
I'm implementing authentication for the sites hosted inside the office. I have a PAM auth module that authenticates the users, and that's working well so far.

The problem is that I need to authenticate ONLY the users that come from the Internet (external), in this case the IP 192.168.12.1, which is the gateway device that routes all external traffic to the internal web server.

The relevant config I have so far is this:

server {
    listen   80;
    server_name  xxxxxxxxxx;

    access_log  /var/log/nginx/xxxxxxxx.log;

    location / {

          satisfy any;

          allow 192.168.1.0/24; ##Office subnet
          allow 192.168.11.0/24; ##Office subnet

          ##Inside this subnet is the IP that needs to have auth 192.168.12.1
          allow 192.168.12.0/24; ## Office subnet

          auth_pam    "XXXXXXXXXX";
          auth_pam_service_name   "nginx";

          proxy_pass      http://xx.xx.xx.xx/; ## Redirects to desired web server
    }
}

If I use

satisfy all;

That will require every user (internal and external) to auth; that's not what I need.

If I put deny 192.168.12.1 like this:

          deny 192.168.12.1;
          allow 192.168.1.0/24; ##Office subnet
          allow 192.168.11.0/24; ##Office subnet
          allow 192.168.12.0/24; ## Office subnet

I get 403 Forbidden instantly.

If I put deny 192.168.12.1 like this:

          allow 192.168.1.0/24; ##Office subnet
          allow 192.168.11.0/24; ##Office subnet
          allow 192.168.12.0/24; ## Office subnet
          deny 192.168.12.1;

It just bypasses the authentication.

I need a way to force 192.168.12.1 to go through authentication, but without blocking the whole subnet 192.168.12.0/24, since there are other devices there that should be able to log in without auth.

Alonimus

2 Answers


The accepted answer is not correct anymore. The behaviour was a bug, which was fixed in nginx 1.5.7 (2013). You can do the following to force a basic authentication for 1.2.3.4 while granting access for all other IPs:

location / {
    satisfy any;

    deny 1.2.3.4;
    allow 0.0.0.0/0;

    auth_basic "Access denied";
    auth_basic_user_file /etc/nginx/htpasswd;
}

This is also documented here. Please note that nginx processes the allow and deny directives in a first-match manner.


It's expected that you are getting 403 for a deny. The trick is to omit 192.168.12.1, i.e. not to mention it explicitly in the allow/deny statements. Try this:

satisfy any;

allow 192.168.1.0/24;
allow 192.168.11.0/24;

allow 192.168.12.2/32;
allow 192.168.12.3/32;
allow 192.168.12.4/30;
allow 192.168.12.8/29;
allow 192.168.12.16/28;
allow 192.168.12.32/27;
allow 192.168.12.64/26;
allow 192.168.12.128/25;

auth_pam "XXXXXXXXXX";
auth_pam_service_name "nginx";
Drifter104

drookie
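The hand-written allow list in the answer above is the CIDR decomposition of 192.168.12.0/24 with the gateway address carved out. As an added example (not code from the thread), this Python script derives that list with the standard `ipaddress` module for any subnet and any set of hosts to leave unmentioned, and renders the nginx `allow` lines; it also checks which addresses the result covers, so you can verify that the gateway falls through to `auth_pam` while everything else is allowed. The subnet and gateway values are the ones from the question; the function names are assumptions.

```python
"""Generate nginx `allow` directives covering a subnet minus a few hosts.

nginx evaluates allow/deny first-match, so under `satisfy any` a `deny` for
the gateway returns 403 before auth runs. Leaving the gateway out of every
`allow` block instead makes it the only address that must satisfy auth_pam.
"""
import ipaddress
from typing import Iterable, List


def allow_list_excluding(subnet: str, excluded_hosts: Iterable[str]) -> List[str]:
    """Return the CIDR blocks that cover `subnet` minus `excluded_hosts`, ascending."""
    remaining = [ipaddress.ip_network(subnet)]
    for host in excluded_hosts:
        host_net = ipaddress.ip_network(host)  # bare address -> /32 (or /128)
        carved = []
        for block in remaining:
            if host_net.subnet_of(block):
                # address_exclude splits `block` into the blocks that remain
                # once `host_net` is removed; a /32 equal to host_net vanishes.
                carved.extend(block.address_exclude(host_net))
            else:
                carved.append(block)
        remaining = carved
    return [str(net) for net in sorted(remaining)]


def nginx_allow_directives(subnet: str, excluded_hosts: Iterable[str], indent: str = "    ") -> str:
    """Render the blocks as `allow` lines ready to paste into a location block."""
    blocks = allow_list_excluding(subnet, excluded_hosts)
    return "\n".join(f"{indent}allow {cidr};" for cidr in blocks)


def is_covered(address: str, allow_blocks: Iterable[str]) -> bool:
    """True if `address` matches some block, i.e. nginx would allow it without auth."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(block) for block in allow_blocks)


if __name__ == "__main__":
    # Values from the question: office subnet and the gateway that must auth.
    subnet, gateway = "192.168.12.0/24", "192.168.12.1"
    print(nginx_allow_directives(subnet, [gateway]))
    blocks = allow_list_excluding(subnet, [gateway])
    print("gateway covered:", is_covered(gateway, blocks))        # False -> must auth
    print("other host covered:", is_covered("192.168.12.50", blocks))  # True
```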