Satistfy any not working as expected

Hi,

I’m facing an issue using the “satisfy any” directive. What I’m trying
to
achieve is quite simple:

  • have an auth_request directive protecting the entire website (hence
    set at
    the server level in the config file)
  • have no such authentication for the local network

I’ve put the following lines in my nginx config file, under the ‘server’
directive:


server {

satisfy any;
allow 192.168.0.0/24;
deny all;

auth_request /path/to/authRequestScript.php;
[…]
}

Although that works well for the local network (ie: no authentication
required anymore), I get a “403 Forbidden” message when I’m connecting
from
the outside network where I would expect the usual authentication
mecanism
to be triggered.

All the exemples I found rely on the “location /” directive, but I’d
like it
to be at the server level.

What am I doing wrong ?

Thanks for any help,
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,258955,258955#msg-258955

Hi Maxim,

Thanks for your answer. I’m actually using a proper URI in the
auth_request
parameter and the PHP script works fine
(https://github.com/Arno0x/TwoFactorAuth), my example was dumb.

For the records, here’s what I did to make it work exactly as I expect:
simply remove the “deny all;” statement.

As a result :

  • Any local network IP gets a straight access
  • Any other IP has to go through the auth_request

This makes sense to me as a “satisfy any” coupled with a “deny all;”
would
always match “all” and refuse access.

Not sure why all configuration examples we can find on the web mention
the
“deny all;” statement, but this fails for me.

By the way, many thanks for all the work done on Nginx !

Cheers,
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,258955,258993#msg-258993

Hello!

On Mon, May 18, 2015 at 04:48:40AM -0400, Arno0x0x wrote:


Although that works well for the local network (ie: no authentication
required anymore), I get a “403 Forbidden” message when I’m connecting from
the outside network where I would expect the usual authentication mecanism
to be triggered.

All the exemples I found rely on the “location /” directive, but I’d like it
to be at the server level.

What am I doing wrong ?

There is no real difference between configuring this at location
or at server level - as long as requests to
“/path/to/authRequestScript.php” are properly handled. In your
case, “403 Forbidden” suggests they aren’t handled properly - this
may happen, e.g., because you incorrecly specified URI (note that
the parameter of auth_request is URI, not file path), or because
the php script isn’t properly run, or because the script itself
does a wrong thing. The error log may have some details for you,
try looking into it.

Note well that if you want “the usual authentication mecanism”,
then auth_request is probably not for you, and you should use
auth_basic instead, see here:

http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html

The auth request module is only needed when you want to code some
custom authentication yourself.


Maxim D.
http://nginx.org/

Hello!

On Tue, May 19, 2015 at 02:20:39PM -0400, Arno0x0x wrote:

  • Any local network IP gets a straight access
  • Any other IP has to go through the auth_request

This makes sense to me as a “satisfy any” coupled with a “deny all;” would
always match “all” and refuse access.

Not sure why all configuration examples we can find on the web mention the
“deny all;” statement, but this fails for me.

The “deny all;” statement shouldn’t change anything. With “satisfy
any;” access is allowed as long as one of the modules allows
access, and restrictions imposed by other modules are ignored.

The idea is that you configure several independent access checks
and then combine them: either with AND (“satisfy all”, all checks
have to succeed) or with OR (“satisfy any”, any successful check
is sufficient).

Simple config for testing:

server {
    listen 8080;

    satisfy any;
    deny all;
    auth_request /auth;

    location / {
        # index.html expected under root
    }

    location = /auth {
        return 204;
    }
}

If removing “deny all;” works for you, it means that you are
testing something wrong. In particular, make sure that the config
you are testing is actually loaded, it does contain “satisfy
any”, and it’s not overwritten somewhere in locations.


Maxim D.
http://nginx.org/

Hi Maxim,

Thanks again for your explanations, they make sense. So I’ve put back
the
“deny all;” statement. I get the 403 unauthorized message back. And
there’s
indeed some good indication in the error log, showing that my
auth_request
script does the job, and then the login page returns the 403 status
code.

So I added an “allow all;” statement just on the login page which is the
only one that needs to be reachable in any case.

Let me paste a more real and complete example of my config (I hid some
personal stuff), I hope this one makes sense:

server {
listen 443;
server_name hidden;

ssl on;
ssl_certificate /hidden;
ssl_certificate_key /hidden;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ‘AES256+EECDH:AES256+EDH’;
ssl_prefer_server_ciphers on;
ssl_session_cache shared:SSL:10m;

root /var/www/hidden;
index index.php index.html index.htm;

satisfy any;
allow 192.168.0.0/24;
deny all;

auth_request /twofactorauth/nginx/auth.php;

error_page 401 = @error401;

location @error401 {
return 302
$scheme://$host/twofactorauth/login/login.php?from=$uri;
}

location / {
try_files $uri $uri/ /index.html;
}

location = /twofactorauth/nginx/auth.php {
fastcgi_pass unix:/var/run/php5-fpm.sock;
include fastcgi.conf;
fastcgi_param CONTENT_LENGTH “”;
}

location = /twofactorauth/login/login.php {
allow all;
auth_request off;

            fastcgi_pass unix:/var/run/php5-fpm.sock;
            include fastcgi.conf;

}
[…]
}

See the “allow all;” statement under the login.php location ? This make
everyhting work as I expect, but I hope i makes sense.

Thanks and kind regards,
Arno

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,258955,259020#msg-259020

Thank you !

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,258955,259026#msg-259026

Hello!

On Wed, May 20, 2015 at 01:12:26PM -0400, Arno0x0x wrote:

Thanks again for your explanations, they make sense. So I’ve put back the
“deny all;” statement. I get the 403 unauthorized message back. And there’s
indeed some good indication in the error log, showing that my auth_request
script does the job, and then the login page returns the 403 status code.

So I added an “allow all;” statement just on the login page which is the
only one that needs to be reachable in any case.

Let me paste a more real and complete example of my config (I hid some
personal stuff), I hope this one makes sense:

[…]

location = /twofactorauth/login/login.php {
allow all;
auth_request off;

[…]

See the “allow all;” statement under the login.php location ? This make
everyhting work as I expect, but I hope i makes sense.

Yes, this looks correct. Obviously enough you shouldn’t restrict
access to the login page, and 403 is perfectly explained by the
fact that previously it was restricted due to “deny all;” at
server{} level.


Maxim D.
http://nginx.org/

This forum is not affiliated to the Ruby language, Ruby on Rails framework, nor any Ruby applications discussed here.

| Privacy Policy | Terms of Service | Remote Ruby Jobs