On Wed, Jul 15, 2015 at 02:45:48AM +0000, Jonathon Anderson wrote:
Package: nginx-extras
Version: 1.6.2-5
Severity: normal
Dear Maintainer,
* What led up to the situation?
I recently upgraded to Debian 8 and, after doing so, realized that auth_pam in
nginx no longer prompted me for a password to edit my internal wiki. I noticed
that auth_pam appears to have been moved to nginx-extras, so I installed that
(replacing nginx-full) but the problem persists.
* What exactly did you do (or not do) that was effective (or ineffective)?
I've checked my config, and can't find anything wrong with it. I've added
allow/deny rules for the time being, and those have successfully isolated
access to my IP for now. I thought that perhaps the default for
auth_pam_service_name had changed, so I set it explicitly, but to no avail.
ldd reveals that nginx *is* linked against pam. nginx -V reveals
--add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
* What was the outcome of this action?
Navigating to a path protected by this config:
    location /auth
    {
        auth_pam "example.net";
        auth_pam_service_name "nginx";
        include fastcgi_params;
        fastcgi_pass unix:/var/run/fcgiwrap.socket;
        fastcgi_index ikiwiki.cgi;
        fastcgi_param REMOTE_USER $remote_user;
    }
Does not prompt for any username or password.
* What outcome did you expect instead?
I expect it to prompt for a username and password.
-- System Information:
Hello Jonathon,
I am not able to reproduce your case, here is my setup:
# grep /private -A 4 /etc/nginx/sites-enabled/reprepro
    location /private {
        auth_pam "example";
        auth_pam_service_name "nginx";
        proxy_pass http://IP/;
    }
# cat /etc/pam.d/nginx
auth required pam_permit.so
account required pam_permit.so
# curl -o /dev/null -v localhost/private/resource
* Connected to localhost (127.0.0.1) port 80 (#0)
GET /private/resource HTTP/1.1
User-Agent: curl/7.38.0
Host: localhost
Accept: */*
< HTTP/1.1 401 Unauthorized
* Server nginx/1.6.2 is not blacklisted
< Server: nginx/1.6.2
< Date: Thu, 16 Jul 2015 07:49:22 GMT
< Content-Type: text/html
< Content-Length: 194
< Connection: keep-alive
< WWW-Authenticate: Basic realm="example"
<
{ [data not shown]
* Connection #0 to host localhost left intact
# curl -o /dev/null -v localhost/private/resource -u username:pass
* Connected to localhost (127.0.0.1) port 80 (#0)
* Server auth using Basic with user 'username'
GET /private/resource HTTP/1.1
Authorization: Basic dXNlcm5hbWU6cGFzcw==
User-Agent: curl/7.38.0
Host: localhost
Accept: */*
< HTTP/1.1 404 Not Found
* Server nginx/1.6.2 is not blacklisted
< Server: nginx/1.6.2
< Date: Thu, 16 Jul 2015 07:49:29 GMT
< Content-Type: text/html
< Content-Length: 168
< Connection: keep-alive
<
{ [data not shown]
* Connection #0 to host localhost left intact
# nginx -V
nginx version: nginx/1.6.2
...
I am getting a 401 and a 'WWW-Authenticate' header on the first
request which is valid. Perhaps there is something else going on with your
setup. You could also check /var/log/auth.log for relevant messages.
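Added example, not part of the original thread and not code from nginx or the auth-pam module: a shell check that classifies an unauthenticated response the way the reply above reads it by eye (401 plus a Basic 'WWW-Authenticate' header with the configured realm), so it can be rerun after a package upgrade. The function name, verdict strings and both sample responses are constructed for illustration.

```shell
#!/bin/sh
# Classify an unauthenticated response for a location that should be guarded
# by auth_pam. Feed it response headers on stdin, for example from:
#   curl -sS -D - -o /dev/null http://localhost/private/resource
# Prints one verdict and returns 0 only when a Basic challenge with the
# expected realm is present.
check_auth_challenge() {
    expected_realm=$1
    awk -v realm="$expected_realm" '
        { sub(/\r$/, "") }                 # HTTP header lines end in CRLF
        NR == 1  { status = $2; next }     # e.g. "HTTP/1.1 401 Unauthorized"
        $0 == "" { exit }                  # blank line closes the header block
        tolower($1) == "www-authenticate:" && tolower($2) == "basic" {
            challenge = 1
            if (index($0, "realm=\"" realm "\"") > 0) realm_ok = 1
        }
        END {
            if (status != "401") { print "UNPROTECTED status=" status; exit 1 }
            if (!challenge)      { print "NO_CHALLENGE"; exit 2 }
            if (!realm_ok)       { print "WRONG_REALM"; exit 3 }
            print "PROTECTED"
        }'
}

# Constructed sample: same status line and challenge header as the 401 in the
# reply above.
sample_protected() {
    printf 'HTTP/1.1 401 Unauthorized\r\nServer: nginx/1.6.2\r\n'
    printf 'WWW-Authenticate: Basic realm="example"\r\n\r\n'
}

# Constructed sample (assumption): a server that returns the page with no
# challenge at all, which a browser shows as "no password prompt".
sample_open() {
    printf 'HTTP/1.1 200 OK\r\nServer: nginx/1.6.2\r\n'
    printf 'Content-Type: text/html\r\n\r\n'
}
```

The realm argument must match the string given to auth_pam in the location block being tested.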