在Nginx配置文件中禁用特定端点上的基本身份验证无效。

huangapple go评论142阅读模式
英文:

disabling basic auth on certain endpoints in nginx conf file does not work

问题

我正在尝试禁用网站特定端点的基本身份验证,因为一些第三方服务会发送请求到该站点。

我有两个EC2实例和一个位于它们后面的应用负载均衡器(ALB)。这是我的nginx配置文件。如您所见,在服务器块中启用了身份验证,并针对特定端点禁用了身份验证。但是,当我尝试访问特定端点时,例如https://website.domain/api/providers/bgaming/rollback,我仍然被提示输入用户名和密码,但实际上不应该。

    upstream fpm_backend {
        server unix:/run/php/php8.1-fpm.sock;
    
        keepalive 256;
    }
    
    server {
        listen 80 default_server;
        server_name _;
    
        root /home/xxxx/xxxx/public;
    
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
    
        index index.html index.htm index.php;
    
        charset utf-8;
    
        error_page 404 /index.php;
        
        auth_basic "Restricted access";
        auth_basic_user_file /etc/nginx/.htpasswd;
    
        location / {
            try_files $uri $uri/ /index.php?$query_string;
        }
    
        location /api/provider/aleaplay/callback/transactions {
            auth_basic off;
        }
        location /api/provider/aleaplay/callback/players/ {
            auth_basic off;
        }
        location /callback {
            auth_basic off;
        }
        location /api/providers/bgaming/play {
            auth_basic off;
        }
        location /api/providers/bgaming/rollback {
            auth_basic off;
        }
    
        location = /favicon.ico { access_log off; log_not_found off; }
        location = /robots.txt  { access_log off; log_not_found off; }
    
        location /web.config {
            return 404;
        }
    
        location ~ \.php$ {
            fastcgi_pass fpm_backend;
            fastcgi_index index.php;
            fastcgi_split_path_info ^(.+\.php)(/.+)$;
            include fastcgi_params;
        }
    
        location ~ /\.(?!well-known).* {
            deny all;
        }
    
        client_max_body_size 20M;
    }
英文:

I am attempting to disable basic authentication for certain endpoints on my website, as some third-party services send requests to the site.

I have two EC2 instances and an Application Load Balancer (ALB) behind them. This is my nginx configuration file. As you can see, I have enabled authentication in the server block and disabled it for certain endpoints. However, when I try to access certain endpoints, such as https://website.domain/api/providers/bgaming/rollback, I am still prompted to enter a username and password, when I should not be.

upstream fpm_backend {
    server unix:/run/php/php8.1-fpm.sock;

    keepalive 256;
}

server {
    listen 80 default_server;
    server_name _;

    root /home/xxxx/xxxx/public;

    add_header X-Frame-Options "SAMEORIGIN";
    add_header X-XSS-Protection "1; mode=block";
    add_header X-Content-Type-Options "nosniff";

    index index.html index.htm index.php;

    charset utf-8;

    error_page 404 /index.php;
    
    auth_basic "Restricted access";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location / {
        try_files $uri $uri/ /index.php?$query_string;
    }

    location /api/provider/aleaplay/callback/transactions {
        auth_basic off;
    }
    location /api/provider/aleaplay/callback/players/ {
        auth_basic off;
    }
    location /callback {
        auth_basic off;
    }
    location /api/providers/bgaming/play {
        auth_basic off;
    }
    location /api/providers/bgaming/rollback {
        auth_basic off;
    }

    location = /favicon.ico { access_log off; log_not_found off; }
    location = /robots.txt  { access_log off; log_not_found off; }

    location /web.config {
        return 404;
    }

    location ~ \.php$ {
        fastcgi_pass fpm_backend;
        fastcgi_index index.php;
        fastcgi_split_path_info ^(.+\.php)(/.+)$;
        include fastcgi_params;
    }

    location ~ /\.(?!well-known).* {
        deny all;
    }

    client_max_body_size 20M;
}

答案1

得分: 0

根据您的配置,一切都由根index.php文件处理。/index.php URI由location ~ \.php$块处理,并需要身份验证。

要禁用/api/providers/bgaming/rollback的身份验证,您需要使用auth_basic off 在同一位置块内处理整个请求。

例如:

location ^~ /api/providers/bgaming/rollback {
    auth_basic off;

    try_files /index.php =404;

    fastcgi_pass fpm_backend;
    include fastcgi_params;
}

^~操作符使此位置具有优先权(在这种特定情况下可能不是必需的)。try_files语句将请求更改为index.php,但由于它不是最后一个参数,因此请求仍在同一位置块中处理。最后两个语句处理请求作为PHP文件。

英文:

Looking at your configuration, everything ends up being handled by the root index.php file. The /index.php URI is handled by the location ~ \.php$ block and requires authentication.

To disable authentication for /api/providers/bgaming/rollback, you will need to use auth_basic off and handle the entire request within the same location block.

For example:

location ^~ /api/providers/bgaming/rollback {
    auth_basic off;

    try_files /index.php =404;

    fastcgi_pass fpm_backend;
    include fastcgi_params;
}

The ^~ operator causes this location to take precedence (which is probably not required in this particular case). The try_files statement changes the request to index.php but as it is not the last parameter, the request continues to be handled within the same location block. The final two statements processes the request as a PHP file.

huangapple
  • 本文由 发表于 2023年3月7日 20:53:11
  • 转载请务必保留本文链接:https://go.coder-hub.com/75662228.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定