How to avoid basic authentication for AWS ELB health-check with nginx configuration
F

2

8

I'm having trouble trying to implement basic authentication for the ELB health check. I've searched quite a bit to figure out the nginx configuration that avoids the 401 error shown below, which ELB reports because of basic authentication:

unhealthy in target-group hogehoge due to (reason Health checks failed with these codes: [401])

I've tried to modify nginx.conf to avoid it, but it doesn't work. The code below gives me an [emerg] "server" directive is not allowed here error.

http {
    server {
        location / {
            if (!$http_x_forwarded_for) {
                auth_basic           'Please enter ID and password';
                auth_basic_user_file /usr/src/redmine/.htpasswd;
            }
        }
    }
}

How can I avoid the 401 error from the ELB health check caused by basic authentication?

Thanks for the help.

Federalist answered 30/9, 2017 at 6:41 Comment(1)
You must have added it in the custom config for enabling Basic Auth? How did you enable the auth in the first place? - Lou
W
14

The easiest approach would be to create a location for the ELB, for example:

location /elb-status {
  access_log off;
  return 200;
}

You will just need to change the Ping Path to be /elb-status

If you want to see something in your browser while testing, you may need to change the content type, since it defaults to application/octet-stream and the browser will offer to save the file. Something like this should work:

location /elb-status {
   access_log off;
   return 200 'your text goes here';
   add_header Content-Type text/plain;
}

If you would like to check against the user-agent something like this could be used:

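set $block 1;

# Allow all the ELB health check agents.
if ($http_user_agent ~* '^ELB-HealthChecker\/.*$') {
    set $block 0;
}
# nginx has no "!$var" test; compare against the empty string instead.
if ($http_x_forwarded_for = '') {
    set $block 1;
}

# auth_basic is not allowed inside "if", so the realm is carried in a
# variable: the special value "off" disables basic auth for the request.
set $auth_realm 'Please enter ID and password';
if ($block = 0) {
    set $auth_realm off;
}

auth_basic           $auth_realm;
auth_basic_user_file /usr/src/redmine/.htpasswd;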
Westbrooks answered 30/9, 2017 at 8:23 Comment(4)
Since I also wanted to enable/disable basic authentication based on ip-address, I used your 2nd option, and it worked. Thank you so much! - Federalist
Be careful, ifs are evil in nginx (google it, you'll see); you should use a map directive instead to set $block. - Ninette
Although ifs are evil as @CyrilDuchon-Doris mentioned (because they are imperative constructs inside Nginx's declarative style), they are quite safe to use inside server blocks... see Nginx on ifs (nginx.com/resources/wiki/start/topics/depth/ifisevil) and in particular where they say: "What to do instead: Use try_files if it suits your needs. Use the “return ...” or “rewrite ... last” in other cases. In some cases, it’s also possible to move ifs to server level (where it’s safe as only other rewrite module directives are allowed within it)." - Mcphail
Thanks @nbari. How to modify this to return 200 only when the upstream server is up? - Cooky
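
The dedicated health-check location from the answer above, placed in a complete nginx.conf as an added example (this is not code from the answers or comments). The hostname, port and backend address are assumptions; the realm and .htpasswd path are the question's. The map form suggested in the comments is included but left disabled, because it would exempt every request that carries that User-Agent.

```nginx
# Added example. Hostname, port and backend address are placeholders;
# the realm text and .htpasswd path are the ones from the question.
events {}

http {
    # Declarative form of the $block logic (the "map" suggested in the
    # comments). A realm of "off" disables basic auth for that request.
    # User-Agent is supplied by the client, so this exempts every request
    # that carries the string, not only the load balancer's.
    map $http_user_agent $ua_realm {
        default                  'Please enter ID and password';
        "~*^ELB-HealthChecker/"  off;
    }

    server {                     # "server" is only valid inside "http"
        listen      80;
        server_name redmine.example.com;

        # Default for every location below: credentials required.
        auth_basic           'Please enter ID and password';
        auth_basic_user_file /usr/src/redmine/.htpasswd;

        # Health-check target: exact match, static body, nothing proxied.
        # "return" runs in the rewrite phase, before the access phase in
        # which auth_basic is checked; "auth_basic off" states the intent
        # and keeps the path open if "return" is later replaced.
        location = /elb-status {
            auth_basic   off;
            access_log   off;
            default_type text/plain;
            return 200 'ok';
        }

        location / {
            # Weaker alternative, left disabled: exempt by User-Agent.
            # auth_basic $ua_realm;
            proxy_pass http://127.0.0.1:3000;
        }
    }
}
```

Running `nginx -t` against the file checks the syntax and directive contexts before a reload.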
S
0

Why not use the 401 status code as your success health-check?

That means your service is asking for the basic auth... in other words, the service is available.

ELB allows you to specify what https status code to expect: "Advanced health check settings".

Secant answered 22/5, 2023 at 19:47 Comment(0)