(Received via mailing list)
On Wed, Nov 07, 2012 at 12:43:40PM +1100, Tharanga Abeyseela wrote:

Hi there,

> I need to add basic auth to my home page (index.html)  (Served by
> nginx)  and other directories resides on tomcat7. is there anyway i
> can add only authentication to index.html .

"location = /index.html" will only apply to /index.html. Put your
configuration in there.

> i was using the following
> nginx configuration.
>
> server {
>       access_log  /var/log/nginx/access.log;
>       error_log   /var/log/nginx/error.log;
>       index       index.html;
>       root        /var/www/;
>       server_name xxxxxxxx;
> }

Are you sure?

server{}, and then location{} outside it?

>         proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
>         proxy_max_temp_file_size 0;
> }
>
> when i try to add the above config, it asks for the user/pass, but it
> asks for the user/pass when i try to access /next.

When I try the above config, it does what you say you want.

(It should challenge for authentication only for any request that does
not begin "/next".)

What is the output you get for

  curl -i http://xxxxxxxx/

and

  curl -i http://xxxxxxxx/next

? Are you sure that you are using this server{} block in nginx? Are you
sure that the server on localhost:8080 is not redirecting you to /?

> but i need to add
> authentication only to index.html. problem is  using the root
> directory, so all requests will be tunneled through root and prompted
> for a password. but is there any way i can restrict access only to
> index.html, once it authenticated, users will be able to access tomcat
> paths .

I'm not quite sure what you mean by that last bit. If you require
authentication for /index.html, then you can't expect authentication
credentials to be sent for the tomcat paths. So the user will get to
the tomcat paths whether or not they first authenticated, at least as
far as nginx is concerned.

  f
--
Francis Daly        francis@daoine.org
Posted by Tharanga Abeyseela (Guest)
on 2012-11-08 01:05
(Received via mailing list)
Hi Francis,

Thanks for the reply. Actually it is inside the server block :-) ,

I managed to resolve the issue using a rewrite rule as follows

   location /demo/ {
        auth_basic "Restricted";
        auth_basic_user_file /var/www/demo/.htpass;
        error_page 404 = @redirect;
#       rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
      }

      location @redirect {
        rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
      }

is it possible to enable nginx authentication before proxy_pass to tomcat ?

cheers,
Tharanga
Posted by Francis Daly (Guest)
on 2012-11-08 14:40
(Received via mailing list)
On Thu, Nov 08, 2012 at 11:04:39AM +1100, Tharanga Abeyseela wrote:

Hi there,

> thanks for the reply. actually it inside the server block :-) ,

Good to hear.

>         rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
>       }

That seems very complicated.

I'm a bit unclear on what issue this configuration resolves. It looks
to me like it will (a) insist that anyone accessing things below /demo/
are challenged for credentials; and (b) allow anyone access to anything
other than /demo/ without providing credentials.

Can you describe what it is that you want, and what it is that you do
not want? I'm not sure whether the x.x.x.x above is "this server" or
"some other server"; and I'm not sure what happened to "/next" from the
original configuration.

> is it possible to enable nginx authentication before proxy_pass to tomcat ?

Yes. Put the "auth_basic" in the same location as the "proxy_pass".

If that doesn't do what you want, then I'm afraid that I don't
understand what it is that you want.

  f
--
Francis Daly        francis@daoine.org
Posted by Tharanga Abeyseela (Guest)
on 2012-11-09 00:07
(Received via mailing list)
Hi,

when the user enters http://x.x.x.x/ - it will give a forbidden message.
(i removed index.html to demo directory)

im giving the url to users as follows

http://x.x.x.x/demo/   - so this will ask for user/pass -   thats what
i wanted to do
after entering to above url - user will be landed to my index.html  -
it has all tomcat paths to connect (just hyper links)

x.x.x.x is the same  server - not a different server

i'm not redirecting to a different server. everything is done on the
same server.

i agree. the rewrite is complicated for a small authentication
handling. but other methods didn't work for me :)

thanks for your help and suggestions :)

cheers,
Tharanga


now the issue is when the user enters http://x.x.x.x/next it bypasses the
nginx auth and goes to the tomcat path without any authentication. maybe
i need to configure that on web.xml. i prefer to configure nginx
auth for all tomcat and nginx paths. actually tomcat is the front-end
server that handles/redirects client requests to the appropriate server.
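
Francis Daly's suggestion (auth_basic in the same scope as proxy_pass) applied to the configuration from the first post, as an added example that is not part of the thread. The server_name, the password-file path and the choice to clear the Authorization header are assumptions; the location, upstream and proxy headers are copied from the original post.

```nginx
# Added example, not from the thread.
server {
    listen      80;
    server_name example.invalid;       # placeholder for the elided host name
    access_log  /var/log/nginx/access.log;
    error_log   /var/log/nginx/error.log;
    root        /var/www/;
    index       index.html;

    # Before (the state described in the last post): only the static landing
    # page is protected, so /next is proxied to Tomcat with no challenge.
    #
    #   location /demo/ { auth_basic "Restricted"; auth_basic_user_file ...; }
    #   location /next  { proxy_pass http://localhost:8080/next; }

    # After: declare the challenge once at server level. auth_basic is
    # inherited by every location that does not set auth_basic itself, so
    # static files and proxied Tomcat paths are both covered.
    auth_basic           "Restricted";
    # Assumed path. The thread keeps .htpass under root (/var/www/), where it
    # could be requested over HTTP; keep it outside the document root.
    auth_basic_user_file /etc/nginx/.htpass;

    location / {
        try_files $uri $uri/ =404;
    }

    location /next {
        proxy_pass         http://localhost:8080/next;
        proxy_redirect     off;
        proxy_set_header   Host             $host;
        proxy_set_header   X-Real-IP        $remote_addr;
        proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
        # nginx forwards the client's Authorization header upstream by
        # default. Clearing it keeps the Basic credentials away from the
        # backend; drop this line if Tomcat does its own Basic auth.
        proxy_set_header   Authorization    "";
        proxy_max_temp_file_size 0;
    }

    # Refuse requests for .ht* files in case one is left under the root.
    location ~ /\.ht {
        deny all;
    }
}
```

With this in place, the `curl -i http://xxxxxxxx/next` check from earlier in the thread should return 401 with a WWW-Authenticate header when no credentials are sent. The protection only holds if port 8080 is reachable through nginx alone, for example with Tomcat's connector bound to the loopback address.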