mirror of
https://github.com/NginxProxyManager/nginx-proxy-manager.git
synced 2025-08-04 16:33:32 +00:00
4d491b2d76
This commit changes access-list IP directives to be implemented using the nginx "geo" directive. This allows IP-based blocks to return 444 (drop connection) on authorization failure when the "Drop Unauthorized" is enabled. It also allows the implementation of "Satisfy Any" with the new client CA certificate support - i.e. Satisfy Any can allow clients from the local network to skip client certificate challenge, or drop down to requesting basic authentication. It should be noted that including basic authentication requirements in Satisfy Any mode does prevent a 444 response from being sent, as the basic auth challenge requires the server to respond.
38 lines
1.2 KiB
Plaintext
38 lines
1.2 KiB
Plaintext
{% if access_list_id > 0 %}
|
|
set $auth_basic "Authorization required";
|
|
{% if access_list.satisfy_any == 1 %}
|
|
# Satisfy Any - any check can succeed - so look for success
|
|
if ( $access_list_{{ access_list_id }} = 1) {
|
|
set $auth_basic off;
|
|
}
|
|
if ( $ssl_client_verify = "SUCCESS" ) {
|
|
set $auth_basic off;
|
|
}
|
|
{% else %}
|
|
# Satisfy All - all checks must succeed (so handle fails)
|
|
if ( $access_list_{{ access_list_id }} = 0) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
if ( $ssl_client_verify != "SUCCESS" ) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
{% endif %}
|
|
|
|
{% if access_list.items.length > 0 %}
|
|
# Basic Auth is enabled
|
|
# Authorization
|
|
auth_basic $auth_basic;
|
|
auth_basic_user_file /data/access/{{ access_list_id }};
|
|
{% if access_list.pass_auth == 0 %}
|
|
proxy_set_header Authorization "";
|
|
{% endif %}
|
|
{% else %}
|
|
{% if access_list.satisfy_any == 1 %}
|
|
# Satisfy Any without Basic Auth
|
|
if ( $auth_basic != "off" ) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|