I’m configuring an Nginx server to display a directory listing at the root (/). I want to allow access without authentication for certain IP addresses, while requiring basic authentication for everyone else.
Here’s what I’m trying to achieve:
- Users from specific IP addresses should be able to access the directory without seeing the auth prompt
- All other users should be required to enter a username and password.
- Access should work via HTTPS only, with HTTP redirecting to HTTPS.
I’ve used satisfy any; to allow access via either IP allowlist or basic authentication, but users from allowed IPs still see the authentication prompt.
My Current Nginx Configuration (Simplified)
server {
listen 443 ssl;
server_name example.com;
ssl_certificate /etc/ssl/example.crt;
ssl_certificate_key /etc/ssl/example.key;
root /var/www/repec;
# Redirect HTTP requests with wrong scheme to HTTPS
error_page 497 https://$host$request_uri;
location / {
autoindex on; # Enable directory listing
autoindex_exact_size off; # Human-readable file sizes
autoindex_localtime on; # Display local times
# Allow access from specific IPs (real IPs omitted here)
allow 1.2.3.4; # Example IP
allow 5.6.7.8; # Example IP
# Deny everyone else
deny all;
# Require authentication for non-allowed IPs
auth_basic "Restricted Content";
auth_basic_user_file /etc/nginx/passwords;
# Grant access if IP is allowed OR authentication is valid
satisfy any;
}
}
server {
listen 80;
server_name example.com;
return 301 https://$host$request_uri; # Redirect HTTP to HTTPS
}
Issue:
Despite using satisfy any;, users from the allowed IPs are still prompted for basic authentication. How can I ensure they bypass the auth prompt entirely while others are required to authenticate?
What I’ve Tried:
- Rearranging the
allow,deny, andsatisfydirectives. - Confirming that the IP detection is correct.
- Checking Nginx logs for any misconfigurations.
