No basic auth from outside network

Hi - first post here… I’ve built an nginx server with SSL and basic
auth. Basic auth works great from within my network but when I try to
come in from outside (via port forwarding on my router) my http pages
work fine, but the protected pages with SSL just hang.

I’m thinking of 2 possibilities:

  1. I’ve messed up something in my nginx.conf, or
  2. I’m blocking a port that’s needed other than 80 or 443.

Any ideas?

Thanks,

Mike

Posted at Nginx Forum:

After further testing, it’s not the basic auth that’s causing the
problem… it’s simply trying to access subdirectories from outside.
Makes me think I’ve messed something up in my nginx.conf:

worker_processes 1;
events {
    worker_connections 64;
}
http {
    ssl_ciphers ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:AES256-GCM-SHA384:AES256-SHA256:AES256-SHA:AES128-SHA;
    ssl_prefer_server_ciphers on;
    ssl_protocols SSLv3 TLSv1 TLSv1.1 TLSv1.2;
    ssl_session_timeout 5m;

    ## Timeouts
    keepalive_timeout 300 300;

    ## General Options
    charset utf-8;
    default_type application/octet-stream;
    ignore_invalid_headers on;
    types {
        text/html html;
        image/gif gif;
        image/jpeg jpg;
    }
    keepalive_requests 20;
    max_ranges 0;
    recursive_error_pages on;
    sendfile on;
    server_tokens off;
    source_charset utf-8;

    ## Request limits
    limit_req_zone $binary_remote_addr zone=fred:1m rate=60r/m;

    ## Compression
    gzip on;
    gzip_static on;
    gzip_vary on;

    ## Log Format
    log_format main '$remote_addr $host $remote_user [$time_local] '
                    '"$request" $status $body_bytes_sent "$http_referer" "$http_user_agent" '
                    '$ssl_cipher $request_time';

    ## http .:. redirect to https
    server {
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires 0;
        limit_req zone=fred burst=200 nodelay;
        listen 80;
        root /var/empty;
        rewrite ^ https://192.168.1.100$request_uri permanent;
    }

    ## https .:. (www.)example.com
    server {
        add_header Cache-Control "public";
        add_header Strict-Transport-Security "max-age=315360000; includeSubdomains";
        access_log /var/log/nginx/access.log main buffer=32k;
        error_log /var/log/nginx/error.log error;
        expires max;
        index index.html;
        limit_req zone=fred burst=200 nodelay;
        listen 443;
        root /var/www/htdocs;
        server_name 192.168.1.100;

        ## Basic auth on test
        location / {
        }

        location ^~ /test/ {
            index  index.html;
            auth_basic "Admin Login";
            auth_basic_user_file .htpasswd;
        }

        #!!! IMPORTANT !!! We need to hide the password file from prying eyes
        # This will deny access to any hidden file (beginning with a .period)
        location ~ /\. { deny all; }

        ## SSL Certs
        ssl on;
        ssl_session_cache shared:SSL:10m;
        ssl_certificate /home/root/ssl/test.crt;
        ssl_certificate_key /home/root/ssl/test.key;
        ssl_ecdh_curve secp521r1;

        ## Stop Image and Document Hijacking
        location ~* (\.jpg|\.gif|\.png|example\.css)$ {
            if ($http_referer !~ ^(https://192.168.1.100) ) {
                return 404;
            }
        }

        ## All other errors get the generic error page
        error_page 400 401 402 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 495 496 497 500 501 502 503 504 505 506 507 /error_page.html;
        location /example_error_page.html {
            internal;
        }
    }
}

…again, it just hangs accessing subdirectories like “test”, while
everything works well from within the local network. The www root
directory index.html serves up fine, even redirected to 443.

TIA,

Mike

Posted at Nginx Forum:

-------- Original Message --------

Date: Sun, 20 May 2012 18:58:53 -0400 (EDT)
From: “rattus” [email protected]
To: [email protected]
Subject: Re: no basic auth from outside network

>   listen      80;
>   root        /var/empty;
>   rewrite ^ https://192.168.1.100$request_uri permanent;

Are you sure you want this rewrite to go from outside (aka: Internet) to
an internal (aka: private network) address?

> …again, it just hangs accessing subdirectories like “test”, while
> everything works well from within the local network. The www root
> directory index.html serves up fine, even redirected to 443.

What? Are you telling that using your external IP (let's say it is
1.2.3.4) is working properly?

This here works from external? Really?

http://1.2.3.4/ will get redirected to https://192.168.1.100/
http://1.2.3.4/index.html will get redirected to
https://192.168.1.100/index.html

You know that 192.168.0.0/16 is a class c private address range that is
not routed on the Internet?

IMHO you should rewrite your http config to:

server {
    rewrite ^ https://$host$request_uri permanent;
}

And IMHO you should change the server_name in the https part to be:

server_name 192.168.1.100 "";

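The redirect problem raised in the reply above, as an added example that is not part of the original thread: a small Python check that finds `rewrite`/`return` redirects in an nginx config and reports the `Location` a client would be sent, flagging targets that are non-global IP literals. The sample config is constructed from the two `rewrite` lines in the thread, and the function name `audit_redirects` is hypothetical.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample: the redirect from the thread, then the suggested $host form.
SAMPLE_CONF = """\
server {
    listen 80;
    rewrite ^ https://192.168.1.100$request_uri permanent;
}
server {
    listen 80;
    rewrite ^ https://$host$request_uri permanent;
}
"""

# URL argument of "rewrite <regex> <url> ..." or "return 30x <url>".
REDIRECT_RE = re.compile(
    r"^[ \t]*(?:rewrite[ \t]+\S+|return[ \t]+30[1278])[ \t]+(https?://[^\s;]+)", re.M)


def audit_redirects(conf_text, host_header, request_uri):
    """Return (line_no, location, private) for every redirect in conf_text.

    location is what a client sending host_header and request_uri is told to
    follow; private is True when that target is a non-global IP literal.
    """
    results = []
    for m in REDIRECT_RE.finditer(conf_text):
        # Expand only the two variables used on this page; others stay literal.
        location = (m.group(1).replace("$request_uri", request_uri)
                              .replace("$host", host_header))
        try:
            host = urlsplit(location).hostname or ""
            private = not ipaddress.ip_address(host).is_global
        except ValueError:
            private = False  # DNS name or unexpanded variable: not judged here
        line_no = conf_text.count("\n", 0, m.start()) + 1
        results.append((line_no, location, private))
    return results


if __name__ == "__main__":
    # 1.2.3.4 is the stand-in external address used in the reply above.
    for line_no, location, private in audit_redirects(SAMPLE_CONF, "1.2.3.4", "/test/"):
        verdict = "not routable from the Internet" if private else "ok"
        print(f"line {line_no}: Location: {location} -> {verdict}")
```

Run against a real config, any line reported as private for an external `Host` value is a redirect that only clients on the local network can follow.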