Location regex + if + basic auth to restrict directory access

Hello,

I am using basic auth + $remote_user variable sent to the back-end
application to change context depending on the logged-in user.

The thing is, even if the page rendered by the back-end uses nginx user
authentication, resources from a directory are still allowed for
everyone.

My ‘documents’ directory is sorted as follows:
    documents/
        abc/ --> stores content for user ‘abc’
        def/ --> stores content for user ‘def’

I tried the following:
    location ^~ /documents/(\w+) {
        if ($1 != $remote_user) {
            return 503;
        }
    }

But Nginx refuses to validate configuration:
nginx: [emerg] unknown “1” variable
nginx: configuration file /etc/nginx/nginx.conf test failed

Does the ‘if’ directive have an environment isolated from the one of the
‘location’ directive?
Am I using wrong syntax?
Is there a ‘IfIsEvil’ case corresponding to my needs to avoid the use of
the ‘if’ directive?

Thanks,

B. R.

I’ll answer my own question there:

Apparently, yes, evaluating something with the ‘if’ directive doesn’t
propagate the environment containing the variables from the ‘location’
directive.
All explained on StackOverflow:
http://stackoverflow.com/questions/10876252/nginx-given-custom-subdomain-location-regex-matching-with-http-user-agent-con

The incorrect way:

    location ^~ /documents/(\w+) {
        if ($1 != $remote_user) {
            return 503;
        }
    }
    → $1 variable is unknown

The correct way:

    location ^~ /documents/(\w+) {
        set $user $1;
        if ($user != $remote_user) {
            return 503;
        }
    }

Although the syntax is now OK and the configuration is able to be
reloaded,
it doesn’t seem to work at all…

When connecting with the user ‘abc’, I am still able to access
/documents/def/mydoc.txt.
What’s wrong with my way of restricting access?

Thanks for any help,

B. R.

On Sun, Mar 10, 2013 at 05:29:18AM -0400, B.R. wrote:

Hi there,

> The correct way:
> location ^~ /documents/(\w+) {
>     set $user $1;
>     if ($user != $remote_user) {
>         return 503;
>     }
> }
>
> Although the syntax is now OK and the configuration is able to be reloaded,
> it doesn’t seem to work at all…

I haven’t tested the “if” part; but in this case it’s most likely that
this location{} block is not being used at all.

Your configuration is syntactically correct, so nginx can load it.

But it is not semantically correct, as in “it does not mean what you want
it to mean”.

http://nginx.org/r/location

“^~” does not mean “this is a regex location”

f

Francis D.

Hello,

Thanks for that… I thought the ^~ was meaning ‘starting with regex’…
My bad!

I changed the symbol for some of the ones really meaning ‘regex’ (~*)
and it works! :o)

If there is no better way than sticking with
‘if’, then it’s all good.

Thanks again, problem solved,

B. R.
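
The configuration this thread converges on, written out as an added example (not posted by anyone in the thread). It uses a named capture in place of "set $user $1", and adds a deny-by-default prefix location for paths the regex does not match. The server name, file paths, realm, the capture name "doc_owner", the X-Remote-User header and the back-end address are all assumptions.

```nginx
# Added example, not from the thread. Names and paths are assumptions.
server {
    listen      80;
    server_name example.test;                     # placeholder

    auth_basic           "Restricted";            # assumed realm
    auth_basic_user_file /etc/nginx/htpasswd;     # assumed path
    root                 /srv/www;                # assumed; holds documents/<user>/

    # "~" makes this a regex location. "^~" is a prefix modifier: it treats
    # "/documents/(\w+)" as literal text, so it never matches a real URI.
    location ~ ^/documents/(?<doc_owner>\w+)/ {
        # "if" runs in the rewrite phase, before auth_basic verifies the
        # password. $remote_user is then only the name the client sent, so a
        # mismatch (or missing credentials) is refused here, and a matching
        # name still has to pass auth_basic afterwards.
        if ($doc_owner != $remote_user) {
            return 403;                           # the thread used 503
        }
    }

    # Paths under /documents/ that the regex does not match (the bare
    # directory, names with characters outside \w) are refused here rather
    # than falling through to "location /".
    location /documents/ {
        return 403;
    }

    location / {
        proxy_set_header X-Remote-User $remote_user;  # hypothetical header name
        proxy_pass       http://127.0.0.1:8080;       # assumed back-end
    }
}
```

Because the comparison happens before authentication, a request to /documents/abc/ without credentials gets 403 rather than a 401 challenge; the user has to authenticate on another URL first.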