Nginx – Require Basic Auth for Specific IPs

http-authentication, http-basic-authentication, nginx

I have a whitelist of IPs for nginx, but in addition to this I want to require basic authentication for a specific IP.

For example, allow access for these IPs:

198.51.100.1
198.51.100.2

require basic authentication for this IP:

198.51.100.3

and deny for anyone else.

How is this possible? The satisfy directive doesn't seem to solve this problem.

Best Answer

You could implement this with the GEO directive: http://nginx.org/en/docs/http/ngx_http_geo_module.html#geo

Just a sketch using your ip address examples:

    geo $authentication {
        default "Authentication required";
        198.51.100.1 "off";
        198.51.100.2 "off";
        198.51.100.3 "on";
        ...
    }

    server {
        ...
        location / {
            satisfy any;

            # basic auth referencing the geo variable $authentication
            auth_basic $authentication;
            auth_basic_user_file /etc/nginx/.htpasswd;

            # whitelist for the initial IP address restrictions
            include /etc/nginx/conf.d/ip-whitelist.conf.include;
            deny all;
        }
    }
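
The per-client outcome of this sketch under `satisfy any`, modelled as an added Python example (not part of the original answer, and not nginx code). The whitelist contents, the `STRICT` variant with `default "off"`, and the client 203.0.113.7 are assumptions made here; the model relies on `auth_basic` treating the value `off` as disabled and any other value as a realm.

```python
import ipaddress

# Assumed contents of ip-whitelist.conf.include (the page does not show the file).
WHITELIST = ["198.51.100.1", "198.51.100.2"]


def geo_lookup(geo_map, client_ip):
    """Value of the geo variable: most specific matching network, else default."""
    addr = ipaddress.ip_address(client_ip)
    best = None
    for key, value in geo_map.items():
        if key == "default":
            continue
        net = ipaddress.ip_network(key, strict=False)
        if addr in net and (best is None or net.prefixlen > best[0]):
            best = (net.prefixlen, value)
    return best[1] if best else geo_map["default"]


def access_module(client_ip):
    """allow rules from the whitelist, followed by `deny all`."""
    return "ok" if client_ip in WHITELIST else 403


def auth_basic_module(realm, valid_credentials):
    """auth_basic: "off" skips the check, any other string is the realm."""
    if realm == "off":
        return "declined"
    return "ok" if valid_credentials else 401


def satisfy_any(geo_map, client_ip, valid_credentials=False):
    """Final status under `satisfy any`: one passing checker is enough."""
    results = [access_module(client_ip),
               auth_basic_module(geo_lookup(geo_map, client_ip), valid_credentials)]
    if "ok" in results:
        return 200
    return 401 if 401 in results else 403


# The geo map from the sketch above.
SKETCH = {"default": "Authentication required", "198.51.100.1": "off",
          "198.51.100.2": "off", "198.51.100.3": "on"}
# Assumed variant: only 198.51.100.3 gets a realm, everyone else gets "off".
STRICT = {"default": "off", "198.51.100.3": "Authentication required"}
```

In this model `satisfy_any(SKETCH, "203.0.113.7", True)` returns 200, because the default realm lets any address authenticate, while `satisfy_any(STRICT, "203.0.113.7", True)` returns 403.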