Nginx w/ basic auth fails due to permissions
Hello,
Running 5.9 with nginx installed. Runs just fine under normal conditions with root:www, but utterly refuses to load the basic auth file regardless of permissions. I'm presented with the opportunity to log in with a test user name and password, but I'm presented with a 403 afterwards for all requests. Looking in the errors log I find:
Code:
[error] 28120#0: *1 open() "/etc/nginx/auth_acs" failed (2: No such file or directory), client: 10.0.0.50, server: 10.0.0.2, request: "GET /gs/index.html HTTP/1.1", host: "10.0.0.2"
Code:
auth_basic "Dev ACS Server";
auth_basic_user_file auth_acs;
Permissions:
Code:
drwxr-xr-x 26 root wheel 2.0K Jun 21 19:05 etc
drwxrwxr-x 2 root www 512B Jun 22 14:49 nginx
-rwxrwxrwx 1 root www 209B Jun 22 15:00 auth_acs
While it's a very bad idea, I can't even change the user name of the nginx process to root to see if it works. Nginx refuses to start with it, which is probably a good thing. Any advice on getting HTTP auth up and running?
|
|||
Well, that's the only thing that has worked. Is that my only option?
Full paths don't seem to work either, even to a file that exists within the chroot '/var/www'. Is that a limitation of the auth directive itself? It doesn't matter what you put there, it will prefix '/etc/nginx/' to it. Using the following still gives the load error, even though the path works otherwise:
Code:
/etc/nginx/../../var/www/conf/auth_acs
Do you think this is a bug, or that I'm just misconfiguring nginx?
|
|||
When a program is run in a chroot, that directory becomes / to that program. So if nginx is chrooted into /var/www, all nginx sees is /. So your path in the nginx config can't include /var/www/something. It has to be just /something.
So if nginx looks at a hardcoded path of /etc/nginx/conf/auth_acs then you have to put the file in /var/www/etc/nginx/conf/auth_acs for nginx to find it in the chroot.
Disclaimer: I don't use nginx, I'm assuming nginx needs to access this file from inside the chroot and it doesn't have a helper process outside passing things in nor reads the file before chrooting.
Tim.
|
|||
@TronDD
There is no way to load the password file from within the chroot. Here's the part you're missing:
Code:
/etc/nginx/conf/auth_acs
If I put the password file in '/var/www/conf/', there is no way to fool the configuration line into loading it. Using '../../var/www' can't work to escape out of the '/etc/nginx' back to root and then back into the chroot directory '/var/www/'. If nginx would stop prefixing the path this might have a chance at working. If I put the file where you suggest, then the configuration line will be mangled into this non-working line:
Code:
/etc/nginx/var/www/etc/nginx/conf/auth_acs
|
||||
Disclaimer: I use nginx, but not with auth.
The application begins with an unchrooted process, in order to read its configuration file. It then starts chrooted operational processes. If the chrooted processes need to find the specific path /etc/nginx/conf/auth_acs, the path must actually be /var/www/etc/nginx/conf/auth_acs due to the chroot resolution. You can't use symbolic links back to /etc; the chrooted process has no access to any paths outside /var/www, which it sees as "/" as trondd noted above.
|
|||
Thank you, it's up and running now.
I needed to take the -u flag out of the init script (I had forgotten it there), make /var/www/etc/nginx with correct permissions, and have just the filename in the configuration file. On another note, openssl did not seem to generate working passwords, but htpasswd did. Thanks again, guys.
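
Added example (not part of any post in this thread, and not nginx's own code): a small Python check that maps an auth_basic_user_file value to the location the file must have on the real filesystem when the worker is chrooted, then inspects its mode. The function names are hypothetical; it assumes relative values get the /etc/nginx prefix (as the error log above shows), a /var/www chroot, purely lexical ".." handling (symlinks ignored), and a permission policy (no group/world write, no world read) chosen for this example.

```python
import os
import posixpath
import stat

# Assumptions taken from the thread: config prefix and chroot directory.
CONF_PREFIX = "/etc/nginx"
CHROOT = "/var/www"

def path_inside_chroot(value, conf_prefix=CONF_PREFIX):
    """Path the chrooted worker passes to open()."""
    if not value.startswith("/"):
        # Relative values are resolved against the config prefix.
        value = posixpath.join(conf_prefix, value)
    # normpath clamps ".." at "/", the same way a chroot root does
    # (lexical only: symlinks are not followed here).
    return posixpath.normpath(value)

def host_path(value, chroot=CHROOT, conf_prefix=CONF_PREFIX):
    """Where the file must exist on the real filesystem."""
    inside = path_inside_chroot(value, conf_prefix)
    return posixpath.join(chroot, inside.lstrip("/"))

def check_auth_file(value, chroot=CHROOT, conf_prefix=CONF_PREFIX):
    """Return a list of problems with the password file as the worker sees it."""
    target = host_path(value, chroot, conf_prefix)
    try:
        st = os.stat(target)
    except OSError as exc:
        inside = path_inside_chroot(value, conf_prefix)
        return [f"worker opens {inside}; {target} on the host: {exc.strerror}"]
    problems = []
    if not stat.S_ISREG(st.st_mode):
        problems.append(f"{target} is not a regular file")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        problems.append(f"{target} is group- or world-writable")
    if st.st_mode & stat.S_IROTH:
        problems.append(f"{target} is world-readable")
    return problems

if __name__ == "__main__":
    # The three forms tried in the thread (constructed inputs).
    for v in ("auth_acs", "/etc/nginx/../../var/www/conf/auth_acs", "/conf/auth_acs"):
        print(f"{v:42} -> {host_path(v)}")
    for line in check_auth_file("auth_acs"):
        print("problem:", line)
```

The "../.." form resolves to /var/www/conf/auth_acs inside the chroot, which is /var/www/var/www/conf/auth_acs on the host, so it cannot reach a file stored at /var/www/conf/auth_acs.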