Support within limit_except - is it possible? #16

Open
col-panic opened this issue Dec 3, 2024 · 9 comments
Labels
enhancement New feature or request


@col-panic

col-panic commented Dec 3, 2024

According to the nginx documentation, their version of the jwt auth as delivered with the commercial subscription is usable within the limit_except configuration part.

This is very useful if, for example, I want to generally allow GET requests, but want to limit PUT requests, which would be configured like this:

    location ^~ /somelocation/ {
        dav_methods PUT DELETE;
        dav_access user:rw group:rw all:r;
        client_max_body_size 1M;

        autoindex on;
        autoindex_format json;

        limit_except GET {
            auth_jwt_key_request /jwks_uri;
            auth_jwt_require_claim realm_access.roles intersect json=["somlocation-put-right"];
        }
    }

Is this module capable of being used this way?

@col-panic
Author

Using it like this fails with

nginx: [emerg] "auth_jwt" directive is not allowed here in /etc/nginx/conf.d/cockpit.conf:32

Is this a hard-coded limitation? Is it implemented in open-source nginx like this? Is their commercial version a patched instance that allows jwt? If yes, why is it documented in the open-source part documentation?

@col-panic
Author

I raised an issue in nginx (nginx/nginx#368) for a more generic solution to limit_except. Depending on their feedback, there might be a connection to this plugin opening it up via an internal auth_request call.

@kjdev
Owner

kjdev commented Dec 3, 2024

document

I wonder if I should add NGX_HTTP_LMT_CONF to Configuration Directives.

NGX_HTTP_LMT_CONF — In a limit_except block within the http block. 

I haven't tested it yet, but it seems to pass the test configuration by adding it.

@col-panic
Author

Looks promising! It seems that there are no specific reasons for why the other auth types are simply not available within this block?!

@kjdev kjdev added the enhancement New feature or request label Dec 8, 2024
@kjdev
Owner

kjdev commented Dec 9, 2024

bb676de: add limit_except to the following directive context

  • auth_jwt
  • auth_jwt_key_file
  • auth_jwt_key_request
  • auth_jwt_require
  • auth_jwt_require_claim
  • auth_jwt_require_header
  • auth_jwt_revocation_list_kid
  • auth_jwt_revocation_list_sub
  • auth_jwt_validate_exp
  • auth_jwt_validate_sig
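
Why the `[emerg] ... directive is not allowed here` error appeared inside `limit_except`, and what adding `NGX_HTTP_LMT_CONF` to a directive's context changes, shown as an added stand-alone model (not code from nginx or from this module). `command_t`, `check_directive` and the "before" context set are assumptions made for illustration; the directive names come from this thread.

```c
#include <stdio.h>
#include <string.h>

/* Context flags, values as defined in nginx's ngx_http_config.h */
#define NGX_HTTP_MAIN_CONF 0x02000000u
#define NGX_HTTP_SRV_CONF  0x04000000u
#define NGX_HTTP_LOC_CONF  0x08000000u
#define NGX_HTTP_LMT_CONF  0x80000000u   /* inside a limit_except block */
#define BASE_CTX (NGX_HTTP_MAIN_CONF | NGX_HTTP_SRV_CONF | NGX_HTTP_LOC_CONF)

typedef struct {
    const char   *name;
    unsigned int  type;   /* contexts in which the directive may appear */
} command_t;              /* simplified stand-in for ngx_command_t */

enum { DIRECTIVE_OK, DIRECTIVE_NOT_ALLOWED_HERE, DIRECTIVE_UNKNOWN };

/* Models the check in ngx_conf_handler(): a name match alone is not enough,
 * the command's type must include the block currently being parsed. */
static int check_directive(const command_t *cmds, size_t n,
                           const char *name, unsigned int ctx)
{
    int found = 0;
    for (size_t i = 0; i < n; i++) {
        if (strcmp(cmds[i].name, name) != 0) continue;
        found = 1;                          /* known, but maybe not here */
        if (cmds[i].type & ctx) return DIRECTIVE_OK;
    }
    return found ? DIRECTIVE_NOT_ALLOWED_HERE : DIRECTIVE_UNKNOWN;
}

/* Constructed tables: the "before" context set (http, server, location)
 * is an assumption; "after" adds the limit_except flag. */
static const command_t before[] = {
    { "auth_jwt",             BASE_CTX },
    { "auth_jwt_key_request", BASE_CTX },
};
static const command_t after[] = {
    { "auth_jwt",             BASE_CTX | NGX_HTTP_LMT_CONF },
    { "auth_jwt_key_request", BASE_CTX | NGX_HTTP_LMT_CONF },
};

int main(void)
{
    printf("before: %d\n", check_directive(before, 2, "auth_jwt", NGX_HTTP_LMT_CONF));
    printf("after:  %d\n", check_directive(after, 2, "auth_jwt", NGX_HTTP_LMT_CONF));
    return 0;
}
```

A directive that fails this check stops nginx at configuration load, so a missing context flag cannot silently leave the `limit_except` block without the intended authentication.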

@col-panic
Author

Thank you very much - very nice! I will have to wait for it becoming part of the alpine release though to fully roll it out!

@kjdev
Owner

kjdev commented Dec 16, 2024

Create a new version and request an update of the alpine package

@col-panic
Author

I'm sorry @kjdev, is this a question or a statement? Can I do this, or help you with it?

@kjdev
Owner

kjdev commented Dec 16, 2024

Statement.
I am planning to respond on my end.
