Forum: NGINX How to redirect only if/after a FAILED basic authentication?

unknown (Guest)
on 2013-09-22 23:15
(Received via mailing list)
I'm setting up an auth-before-proxy_pass config.

The following works now:

  location / {
    root /dev/null;
    auth_basic "Restricted Remote";
    auth_basic_user_file /data/etc/security/auth/passwd.basic;
    proxy_pass        https://mail-secure;
    proxy_set_header  Host $host:12345;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  }

Now, if a visitor:

  (1) enters bad (or no) credentials
  (2) clicks "Cancel" on the BASIC auth dialog box

the site displays a

  "401 Authorization Required"

page.

Instead, I want to add a rewrite on failed authorization.

If I try:

  location / {
    root /dev/null;
    auth_basic "Restricted Remote";
    auth_basic_user_file /data/etc/security/auth/passwd.basic;
+   error_page 401 = @redirect;
    proxy_pass        https://mail-secure;
    proxy_set_header  Host $host:12345;
    proxy_set_header  X-Real-IP $remote_addr;
    proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
  }

+ location @redirect {
+   rewrite ^(.*)$ http://someothersite.com permanent;
+ }

I get the redirect on EVERY visit -- never even getting the chance to
enter credentials; i.e., the rewrite happens apparently BEFORE the auth
step.

I think this may be because:

  @ http://en.wikipedia.org/wiki/List_of_HTTP_status_c...

    401 Unauthorized: Similar to 403 Forbidden, but specifically for use
    when authentication is required and has failed or **HAS NOT YET BEEN
    PROVIDED**. The response must include a WWW-Authenticate header field
    containing a challenge applicable to the requested resource. See
    Basic access authentication and Digest access authentication.

and that I may have to do the @redirect only if some header says "failed".

How do I redirect ONLY if there's been a failed AUTH?

Francis Daly (Guest)
on 2013-09-23 00:05
(Received via mailing list)
On Sun, Sep 22, 2013 at 02:14:55PM -0700, jen142@promessage.com wrote:

Hi there,

> Now, if a visitor:
>
>   (1) enters bad (or no) credentials
>   (2) clicks "Cancel" on the BASIC auth dialog box
>
> the site displays a
>
>   "401 Authorization Required"
>
> page.

For accuracy: at point (1), the server sends the 401 response. At point
(2), the browser chooses to display the 401 response that the server had
previously sent.

> Instead, I want to add a rewrite on failed authorization.

Doing that will break http on your server.

Probably not a good idea.

But if you really want to, you can probably configure nginx to do it
for you.

> +               error_page 401 = @redirect;

> I get the redirect on EVERY visit -- never even getting the chance to
> enter credentials; i.e., the rewrite happens apparently BEFORE the auth
> step.

Not quite. Think about the different outputs from

  curl -v http://your-site/

and

  curl -v -u user:pass http://your-site/

and why they happen.

> and that I may have do the @redirect only if some header says "failed".
>
> How do I redirect ONLY if there's been a failed AUTH?

You get to define what you mean by "failed AUTH", since you don't want
the "no valid credentials were provided" that nginx (and http) uses.

Experiment with something like:

===
  location @needauth {
    auth_basic "Restricted Remote";
    auth_basic_user_file htpasswd;
  }
  location / {
    if ($http_authorization = "") {
      error_page 490 = @needauth;
      return 490;
    }
    auth_basic "Restricted Remote";
    auth_basic_user_file htpasswd;
    error_page 401 = @redirect;
    # and the rest here
  }
===

to see if it is close to what you want.

But be aware that when you choose to break http on your server, you get
to deal with any complaints from clients.

Good luck with it,

  f
--
Francis Daly        francis@daoine.org
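Francis's two-location split merged with the proxy_pass block from the original question, as an added example that is code from neither poster. It assumes the upstream mail-secure is defined elsewhere (as in the thread), a placeholder listener, and uses "return 302" in @redirect rather than "rewrite ... permanent" so that browsers do not cache the redirect for the site.

```nginx
# Added example, not from the thread. Upstream "mail-secure", the htpasswd
# path and the redirect target are the thread's own; listener is a placeholder.
server {
    listen 80;                      # placeholder; TLS settings omitted

    # Case A: request carries no Authorization header at all.
    # Nothing in this location overrides the default 401 handling, so the
    # client receives 401 plus "WWW-Authenticate: Basic realm=..." and the
    # browser shows its login dialog as usual.
    location @needauth {
        auth_basic "Restricted Remote";
        auth_basic_user_file /data/etc/security/auth/passwd.basic;
    }

    # Case B: credentials were sent and rejected -> send the client away.
    # 302 rather than "permanent" (301): a cached 301 would stop the browser
    # from ever retrying this URL with corrected credentials.
    location @redirect {
        return 302 http://someothersite.com;
    }

    location / {
        # Requests without credentials never reach auth_basic below; they are
        # routed to the plain challenge via a private status code.
        if ($http_authorization = "") {
            error_page 490 = @needauth;
            return 490;
        }

        # Only requests that carry an Authorization header get here, so a
        # 401 raised at this point means credentials were checked and failed.
        auth_basic "Restricted Remote";
        auth_basic_user_file /data/etc/security/auth/passwd.basic;
        error_page 401 = @redirect;

        # Case C: credentials accepted -> proxied exactly as in the question.
        proxy_pass        https://mail-secure;
        proxy_set_header  Host $host:12345;
        proxy_set_header  X-Real-IP $remote_addr;
        proxy_set_header  X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

To check the three paths, "curl -v http://your-site/" should return 401 with a WWW-Authenticate header, "curl -v -u wrong:creds http://your-site/" should return 302 with a Location header, and a correct user:pass should be proxied. Note that a client that sends any Authorization header (including a stale or malformed one) is treated as "failed" and redirected, which is the break with normal HTTP behaviour Francis warns about.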