Hello!

On Fri, Jan 01, 2021 at 08:39:01PM +0100, A. Schulze wrote:

> Hello & happy new year!
>
> my goal is to configure nginx to deny access from most client IPs but allow
> access from special IPs for authenticated users. This works for
> basic_authentication as expected but behaves differently with auth_ldap.
> I use https://github.com/kvspb/nginx-auth-ldap.
>
> simplified configuration with no allowed IPs at all:
>
> server {
>     listen *:80;
>     deny all;
>     location /auth_basic {
>         auth_basic "auth_basic";
>         auth_basic_user_file /path/to/auth_basic_user_file;
>     }
> }
>
> $ curl -v http://nginx/auth_basic
> $ curl -v -u user:pass http://nginx/auth_basic
> $ curl -v -u user:wrong http://nginx/auth_basic
>
> all three calls return "403 Forbidden", which is ok and acceptable to me.
>
> switching to auth_ldap the results are different:
>
> ldap_server ldap-server {
>     url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
>     require valid_user;
> }
> server {
>     listen *:80;
>     deny all;
>     location /auth_ldap {
>         auth_ldap "auth_ldap";
>         auth_ldap_servers "ldap-server";
>     }
> }
>
> $ curl -v http://nginx/auth_ldap
> $ curl -v -u user:wrong http://nginx/auth_ldap
> return "401 Unauthorized", expected: "403 Forbidden"
>
> $ curl -v -u user:pass http://nginx/auth_ldap
> return "403 Forbidden"
>
> Is there anything wrong with my configuration or is the unexpected request
> for authentication a result of how https://github.com/kvspb/nginx-auth-ldap
> is written?

This is a result of how nginx-auth-ldap is written. Or, more strictly, how
it adds itself into the nginx request processing pipeline: it simply adds
itself as an HTTP module, and ends up called before the access module.

It is relatively easy to fix assuming dynamic module linking (that is, if
you are using the "load_module" directive to load the module); just using
ngx_module_order="ngx_http_auth_ldap_module ngx_http_access_module" should
do the trick.
For static linking it wouldn't be that easy though, as static linking does
not support module order selection via ngx_module_order, and the appropriate
configure variables with lists of modules need to be adjusted directly
instead.

A quick-and-dirty workaround would be to use auth_request as a "proxy" for
auth_ldap.

-- 
Maxim Dounin
http://mdounin.ru/

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx
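The auth_request "proxy" workaround from the reply, written out as an added example; this is not a configuration posted in the thread and not part of nginx-auth-ldap. Two details matter for it to give the 403-before-401 behaviour the original poster wants. First, nginx skips the access phase for subrequests, and nginx-auth-ldap hooks into exactly that phase, so the auth_ldap check cannot live in an internal location on the same server; the auth_request subrequest is proxied to a second server block listening on loopback, where it arrives as a main request. Second, `return` runs in the rewrite phase, before the access phase, so the loopback location must not use `return 204` or the LDAP check is bypassed; a content-phase handler such as `empty_gif` is used instead. The listener 127.0.0.1:8081, the path /ldap-check and the allow range 192.0.2.0/24 are placeholders chosen for this example.

```nginx
# Added example (not from the thread): deny/allow is evaluated on the
# front-end server by the built-in access module, which runs before
# auth_request in the access phase, so a client outside the allow list
# gets 403 and is never challenged for credentials.

ldap_server ldap-server {
    # URL and require clause as in the original post
    url ldap://ldap-server/dc=example?cn?sub?(objectclass=top);
    require valid_user;
}

server {
    listen *:80;

    # "special IPs" that may authenticate; 192.0.2.0/24 is a placeholder
    allow 192.0.2.0/24;
    deny all;

    location /auth_ldap {
        # auth_request is reached only after allow/deny has passed;
        # a 401 from the subrequest (including WWW-Authenticate) is
        # relayed to the client, 2xx lets the request proceed
        auth_request /ldap-check;
        # ... normal content configuration for /auth_ldap goes here
    }

    location = /ldap-check {
        internal;
        # Subrequests skip the access phase, where nginx-auth-ldap runs,
        # so the check is proxied to a loopback server instead of being
        # done here. The client's Authorization header is forwarded by
        # proxy_pass as a normal request header.
        proxy_pass http://127.0.0.1:8081/ldap-check;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}

server {
    # loopback-only listener; placeholder port
    listen 127.0.0.1:8081;

    location = /ldap-check {
        auth_ldap "auth_ldap";
        auth_ldap_servers ldap-server;
        # Do NOT use "return 204;" here: return is handled in the rewrite
        # phase and would short-circuit the access-phase auth_ldap check.
        # empty_gif is a content-phase handler, so it only answers after
        # auth_ldap has accepted the credentials.
        empty_gif;
    }
}
```

With this layout the three curl calls from the original post behave like the auth_basic case for a client outside 192.0.2.0/24 (403 for all of them), while a client inside the range gets 401 with a WWW-Authenticate header until it presents credentials the LDAP server accepts. The loopback server has no allow/deny of its own because its listener is the only access control it needs; if it were ever exposed on another address, the LDAP check alone would not restrict by source IP.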