Nginx
Alex M., 2015-11-23 23:22:42

How to properly implement user authorization logic?

Hello!
I ran into a problem and need help.
The task is this:

  • https://site.com -> the GoogleImageProxy user agent does not require authorization
  • https://site.com -> require authorization from everyone except the admin and localhost, user file htAdminPasswds and the "Site in developing" realm message
  • https://site.com/mail/ -> require eMail user authorization, user file htUserPasswds and the "Corporate eMail" realm message
  • https://site.com/share/ -> do not require authorization
  • https://site.com/Microsoft-Server-ActiveSync -> do not require authorization

I have partially solved the problem, but as always there is a "BUT!"
For some requests (examples below), nginx returns two "WWW-Authenticate: Basic realm" lines in the response headers. In principle the setup works even with two lines, but I still want to fix it.

$ curl -v https://site.com/
*   Trying 1.1.1.1...
* Connected to site.com (1.1.1.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
....
> GET / HTTP/1.1
> Host: site.com
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Mon, 23 Nov 2015 19:56:35 GMT
< Content-Type: text/html
< Content-Length: 590
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Site in developing"
< WWW-Authenticate: Basic realm="Site in developing" <----- problem
<
<html>
....
############################################################################################################################################

$ curl -v https://site.com/mail/
*   Trying 1.1.1.1...
* Connected to site.com (1.1.1.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
....
> GET /mail/ HTTP/1.1
> Host: site.com
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Mon, 23 Nov 2015 19:58:38 GMT
< Content-Type: text/html
< Content-Length: 590
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Corporate eMail"
< WWW-Authenticate: Basic realm="Site in developing" <----- problem
<
<html>
....
############################################################################################################################################

$ curl -v https://site.com/nonexistentpage
*   Trying 1.1.1.1...
* Connected to site.com (1.1.1.1) port 443 (#0)
* TLS 1.2 connection using TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
....
> GET /nonexistentpage HTTP/1.1
> Host: site.com
> User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Trident/5.0)
> Accept: */*
>
< HTTP/1.1 401 Unauthorized
< Server: nginx
< Date: Mon, 23 Nov 2015 20:08:10 GMT
< Content-Type: text/html
< Content-Length: 590
< Connection: keep-alive
< WWW-Authenticate: Basic realm="Site in developing"
< WWW-Authenticate: Basic realm="Site in developing" <----- problem
<
<html>
....

######################################################################
# * * * * * * * * * * * * * Authorization logic * * * * * * * *  * * *
#-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--=-=-=-=-=-=-=-=-=-=-=-=-=-=--=
# * Variables
set $realm "off";
set $user_file "";
set $switcher "";
# * Require a password, but let the admin and localhost through
if ($remote_addr !~ "^(127.0.0.1|х.х.х.х)$"){
  set $switcher "A";
}
# * Require a password from eMail users
if ($uri ~ "/mail") {
  set $switcher "${switcher}B";
}
# * Declare the admin users
if ($switcher = A) {
  set $realm "Site in developing";
  set $user_file "htAdminPasswds";
}
# * Declare the eMail users
if ($switcher = AB) {
  set $realm "Corporate eMail";
  set $user_file "htUserPasswds";
}
# * Let through without asking for a password
location /share/ {
  set $realm "off";
}
if ( $http_user_agent ~ GoogleImageProxy ){
  set $realm "off";
}
if ($uri ~ "/Microsoft-Server-ActiveSync"){
  set $realm "off";
}
# * Password prompt
auth_basic $realm;
auth_basic_user_file $user_file;
######################################################################

$ nginx -V
nginx version: nginx/1.4.6 (Ubuntu)
built by gcc 4.8.4 (Ubuntu 4.8.4-2ubuntu1~14.04)
TLS SNI support enabled
configure arguments: --with-cc-opt='-g -O2 -fstack-protector --param=ssp-buffer-size=4 -Wformat -Werror=format-security -D_FORTIFY_SOURCE=2' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro' --prefix=/usr/share/nginx --conf-path=/etc/nginx/nginx.conf --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --lock-path=/var/lock/nginx.lock --pid-path=/run/nginx.pid --http-client-body-temp-path=/var/lib/nginx/body --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-proxy-temp-path=/var/lib/nginx/proxy --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-debug --with-pcre-jit --with-ipv6 --with-http_ssl_module --with-http_stub_status_module --with-http_realip_module --with-http_addition_module --with-http_dav_module --with-http_geoip_module --with-http_gzip_static_module --with-http_image_filter_module --with-http_spdy_module --with-http_sub_module --with-http_xslt_module --with-mail --with-mail_ssl_module

2 answers
alegzz, 2015-11-23
@alegzz

https://www.nginx.com/resources/wiki/start/topics/...
nginx.org/ru/docs/http/ngx_http_map_module.html
PS: does not reproduce on 1.9.6
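The map-based variant the link above points to, combined with the per-location layout from the other answer, written out as an added example (this is not code from the question or from either answer). It assumes the fragment lives in the http context, that the password files sit under /etc/nginx/, and that "x.x.x.x" stands for the admin address:

```nginx
# Added example, not from the question or the answers. Each request resolves to exactly
# one realm through map lookups, so no server-level "if" chain and no inherited auth_basic
# can contribute a second WWW-Authenticate header.

# Clients that never get a password prompt on "/": localhost and the admin address.
map $remote_addr $trusted_client {
    default    0;
    127.0.0.1  1;
    ::1        1;
    x.x.x.x    1;   # placeholder for the admin IP (assumption)
}

# Google's image proxy is exempt as well (matched by a regex on the User-Agent).
map $http_user_agent $image_proxy {
    default            0;
    ~GoogleImageProxy  1;
}

# Combine both flags: if either one is set, the realm becomes the literal "off",
# which auth_basic treats as "no authentication" even when it arrives via a variable.
map "$trusted_client$image_proxy" $root_realm {
    default  "Site in developing";
    ~1       off;
}

server {
    listen      443 ssl;
    server_name site.com;

    # Root: everyone except the exempt clients must authenticate against the admin file.
    location / {
        auth_basic           $root_realm;
        auth_basic_user_file /etc/nginx/htAdminPasswds;   # path is an assumption
    }

    # Mail: its own realm and its own user file, no exemptions.
    location /mail/ {
        auth_basic           "Corporate eMail";
        auth_basic_user_file /etc/nginx/htUserPasswds;    # path is an assumption
    }

    # Public paths: auth_basic is set only inside "location /", so nothing is inherited here.
    location /share/ { }
    location /Microsoft-Server-ActiveSync { }
}
```

The exemption trusts $remote_addr, so behind a reverse proxy ngx_http_realip_module (present in the build shown in the question) has to restore the real client address first, otherwise every request would carry the proxy's address.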

Vlad Zhivotnev, 2015-11-24
@inkvizitor68sl

P*t, I'm sorry.

location / {
  set $root_access "Site in developing";
  if ( $http_user_agent ~ GoogleImageProxy ){ set $root_access off; }
  if ($remote_addr ~ "^(127.0.0.1|х.х.х.х)$"){ set $root_access off; }
  auth_basic $root_access;
  auth_basic_user_file htUserPasswds;
}
location /mail/ {
  auth_basic "Corporate eMail";
  auth_basic_user_file htUserPasswds;
}
location /share/ {}
location /Microsoft-Server-ActiveSync {}

All the authorization logic for each location lives inside that location, and so do all the variables.
