Fix IP access list control regression

IP access list control was implemented as default success for an
empty access control list - but this had the effect of an empty list
default allowing if "Satisfy Any" was set.

Fortunately this was bugged, so empty lists default failed - but this
broke empty lists for "Satisfy All".

This patch is the correct fix: lists now always default fail, but an
empty list removes the check from access control considerations.

This restores the original implementations behavior and fixes the bug.

Author: wrouesnel

backend/templates/_access.conf

@@ -2,17 +2,24 @@
     set $auth_basic "Authorization required";
     {% if access_list.satisfy_any == 1 %}
     # Satisfy Any - any check can succeed - so look for success
+        {% if access_list.clients.size != 0 %}
     if ( $access_list_{{ access_list_id }} = 1) {
-    set $auth_basic off;
+        set $auth_basic off;
     }
+        {% endif %}
     if ( $ssl_client_verify = "SUCCESS" ) {
-    set $auth_basic off;
+        set $auth_basic off;
     }
     {% else %}
     # Satisfy All - all checks must succeed (so handle fails)
+        {% if access_list.clients.size != 0 %}
+    # {{ access_list.clients.size }} IP rules
     if ( $access_list_{{ access_list_id }} = 0) {
         return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
     }
+        {% else %}
+    # Empty IP rules list so no client IP check
+        {% endif %}
     if ( $ssl_client_verify != "SUCCESS" ) {
         return {% if drop_unauthorized == 1 %}444{% else %}403{% endif %};
     }

backend/templates/access.conf

@@ -1,10 +1,6 @@
 # Access List Clients for {{ access_list.id }} - {{ access_list.name }}
 geo $realip_remote_addr $access_list_{{ access_list.id }} {
-{% if access_list.client.size == 0 %}
-    default 1;
-{% else %}
     default 0;
-{% endif %}
 {% for client in access_list.clients %}
 {% if client.directive == "allow" %}
     {{client.address}} 1;