We want our entire server to be protected from anonymous access except for one endpoint, /public. However, we are seeing the location /ping accessed anonymously with status 200.

Why?

Surely we do not need to put authentication directives on each location block?

server {

  location /ping {
    return 200 'OK'; # Should not be available anonymously!
  }

  location = /public {
    auth_basic off;
    return 200 'OK'; # Should be available anonymously
  }

  # Users must authenticate in general
  satisfy any;
  auth_basic "Authentication";
  auth_basic_user_file /etc/my/.htpasswd;

}

According to the docs this should work:

Alternatively, you can limit access to the whole website with basic authentication but still make some website areas public. In this case, specify the off parameter of the auth_basic directive that cancels inheritance from upper configuration levels:

server {
    ...
    auth_basic           "Administrator’s Area";
    auth_basic_user_file conf/htpasswd;

    location /public/ {
        auth_basic off;
    }
}
Marc
    If you want to use `return 200 'OK';` - see [this answer](https://stackoverflow.com/a/40463578/4862445). For anything that's not part of the rewrite module - it should work ok. – Richard Smith Jun 03 '21 at 14:15
  • Maybe the location blocks should follow the authorization config, not precede it? – IVO GELOV Jun 03 '21 at 15:45
  • Thanks @RichardSmith I've posted a working answer - feel free to answer and I'll mark yours. – Marc Jun 03 '21 at 17:27

1 Answer

Thanks to @Richard Smith for the tip - we need a workaround as return is executed before any other directives.

location = /ping {
  try_files DUMMY @return200;
}
location @return200 {
  return 200 'OK';
}
Marc
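The complete server block that the answer's workaround implies, written out here as an added example (it is not the question's or the answer's own config). The listen port is an assumption; the realm name and the htpasswd path are taken from the question. The broken `/ping` block is kept commented out next to the working one so the difference in request phases is visible.

```nginx
# Added example: full server block combining server-wide basic auth,
# a public exception, and the try_files workaround for `return`.
# Assumption: port 8080; htpasswd path and realm copied from the question.
server {
    listen 8080;

    # Access-phase protection inherited by every location that does not
    # opt out. Caveat: `satisfy any;` only relaxes things when allow/deny
    # or auth_request are also configured; with auth_basic alone it does
    # not weaken the requirement, so it can stay or be dropped.
    satisfy any;
    auth_basic           "Authentication";
    auth_basic_user_file /etc/my/.htpasswd;

    # Public endpoint: `auth_basic off` cancels the inherited requirement.
    # The response here comes from the rewrite phase, which is fine because
    # no authentication is wanted anyway.
    location = /public {
        auth_basic off;
        return 200 'OK';
    }

    # BROKEN pattern (commented out): `return` belongs to the rewrite
    # module and runs in the rewrite phase, which precedes the access phase
    # where auth_basic checks credentials, so the 200 is sent before
    # authentication is ever evaluated.
    #location = /ping {
    #    return 200 'OK';
    #}

    # Working pattern: try_files is evaluated after the access phase, so the
    # inherited auth_basic runs first. DUMMY is a non-existent file; the
    # fallback is an internal redirect to the named location, which still
    # sits inside the protected server and only then emits the 200.
    location = /ping {
        try_files DUMMY @return200;
    }

    location @return200 {
        return 200 'OK';
    }
}
```

To verify after a reload, compare the status of `curl -o /dev/null -w '%{http_code}' http://localhost:8080/ping` with and without `-u user:password`: /ping should now answer 401 anonymously and 200 with valid credentials, while /public stays 200 either way.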