Nginx config: multiple locations, authentication in one, triggered for both?

I originally posted this question on SO, but it might of course be more
logical to ask here;

I’m flummoxed.

I have a server that is primarily running couchdb over ssl (using nginx
to proxy the ssl connection) but also has to serve some apache stuff.

Basically I want everything that DOESN’T start /www to be sent to the
couchdb backend. If a url DOES start /www then it should be mapped to
the local apache server on port 8080.

My config below works with the exception that I’m getting prompted for
authentication on the /www paths as well. I’m a bit more used to
configuring Apache than nginx, so I suspect I’m mis-understanding
something, but if anyone can see what is wrong from my configuration
(below) I’d be most grateful.

To clarify my use scenario;

https://my-domain.com/www/script.cgi should be proxied to
http://localhost:8080/script.cgi
https://my-domain.com/anythingelse should be proxied to
http://localhost:5984/anythingelse

ONLY the second should require authentication. It is the authentication
issue that is causing problems - as I mentioned, I am being challenged
on https://my-domain.com/www/anything as well :(

Here’s the config, thanks for any insight.

server {
    listen 443;
    ssl on;

    # Any url starting /www needs to be mapped to the root
    # of the back end application server on 8080

    location ^~ /www/ {
        proxy_pass http://localhost:8080/;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }

    # Everything else has to be sent to the couchdb server running on
    # port 5984 and for security, this is protected with auth_basic
    # authentication.

    location / {
        auth_basic "Restricted";
        auth_basic_user_file /path-to-passwords;

        proxy_pass http://localhost:5984;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Ssl on;
    }
}

Thanks for some pointers - I’m not sure how I can resolve this
correctly.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,217906,217906#msg-217906

Hello!

On Mon, Nov 07, 2011 at 03:48:53AM -0500, roger.moffatt wrote:

> Basically I want everything that DOESN’T start /www to be sent to the
>
> https://my-domain.com/www/script.cgi should be proxied to
> http://localhost:8080/script.cgi
> https://my-domain.com/anythingelse should be proxied to
> http://localhost:5984/anythingelse
>
> ONLY the second should require authentication. It is the authentication
> issue that is causing problems - as I mentioned, I am being challenged
> on https://my-domain.com/www/anything as well :(

Most likely, the authentication request appears due to your
browser doing automatic requests to /favicon.ico or something
like. Try adding

location = /favicon.ico {
    return 404;
}

to see if it helps.

>     location ^~ /www/ {
>     # port 5984 and for security, this is protected with auth_basic
>     proxy_set_header X-Real-IP $remote_addr;
>     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
>     proxy_set_header X-Forwarded-Ssl on;
>
>     }
> }
>
> Thanks for some pointers - I’m not sure how I can resolve this
> correctly.

Config looks correct and should work. Try testing it by hand
(e.g. nc/telnet/fetch/wget/curl) to see if it actually works. See
above for a possible cause of the authentication request.

Maxim D.

Doh! Of course … I had a note on my list about favicon showing the
wrong thing, and of course it was showing the wrong thing on my logged
in system precisely because of this!

> Most likely, the authentication request appears due to your
> browser doing automatic requests to /favicon.ico or something
> like.

I can’t test it at present but I’m certain this will be the problem. It
makes me think that perhaps my config is a little dangerous so now I
know the approach is correct, I’ll perhaps swap things around so that I
can keep / unprotected completely just in case and add the auth for
known paths to the couch back end. That should work fine in my case as I
only have a couple of databases to secure.

Many thanks Maxim!

Roger

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,217906,217918#msg-217918
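
The location selection discussed in this thread, as an added example that is not part of the original posts and is not nginx code: a simplified Python model of how nginx picks a location, run against the posted config to show which request from a browser session draws the auth challenge. The function names, the dictionaries and the sample request list are assumptions made for illustration.

```python
# Simplified model of nginx location selection (illustrative, not nginx source).
# Handles only what this thread's config uses: "=" (exact), "^~" and plain
# prefixes. Regex locations are omitted, so "^~" behaves like a plain prefix.

def parse(spec):
    """Split location arguments such as '^~ /www/' into (modifier, path)."""
    parts = spec.split()
    return (parts[0], parts[1]) if len(parts) == 2 else ("", parts[0])

def select_location(uri, locations):
    """Return the spec of the location that would handle this URI."""
    path = uri.split("?", 1)[0]
    best = None
    for spec in locations:
        mod, prefix = parse(spec)
        if mod == "=":
            if path == prefix:
                return spec          # exact match wins immediately
        elif path.startswith(prefix):
            if best is None or len(prefix) > len(parse(best)[1]):
                best = spec          # remember the longest matching prefix
    return best

def needs_auth(uri, config):
    """True if the selected location carries auth_basic."""
    chosen = select_location(uri, list(config))
    return chosen is not None and config[chosen]["auth_basic"]

# Constructed from the config in the original post.
POSTED = {
    "^~ /www/": {"auth_basic": False, "upstream": "http://localhost:8080/"},
    "/":        {"auth_basic": True,  "upstream": "http://localhost:5984"},
}
# Same config plus the exact-match location suggested in the reply.
WITH_FAVICON = {**POSTED, "= /favicon.ico": {"auth_basic": False, "upstream": None}}

# Constructed sample: what a browser fetches when the user opens a /www/ page.
BROWSER_REQUESTS = ["/www/script.cgi", "/favicon.ico"]

def challenged(config):
    """URIs from the sample session that would receive a 401 challenge."""
    return [u for u in BROWSER_REQUESTS if needs_auth(u, config)]

if __name__ == "__main__":
    print("posted config:      ", challenged(POSTED))
    print("with = /favicon.ico:", challenged(WITH_FAVICON))
```
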