owntracks / quicksetup

A (mostly) automated installer for OwnTracks Recorder, Frontend with MQTT and Let's Encrypt
https://owntracks.org/booklet/guide/quicksetup/

Safari keeps prompting for basic authentication (apache / nginx) #2

Closed jpmens closed 5 months ago

jpmens commented 5 months ago

Cannot reproduce on either Firefox or Chrome (on Mac). Safari periodically asks for basic auth credentials in spite of saving them.

jpmens commented 5 months ago

Occurs on iPadOS as well.

jpmens commented 5 months ago

    <ip-address> - jip [03/Feb/2024:18:32:25 +0000] "GET /owntracks/ws/last HTTP/1.1" 101 130363 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"

    <ip-address> - - [03/Feb/2024:18:33:35 +0000] "GET /owntracks/ws/last HTTP/1.1" 401 4970 "-" "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.6 Safari/605.1.15"

From one second to the next.

jpmens commented 5 months ago

Possibly solved with a Satisfy in spite of it not making much sense to me.

                AuthType Basic
                AuthName "My OwnTracks"
                AuthBasicProvider file
                AuthUserFile "/usr/local/owntracks/userdata/htpasswd"
                Require valid-user
                Satisfy any

jpmens commented 5 months ago

Solved.

jpmens commented 5 months ago

That wasn't the solution; I didn't notice that authentication didn't work at all. Back to square 1.

jpmens commented 5 months ago

I could really use some help here. This is the config. Firefox and Chrome (on macOS) behave the way I think they should. Safari (on macOS, iPadOS, and iOS) prompts for re-authentication after a minute or two, in spite of checking the "Save Password" box.

I think it has something to do with the websocket connection from frontend/ and from last/.

It shouldn't be a TLS issue; disabling, i.e. configuring for port 80, doesn't solve the issue. It's proxy related.

jpmens commented 5 months ago

mastodon-social-jpmens-111889944750942696

(screenshot as my toots are autodeleted.)

jpmens commented 5 months ago

Michael says: Continuous authentication prompts on Safari on iOS when using Windows auth

jpmens commented 5 months ago

Dirk says:

this configuration works for the websockets in confluence: Edit: yes, also with Safari, but it doesn’t use BasicAuth. So it may help or not.

        <Location /synchrony>
              Require all granted
              RewriteEngine on
              RewriteCond %{HTTP:UPGRADE} ^WebSocket$ [NC]
              RewriteCond %{HTTP:CONNECTION} Upgrade$ [NC]
              RewriteRule .* ws://localhost:1111%{REQUEST_URI} [P]
        </Location>

It doesn't work.

jpmens commented 5 months ago

zimpenfish says:

Had the same problem with Hugo’s livereload websocket. Solved it by creating a cookie after the first successful login and using that as an alternate authentication method. Not ideal at all but the only way I could find to avoid this with Safari.

This is my nginx configuration.

    map $cookie_thingauth $mysite_hascookie {
      "COOKIE_VALUE" "off";
      default "auth/realm";
    }
    ...
    location /xyz/ {
      auth_basic $mysite_hascookie;
      auth_basic_user_file "/pw/file";
      add_header Set-Cookie "thingauth=COOKIE_VALUE;max-age=86400;path=/;secure";
      ...
    }

thingauth and COOKIE_VALUE have to match between the two blocks. Hopefully that helps and if there’s a better solution, I’d love to know myself.

This is looking promising...
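
The workaround quoted above lets a cookie stand in for the password, so how that cookie is matched and issued is worth reviewing. The following is an added example, not code from the thread or from the OwnTracks project: a small Python check that finds a cookie-to-`auth_basic` map like the quoted one and reports how the cookie is set. The function name `audit_cookie_bypass`, the finding labels and the embedded sample config are assumptions made for this illustration.

```python
import re

# Constructed sample: the nginx snippet quoted in the thread, minus its "..." lines.
SAMPLE_CONF = '''
map $cookie_thingauth $mysite_hascookie {
  "COOKIE_VALUE" "off";
  default "auth/realm";
}
location /xyz/ {
  auth_basic $mysite_hascookie;
  auth_basic_user_file "/pw/file";
  add_header Set-Cookie "thingauth=COOKIE_VALUE;max-age=86400;path=/;secure";
}
'''

MAP_RE = re.compile(r'map\s+\$cookie_(\w+)\s+(\$\w+)\s*\{(.*?)\}', re.S)
ENTRY_RE = re.compile(r'^\s*"?([^"\s;]+)"?\s+"?([^"\s;]+)"?\s*;', re.M)
SET_COOKIE_RE = re.compile(r'add_header\s+Set-Cookie\s+"([^"]*)"', re.I)


def audit_cookie_bypass(conf):
    """Return (cookie, finding) pairs; finding labels are hypothetical names."""
    findings = []
    for cookie, var, body in MAP_RE.findall(conf):
        # Only relevant when auth_basic takes its realm from the mapped variable.
        if not re.search(r'auth_basic\s+' + re.escape(var) + r'\s*;', conf):
            continue
        # Map keys whose result is "off": presenting one of these skips the prompt.
        bypass = [k for k, v in ENTRY_RE.findall(body) if v == "off" and k != "default"]
        if not bypass:
            continue
        findings.append((cookie, "static-bypass-value"))
        for header in SET_COOKIE_RE.findall(conf):
            name, _, rest = header.partition("=")
            if name.strip() != cookie:
                continue
            value, *attrs = [part.strip() for part in rest.split(";")]
            if value not in bypass:
                findings.append((cookie, "issued-value-not-in-map"))
            present = {a.split("=")[0].lower() for a in attrs if a}
            for wanted in ("secure", "httponly", "samesite"):
                if wanted not in present:
                    findings.append((cookie, "missing-" + wanted))
    return findings


if __name__ == "__main__":
    for cookie, finding in audit_cookie_bypass(SAMPLE_CONF):
        print(cookie, finding)
```

The `static-bypass-value` finding stays even when every attribute is set, because the cookie value is a constant written into the config and is the same for every client.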

jpmens commented 5 months ago

zimpenfish's solution appears to be working, and thanks so much for that!

Cookies are being replaced when they expire, and I've not had Safari prompt for credentials since yesterday's launch.