> [error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, server: _,
> request: "GET /auth/ HTTP/1.1", host: "http://my.domain.info", referrer:
> "https://my.domain.info"
>
> It seems that the rule is working but at some wrong place, I am not sure how
> to organise or set the right sequence here.

Just from the log it seems correct - you have a rule to allow 10.48.0.0/24, but the IP 10.48.11.9 doesn't go within that subnet (/24 subnet mask is just a single C subnet 10.48.0.1-254).

Then again, your whole configuration would be simpler with just a single location block (since it doesn't seem you have an application which uses /auth without a trailing slash):

    location /auth/ {
        allow 172.20.0.0/24;
        allow 10.48.0.0/24;
        #allow vpn1.ip.here;
        allow vpn2.ip.here;
        deny all;

        proxy_pass http://127.0.0.1:8080;

        auth_basic "Restricted area";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

If you wanted to get the basic HTTP auth for those who are not within allowed IP ranges, you need to add the 'satisfy any;' directive [1].

Also:

    error_page 403 /usr/share/nginx/html/403.html;

<- error_page needs a relative URI, not a full path in the filesystem; this is why nginx also returns 404 (as it can't find the error page) instead of 403 forbidden.

If /usr/share/nginx/html is your default nginx webroot you can just specify:

    error_page 403 /403.html;

If you store your error pages in a different webroot, add something like this:

    location /403.html {
        root /usr/share/nginx/html;
    }

Also, your attached configuration has duplicate 'location /' directives. Nginx should complain about invalid configuration. Are you sure you are testing correctly?

[1] http://nginx.org/en/docs/http/ngx_http_core_module.html#satisfy

rr
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx
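
Added example, not part of the original reply: a small Python check that takes the quoted "access forbidden by rule" log line, extracts the client address, and evaluates it against the allow/deny list from the suggested location block in first-match order, as nginx's access module does. The function names are hypothetical, the vpn*.ip.here placeholders are left out, and 10.48.11.0/24 is a constructed comparison value.

```python
import ipaddress
import re

# Rules from the suggested location block, in order (the vpn*.ip.here
# placeholders are omitted because they are not real addresses).
RULES = [
    ("allow", "172.20.0.0/24"),
    ("allow", "10.48.0.0/24"),
    ("deny", "all"),
]

# The error-log line quoted in the thread.
LOG_LINE = (
    '[error] 11#11: *49 access forbidden by rule, client: 10.48.11.9, '
    'server: _, request: "GET /auth/ HTTP/1.1", host: "http://my.domain.info", '
    'referrer: "https://my.domain.info"'
)

FORBIDDEN_RE = re.compile(r"access forbidden by rule, client: ([0-9a-fA-F.:]+),")


def forbidden_client(line):
    """Return the client address from an 'access forbidden by rule' line, or None."""
    m = FORBIDDEN_RE.search(line)
    return ipaddress.ip_address(m.group(1)) if m else None


def evaluate(rules, client):
    """Emulate the access module: rules are checked in order, first match decides."""
    for action, target in rules:
        if target == "all" or client in ipaddress.ip_network(target):
            return action, target
    return "allow", None  # no rule matched, so the access module does not object


def explain(line, rules=RULES):
    """Describe which rule decided the request logged in `line`."""
    client = forbidden_client(line)
    if client is None:
        return None
    action, target = evaluate(rules, client)
    return f"{client}: {action} (matched '{target}')"


if __name__ == "__main__":
    print(explain(LOG_LINE))
    for cidr in ("10.48.0.0/24", "10.48.11.0/24"):  # second value is constructed
        net = ipaddress.ip_network(cidr)
        print(f"{cidr} covers {net[0]} - {net[-1]}")
```

Running the same check over every forbidden line in an error log shows which clients fall through to "deny all" before any allow rule is widened.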