Nginx (docker image, 1.17.2) requires basic authentication for a subpath, although my config says otherwise for https://example.org/subpath:

//  /etc/nginx/conf.d/mysetup.conf

ssl_session_cache shared:SSL:10m;
ssl_session_timeout 10m;

server {
    listen 443 ssl;
    server_name example.org;
    server_tokens off;

    ssl_certificate /etc/letsencrypt/live/example.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/example.org/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    access_log /var/logs/nginx/example.org.access.log;
    error_log /var/logs/nginx/example.org.error.log info;

    root /var/www/domains/example.org/stage_root/;        

    location / {
        auth_basic "example.org server";
        auth_basic_user_file /var/htaccess/htaccess_example.org;
    }
    location /subpath {
        auth_basic off;
        root /var/www/domains/example.org/;
    }
}

Some Facts:

  • nginx accepts my conf without warnings
  • There are more domains served (all in similar server directives) and an upstream plex.
  • the docker image is part of docker-compose setup with its own network (nginx is the gate)
  • The correct content is served: /var/www/domains/example.org/subpath/
  • Commenting-out the global auth_basic disables the auth request

What I've tried so far:

  • Moving the auth_basic setup from the location / block up to the server block.
  • off with double-quotes (suggested, although not required in the docs)
  • searched for invalid chars/whitespaces
  • removing the complete location / block

IMHO this is a standard use case, hence I guess something small slipped my eye or I am missing some context knowledge.

Maybe nginx has a problem with a location block root that is higher than the global root? It serves the content, though.

What I haven't tried, yet:

  • Working with allow / deny, as it should work without

Possible duplicate question:

Specifically this question is quite similar. However it does not have the 'twist' with the different root dir and the answers haven't helped: 1st not working, 2nd seems to be quite a workaround.

pico_prob

1 Answer

The solution is to set the auth_basic_user_file directive within the server block and the auth_basic directive within the various location blocks.

I have only included the relevant configuration, for clarity. The document root and other mandatory settings are omitted on purpose.

server {
    auth_basic_user_file /path/to/auth.txt;
    location /other {
        auth_basic off;
    }
    location / {
        auth_basic "Restricted";
    }
}
zoot
  • But why? It should work as the docs say: "The special value off allows cancelling the effect of the auth_basic directive inherited from the previous configuration level.", see http://nginx.org/en/docs/http/ngx_http_auth_basic_module.html#auth_basic – Roy Jul 07 '20 at 12:15
  • @Roy - In the example above, the location `/other` is a "child" path of `/`, so that in order to disable it, one would have to specify `auth_basic off`, because the "parent" path `/` has it enabled. As per the docs, "The special value off allows cancelling the effect of the auth_basic directive inherited from the previous configuration level." The `auth_basic_user_file` directive has to be outside of both "levels" in order to apply to both of them. – zoot Jul 08 '20 at 14:15
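
An added example, not part of the original answer or of nginx itself: a small Python audit that resolves the effective `auth_basic` and `auth_basic_user_file` for each `location` by walking up the block nesting (location, then server), so paths served without authentication are easy to list. The function names, the constructed `SAMPLE` and the simplified parser (no `include`, and a realm with no user file in scope is flagged for review) are assumptions.

```python
import re

TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')
AUTH = ("auth_basic", "auth_basic_user_file")
# Constructed sample: the layout from the answer (the file path is a placeholder).
SAMPLE = """server {
    auth_basic_user_file /path/to/auth.txt;
    location /other { auth_basic off; }
    location /      { auth_basic "Restricted"; }
}"""

def parse_blocks(conf):
    """Parse braces into blocks, recording only the auth_basic* directives."""
    conf = re.sub(r"#[^\n]*", "", conf)           # drop comments
    blocks, current, words = [], None, []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            current = {"header": words, "parent": current, "set": {}}
            blocks.append(current)
            words = []
        elif tok == "}":
            current, words = current["parent"], []
        elif tok == ";":
            if current is not None and len(words) == 2 and words[0] in AUTH:
                current["set"][words[0]] = words[1].strip("\"'")
            words = []
        else:
            words.append(tok)
    return blocks

def effective_auth(conf):
    """Map each location to (realm, user_file); realm None means auth is off."""
    out = {}
    for block in parse_blocks(conf):
        if block["header"][:1] != ["location"]:
            continue
        merged, node = {}, block
        while node is not None:                   # nearest level wins
            for key, value in node["set"].items():
                merged.setdefault(key, value)
            node = node["parent"]
        realm = merged.get("auth_basic", "off")
        out[" ".join(block["header"][1:])] = (
            None if realm == "off" else realm, merged.get("auth_basic_user_file"))
    return out

def needs_review(conf):
    """Locations with auth off, or with a realm but no user file in scope."""
    return sorted(path for path, (realm, user_file) in effective_auth(conf).items()
                  if realm is None or user_file is None)
```

Running `needs_review` over each server block after a config change gives a short list of unauthenticated paths to compare against what is meant to be public.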