Nginx auth_basic with proxy pass to tomcat

Hi Guys,

I need to add basic auth to my home page (index.html) (served by
nginx); the other directories reside on tomcat7. Is there any way I
can add authentication only to index.html? I was using the following
nginx configuration.

server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html;
root /var/www/;
server_name xxxxxxxx;
}

  location / {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/.htpass;
  }

location /next {
proxy_pass http://localhost:8080/next;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
}

When I try to add the above config, it asks for the user/pass, but it
asks for the user/pass when I try to access /next. But I need to add
authentication only to index.html. The problem is using the root
directory, so all requests will be tunneled through root and prompted
for a password. But is there any way I can restrict access only to
index.html, so that once it is authenticated, users will be able to
access tomcat paths?

Thanks in advance,
Tharanga

Yeah use /index.HTML for the location block
On Nov 6, 2012 8:43 PM, "Tharanga Abeyseela" wrote:

Thanks David, I tried it, but it still asks for the user/pass when I hit
the /next inside index.html.
Any idea why?

thanks,
tharanga

On Wed, Nov 07, 2012 at 12:43:40PM +1100, Tharanga Abeyseela wrote:

Hi there,

I need to add basic auth to my home page (index.html) (served by
nginx); the other directories reside on tomcat7. Is there any way I
can add authentication only to index.html?

“location = /index.html” will only apply to /index.html. Put your
configuration in there.

I was using the following
nginx configuration.

server {
access_log /var/log/nginx/access.log;
error_log /var/log/nginx/error.log;
index index.html;
root /var/www/;
server_name xxxxxxxx;
}

Are you sure?

server{}, and then location{} outside it?

    proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
    proxy_max_temp_file_size 0;

}

When I try to add the above config, it asks for the user/pass, but it
asks for the user/pass when I try to access /next.

When I try the above config, it does what you say you want.

(It should challenge for authentication only for any request that does
not begin “/next”.)

What is the output you get for

curl -i http://xxxxxxxx/

and

curl -i http://xxxxxxxx/next

? Are you sure that you are using this server{} block in nginx? Are you
sure that the server on localhost:8080 is not redirecting you to /?

But I need to add
authentication only to index.html. The problem is using the root
directory, so all requests will be tunneled through root and prompted
for a password. But is there any way I can restrict access only to
index.html, so that once it is authenticated, users will be able to
access tomcat paths?

I’m not quite sure what you mean by that last bit. If you require
authentication for /index.html, then you can’t expect authentication
credentials to be sent for the tomcat paths. So the user will get to
the tomcat paths whether or not they first authenticated, at least as
far as nginx is concerned.

f

Francis D.

On Thu, Nov 08, 2012 at 11:04:39AM +1100, Tharanga Abeyseela wrote:

Hi there,

Thanks for the reply. Actually it is inside the server block :),

Good to hear.

    rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
  }

That seems very complicated.

I’m a bit unclear on what issue this configuration resolves. It looks
to me like it will (a) insist that anyone accessing things below /demo/
are challenged for credentials; and (b) allow anyone access to anything
other than /demo/ without providing credentials.

Can you describe what it is that you want, and what it is that you do
not want? I’m not sure whether the x.x.x.x above is “this server” or
“some other server”; and I’m not sure what happened to “/next” from the
original configuration.

Is it possible to enable nginx authentication before proxy_pass to tomcat?

Yes. Put the “auth_basic” in the same location as the “proxy_pass”.

If that doesn’t do what you want, then I’m afraid that I don’t
understand what it is that you want.

f

Francis D.

Hi Francis,

Thanks for the reply. Actually it is inside the server block :),

I managed to resolve the issue using a rewrite rule as follows:

location /demo/ {
    auth_basic "Restricted";
    auth_basic_user_file /var/www/demo/.htpass;
    error_page 404 = @redirect;

    rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
}

location @redirect {
    rewrite ^/demo/(.*)$ http://x.x.x.x/$1 permanent;
}

Is it possible to enable nginx authentication before proxy_pass to
tomcat?

cheers,
Tharanga

Hi,

When the user enters http://x.x.x.x/ - it will give a forbidden message.
(I removed index.html to the demo directory.)

I'm giving the URL to users as follows:

http://x.x.x.x/demo/ - so this will ask for user/pass - that's what
I wanted to do.
After entering the above URL, the user will land on my index.html -
it has all the tomcat paths to connect to (just hyperlinks).

x.x.x.x is the same server - not a different server.

I’m not redirecting to a different server. Everything is done on the same
server.

I agree. The rewrite is complicated for a small authentication
handling, but other methods didn’t work for me :)

Thanks for your help and suggestions :)

cheers,
Tharanga

Now the issue is when the user enters http://x.x.x.x/next it bypasses the
nginx auth and goes to the tomcat path without any authentication. Maybe
I need to configure that in web.xml. I prefer to configure nginx
auth for all tomcat and nginx paths. Actually tomcat is the front-end
server that handles/redirects client requests to the appropriate server.
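
The gap described in the last message (a direct request for /next reaches Tomcat without a challenge) closes when auth_basic is declared once at server level, because every location inherits it. The configuration below is an added example, not one posted by anyone in the thread; it reuses the paths and upstream from the first message, and the /etc/nginx/.htpass location is an assumption.

```nginx
# Added example. Weak form, as discussed in the thread: only the static
# page is challenged, so /next is proxied to Tomcat for anyone.
#
#   location = /index.html {
#       auth_basic "Restricted";
#       auth_basic_user_file /var/www/.htpass;
#   }
#   location /next { proxy_pass http://localhost:8080/next; }

# Corrected form: auth_basic at server level is inherited by every
# location that does not set auth_basic itself, proxied ones included.
server {
    server_name xxxxxxxx;
    root /var/www/;
    index index.html;

    access_log /var/log/nginx/access.log;
    error_log  /var/log/nginx/error.log;

    auth_basic "Restricted";
    # Assumption: the password file is kept outside the document root
    # (/var/www/), so nginx can never serve it as a static file.
    auth_basic_user_file /etc/nginx/.htpass;

    # Static files, index.html included, are served from root and are
    # covered by the server-level challenge without a location block.

    location /next {
        proxy_pass http://localhost:8080/next;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_max_temp_file_size 0;
        # Optional: an empty value stops nginx from forwarding the
        # Basic credentials to Tomcat. Remove this line if the Tomcat
        # application performs its own check on the Authorization header.
        proxy_set_header Authorization "";
    }
}
```

With this in place, the two `curl -i` requests Francis asks for, sent without credentials, should both come back as 401.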