
Can't find a way to build the following scheme.

  • A whitelist of IPs ever allowed. Ban for most of the net.
  • A sublist of whitelisted IPs allowed to bypass auth. A part of a local net, for example.
  • Basic auth for the rest: IPs that are allowed but do not bypass it.

The logic doesn't look that complicated. However, I was only able to write a config with two out of the three simultaneously (basic auth + no-auth whitelist, etc.) because of tricky basic auth and all/any match interactions.

Any nginx config example for this case?

Les

1 Answer

First of all, nice question; you got me there. I had to search for a decent way of doing it, but I could not find one, so I will try to give you a "cowboy" answer for your problem that may work.

What I think may work is to map the IPs, giving each a value depending on which of the 3 groups you stated it belongs to.

map $remote_addr $perm_group {
    1.1.1.1    2;  # IPs that don't need basic_auth
    1.1.1.2    1;  # basic_auth IPs
    default    0;  # banned IPs
}

Then at the server bracket:

server {
    listen 80;
    server_name example.com;

    if ( $perm_group = 0 ) {
        return 403; # banned IPs get a 403
    }

    # auth_basic is not allowed inside "if", so select the realm through a
    # variable instead: the special value "off" disables auth (group 2),
    # group 1 gets a real realm and must authenticate.
    set $auth_realm off;
    if ( $perm_group = 1 ) {
        set $auth_realm "Restricted";
    }

    auth_basic $auth_realm;
    auth_basic_user_file /etc/nginx/yourAuthFile; # make a file with user/password
    # anything else is allowed, so we go with the normal handling.

    location / {
        # do what you need to do here
    }
}

This is the first time I write this kind of config, but it should work; comment on any error and we'll debug it if anything goes wrong.

If it's a big number of IPs that you want to sort into groups, you can include in the map a file where the IPs are sorted, so you can keep your nginx configuration clean.

Hope I helped.

flaixman
  • I think your maps are inverted. It should be that the default is '0', those bypassing auth should be '2', and those that require auth being '1'. OP indicated they want to *block* most of the 'net by default. "Whitelist of all IPs allowed in", "Subset of those IPs which can bypass auth", "Block the rest" <-- my interpretation of their statements. – Thomas Ward Jan 14 '19 at 15:29
  • Oopsie, you are right! Will edit it in a moment. Edit: Changed! Thanks man, I was too much into how to do it that I forgot basic things. – flaixman Jan 14 '19 at 15:30
  • Will this map convert correctly something like "7.7.0.0/16" or other IP ranges? – Les Jan 15 '19 at 03:52
  • It should; if it doesn't, try it with geo: https://serverfault.com/questions/743414/how-can-i-check-if-remote-addr-ip-is-not-in-cidr-range-in-nginx. In that answer it works, so mapping the IP should not be a problem, no matter the IP. – flaixman Jan 15 '19 at 08:39
  • It's a working mechanism, but you must use regexps for ranges (didn't check the geo way), this may be slow. The right code will be (auth_basic under if won't work) `if ($perm_group = 1) { set $auth_basic off; } if ($perm_group != 1) { set $auth_basic Restricted; } auth_basic $auth_basic;` – Les Jan 15 '19 at 09:10
  • Okay, just changed the ifs; did you manage to read the ip/xx? – flaixman Jan 15 '19 at 09:35
  • I didn't try; the $perm_group = 0 code was removed as redundant, the top whitelist works without it and the group bypassing auth is quite small. – Les Jan 16 '19 at 03:11
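Putting the answer and the comment thread together, here is a complete three-tier config as an added example (not code from the question, the answer or the nginx project). It swaps the map on $remote_addr for a geo block, because geo accepts CIDR ranges directly and picks the longest matching prefix, so a small bypass subnet can sit inside a larger authenticated range without regexps; and it uses the set-a-variable trick from Les's comment, since auth_basic is not permitted inside if. All addresses, the realm, the server name and the htpasswd path are placeholders.

```nginx
# Tier 0: banned (default), tier 1: allowed but must pass basic auth,
# tier 2: allowed and bypasses auth. geo does longest-prefix matching,
# so 10.1.2.0/24 wins over 10.0.0.0/8 for clients in that subnet.
geo $perm_group {
    default          0;   # everything not listed below is banned
    203.0.113.0/24   1;   # placeholder public range: must authenticate
    10.0.0.0/8       1;   # placeholder office net: must authenticate
    10.1.2.0/24      2;   # placeholder trusted subnet: no auth needed
}

server {
    listen 80;            # serve this over TLS in practice: basic auth only base64-encodes the password
    server_name example.com;

    # Tier 0: not whitelisted at all, reject before anything else runs
    if ($perm_group = 0) {
        return 403;
    }

    # auth_basic cannot appear inside "if", so choose the realm via a variable.
    # The special value "off" disables auth (tier 2); tier 1 gets a real realm.
    set $auth_realm off;
    if ($perm_group = 1) {
        set $auth_realm "Restricted";
    }

    auth_basic           $auth_realm;
    auth_basic_user_file /etc/nginx/htpasswd;   # placeholder; create with htpasswd

    location / {
        root /var/www/html;   # placeholder document root
    }
}
```

Check the syntax with `nginx -t`, then exercise each tier with `curl -I` from an unlisted address (expect 403), from a tier-1 address without and with `-u user:pass` (expect 401, then 200), and from a tier-2 address with no credentials (expect 200). One caveat that bites in deployments behind a load balancer or CDN: geo and map both read $remote_addr, which is then the proxy's address, so every client lands in the same tier; configure ngx_http_realip_module (set_real_ip_from for the trusted proxies and real_ip_header) before relying on this scheme, and never trust X-Forwarded-For from addresses you have not listed there.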