Re: NGINX multiple authentication methods (one or the other) AND an IP check seems impossible
That works wonderfully, thank you!

On May 27, 2024 6:48:40 AM UTC, J Carter wrote:
>Hello,
>
>[...]
>
>> ```
>> The goal is to bypass SSO if a correct HTTP Basic Auth header is present
>> while making sure connections are only from said IPs.
>>
>> When I disable the IP check it works flawlessly. How could I separate these
>> requirements?
>>
>> So (SSO or Basic Auth) and Correct IP
>
>Just use the geo module and "if" to reject unwanted IPs.
>
>"If" is evaluated prior to access & post_access phases, where auth_basic
>and co are evaluated.
>
>geo $allowed_ip {
>    xxx.xxx.xxx.xxx/24 1;
>    default 0;
>}
>
>...
>
>location / {
>    if ($allowed_ip = 0) {
>        return 403;
>    }
>
>    rest of config without allow/deny.
>}
>___
>nginx mailing list
>nginx@nginx.org
>https://mailman.nginx.org/mailman/listinfo/nginx
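The approach from J Carter's reply, written out as a complete server block. This is an added example, not the poster's or the nginx project's configuration; the 192.0.2.0/24 range, listen port, backend and outpost addresses, realm and htpasswd path are constructed placeholders.

```nginx
# Added example. Constructed placeholders: 192.0.2.0/24, port 8080,
# 127.0.0.1:9000/9001, the realm and the htpasswd path.

# http{} context: map the client address to a flag.
# geo matches against $remote_addr by default.
geo $allowed_ip {
    default       0;
    192.0.2.0/24  1;
}

server {
    listen 8080;

    location / {
        # Rewrite phase: evaluated before the access phase, so this check
        # is not one of the alternatives that `satisfy any` chooses between.
        if ($allowed_ip = 0) {
            return 403;
        }

        # Access phase: no allow/deny here. With allow/deny present,
        # `satisfy any` treats a matching address as sufficient on its own
        # and neither auth method is consulted.
        satisfy any;

        auth_basic           "restricted";
        auth_basic_user_file /etc/nginx/basic_auth/htpasswd;

        auth_request /outpost.goauthentik.io/auth/nginx;
        error_page 401 = @goauthentik_proxy_signin;

        proxy_pass http://127.0.0.1:9000;
    }

    location /outpost.goauthentik.io {
        # Forward-auth endpoint, following the original post.
        proxy_pass http://127.0.0.1:9001/outpost.goauthentik.io;
        proxy_set_header Host $host;
        proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location @goauthentik_proxy_signin {
        internal;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
    }
}
```

The `if` sits in `location /` only, so requests made directly to `/outpost.goauthentik.io` are not covered by the address check unless the same test is repeated there.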
NGINX multiple authentication methods (one or the other) AND an IP check seems impossible
```
location / {
    proxy_pass $forward_auth_target;

    allow x/24;
    deny all;

    satisfy any; # This gets satisfied by the IP check, and auth is completely bypassed

    auth_basic "";
    auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

    auth_request /outpost.goauthentik.io/auth/nginx;
    error_page 401 = @goauthentik_proxy_signin;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header Set-Cookie $auth_cookie;

    proxy_set_header X-authentik-username $authentik_username;
    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    proxy_set_header X-authentik-groups $authentik_groups;
    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-email $authentik_email;
    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    proxy_set_header X-authentik-name $authentik_name;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-uid $authentik_uid;
    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-uid $authentik_uid;
    auth_request_set $authentik_auth $upstream_http_authorization;
    proxy_set_header Authorization $authentik_auth;
}

location /outpost.goauthentik.io {
    proxy_pass http:///outpost.goauthentik.io;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_ssl_verify off;
}

location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```

The goal is to bypass SSO if a correct HTTP Basic Auth header is present while making sure connections are only from said IPs.

When I disable the IP check it works flawlessly. How could I separate these requirements?

So (SSO or Basic Auth) and Correct IP