nginx auth_basic "Restricted" prompting login on every request

Question

I've set up a simple nginx server, configured the location block to point to the respective directories I want served, and set up basic authentication using the auth_basic module.

However, my server requests username : password credentials on every single page request under the location block, even after providing them multiple times to different pages under the location block, including the root location directory.

How can I configure it to store the authentication? Is this an nginx issue or a browser / request headers issue?

Here is the nginx config:

server {
    listen 80;
    server_name 0.0.0.0;

    location /path/to/dir {
        alias /var/www/dir/;
        index   index.html index.htm;
        auth_basic "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;
        try_files $uri $uri/ =404;
    }
}

Running nginx 1.4.6 on Ubuntu.

Recommended answer

HTTP authentication information is stored in your browser cache, and should only be requested again if the authentication fails or it's from a different realm (in auth_basic "Restricted"; it's Restricted).

Your configuration is fine, considering your password is correct and Nginx user has read access to the password file (case in which it'll always fail — but send an error message at the log file indicating this error). This is the most probable reason, mainly if you have only one location with authentication.

Another possible reason is having multiple auth_basic directives that use different realms or passwords. This is the same for application-generated WWW-Authenticate headers (say, if your backend application requests HTTP authentication in addition to Nginx). When there's a different realm or a password fails, your browser will request it again. No browser that I know of stores authentication per URL, it's always a combination of realm+hostname.

If you do need different realms or passwords on different locations, make sure they don't overlap for a single page (for example, if you use a different password for your assets: images, styles or javascript). Or use different hosts — the password would be requested once for each host/realm combination, though.

Update

It's unusual to use 0.0.0.0 as a server_name. listen 80; already makes your server listen to all interfaces/IP addresses.

Use server_name _; in case you mean to use any request host.
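
To check the realm+hostname point above against a real page load, the following sketch groups the 401 challenges seen while loading one page by the host and realm that issued them. It is an added example, not part of the original answer: the host example.test, the realms "Assets" and "Backend", the sample responses and all function names are constructed for illustration, and it assumes each WWW-Authenticate header carries a single challenge that starts with Basic.

```python
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Constructed sample: (URL, status, WWW-Authenticate header) as copied from
# a browser's network panel for one page load. All values are illustrative.
SAMPLE_RESPONSES = [
    ("http://example.test/path/to/dir/", 401, 'Basic realm="Restricted"'),
    ("http://example.test/path/to/dir/css/site.css", 401, 'Basic realm="Assets"'),
    ("http://example.test/path/to/dir/app/api", 401,
     'Basic realm="Backend", charset="UTF-8"'),
    ("http://example.test/path/to/dir/page2.html", 401, 'Basic realm="Restricted"'),
    ("http://example.test/path/to/dir/logo.png", 200, None),
]

# Matches a header whose (single) challenge is Basic and captures the realm.
REALM_RE = re.compile(r'^\s*Basic\b.*?\brealm="((?:[^"\\]|\\.)*)"', re.I)

def protection_space(url, header):
    """Return (scheme://host:port, realm) for a Basic challenge, else None."""
    m = REALM_RE.match(header or "")
    if not m:
        return None
    parts = urlsplit(url)
    port = parts.port or {"http": 80, "https": 443}.get(parts.scheme)
    return (f"{parts.scheme}://{parts.hostname}:{port}", m.group(1))

def group_challenges(responses):
    """Map each (origin, realm) pair to the URLs that answered 401 for it."""
    spaces = defaultdict(list)
    for url, status, header in responses:
        space = protection_space(url, header) if status == 401 else None
        if space:
            spaces[space].append(url)
    return dict(spaces)

def origins_with_multiple_realms(responses):
    """Origins that challenge under more than one realm for the same page."""
    per_origin = defaultdict(set)
    for origin, realm in group_challenges(responses):
        per_origin[origin].add(realm)
    return {o: sorted(r) for o, r in per_origin.items() if len(r) > 1}

if __name__ == "__main__":
    for (origin, realm), urls in group_challenges(SAMPLE_RESPONSES).items():
        print(f"{origin} realm={realm!r}: {len(urls)} challenge(s)")
    print("multiple realms:", origins_with_multiple_realms(SAMPLE_RESPONSES))
```

An origin listed with more than one realm points to overlapping auth_basic directives or a backend that sends its own WWW-Authenticate header.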
