I am trying to configure Digest Auth in nginx. I am using the unofficial module for that, NGINX Digest module, and for the most part I can get it to work just fine: I am able to lock down an endpoint unless it's a GET. Here is my location config.

location /config {
    proxy_pass http://internal_config_service/config;
    
    limit_except GET {
        auth_digest "peek a boo";
    }
}

However, I have a scenario where I want to allow localhost unchallenged, and I'm not really finding a great way to do that.

Things I've explored: I've tried `allow 127.0.0.1;`. I've even looked into trying to do something with `if` and checking whether `$host` is local, and not adding the digest directives, but I don't think that's even possible, because my understanding is that the config is pretty static.

The one solution I can think of that might work, but requires a fair amount of work and extra confusion for someone new, is to basically create 2 servers: one that is accessible by localhost only, allows localhost through unchallenged, and cannot be accessed externally; and then a 2nd server that is publicly accessible and is locked down with digest.

I'm hoping for a better solution, but I am still kind of learning the intricacies of NGINX as I go, and I'm not optimistic of a better solution.

nagates

1 Answer

You can use the satisfy directive: http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy

The problem: I don't know if the auth_digest (unofficial module) will be part of the auth phase in the NGINX request processing. But, if this is the case, you can make use of auth_request in addition. But give this a try:

...
location /authreq {

  # Let the request through if ANY of the access-phase checks below succeeds
  satisfy any;
  allow 127.0.0.1;
  deny all;
  auth_digest "something";
  # If auth_digest is not working try
  auth_request /_authdigest;

}

# Only reachable via the auth_request subrequest, never directly by a client
location = /_authdigest {
  internal;
  auth_digest "something";
}

Update to your question regarding allow 127.0.0.1; deny all

This will NOT block all other clients / traffic. It's telling NGINX, in combination with satisfy any, that if the IP is not 127.0.0.1, any other auth function (auth_basic, auth_jwt, auth_request) has to be successful to let the request pass. In my demo: if I am not sending a request to localhost I will have to go through the auth_request location. If the auth_request returns something like 200 it satisfies my configuration and I am allowed to be connected to the proxy upstream.

I have built a little njs script disabling the auth_digest for the user and authenticating the proxy request against a digest auth protected backend. But that's not what you need, isn't it?

If you want to split up the configuration, one for localhost and the other one for the public IP, your server configuration could look like this:

server {
  listen 127.0.0.1:80;

  ## do localhost configuration here
}

server {
  listen 80;

  ## apply configuration for the IP of nic eth0 (for example) here.
}

Timo Stark
  • So this would lock it down for everything? This wouldn't allow external GET(s) through? – nagates Feb 26 '21 at 19:54
  • So GET should always work from all hosts. Digest Auth challenge for everything != GET AND != localhost? Am I right? – Timo Stark Feb 26 '21 at 20:44
  • Yep, exactly right. The thought being if you're on the machine already, you are authorized to do whatever it is you are doing, or you've tunneled in from a higher level and have permission. – nagates Feb 26 '21 at 20:55
  • Will work on a simple config, but what if you change the listen directive in a server block? Means you have one config for `{listen 127.0.0.1:80}` and one for `{listen ETH0-IP:80}`. In your external server block you can configure the auth_digest parts and in your `localhost` server block not. You can do this on a single NGINX instance. Not saying this is the final solution, but it will work. – Timo Stark Feb 26 '21 at 21:28
  • Yea, I had a similar thought, but I wonder if opening twice on 80 would conflict? – nagates Feb 27 '21 at 00:23
  • No, that will not be an issue at all. Will update my answer with an example config. – Timo Stark Mar 01 '21 at 13:44
  • Is there a way to not have to specify the exact external IP? – nagates Mar 01 '21 at 14:42
  • Sure. Just set the "internal" or localhost `127.0.0.1` and for the other listener just set your port. This will do the exact same thing without the need of having the specific IP in the listener directive. – Timo Stark Mar 01 '21 at 15:00
  • So doing something similar to what you suggested ended up working for us: 2 servers, one with the digest user file and one without. – nagates Mar 05 '21 at 21:43