satisfy any; will always allow

[Zoey2936]

when having the following auth_basic and access configuration inside nginx, while also using crowdsec, it will always return 200 and not 401/403

    auth_basic "Authorization required";
    auth_basic_user_file /data/etc/access/3;
    allow 127.0.0.1;
    deny all;
    satisfy any;

if I disable crowdsec it will return 401 and ask for a password and username

[blotus]

Hello,

This is because the bouncer checks if the IP is allowed during the `NGX_HTTP_ACCESS_PHASE ' which is the phase where the auth basic module performs the credentials check.

satisfy any will allow the request if any of the access handlers let the request through.
So because the bouncer accepts the request, it's enough for nginx, and the credentials are not checked.

If you only need basic auth (ie, not allow 1.2.3.4;), I think satisfy all should work.

Another solution would be to move the bouncer to an earlier phase to ensure no conflict with any other access handler. The rewrite phase is a good candidate for this as it runs before the access phase (but it's not semantically correct).

You can try this for yourself if you want: you can edit the file /etc/nginx/conf.d/crowdsec_nginx.conf (or the equivalent one if using openresty) and replace the access_by_lua_block line with rewrite_by_lua_block, then reload nginx.

I did a very quick test, and it seems to work, but keep in mind that this might have some unintended side effects (for example, if you are using the appsec component, there's a risk the bouncer will run before the rewrite (this depends on which order nginx will load the modules, which depends on either the compile options when using static modules, or the module itself when using dynamic modules) and thus pass a potentially wrong URL to crowdsec)

[blotus]

I think I found a much better fix: our handler does not explicitly decline to handle the request so nginx (or mod_lua, not sure) seems to assume that we allow it by default.

Making the handler return ngx.DECLINED if there's no decision for the IP seems to solve the issue, I'll investigate more tomorrow.

[Zoey2936]

Thanks!

[Zoey2936]

when will it be released?

[blotus]

We are preparing the release, so most likely this afternoon or tomorrow at the latest.

[Zoey2936]

thanks

[blotus]

@Zoey2936 Looking at your Dockerfile, it looks like you are cloning the nginx bouncer main branch directly.
You don't have to wait for a proper github release, calling make will clone the main branch of cs-lua-bouncer, and the version has already been updated for cs-nginx-bouncer, so you should be good to go.

[Zoey2936]

I've pinned the version: https://github.com/ZoeyVid/NPMplus/blob/dae82bd96669a562017667bdc8a2e627e1edbef2/Dockerfile#L39