[PATCH] Allow http_auth_request_module to forward 302 responses

Maxim Khitrov max at mxcrypt.com
Sat Feb 18 14:19:18 UTC 2012

Hello Maxim,

The attached patch allows your http_auth_request_module to forward a
302 response and the associated "Location" header to the client. The
goal is to allow the authentication back end to redirect the client to
a login page instead of using WWW-Authenticate header.

I'm currently attempting to use your module to authenticate users
against an Active Directory server. I have a PHP script that can
perform the necessary security checks and cache user credentials for
better performance. The problem is that if I rely on HTTP Basic
authentication, I lose control over the client's session (timeout,
logout, etc.). I know that it is possible to force some browsers to
"forget" the credentials in order to log out, but it's a hack that I'd
rather avoid.

The best solution is to use cookies, but for this I need to be able to
redirect the user to the login page when authentication fails. The
current behavior of the auth_request module is to return an Internal
Server Error for any response code other than 401, 403, or 200.

To make this patch, I simply copied your handling of the
www_authenticate header. If there is a more elegant solution or some
additional logic required, please feel free to change the code as

- Max
-------------- next part --------------
A non-text attachment was scrubbed...
Name: ngx_http_auth_request_module-location.patch
Type: application/octet-stream
Size: 890 bytes
Desc: not available
URL: <http://mailman.nginx.org/pipermail/nginx-devel/attachments/20120218/6e0c3c43/attachment.obj>

More information about the nginx-devel mailing list