I owe you guys an apology. Turns out that Apple Safari, when a basic auth password is saved in the keychain, doesn't even prompt you to send your saved password; it just sends it automatically. So I didn't see an authentication prompt because Safari was silently authenticating on my behalf. :/
Your advice to check auth.log was spot on, and I don't know how I missed it before. (It was pretty late, so I'll blame it on lack of sleep.) Seeing that successful authentication was happening behind the scenes led me to track down where the invisible authentication credentials were coming from.

Thanks for your help.

~jonathon

On Sat, Jul 25, 2015 at 8:40 PM, Jonathon Anderson <jander...@civilfritz.net> wrote:
> I've definitely already been checking /var/log/auth.log, and haven't
> been able to discern the problem; but I'll duplicate your testcase in
> my environment to see if it works correctly for me, and then do a
> binary-search from there.
>
> Thanks for your responsiveness, and sorry for my delay in getting back to you.
>
> ~jonathon
>
>
> On Thu, Jul 16, 2015 at 2:05 AM, Christos Trochalakis
> <yati...@ideopolis.gr> wrote:
>> On Wed, Jul 15, 2015 at 02:45:48AM +0000, Jonathon Anderson wrote:
>>>
>>> Package: nginx-extras
>>> Version: 1.6.2-5
>>> Severity: normal
>>>
>>> Dear Maintainer,
>>>
>>> * What led up to the situation?
>>>
>>> I recently upgraded to debian 8 and, after doing so, realized that
>>> auth_pam in nginx no longer prompted me for a password to edit my
>>> internal wiki. I noticed that auth_pam appears to have been moved to
>>> nginx-extras, so I installed that (replacing nginx-full) but the
>>> problem persists.
>>>
>>> * What exactly did you do (or not do) that was effective (or
>>> ineffective)?
>>>
>>> I've checked my config, and can't find anything wrong with it. I've
>>> added allow/deny rules for the time being, and those have successfully
>>> isolated access to my IP for now.
>>>
>>> I thought that perhaps the default for auth_pam_service_name had
>>> changed, so I set it explicitly, but to no avail.
>>>
>>> ldd reveals that nginx *is* linked against pam. nginx -V reveals
>>>
>>> --add-module=/tmp/buildd/nginx-1.6.2/debian/modules/nginx-auth-pam
>>>
>>> * What was the outcome of this action?
>>>
>>> Navigating to a path protected by this config:
>>>
>>> location /auth
>>> {
>>>     auth_pam "example.net";
>>>     auth_pam_service_name "nginx";
>>>     include fastcgi_params;
>>>     fastcgi_pass unix:/var/run/fcgiwrap.socket;
>>>     fastcgi_index ikiwiki.cgi;
>>>     fastcgi_param REMOTE_USER $remote_user;
>>> }
>>>
>>> Does not prompt for any username or password.
>>>
>>> * What outcome did you expect instead?
>>>
>>> I expect it to prompt for a username and password.
>>>
>>>
>>> -- System Information:
>>
>>
>> Hello Jonathon,
>>
>> I am not able to reproduce your case, here is my setup:
>>
>> # grep /private -A 4 /etc/nginx/sites-enabled/reprepro
>> location /private {
>>     auth_pam "example";
>>     auth_pam_service_name "nginx";
>>     proxy_pass http://IP/;
>> }
>>
>> # cat /etc/pam.d/nginx
>>
>> auth required pam_permit.so
>> account required pam_permit.so
>>
>> # curl -o /dev/null -v localhost/private/resource
>> * Connected to localhost (127.0.0.1) port 80 (#0)
>>>
>>> GET /private/resource HTTP/1.1
>>> User-Agent: curl/7.38.0
>>> Host: localhost
>>> Accept: */*
>>>
>> < HTTP/1.1 401 Unauthorized
>> * Server nginx/1.6.2 is not blacklisted
>> < Server: nginx/1.6.2
>> < Date: Thu, 16 Jul 2015 07:49:22 GMT
>> < Content-Type: text/html
>> < Content-Length: 194
>> < Connection: keep-alive
>> < WWW-Authenticate: Basic realm="example"
>> <
>> { [data not shown]
>> * Connection #0 to host localhost left intact
>>
>> # curl -o /dev/null -v localhost/private/resource -u username:pass
>> * Connected to localhost (127.0.0.1) port 80 (#0)
>> * Server auth using Basic with user 'username'
>>>
>>> GET /private/resource HTTP/1.1
>>> Authorization: Basic dXNlcm5hbWU6cGFzcw==
>>> User-Agent: curl/7.38.0
>>> Host: localhost
>>> Accept: */*
>>>
>> < HTTP/1.1 404 Not Found
>> * Server nginx/1.6.2 is not blacklisted
>> < Server: nginx/1.6.2
>> < Date: Thu, 16 Jul 2015 07:49:29 GMT
>> < Content-Type: text/html
>> < Content-Length: 168
>> < Connection: keep-alive
>> <
>> { [data not shown]
>> * Connection #0 to host localhost left intact
>>
>> # nginx -V
>> nginx version: nginx/1.6.2
>> ...
>>
>>
>> I am getting a 401 and a 'WWW-Authenticate' header on the first
>> request which is valid. Perhaps there is something else going on with your
>> setup. You could also check /var/log/auth.log for relevant messages.
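
The diagnosis reached in this thread can be checked mechanically. The following is an added example, not part of the original messages or of nginx: it parses a `curl -v` style transcript and reports whether the server issued a Basic challenge or the client attached credentials on its own. The function names, verdict labels and sample transcripts are assumptions constructed for illustration.

```python
import base64

def parse_exchange(transcript):
    """Split one `curl -v` transcript into (request headers, status, response headers)."""
    req, resp, status = {}, {}, None
    for line in transcript.splitlines():
        line = line.strip()
        if line.startswith("< HTTP/"):
            status = int(line.split()[2])          # "< HTTP/1.1 401 Unauthorized"
        elif line[:2] in ("> ", "< ") and ":" in line:
            name, _, value = line[2:].partition(":")
            (req if line[0] == ">" else resp)[name.strip().lower()] = value.strip()
    return req, status, resp

def classify(transcript):
    """Return (verdict, username) for one request/response pair."""
    req, status, resp = parse_exchange(transcript)
    auth = req.get("authorization", "")
    if auth.lower().startswith("basic "):
        try:
            raw = base64.b64decode(auth[6:], validate=True)
        except ValueError:
            return "malformed-credentials", None
        user = raw.decode("utf-8", "replace").partition(":")[0]
        # The client attached credentials itself; only a 401 means they were refused.
        return ("credentials-rejected" if status == 401 else "credentials-accepted"), user
    if status == 401 and resp.get("www-authenticate", "").lower().startswith("basic"):
        return "challenge-issued", None            # the location is enforcing auth
    return "unprotected", None                     # no credentials and no challenge

# Constructed transcripts in curl -v format, modelled on the test in the thread.
NO_CREDS = """\
> GET /private/resource HTTP/1.1
> Host: localhost
< HTTP/1.1 401 Unauthorized
< WWW-Authenticate: Basic realm="example"
"""
SAVED_CREDS = """\
> GET /private/resource HTTP/1.1
> Authorization: Basic dXNlcm5hbWU6cGFzcw==
> Host: localhost
< HTTP/1.1 404 Not Found
< Server: nginx/1.6.2
"""

if __name__ == "__main__":
    for name, t in (("no credentials", NO_CREDS), ("saved credentials", SAVED_CREDS)):
        print(name, "->", classify(t))
```

A request from a client with no stored credentials, such as plain `curl`, is the reliable way to see the challenge; a browser with a saved password produces the second pattern without ever showing a prompt.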