Basic Auth only for external IPs and not localhost or LAN networks

Hi all,

I have a location directive with basic auth in it.

    location / {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

How do I specify a rule such that the basic auth is applied only to
external IPs and not to 127.0.0.x, 192.0.x & 10.0.x?

I run Jenkins from a sub-domain and my git post-commit-hook needs to hit
a URL under this location directive to trigger continuous integration. But
this Jenkins cannot handle basic auth that blocks the URL submit.

-Quintin

On 15 Fev 2012 04h33 WET, [email protected] wrote:

Hi all,

I have a location directive with basic auth in it.

    location / {
        auth_basic "Admin Login";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

How do I specify a rule such that the basic auth is applied only to
external IPs and not to 127.0.0.x, 192.0.x & 10.0.x?

I run Jenkins from a sub-domain and my git post-commit-hook needs to
hit a URL under this location directive to trigger continuous
integration. But this Jenkins cannot handle basic auth that blocks
the URL submit.

At the http level:

    geo $is_authorized {
        default 0;
        127.0.0.1 1;
        192.0.0.0/16 1;
        10.0.0.0/16 1;
    }

On the vhost:

    location / {
        error_page 418 @no-auth;

        if ($is_authorized) {
            return 418;
        }

        auth_basic "Admin Login";
        auth_basic_user_file .htpasswd;

        # ... content handler directives here or default (static)
    }

    location @no-auth {
        # ... content handler directives here or default (static)
    }

— appa

Hello!

On Wed, Feb 15, 2012 at 10:03:13AM +0530, Quintin P. wrote:

How do I specify a rule such that the basic auth is applied only to
external IPs and not to 127.0.0.x, 192.0.x & 10.0.x?

Use “satisfy any”, see
http://www.nginx.org/en/docs/http/ngx_http_core_module.html#satisfy

location / {
    satisfy any;

    auth_basic "Admin Login";
    auth_basic_user_file /etc/nginx/.htpasswd;

    allow 127.0.0.0/24;
    allow 192.0.0.0/16;
    allow 10.0.0.0/16;
    deny all;
}

Just a side note: the “192.0.x” should probably be “192.168.x”
instead, but you should get the idea anyway.

Maxim D.
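
An added example, not part of the original thread: a short Python check that replays the allow/deny list from the reply above against a few constructed client addresses and reports allow rules that reach beyond loopback and RFC 1918 space, which is what the side note about "192.0.x" is getting at. It assumes IPv4 only and first-match-wins rule evaluation; the function names are made up for this illustration.

```python
import ipaddress
import re

# Loopback (RFC 1122) and RFC 1918 private blocks: never routed publicly.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

# The location block from the reply above, copied as posted.
CONFIG = """
location / {
    satisfy any;
    auth_basic "Admin Login";
    auth_basic_user_file /etc/nginx/.htpasswd;
    allow 127.0.0.0/24;
    allow 192.0.0.0/16;
    allow 10.0.0.0/16;
    deny all;
}
"""

RULE = re.compile(r"^\s*(allow|deny)\s+([^;\s]+)\s*;", re.MULTILINE)


def parse_rules(conf):
    """Return [(action, IPv4 network)] in file order; 'all' is 0.0.0.0/0."""
    return [(action, ipaddress.ip_network("0.0.0.0/0" if target == "all" else target))
            for action, target in RULE.findall(conf)]


def skips_password(rules, client):
    """True if the client is let in by address alone (first match wins)."""
    addr = ipaddress.ip_address(client)
    for action, net in rules:
        if addr in net:
            return action == "allow"
    return False  # no rule matched: basic auth still has to succeed


def exposed_allows(rules):
    """Allow rules that reach beyond loopback and RFC 1918 space."""
    return [str(net) for action, net in rules
            if action == "allow" and not any(net.subnet_of(i) for i in INTERNAL)]


if __name__ == "__main__":
    rules = parse_rules(CONFIG)
    print("allow rules outside internal space:", exposed_allows(rules))
    # Constructed sample clients; 192.0.2.10 and 203.0.113.7 are documentation addresses.
    for ip in ("127.0.0.1", "10.0.5.9", "10.1.2.3", "192.168.1.20", "192.0.2.10", "203.0.113.7"):
        print(f"{ip:15} ->", "no password" if skips_password(rules, ip) else "basic auth")
```

allow, deny and geo test the address of the TCP peer that nginx sees, so when nginx itself sits behind another proxy or load balancer every request carries that proxy's address unless the realip module is configured.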

On 15 Fev 2012 05h01 WET, [email protected] wrote:

auth_basic_user_file /etc/nginx/.htpasswd;

At the http level:

    geo $is_authorized {
        default 0;
        127.0.0.1 1;
        192.0.0.0/16 1;
        10.0.0.0/16 1;
    }

Also using auth_request (avoids duplicating the location):

    location / {
        auth_basic "Admin Login";
        auth_basic_user_file .htpasswd;
        satisfy any;
        auth_request /auth;

        # ... content handler directives here or default (static)
    }

    location /auth {
        if ($is_authorized) {
            return 200;
        }
        return 403;
    }

— appa

Ha!

What a simple solution.

Thanks a lot!

-Quintin