NGINX multiple authentication methods (one o

G
  • 26 May '24

location / {
    proxy_pass $forward_auth_target;

    allow xxxxx/24;
    deny all;

    satisfy any; # This gets satisfied by the IP check, and auth is completely bypassed

    auth_basic "xxxx";
    auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

    auth_request     /outpost.goauthentik.io/auth/nginx;
    error_page       401 = @goauthentik_proxy_signin;

    auth_request_set $auth_cookie $upstream_http_set_cookie;
    add_header       Set-Cookie $auth_cookie;

    auth_request_set $authentik_username $upstream_http_x_authentik_username;
    proxy_set_header X-authentik-username $authentik_username;

    auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
    proxy_set_header X-authentik-groups $authentik_groups;

    auth_request_set $authentik_email $upstream_http_x_authentik_email;
    proxy_set_header X-authentik-email $authentik_email;

    auth_request_set $authentik_name $upstream_http_x_authentik_name;
    proxy_set_header X-authentik-name $authentik_name;

    auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
    proxy_set_header X-authentik-uid $authentik_uid;

    auth_request_set $authentik_auth $upstream_http_authorization;
    proxy_set_header Authorization $authentik_auth;
}

location /outpost.goauthentik.io {
    proxy_pass http://xxxx/outpost.goauthentik.io;
    proxy_set_header Host $host;
    proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
    add_header       Set-Cookie $auth_cookie;
    auth_request_set $auth_cookie $upstream_http_set_cookie;
    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_ssl_verify off;   # has no effect here: the upstream above is plain http://
}

location @goauthentik_proxy_signin {
    internal;
    add_header Set-Cookie $auth_cookie;
    return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}

The goal is to bypass SSO if a correct HTTP Basic Auth header is present while making sure connections are only from said IPs.

When I disable the IP check it works flawlessly. How could I separate these requirements?

So (SSO or Basic Auth) and Correct IP
J
  • 27 May '24
Hello,

[...]

> The goal is to bypass SSO if a correct HTTP Basic Auth header is present while making sure connections are only from said IPs.
> 
> When I disable the IP check it works flawlessly. How could I separate these requirements?
> 
> So (SSO or Basic Auth) and Correct IP

Just use the geo module and "if" to reject unwanted IPs.

"If" is evaluated prior to access & post_access phases, where auth_basic
and co are evaluated.

geo $allowed_ip {
    xxx.xxx.xxx.xxx/24 1;
    default            0;
}

...

location / {
    if ($allowed_ip = 0) {
        return 403;
    }

    ....rest of config without allow/deny.
}
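A complete version of the pattern from the reply above, (allowed IP) AND (Basic Auth OR forward-auth SSO), as an added example rather than the original poster's configuration or authentik's own documented snippet. The network 203.0.113.0/24, the hostname, the upstream addresses, the certificate and htpasswd paths are placeholders chosen for this example.

```nginx
# Added example (not from the original thread or from authentik).
# Enforces: client in allowed network AND (HTTP Basic Auth OR SSO via auth_request).

http {
    # geo matches on $remote_addr, once per request, before any phase handler runs.
    # If a load balancer sits in front of nginx, enable the real IP module for that
    # trusted source (see the commented lines in the server block); otherwise the
    # LB address is what gets matched, and everyone looks "allowed" or "denied".
    geo $allowed_ip {
        default          0;
        203.0.113.0/24   1;   # placeholder: the network that may use Basic Auth
        127.0.0.1/32     1;
    }

    # Placeholder: the authentik outpost that answers /outpost.goauthentik.io.
    upstream authentik_outpost {
        server 127.0.0.1:9000;
    }

    server {
        listen 443 ssl;
        server_name app.example.invalid;             # placeholder
        ssl_certificate     /etc/nginx/tls/app.crt;  # placeholder
        ssl_certificate_key /etc/nginx/tls/app.key;  # placeholder

        # Only uncomment when a proxy you control is in front of nginx. Trusting
        # X-Forwarded-For from arbitrary peers lets a client choose its own
        # $remote_addr and walk straight past the geo check.
        # set_real_ip_from 10.0.0.0/8;   # placeholder trusted proxy range
        # real_ip_header   X-Forwarded-For;

        location / {
            # Rewrite phase: this runs before the access phase, so a request from
            # outside the allowed network is rejected before auth_basic or
            # auth_request are consulted at all.
            if ($allowed_ip = 0) {
                return 403;
            }

            # Access phase. There are no allow/deny directives left in this
            # location, so "satisfy any" now means exactly
            #     auth_basic OR auth_request
            # instead of being short-circuited by an IP allow rule.
            satisfy any;

            auth_basic           "Restricted";
            auth_basic_user_file /etc/nginx/basic_auth/app.htpasswd;  # placeholder

            # Forward-auth to authentik; a 401 from the outpost becomes a redirect
            # to the SSO login flow via the named location below.
            auth_request     /outpost.goauthentik.io/auth/nginx;
            error_page       401 = @goauthentik_proxy_signin;

            auth_request_set $auth_cookie $upstream_http_set_cookie;
            add_header       Set-Cookie $auth_cookie;

            auth_request_set $authentik_username $upstream_http_x_authentik_username;
            proxy_set_header X-authentik-username $authentik_username;

            proxy_pass http://127.0.0.1:8080;   # placeholder application upstream
        }

        location /outpost.goauthentik.io {
            proxy_pass http://authentik_outpost/outpost.goauthentik.io;
            proxy_set_header Host $host;
            proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
            add_header       Set-Cookie $auth_cookie;
            auth_request_set $auth_cookie $upstream_http_set_cookie;
            proxy_pass_request_body off;
            proxy_set_header Content-Length "";
        }

        location @goauthentik_proxy_signin {
            internal;
            add_header Set-Cookie $auth_cookie;
            return 302 /outpost.goauthentik.io/start?rd=$request_uri;
        }
    }
}
```

Check the result with `nginx -t` and then three requests: from an address outside 203.0.113.0/24 every request to / gets 403, whatever credentials it carries; from inside the network a request without credentials is redirected to /outpost.goauthentik.io/start; from inside the network a request with a valid `Authorization: Basic ...` header reaches the application without touching the SSO flow. The two checks are independent precisely because they live in different phases: the geo/if rejection is not part of the `satisfy` calculation, so it can never be the thing that satisfies it.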
G
  • 27 May '24
That works wonderfully, thank you!

On May 27, 2024 6:48:40 AM UTC, J Carter <jordanc.carter at outlook.com> wrote:
> [...]