The Authorization Header is not sent with an HTTP OPTIONS Request. I would like to disable this authentication only when the request is OPTIONS and leave it on for other requests. Here is the relevant piece of config code I have at the moment. I cannot seem to see why it does not work. I always get a 401 Unauthorized Error on an OPTIONS request.
location ~ /foo/bar
{
    if ($request_method = OPTIONS) {
        set $auth_basic "off";
    }
    if ($request_method != OPTIONS)
    {
        set $auth_basic "Resctricted";
        set $auth_basic_user_file /var/www/.htpasswd;
    }
    auth_basic $auth_basic;
    auth_basic_user_file $auth_basic_user_file;
}
Configure HTTP Authentication for Nginx
1. auth_basic – turns on validation of user name and password using the “HTTP Basic Authentication” protocol.
2. auth_basic_user_file – specifies the password file.
Authenticate clients during request processing by making a subrequest to an external authentication service, such as LDAP or OAuth. NGINX and NGINX Plus can authenticate each request to your website with an external server or service. To perform authentication, NGINX makes an HTTP subrequest to an external server where the subrequest is verified.
The ngx_http_auth_request_module module (1.5.4+) implements client authorization based on the result of a subrequest. If the subrequest returns a 2xx response code, the access is allowed. If it returns 401 or 403, the access is denied with the corresponding error code. Any other response code returned by the subrequest is considered an error.
It looks like it is an old post, but I found this solution:
Put the following configuration inside "location" and remove any auth_basic from server. This will work.
location / {
    # Your node proxy configuration for example #
    # Make options requests work #
    limit_except OPTIONS {
        auth_basic "Restricted access zone";
        auth_basic_user_file /etc/nginx/pass/protected;
    }
}
The simplest way to deal with this is to allow nginx to handle the OPTIONS request:
server {
    listen 80;
    server_name example.com;
    root /var/www;
    auth_basic "Resctricted";
    auth_basic_user_file /var/www/.htpasswd;
    location / {
        if ($request_method = OPTIONS) {
            add_header Access-Control-Allow-Origin "http://example.com";
            add_header Access-Control-Allow-Methods "GET, OPTIONS";
            add_header Access-Control-Allow-Headers "Authorization";
            add_header Access-Control-Allow-Credentials "true";
            add_header Content-Length 0;
            add_header Content-Type text/plain;
            return 200;
        }
    }
}
This will allow OPTIONS to get a response without requiring authentication:
scott@Carl www $ curl -i -X OPTIONS http://example.com
HTTP/1.1 200 OK
Server: nginx
Date: Sat, 17 Jun 2017 00:09:52 GMT
Content-Type: application/octet-stream
Content-Length: 0
Connection: keep-alive
Access-Control-Allow-Origin: http://example.com
Access-Control-Allow-Methods: GET, OPTIONS
Access-Control-Allow-Headers: Authorization
Access-Control-Allow-Credentials: true
Content-Length: 0
Content-Type: text/plain
scott@Carl www $ curl -i http://example.com
HTTP/1.1 401 Unauthorized
Server: nginx
Date: Sat, 17 Jun 2017 00:09:59 GMT
Content-Type: text/html
Content-Length: 188
Connection: keep-alive
WWW-Authenticate: Basic realm="Resctricted"
<html>
<head><title>401 Authorization Required</title></head>
<body bgcolor="white">
<center><h1>401 Authorization Required</h1></center>
<hr><center>nginx</center>
</body>
</html>
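A third option, added here as an example and not taken from any of the posts above, keeps the question's idea of driving auth_basic from a variable: auth_basic accepts variables (nginx 1.3.10 / 1.2.7 and later), so a map on $request_method can produce the special value off for OPTIONS only. The hostname, paths and the upstream address 127.0.0.1:3000 are placeholder assumptions.

```nginx
# Added example; hostname, paths and the upstream address are placeholders.
# map must be declared at http{} level, outside any server{} block.
map $request_method $auth_realm {
    default  "Restricted";   # every method except OPTIONS is challenged
    OPTIONS  off;            # auth_basic treats the value "off" as disabled
}

server {
    listen 80;
    server_name example.com;

    location /foo/bar {
        # The realm is evaluated per request, so only OPTIONS skips the check.
        auth_basic           $auth_realm;
        # The user file stays a fixed path; it does not need to vary by method.
        auth_basic_user_file /var/www/.htpasswd;

        # Unauthenticated OPTIONS requests are forwarded like any other request,
        # so the application must not do privileged work for that method.
        proxy_pass http://127.0.0.1:3000;
    }
}
```

After `nginx -t` and a reload, repeat the two curl checks shown above against /foo/bar: the OPTIONS request should no longer return 401, and a GET without credentials should still return 401 with a WWW-Authenticate header.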