Nginx密码验证不断提示输入密码 [英] Nginx password authentication keeps prompting for password
问题描述
我想上传我的网站的开发分支,以便我可以将它显示给客户端,并在尽可能接近生产的环境中进行测试(使用可能尚未准备好生产的代码)。所以我想密码保护这个网站。
I want to upload a development branch of my website so that I can show it to clients and make tests in an environment as close to production as possible (with code that may not be ready for production). Thus I would like to password protect this site.
我正在使用Django开发一个网站,并使用nginx为网站提供服务(带有uWsgi)。我设法得到提示输入以下指令的密码:
I'm developing a website using Django and use nginx for serving the website (with uWsgi). I manage to get prompted for password applying the following directives:
auth_basic "Restricted Content"; # also tried "Private Property"
auth_basic_user_file /etc/nginx/.htpasswd;
但问题是,正确输入第一个密码后,它会不断提示用户和再次输入密码好像每个API调用都需要进行身份验证。
But the problem is that after entering the first password properly, it keeps prompting me for the user & password again; as if every API call would need to be authenticated.
我认为问题可能与我的配置文件有关,所以这里是我的site.conf文件:
I think the issue might be with my configuration file, so here's my site.conf file:
server {
listen 80;
server_name panel.mysite.dev;
root /path/to/my/app/front/dist;
### I've also tried 'auth_basic' here
location / {
root /path/to/my/app/front/dist;
index index.html;
auth_basic "Private Property";
auth_basic_user_file /etc/nginx/.htpasswd;
}
location /media {
rewrite ^(.*)$ http://media.mysite.dev$1;
}
location /static {
rewrite ^(.*)$ http://static.mysite.dev$1;
}
}
server {
listen 80;
server_name api.mysite.dev;
### I've also tried 'auth_basic' here
location /api {
client_max_body_size 25m;
uwsgi_pass unix:/tmp/api.mysite.dev.sock;
include /path/to/my/app/back/uwsgi_params;
}
}
server {
listen 80;
server_name media.mysite.dev;
root /path/to/my/app/media;
add_header 'Access-Control-Allow-Origin' '.*\.mysite\.[com|dev]';
location / {
root /path/to/my/app/media;
}
}
server {
listen 80;
server_name static.mysite.dev;
root /path/to/my/app/static;
if ($http_origin ~* (https?://.*\.mysite\.[com|dev](:[0-9]+)?)) {
set $cors "true";
}
location / {
if ($cors = "true") {
add_header 'Access-Control-Allow-Origin' "$http_origin";
}
}
}
我的问题:有没有一旦输入密码便可以记住密码,并允许经过身份验证的用户轻松导航?或者我错过了一些小事?
My question: Is there any way to remember the password once entered and allow authenticated users to navigate easily? Or am I missing something trivial?
编辑:
在我的django settings.py p>
In my django settings.py:
AUTHENTICATION_BACKENDS = (
'oauth2_provider.backends.OAuth2Backend',
'django.contrib.auth.backends.ModelBackend',
'allauth.account.auth_backends.AuthenticationBackend',
)
...
REST_FRAMEWORK = {
...
DEFAULT_AUTHENTICATION_CLASSES': (
'rest_framework.authentication.TokenAuthentication',
'oauth2_provider.ext.rest_framework.OAuth2Authentication',
),
提前非常感谢你。任何帮助将不胜感激
Thank you very much in advance. Any help would be much appreciated
推荐答案
基本身份验证使用授权标题传输用户和密码。 Django REST 还在授权标题,所以如果您尝试同时登录和使用令牌认证,则会中断。
Basic authentication uses the Authorization header to transmit user and password. Django REST also uses this header in the TokenAuthentication authentication backend. Nginx does not support multiple Authorization headers, so if you try to login and use Token authentication simultaneously, things will break.
解决方案不需要更改Django应用程序将在nginx中使用另一种身份验证方式,例如客户端证书< a>,或者您可以使用 ngx_http_auth_request_module 来检查签名的会话cookie是否设置/有效,或者请求IP是否在(临时)白名单中,否则将用户重定向到具有登录表单的页面。
A solution requiring no changes to the Django app would be to use another means of authentication in nginx, e.g., client certificates, or, you can use the ngx_http_auth_request_module to check whether a signed session cookie is set/valid or if the request IP is in a (temporary) whitelist, and redirect the user to a page with a login form otherwise.
这篇关于Nginx密码验证不断提示输入密码的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
