I'm setting up an auth-before-proxy_pass config.

The following works now:

location / {
root /dev/null;
auth_basic "Restricted Remote";
auth_basic_user_file
/data/etc/security/auth/passwd.basic;
proxy_pass https://mail-secure;
proxy_set_header Host $host:12345;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}

Now, if a visitor:

(1) enters bad (or no) crendentials
(2) clicks "Cancel" on the BASIC auth dialog box

the site displays a

"401 Authorization Required"

page.

Instead, I want to add a rewrite on failed authorization.

If I try:

location / {
root /dev/null;
auth_basic "Restricted Remote";
auth_basic_user_file
/data/etc/security/auth/passwd.basic;
+ error_page 401 = @redirect;
proxy_pass https://mail-secure;
proxy_set_header Host $host:12345;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}

+ location @redirect {
+ rewrite ^(.*)$ http://someothersite.com permanent;
+ }

I get the redirect on EVERY visit -- never even getting the chance to
enter credentials; i.e., the rewrite happens apparently BEFORE the auth
step.

I think this may be because:

@
http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error

401 UnauthorizedSimilar to 403 Forbidden, but
specifically for use when authentication is required and
has failed or **HAS NOT YET BEEN PROVIDED**.[2] The
response must include a WWW-Authenticate header field
containing a challenge applicable to the requested
resource. See Basic access authentication and Digest
access authentication.

and that I may have do the @redirect only if some header says "failed".

How do I redirect ONLY if there's been a failed AUTH?

_______________________________________________
nginx mailing list
nginx@nginx.org
http://mailman.nginx.org/mailman/listinfo/nginx