Trying to show http password for only certain IP blocks

Below is our (scrubbed) configuration…

What we are trying to do is show an HTTP password prompt for people
from IPs that are not “whitelisted”

We had found a blog post that had said this was possible using
allow/deny/satisfy but it’s not working.

Basically, can we get it so that it will show an HTTP auth prompt for
all IPs other than:

10.10.10.0/24
10.10.11.0/24

?

Thanks!

server {
listen 80;
server_name mysweetsite.com;
root /home/agate/web/mysweetsite;
index index.php index.html;

access_log /home/awesome/log/access.log;
error_log /home/awesome/log/error.log debug;

# set error_pages

error_page 500 /500.html;
error_page 501 /501.html;
error_page 502 /502.html;
error_page 503 /503.html;
error_page 504 /504.html;
error_page 550 /550.html;

set $translated_error_page en-us;

if ($request_uri ~ ^/fr-fr) { set $translated_error_page fr-fr; }
if ($request_uri ~ ^/ru-ru) { set $translated_error_page ru-ru; }

location = /500.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }
location = /501.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }
location = /502.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }
location = /503.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }
location = /504.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }
location = /550.html { try_files
/error_page/$translated_error_page$uri /error_page/en-us$uri; }

#set_real_ip_from 0.0.0.0/0;
real_ip_header X-Real-IP;

location / {
log_not_found off;
server_name_in_redirect off;

# try_files doesn't work properly with drupal 6, so for now we use this
if (!-e $request_filename) {
rewrite ^/(.*)$ /index.php?q=$1 last;
}

location ~ /\.ht { deny all; }
location ~* .(engine|inc|info|install|module|profile|po|sh|.sql|theme|tpl(.php)?|xtmpl)$|^(code-style.pl|Entries.|Repository|Root|Tag|Template)$ {
internal;
}

location ~ /blocked3/.* { internal; }
location ~ /blocked2/.* { internal; }
location ~ /blocked1/.* { internal; }

# expires
location ~* \.(jpg|jpeg|gif|css|png|js|ico|html)$ {
  expires max;
  access_log off;
}

location /.hidden {
  auth_basic "hidden";
  auth_basic_user_file /etc/nginx/confs/htpasswd.hidden;
  expires epoch;
  add_header Cache-Control private;
}

satisfy any;
deny all;
allow 10.10.10.0/24;
allow 10.10.11.0/24;
auth_basic "test";
auth_basic_user_file /etc/nginx/confs/htpasswd.test;

}

location ~ .php$ {
include /etc/nginx/confs/fastcgi.conf;
fastcgi_pass 127.0.0.1:11039;
}

rewrite ^/awesome$ /awesome/ permanent;
rewrite ^/$ /en-us/ permanent;
}

Hello!

On Thu, Nov 11, 2010 at 03:30:19PM -0800, Michael S. wrote:

10.10.10.0/24
10.10.11.0/24

?

[…]

satisfy any;
deny all;
  • deny all;
    allow 10.10.10.0/24;
    allow 10.10.11.0/24;
    
  • deny all;
    

Access module instructions are executed in order, so “deny all”
specified first will just deny all. If you want to allow some
addresses - you have to do “allow” before “deny all”.

allow 10.10.10.0/24;
allow 10.10.11.0/24;
auth_basic "test";
auth_basic_user_file /etc/nginx/confs/htpasswd.test;

}

Maxim D.
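
The ordering rule from the reply above, modelled in Python as an added example (it is not part of the original thread and is not nginx code). The function names and the three sample client addresses are constructed for illustration; the rule lists mirror the allow/deny lines in the posted configuration.

```python
# Simplified model of nginx "satisfy any" with allow/deny plus auth_basic.
from ipaddress import ip_address, ip_network

def access_check(rules, client_ip):
    """Rules are (action, network) pairs checked top to bottom; the first
    rule that matches the client address decides the outcome."""
    addr = ip_address(client_ip)
    for action, network in rules:
        if network == "all" or addr in ip_network(network):
            return action == "allow"
    return None  # no rule matched: the address check grants nothing

def satisfy_any(rules, client_ip, valid_credentials=False):
    """Under 'satisfy any' a request passes if EITHER the address check or
    basic auth succeeds; otherwise the client gets a 401 password prompt."""
    if access_check(rules, client_ip) is True:
        return "200 (no prompt)"
    if valid_credentials:
        return "200 (after login)"
    return "401 (password prompt)"

# Order from the question: "deny all" comes first and matches every address,
# so the allow lines below it are never reached.
AS_POSTED = [("deny", "all"),
             ("allow", "10.10.10.0/24"),
             ("allow", "10.10.11.0/24")]

# Order from the reply: allow the trusted blocks first, then deny the rest.
CORRECTED = [("allow", "10.10.10.0/24"),
             ("allow", "10.10.11.0/24"),
             ("deny", "all")]

if __name__ == "__main__":
    # Constructed sample clients: two inside the listed blocks, one outside.
    for ip in ("10.10.10.7", "10.10.11.200", "203.0.113.9"):
        print(f"{ip:14} posted: {satisfy_any(AS_POSTED, ip):22} "
              f"corrected: {satisfy_any(CORRECTED, ip)}")
```

With the posted order every client is prompted, including the two listed blocks; with the corrected order only addresses outside them see the prompt.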