allow/deny and auth_basic_user_file should be in the location

[gdlx]

Affected Puppet, Ruby, OS and module versions/distributions

• Puppet: 4.10
• Ruby: 2.1.9
• Distribution: CentOS 7
• Module version: 0.9.0

How to reproduce (e.g Puppet code you use)

  nginx::resource::server { "my.domain.com":
    listen_port          => 80,
    www_root             =>"/var/www/html",
    location_satisfy     => any,
    location_allow       => ["1.2.3.4"],
    location_deny        => ['all'],
    auth_basic_user_file => "/var/www/.htpasswd",
  }

What are you seeing

auth_basic_user_file is in the server root, while IP rules are in the location:

server {
  listen *:80;

  server_name           my.domain.com;
  auth_basic_user_file /var/www/.htpasswd;

  index  index.html index.htm index.php;

  access_log            /var/log/nginx/my.domain.com.access.log combined;
  error_log             /var/log/nginx/my.domain.com.error.log;

  location / {
    satisfy any;
    allow 1.2.3.4;
    deny all;
    root      /var/www/html;

    autoindex on;
    index     index.html index.htm index.php;
  }
}

Basic auth is required even when coming from the allowed IP address.

What behaviour did you expect instead

auth_basic_user_file should be in the location or allow/deny/satisfy in the root, but I didn't find a way to put them in the same section, as expected for satisfy any to work.

Did I miss something ?

Output log

N/A

Any additional information you'd like to impart

Example here shows they both should be in the location: https://www.nginx.com/resources/admin-guide/restricting-access-auth-basic/#combine

[gdlx]

I've found the way:

    location_cfg_append  => {
      auth_basic_user_file => /var/www/.htpasswd,
    },