satisfy
The 'satisfy' directive controls how access to resources is granted based on multiple access control methods.
Description
The 'satisfy' directive allows you to combine different access control mechanisms to determine whether a request should be granted or denied. It takes a single argument that can be either 'all', 'any', or 'none', which dictate how the access rules are evaluated. If set to 'all', all access rules must be satisfied for access to be granted. When set to 'any', only one of the access rules needs to be satisfied, enabling more lenient access policies. Conversely, the 'none' option effectively disables any predefined access control, allowing unrestricted access where no other rules apply.
This directive is particularly useful in complex authorization scenarios where multiple conditions must be satisfied, such as integrating both IP-based restrictions through 'allow' and 'deny' directives and additional methods like authentication. Care should be taken to define clear and well-structured rules, as misconfigured directives can lead to unintended access issues. It's important to note that if no applicable rules are defined, the default access granted to a resource applies, which can vary based on server configurations.
Config Example
location /secure {
allow 192.168.1.0/24;
deny all;
satisfy any;
auth_basic "Restricted Area";
auth_basic_user_file /etc/nginx/.htpasswd;
}Ensure that the logical AND/OR conditions defined by 'all' and 'any' do not contradict each other for clarity and security.
Using 'satisfy none' without further directive specifications may lead to unintended public access to sensitive locations.