I'm running an installation of a webapp running on a self-hosted server which is on my main network along with all our company PCs and a couple of other servers.
We've decided we want to add HTTP basic authentication as an extra layer of security, but we want people who are connected to the local network to be exempt from this.
After initially trying to use `allow` and `deny` directives, I've been convinced by a Stack Overflow user to use `geo` instead. I've made progress but I've hit a frustrating problem. I don't seem to be able to make an exception for the IP address range 192.168.1.1-192.168.1.255.
To show what I've been doing I'll add the snippet below with address ranges and then explain further.
```nginx
# Map the client address to the value auth_basic will receive:
# "off" disables authentication, any other string is used as the realm.
geo $authentication {
    default "Authentication required";
    127.0.0.1 "off";
    192.168.1.0/24 "off";
    10.8.0.0/24 "off";
    78.432.xx.xx/0 "off";
    0.0.0.0/0 "off";
}

server {
    location / {
        auth_basic $authentication;
        auth_basic_user_file /etc/nginx/.htpasswd;
    }
}
```
I've got all of the IP address ranges commented out (apart from 127.0.0.1) and this is what happens in each scenario:

- If I leave all commented, when accessing the web page I get prompted for credentials first, as expected.
- If I uncomment `0.0.0.0/0`, I can connect to the page with no credentials, as expected.
- If I uncomment `78.432.xx.xx/0` (which is my real public address, redacted), I can access the page with no credentials, as expected.
- If I uncomment `10.8.0.0/24` (these are the IP addresses users are assigned when using our VPN) while connected to the VPN and therefore assigned the address `10.8.0.5`, when accessing the web page I get prompted for credentials, which is not what I would expect.
- If I uncomment `192.168.1.0/24`, when accessing the web page I get prompted for credentials, which is not what I would expect. Note that my local IP address is `192.168.1.22`.
When accessing the page I can see this in the nginx logs:

```
78.432.xx.xx - - [23/Jan/2018:13:58:57 +0000] "GET / HTTP/1.1" 401 195 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64; rv:58.0) Gecko/20100101 Firefox/58.0"
```
This suggests that nginx is correctly detecting my external IP address and asking for credentials based on that, but that the entry for internal IP addresses is having no impact. This is confirmed by the fact that if I enter `192.168.1.102` in the browser instead of the domain name, I can gain access with no credentials required.

The basic auth is working and so is the IP control to an extent, but clearly I'm doing something wrong and I cannot figure out what it is.
The question is, how do I tell nginx to skip authentication if it detects a local IP address?
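Added illustration, not part of the question and not nginx's own code: a small Python model of how the `geo` block resolves a client address, run against the table above. It assumes `geo` picks the longest matching prefix and falls back to `default`; `203.0.113.5` and `198.51.100.7` are constructed stand-ins for the redacted public address and an arbitrary outside client.

```python
import ipaddress

# Emulates the matching rule of nginx's geo module: the client address is
# compared against every listed network and the most specific (longest prefix)
# match wins; an address that matches nothing gets the default value.
def geo_lookup(table, default, client_ip):
    """table: {network_string: value}; returns the value nginx would assign."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for net_str, value in table.items():
        # strict=False mirrors nginx, which masks off host bits, so that
        # "<any address>/0" becomes 0.0.0.0/0 and matches every client.
        net = ipaddress.ip_network(net_str, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, value)
    return best[1] if best else default

# The question's table with only the LAN entry uncommented. 203.0.113.5 is a
# constructed stand-in for the redacted public address 78.432.xx.xx.
LAN_ONLY = {"127.0.0.1": "off", "192.168.1.0/24": "off"}
DEFAULT = "Authentication required"

def lan_client_direct():
    # Browser reaches nginx by its LAN address: the source is 192.168.1.22.
    return geo_lookup(LAN_ONLY, DEFAULT, "192.168.1.22")

def lan_client_via_public_name():
    # Browser uses the public domain name; when the router rewrites the source
    # (NAT hairpinning), nginx sees the public address, as the 401 log line shows,
    # so the 192.168.1.0/24 entry never matches.
    return geo_lookup(LAN_ONLY, DEFAULT, "203.0.113.5")

def any_client_with_slash_zero():
    # "78.432.xx.xx/0" (stand-in 203.0.113.5/0) is the whole IPv4 space, so
    # uncommenting it exempts every address on the internet, not just the public one.
    return geo_lookup({"203.0.113.5/0": "off"}, DEFAULT, "198.51.100.7")

if __name__ == "__main__":
    print(lan_client_direct(), "|", lan_client_via_public_name(), "|",
          any_client_with_slash_zero())
```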