satisfy any; will always allow #61
Comments
Hello, this is because the bouncer checks if the IP is allowed during the `NGX_HTTP_ACCESS_PHASE`, which is the phase where the auth basic module performs the credentials check.
If you only need basic auth (i.e., not Another solution would be to move the bouncer to an earlier phase to ensure no conflict with any other access handler. The rewrite phase is a good candidate for this as it runs before the access phase (but it's not semantically correct). You can try this for yourself if you want: you can edit the file I did a very quick test, and it seems to work, but keep in mind that this might have some unintended side effects (for example, if you are using the appsec component, there's a risk the bouncer will run before the rewrite (this depends on which order nginx will load the modules, which depends on either the compile options when using static modules, or the module itself when using dynamic modules) and thus pass a potentially wrong URL to crowdsec)
I think I found a much better fix: our handler does not explicitly decline to handle the request so nginx (or mod_lua, not sure) seems to assume that we allow it by default. Making the handler return
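An added illustration, not part of the thread and not nginx's or the bouncer's own code: a simplified C model of how nginx's access phase combines handler return codes, showing why a handler that returns `NGX_OK` masks the 401 from auth basic under `satisfy any`, while one that returns `NGX_DECLINED` does not. The handler functions and the return code attributed to the bouncer are assumptions made for the illustration.

```c
#include <stdio.h>

/* Return codes as defined by nginx core. */
#define NGX_OK                  0
#define NGX_DECLINED           -5
#define NGX_HTTP_OK             200
#define NGX_HTTP_UNAUTHORIZED   401
#define NGX_HTTP_FORBIDDEN      403

typedef int (*access_handler)(void);

/* Hypothetical handlers: request without credentials from a non-banned IP. */
static int bouncer_ok(void)       { return NGX_OK; }        /* explicit allow */
static int bouncer_declined(void) { return NGX_DECLINED; }  /* no opinion */
static int auth_basic_fail(void)  { return NGX_HTTP_UNAUTHORIZED; }

const access_handler chain_ok[]       = { bouncer_ok, auth_basic_fail };
const access_handler chain_ok_last[]  = { auth_basic_fail, bouncer_ok };
const access_handler chain_declined[] = { bouncer_declined, auth_basic_fail };

/* Simplified model of the access phase; returns the final HTTP status. */
int access_phase(const access_handler *h, int n, int satisfy_any)
{
    int access_code = 0;
    for (int i = 0; i < n; i++) {
        int rc = h[i]();
        if (rc == NGX_DECLINED) continue;            /* ask the next handler */
        if (!satisfy_any) {
            if (rc == NGX_OK) continue;              /* satisfy all: all must agree */
            return rc;                               /* first denial wins */
        }
        if (rc == NGX_OK) return NGX_HTTP_OK;        /* satisfy any: one allow is enough */
        if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
            if (access_code != NGX_HTTP_UNAUTHORIZED) access_code = rc;
            continue;                                /* remember denial, keep looking */
        }
        return rc;                                   /* other codes end the request */
    }
    return access_code ? access_code : NGX_HTTP_OK;
}

int main(void)
{
    printf("any, bouncer returns OK:       %d\n", access_phase(chain_ok, 2, 1));
    printf("any, bouncer returns DECLINED: %d\n", access_phase(chain_declined, 2, 1));
    printf("all, bouncer returns OK:       %d\n", access_phase(chain_ok, 2, 0));
    return 0;
}
```

In this model the order of the handlers does not rescue the `NGX_OK` case: a 401 recorded earlier is discarded as soon as any later handler allows the request.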
Thanks!
When will it be released?
We are preparing the release, so most likely this afternoon or tomorrow at the latest.
Thanks
@Zoey2936 Looking at your Dockerfile, it looks like you are cloning the nginx bouncer main branch directly.
When having the following auth_basic and access configuration inside nginx, while also using crowdsec, it will always return 200 and not 401/403.
If I disable crowdsec, it will return 401 and ask for a password and username.