NGINX multiple authentication methods (one or the other) AND an IP check seems impossible

Sun, 26 May 2024 01:17:43 -0700 

```
location / {
        proxy_pass $forward_auth_target;

        allow xxxxx/24;
        deny all;

        satisfy any; # This gets satisfied by the IP check, and auth is 
completely bypassed

        auth_basic "xxxx";
        auth_basic_user_file "/etc/nginx/basic_auth/$forward_auth_bypass";

        auth_request     /outpost.goauthentik.io/auth/nginx;
        error_page       401 = @goauthentik_proxy_signin;

        auth_request_set $auth_cookie $upstream_http_set_cookie;
        add_header       Set-Cookie $auth_cookie;
        proxy_set_header X-authentik-username $authentik_username;

        auth_request_set $authentik_username 
$upstream_http_x_authentik_username;
        auth_request_set $authentik_groups $upstream_http_x_authentik_groups;
        proxy_set_header X-authentik-groups $authentik_groups;

        auth_request_set $authentik_email $upstream_http_x_authentik_email;
        proxy_set_header X-authentik-email $authentik_email;

        auth_request_set $authentik_name $upstream_http_x_authentik_name;
        proxy_set_header X-authentik-name $authentik_name;

        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-uid $authentik_uid;

        auth_request_set $authentik_uid $upstream_http_x_authentik_uid;
        proxy_set_header X-authentik-uid $authentik_uid;

        auth_request_set $authentik_auth $upstream_http_authorization;
        proxy_set_header Authorization $authentik_auth;
}

location /outpost.goauthentik.io {
        proxy_pass              http://xxxx/outpost.goauthentik.io;
        proxy_set_header        Host $host;
        proxy_set_header        X-Original-URL $scheme://$http_host$request_uri;
        add_header              Set-Cookie $auth_cookie;
        auth_request_set        $auth_cookie $upstream_http_set_cookie;
        proxy_pass_request_body off;
        proxy_set_header        Content-Length "";
        proxy_ssl_verify off;
}

location @goauthentik_proxy_signin {
        internal;
        add_header Set-Cookie $auth_cookie;
        return 302 /outpost.goauthentik.io/start?rd=$request_uri;
}
```
The goal is to bypass SSO if a correct HTTP Basic Auth header is present while 
making sure connections are only from said IPs.

When I disable the IP check it works flawlessly. How could I separate these 
requirements?

So (SSO or Basic Auth) and Correct IP
_______________________________________________
nginx mailing list
nginx@nginx.org
https://mailman.nginx.org/mailman/listinfo/nginx

Reply via email to