Nginx basic auth stopped working

dwidmann · January 23, 2023, 5:26pm

Hi all!

My YunoHost server

Hardware:: NUC
YunoHost version: testing
I have access to my server : Through SSH, through the webadmin
Are you in a special context or did you perform some particular tweaking on your YunoHost instance ? : no

Description of my issue

Recentlyish, within the last couple of weeks, noticed that nginx basic_auth for creating password protected areas has stopped working.

Applies to a fodler in a “My Webapp” instance.
Added password access as follows in the /etc/nginx/conf.d/ file for that instance:

    location /packages/rms-public/ {
        fancyindex on; 
        fancyindex_exact_size off;
        auth_basic "Access to RMS Public Packages is restricted.";
        auth_basic_user_file /etc/nginx/auth/apt-packages_rms-public;
    }

I’ve noticed the password popup doesn’t show the “auth_basic” message anymore, and regardless of password supplies, gives a 401 error.

This is what I see in the log

2023/01/23 12:04:34 [error] 369823#369823: *1 [lua] helpers.lua:386: authenticate(): Connection failed for: rms_public, client: 199.111.240.162, server: apt.dustin-widmann.com, request: "GET /packages/rms-public/ HTTP/2.0", host: "apt.dustin-widmann.com", referrer: "https://apt.dustin-widmann.com/packages/"

I was pointed here by another user, and followed the recommendation (e.g. upgrade to testing), but it didn’t resolve this issue.

Aleks · January 23, 2023, 6:11pm

“testing” is not helpful … The testing version changes regularly … What “testing” version are you on exactly …

I’m pretty sure this is related to the changes in SSOwat to improve security … I think maybe this could be fixed by tweaking the SSOwat permission for your app, maybe setting the “auth_header” key to false. You can try by editing /etc/ssowat/conf.json and refreshing your browser (no need to reload nginx), though this will be overwritten by any yunohost app ssowatconf so you need to edit properly the permission in yunohost after this, but we can discuss this once we validate the hypothesis

dwidmann · January 23, 2023, 7:31pm

Hi Aleks.

Sorry I wasn’t more specific. It looks like the yunohost debian package installed is version 11.1.3.
I tried tweaking ‘auth_header’, as suggested, but didn’t see any change in behavior. The current config for it is as follows:

        "my_webapp__2.main": {
            "auth_header": false,
            "label": "Debian Packages Server",
            "public": true,
            "show_tile": true,
            "uris": [
                "apt.dustin-widmann.com"
            ],
            "use_remote_user_var_in_nginx_conf": true,
            "users": [
                "testtest",
                "rms_developer",
                "yunoadmin"
            ]
        },