Enforcing authentication requests for all resources under specific path

Hi,

I’m working on an application independent authentication and
authorization layer that utilizes nginx with auth request module. The
two are working great for me, but I run into an issue that I don’t
know how to solve, maybe you can help?

Is there a way to enforce auth requests for all resources under a
specific path? Say I want to protect all resources in /protected:

location /protected/ {
auth_request /auth/is_authenticated/;
error_page 403 /auth/login/;
error_page 401 /auth/noauthorized/;
}

This works but only until more specific location is added:

location /protected/blog {
#…
}

Which, due to location matching rules, takes precedence over the
‘/protected’ location, and auth requests for blog are not issued.

Is there any way around it other than repeating auth_request
configuration for each location?

I can think of two solutions, but each has quite substantial
limitations:

  1. configure auth_request in server {} section, but this authorizes
    all requests, not only ones in ‘/protected’
  2. Run separate nginx instance configured to do authorization only and
    passing all allowed requests downstream. This would introduce
    additional performance and maintenance overhead.

Is there any better way?

thanks,
Jan

On Thu, Mar 29, 2012 at 04:32:32PM +0200, Jan Wrobel wrote:

location /protected/ {

passing all allowed requests downstream. This would introduce
additional performance and maintenance overhead.

Is there any better way?

I believe the best way to configure is to set explicitly necessery
directives in all locations where they are required. This leads to
maintainable configuration.


Igor S.

On Thu, Mar 29, 2012 at 4:44 PM, Igor S. [email protected] wrote:

On Thu, Mar 29, 2012 at 04:32:32PM +0200, Jan Wrobel wrote:

Is there any better way?

I believe the best way to configure is to set explicitly necessery
directives in all locations where they are required. This leads to
maintainable configuration.

In my case this is not too good option. I need authentication layer
configuration to be independent from applications configuration. In
case of authentication (not only auth request but also auth basic)
repeating configuration for each location, without ‘catch them all’
rule could lead to holes that are hard to notice. For example if I
configure authentication correctly for blog/html but forget to do it
for blog/
.png the mistake will likely be unnoticed :confused:

Anyway, if there are no other options, I’ll try using auth_request in
server{} section.

Thanks,
Jan

On Thu, Mar 29, 2012 at 07:21:05PM +0200, Jan Wrobel wrote:

Hi there,

In my case this is not too good option. I need authentication layer
configuration to be independent from applications configuration. In

Because of the way nginx configuration works, they can’t be completely
independent.

But you could try nesting locations:

location /protected/ {
auth_request etc…

location /protected/blog {
blog config…
}

location ~ png {
png config…
}

}

(And of course you’ll want no top-level regex locations; but that’s good
practice anyway.)

Quick testing suggests that the auth request module does inherit these
configurations.

f

Francis D. [email protected]

On Thu, Mar 29, 2012 at 10:29 PM, Francis D. [email protected]
wrote:

But you could try nesting locations:
}

}

(And of course you’ll want no top-level regex locations; but that’s good
practice anyway.)

Quick testing suggests that the auth request module does inherit these
configurations.

Thanks, this works!

Jan

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs