From 9f1d791991176566842d43e0b344e64b30ccb5de Mon Sep 17 00:00:00 2001 From: foosinn Date: Thu, 5 Jun 2025 22:53:18 +0200 Subject: [PATCH] docs(subrequest-auth): document required policy changes (#613) * docs(subrequest-auth): document required policy changes Signed-off-by: foosinn * chore: spelling Signed-off-by: Xe Iaso --------- Signed-off-by: foosinn Signed-off-by: Xe Iaso Co-authored-by: Xe Iaso --- .github/actions/spelling/expect.txt | 3 +++ docs/docs/admin/configuration/subrequest-auth.mdx | 14 ++++++++++++++ 2 files changed, 17 insertions(+) diff --git a/.github/actions/spelling/expect.txt b/.github/actions/spelling/expect.txt index c20a304..478e203 100644 --- a/.github/actions/spelling/expect.txt +++ b/.github/actions/spelling/expect.txt @@ -9,6 +9,7 @@ anubistest Applebot archlinux badregexes +bdba berr bingbot bitcoin @@ -27,6 +28,7 @@ caninetools Cardyb celchecker CELPHASE +cerr certresolver CGNAT cgr @@ -183,6 +185,7 @@ prebaked privkey promauto promhttp +proofofwork pwcmd pwuser qualys diff --git a/docs/docs/admin/configuration/subrequest-auth.mdx b/docs/docs/admin/configuration/subrequest-auth.mdx index 6664cac..3685d5a 100644 --- a/docs/docs/admin/configuration/subrequest-auth.mdx +++ b/docs/docs/admin/configuration/subrequest-auth.mdx @@ -10,6 +10,20 @@ Anubis can act in one of two modes: 1. Reverse proxy (the default): Anubis sits in the middle of all traffic and then will reverse proxy it to its destination. This is the moral equivalent of a middleware in your favorite web framework. 2. Subrequest authentication mode: Anubis listens for requests and if they don't pass muster then they are forwarded to Anubis for challenge processing. This is the equivalent of Anubis being a sidecar service. +:::note + +Subrequest authentication requires changing the default policy because nginx interprets the default `DENY` status code `200` as successful authentication and allows the request. + +```yaml +status_codes: + CHALLENGE: 200 + DENY: 403 +``` + +[See policy definitions](../policies.mdx). + +::: + ## Nginx Anubis can perform [subrequest authentication](https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-subrequest-authentication/) with the `auth_request` module in Nginx. In order to set this up, keep the following things in mind: