0

I am having a problem with satisfy any in a server or location block causing all clients to be permitted access, which afaik is not the expected behavior.

server {
  listen       80;
  server_name  raar.my.domain;

  satisfy any;
  allow 192.168.1.0/24;
  deny all;
  auth_basic "Private";
  auth_basic_user_file /etc/nginx/conf.d/avs.creds;

  location / {
    proxy_pass   http://192.168.1.13:8085;
  }
}

In this state, I can curl from an external host and it will pass the request to the proxy. If I change any to all then it actually starts invoking the access mechanisms.

It's doing my head in because neither the allow nor deny keyword appears anywhere else within /etc/nginx, so I don't know what the other access handlers could even exist to meet the satisfy any.

Debug log shows nothing.

-V:

nginx -V
nginx version: nginx/1.2.7
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-http_ssl_module --with-http_realip_module --with-http_addition_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gzip_static_module --with-http_random_index_module --with-http_secure_link_module --with-http_stub_status_module --with-mail --with-mail_ssl_module --with-file-aio --with-ipv6 --add-module=/tmp/pubcookie_src/src/nginx
az_
  • 133
  • 1
  • 8
  • How do you want access control to work? – Michael Hampton Mar 29 '13 at 01:08
  • @MichaelHampton If the user comes from one of the listed networks, permit access, otherwise try basic auth, otherwise fail. – az_ Mar 29 '13 at 01:12
  • You don't actually have the basic auth stuff in your config! You'll have to actually put it in before `satisfy any` will work. – Michael Hampton Mar 29 '13 at 02:52
  • @MichaelHampton I purposefully omitted the basic auth directives because I was having problems with satisfy even when it wasn't there (I've put it back now). Nginx does not invoke either access mechanism for any client. – az_ Mar 29 '13 at 03:00

1 Answers1

1

Hrm, turns out it was the pubcookie module misbehaving.

It was returning NGX_OK in the access phase for sites it wasn't responsible for, when the correct answer was NGX_DECLINED (as well as returning it as int instead of ngx_int_t).

For this reason satisfy any was being satisfied.

az_
  • 133
  • 1
  • 8