aca8206c30
IP access list control was implemented as default success for an empty access control list - but this had the effect of an empty list default allowing if "Satisfy Any" was set. Fortunately this was bugged, so empty lists default failed - but this broke empty lists for "Satisfy All". This patch is the correct fix: lists now always default fail, but an empty list removes the check from access control considerations. This restores the original implementations behavior and fixes the bug.
44 lines
1.5 KiB
Text
44 lines
1.5 KiB
Text
{% if access_list_id > 0 %}
|
|
set $auth_basic "Authorization required";
|
|
{% if access_list.satisfy_any == 1 %}
|
|
# Satisfy Any - any check can succeed - so look for success
|
|
{% if access_list.clients.size != 0 %}
|
|
if ( $access_list_{{ access_list_id }} = 1) {
|
|
set $auth_basic off;
|
|
}
|
|
{% endif %}
|
|
if ( $ssl_client_verify = "SUCCESS" ) {
|
|
set $auth_basic off;
|
|
}
|
|
{% else %}
|
|
# Satisfy All - all checks must succeed (so handle fails)
|
|
{% if access_list.clients.size != 0 %}
|
|
# {{ access_list.clients.size }} IP rules
|
|
if ( $access_list_{{ access_list_id }} = 0) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
{% else %}
|
|
# Empty IP rules list so no client IP check
|
|
{% endif %}
|
|
if ( $ssl_client_verify != "SUCCESS" ) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
{% endif %}
|
|
|
|
{% if access_list.items.length > 0 %}
|
|
# Basic Auth is enabled
|
|
# Authorization
|
|
auth_basic $auth_basic;
|
|
auth_basic_user_file /data/access/{{ access_list_id }};
|
|
{% if access_list.pass_auth == 0 %}
|
|
proxy_set_header Authorization "";
|
|
{% endif %}
|
|
{% else %}
|
|
{% if access_list.satisfy_any == 1 %}
|
|
# Satisfy Any without Basic Auth
|
|
if ( $auth_basic != "off" ) {
|
|
return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
|
|
}
|
|
{% endif %}
|
|
{% endif %}
|
|
{% endif %}
|