Kobo Install with Basic Auth on Nginx

roemhildtg · September 11, 2020, 8:27pm

I’m running Kobo behind Nginx as. a reverse proxy. All is working, but I want to protect the API with Basic Authentication - so I enabled nginx Basic auth using this:

        satisfy any;
        
        allow 127.0.0.1;        # localhost
        allow 10.0.1.0/24;      # local traffic
        deny all;

        auth_basic              "Authenticated Users";
        auth_basic_user_file    htpasswd;

The issue is that the basic Authorization header is proxied to Kobo. No big deal, I remove the header using:

proxy_set_header Authorization "";

Now though - I get a weird situation. Whenever I navigate to ANY kobo page, I get Status 204 No-Content. Am I missing something obvious here? Could this in any way be a problem with Kobo?

Thank you for any suggestions, I’ve been staring at this for far too long and just wanted a second set of eyes.

Elie · September 13, 2020, 2:45pm

aren’t you supposed to add
order allow,deny
first?

roemhildtg · September 14, 2020, 2:06pm

Aha - I found the problem.

It was just a silly config on my end. I had some proxy_set_header references in my server block, and I was setting the Authorization header in my location block. So I think that was incorrect. I moved all the proxy_set_header items to the server block and it started working. Here is my working config:

events {}

http {
    client_max_body_size 100M;

    log_format compression '$remote_addr - $remote_user [$time_local] '
                           '"$request" $status "$http_referer" '
                           '"$http_host" "$http_authorization"';

    # generated 2020-07-17, Mozilla Guideline v5.4, nginx 1.17.7, OpenSSL 1.1.1d, intermediate configuration
    # https://ssl-config.mozilla.org/#server=nginx&version=1.17.7&config=intermediate&openssl=1.1.1d&guideline=5.4
    server {
        listen 80 default_server;
        listen [::]:80 default_server;

        return 301 https://$host$request_uri;
    }

    server {
        include ssl.conf;
    }

    # map the $authorization property to $http_authorization if
    # remote user is not our custom user
    map $remote_user $authorization {
        default                 $http_authorization;
        "nginx-basic-external-user"     "";
    }


    # kobo toolbox
    server {
        server_name 
            kf.domain.com
            kc.domain.com;
        include ssl.conf;
        include proxy_pass.conf;

        # replace authorization header with empty
        proxy_set_header Authorization $authorization;

        access_log /var/log/nginx/kobo.access.log  compression;

        location / {
            proxy_pass http://{{ kobo_frontend_ip }}:8080;
        }

    }
    
    server {
        server_name ee.domain.com;
        include ssl.conf;

        include proxy_pass.conf;

        # replace authorization header
        proxy_set_header Authorization $authorization;

        satisfy any;
        
        allow 127.0.0.1;        # localhost
        allow x.x.x.x;  # NAT gateway
        allow 10.0.1.0/24;      # local traffic
        deny all;

        auth_basic              "Authenticated Users";
        auth_basic_user_file    htpasswd;

        access_log /var/log/nginx/ee.access.log  compression;

        location / {
            proxy_pass              http://{{ kobo_frontend_ip }}:8080;
        }

    }

}

with regards to the allow,deny comment - see here: