I've definitely already been checking /var/log/auth.log, and haven't been able to discern the problem; but I'll duplicate your testcase in my environment to see if it works correctly for me, and then do a binary-search from there.
Thanks for your responsiveness, and sorry for my delay in getting back to you.

~jonathon

On Thu, Jul 16, 2015 at 2:05 AM, Christos Trochalakis <yati...@ideopolis.gr> wrote:
> On Wed, Jul 15, 2015 at 02:45:48AM +0000, Jonathon Anderson wrote:
>>
>> Package: nginx-extras
>> Version: 1.6.2-5
>> Severity: normal
>>
>> Dear Maintainer,
>>
>> * What led up to the situation?
>>
>> I recently upgraded to debian 8 and, after doing so, realized that auth_pam in nginx no longer
>> prompted me for a password to edit my internal wiki. I noticed that auth_pam appears to have
>> been moved to nginx-extras, so I installed that (replacing nginx-full) but the problem persists.
>>
>> * What exactly did you do (or not do) that was effective (or ineffective)?
>>
>> I've checked my config, and can't find anything wrong with it. I've added allow/deny rules for
>> the time being, and those have successfully isolated access to my IP for now.
>>
>> I thought that perhaps the default for auth_pam_service_name had changed, so I set it explicitly,
>> but to no avail.
>>
>> ldd reveals that nginx *is* linked against pam. nginx -V reveals
>>
>> --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
>>
>> * What was the outcome of this action?
>>
>> Navigating to a path protected by this config:
>>
>> location /auth
>> {
>>     auth_pam "example.net";
>>     auth_pam_service_name "nginx";
>>     include fastcgi_params;
>>     fastcgi_pass unix:/var/run/fcgiwrap.socket;
>>     fastcgi_index ikiwiki.cgi;
>>     fastcgi_param REMOTE_USER $remote_user;
>> }
>>
>> Does not prompt for any username or password.
>>
>> * What outcome did you expect instead?
>>
>> I expect it to prompt for a username and password.
>>
>> -- System Information:
>
> Hello Jonathon,
>
> I am not able to reproduce your case, here is my setup:
>
> # grep /private -A 4 /etc/nginx/sites-enabled/reprepro
>     location /private {
>         auth_pam "example";
>         auth_pam_service_name "nginx";
>         proxy_pass http://IP/;
>     }
>
> # cat /etc/pam.d/nginx
>
> auth required pam_permit.so
> account required pam_permit.so
>
> # curl -o /dev/null -v localhost/private/resource
> * Connected to localhost (127.0.0.1) port 80 (#0)
> > GET /private/resource HTTP/1.1
> > User-Agent: curl/7.38.0
> > Host: localhost
> > Accept: */*
> >
> < HTTP/1.1 401 Unauthorized
> * Server nginx/1.6.2 is not blacklisted
> < Server: nginx/1.6.2
> < Date: Thu, 16 Jul 2015 07:49:22 GMT
> < Content-Type: text/html
> < Content-Length: 194
> < Connection: keep-alive
> < WWW-Authenticate: Basic realm="example"
> <
> { [data not shown]
> * Connection #0 to host localhost left intact
>
> # curl -o /dev/null -v localhost/private/resource -u username:pass
> * Connected to localhost (127.0.0.1) port 80 (#0)
> * Server auth using Basic with user 'username'
> > GET /private/resource HTTP/1.1
> > Authorization: Basic dXNlcm5hbWU6cGFzcw==
> > User-Agent: curl/7.38.0
> > Host: localhost
> > Accept: */*
> >
> < HTTP/1.1 404 Not Found
> * Server nginx/1.6.2 is not blacklisted
> < Server: nginx/1.6.2
> < Date: Thu, 16 Jul 2015 07:49:29 GMT
> < Content-Type: text/html
> < Content-Length: 168
> < Connection: keep-alive
> <
> { [data not shown]
> * Connection #0 to host localhost left intact
>
> # nginx -V
> nginx version: nginx/1.6.2
> ...
>
> I am getting a 401 and a 'WWW-Authenticate' header on the first
> request which is valid. Perhaps there is something else going on with your
> setup. You could also check /var/log/auth.log for relevant messages.