40

I have a relatively straightforward config:

upstream appserver-1 {
    server unix:/var/www/example.com/app/tmp/gunicorn.sock fail_timeout=0;
}
server {
    listen  80;
    server_name  example.com;

    location / {
        proxy_pass http://appserver-1;
        proxy_redirect              off;
        proxy_set_header            Host $host;
        proxy_set_header            X-Real-IP $remote_addr;
        proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

        auth_basic                  "Restricted";
        auth_basic_user_file        /path/to/htpasswd;

    }

    location /api/ {
        auth_basic          off;
    }
}

The goal is to use basic auth on the whole website, except on the /api/ subtree. While it does work with respect to basic auth, other directives like proxy_pass are not in effect on /api/ as well.

Is it possible to just disable basic auth while retaining the other directives without copy&pasting everything?

Adrian Heine
Benjamin Wohlwend
  • I would like to know if there's an "official" way to do this for `certbot renew` -- I tried a few examples but ultimately had to comment out my "auth_basic" config to get certbot working, in other words my config will break in 90 days. In any case, I think Nginx should add some extra option like `auth_basic_certbot "allow";` where "allow" is the default. That would make this a no-brainer. – PJ Brunet Jan 10 '20 at 03:23

4 Answers

43

How about two files?

includes/proxy.conf would be:

proxy_pass http://appserver-1;
proxy_redirect              off;
proxy_set_header            Host $host;
proxy_set_header            X-Real-IP $remote_addr;
proxy_set_header            X-Forwarded-For $proxy_add_x_forwarded_for;

And your current conf file:

upstream appserver-1 {
    server unix:/var/www/example.com/app/tmp/gunicorn.sock fail_timeout=0;
}
server {
    listen  80;
    server_name  example.com;

    location / {
        auth_basic                  "Restricted";
        auth_basic_user_file        /path/to/htpasswd;
        include includes/proxy.conf;
    }

    location /api/ {
        auth_basic          off;
        include includes/proxy.conf;
    }
}
cjc
  • Additional info: the reason the config in the question doesn't work is that "If there are several matching location blocks nginx selects the one with the longest prefix." cf http://nginx.org/en/docs/beginners_guide.html – Adrian Leonhard Apr 25 '22 at 09:58
15

Config file

In Nginx 1.4.4 you need quotes around off for the auth_basic setting.

location / {
    auth_basic "Restricted";
    auth_basic_user_file /etc/nginx/passwd;
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/tmp/app.sock;
}

location /api {
    auth_basic "off";
    include /etc/nginx/uwsgi_params;
    uwsgi_pass unix:/tmp/app.sock;
}

Creating your htpasswd/passwd file

Install apache2-utils; there is a nice helper app that creates the htpasswd file for you very quickly. http://httpd.apache.org/docs/2.2/programs/htpasswd.html

htpasswd -c -m <filename> <username>
Nick Woodhams
  • This does exclude a specific location and prompt for a password for the rest of the site. **However**, if I click cancel, instead of the 401 error page, it shows me the actual page I requested, but without any static files. – mehov Dec 24 '16 at 15:37
5

The config below works for me for sharing a folder from my disk without any authentication for the share folder, while the rest of the site requires authentication.

server {
        listen       80;
        server_name  localhost;
        root C:\\Users\\Work\\XYZ\\;
        autoindex on;
        autoindex_exact_size off;
        autoindex_localtime on;
        auth_basic "Administrator Login";
        auth_basic_user_file C:\\Users\\Work\\.htpasswd;

        location /share {
            auth_basic "off";
            allow all; # Allow all to see content 
            alias C:\\Users\\sg32884\\Work\\share\\;
        }
}
sharad-garg
2

Nginx location

This can be achieved with a sub location:

upstream appserver-1 {
    server unix:/var/www/example.com/app/tmp/gunicorn.sock fail_timeout=0;
}
server {
    listen  80;
    server_name  example.com;

    location / {
        location /api/ {
            auth_basic          off;
            include includes/proxy.conf;
        }
        auth_basic                  "Restricted";
        auth_basic_user_file        /path/to/htpasswd;
        include includes/proxy.conf;
    }
}

Note that proxy.conf contains the proxy configuration.

intika
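An added example, not part of any post above: a small Python audit that reports, for each location in a config, whether basic auth is still required (auth_basic is inherited from the enclosing level) and whether the block has its own proxy_pass/uwsgi_pass/fastcgi_pass (these are not inherited), which is the gap in the question's /api/ block. The parser is a simplified one written for this example; `parse`, `audit`, `HANDLERS` and the `includes` mapping are hypothetical names, and include files are passed in as a dict instead of being read from disk.

```python
import re

# Content-handler directives: not inherited by other locations (auth_basic is).
HANDLERS = {"proxy_pass", "uwsgi_pass", "fastcgi_pass"}
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[{};]|[^\s{};]+')

def parse(text, includes=None):
    """Parse config text into a list of (name, args, children-or-None) tuples."""
    tokens = TOKEN.findall(re.sub(r"#.*", "", text))  # simplification: no '#' in strings
    def block(i):
        items, words = [], []
        while i < len(tokens):
            tok, i = tokens[i], i + 1
            if tok == ";":
                if words[:1] == ["include"]:  # splice in the included file's directives
                    items += parse((includes or {})[words[1]], includes)
                elif words:
                    items.append((words[0], words[1:], None))
                words = []
            elif tok == "{":
                children, i = block(i)
                items.append((words[0], words[1:], children))
                words = []
            elif tok == "}":
                break
            else:
                words.append(tok)
        return items, i
    return block(0)[0]

def audit(items, inherited="off", found=None):
    """Map each location to (basic_auth_required, has_own_handler)."""
    found = {} if found is None else found
    for name, args, children in items:
        if children is None:
            continue
        own = [a[0].strip("\"'") for n, a, _ in children if n == "auth_basic"]
        auth = own[-1] if own else inherited  # directive order inside a block is irrelevant
        if name == "location":
            handler = any(n in HANDLERS for n, _, _ in children)
            found[" ".join(args)] = (auth != "off", handler)
        audit(children, auth, found)
    return found

# Constructed input: the two location blocks from the question, condensed.
QUESTION = """server {
    location / { proxy_pass http://appserver-1; auth_basic "Restricted"; }
    location /api/ { auth_basic off; }
}"""
print(audit(parse(QUESTION)))  # /api/: no auth and no handler of its own
```

Run against a real config, any location reported as not requiring auth is part of the unauthenticated surface and worth reviewing; any location without its own handler will not be proxied.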