Re: NGINX multiple authentication methods (one or the other) AND an IP check seems impossible

2024-05-27 Thread Gergő Vári
That works wonderfully, thank you!

On May 27, 2024 6:48:40 AM UTC, J Carter wrote:
>Hello,
>
>[...]
>
>> ```
>> The goal is to bypass SSO if a correct HTTP Basic Auth header is present 
>> while making sure connections are only from said IPs.
>> 
>> When I disable the IP check it works flawlessly. How could I separate these 
>> requirements?
>> 
>> So (SSO or Basic Auth) and Correct IP
>
>Just use the geo module and "if" to reject unwanted IPs.
>
>"If" is evaluated prior to access & post_access phases, where auth_basic
>and co are evaluated.
>
>geo $allowed_ip {
>    xxx.xxx.xxx.xxx/24 1;
>    default 0;
>}
>
>...
>
>location / {
>    if ($allowed_ip = 0) {
>        return 403;
>    }
>
>    # rest of config without allow/deny.
>}
>___
>nginx mailing list
>nginx@nginx.org
>https://mailman.nginx.org/mailman/listinfo/nginx
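The arrangement J Carter describes, applied to the `location /` block from the original post, as an added example that is not part of the thread. `192.0.2.0/24` is a placeholder network; the `auth_request_set`/`proxy_set_header` lines and the other two locations are assumed to stay as posted.

```nginx
# http context: derive a flag from the client address.
# geo keys on $remote_addr by default, so behind another proxy or load
# balancer this is that proxy's address, not the end client's.
geo $allowed_ip {
    default      0;
    192.0.2.0/24 1;   # placeholder for the permitted network
}

# server context
location / {
    # Rewrite phase: evaluated before the access phase, so a client
    # outside the permitted network gets 403 before any auth module runs.
    if ($allowed_ip = 0) {
        return 403;
    }

    # Access phase: with allow/deny removed, "satisfy any" only chooses
    # between Basic Auth and the auth_request subrequest. The result is
    # (SSO or Basic Auth) and permitted IP.
    satisfy any;

    auth_basic           "";
    auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page   401 = @goauthentik_proxy_signin;

    # auth_request_set / proxy_set_header lines as in the original post

    proxy_pass $forward_auth_target;
}
```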


NGINX multiple authentication methods (one or the other) AND an IP check seems impossible

2024-05-26 Thread Gergő Vári
```
location / {
    proxy_pass $forward_auth_target;

    allow x/24;
    deny all;

    satisfy any; # This gets satisfied by the IP check, and auth is completely bypassed

    auth_basic "";
    auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page   401 = @goauthentik_proxy_signin;

    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header   Set-Cookie $auth_cookie;
    proxy_set_header X-authentik-username $authentik_username;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    proxy_set_header X-authentik-groups $authentik_groups;

    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-email $authentik_email;

    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    proxy_set_header X-authentik-name $authentik_name;

    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-uid $authentik_uid;

    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-uid $authentik_uid;

    auth_request_set $authentik_auth $upstream_http_authorization;
    proxy_set_header Authorization $authentik_auth;
}

location /outpost.goauthentik.io {
    proxy_pass http:///outpost.goauthentik.io;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_ssl_verify off;
}

location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
The goal is to bypass SSO if a correct HTTP Basic Auth header is present while 
making sure connections are only from said IPs.

When I disable the IP check it works flawlessly. How could I separate these 
requirements?

So (SSO or Basic Auth) and Correct IP