auth_request, HTTP 401 and missing header WWW-Authenticate

Pavel Kolla pavelkolla at
Tue Feb 1 18:09:07 MSK 2011


I've got an issue more challenging than I can come up with an answer for -

I am trying to use nginx to power authentication & validation of some
client-server business web application. Using ngx_postgres for DB connectivity
it seems possible and I have the following config functional on a logic level: http://

The issue I am puzzled with is most likely relevant to auth_request and
presents itself as a missing "WWW-Authenticate" header in the 401 response
returned to the client in order to initiate the authentication challenge. Not
only does auth_request not send this header to the client side, it is also not
possible to use the add_header directive to manually insert it (also,
auth_request ignores if statements in the same context block next to it, so it
does not seem feasible to trap only the situation when the client failed to
pass credentials with the "Authenticate:" header, even if add_header were possible).

This is another illustration of the same issue:

 $ curl -I  http://pkolla:88/t1/
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 01 Feb 2011 14:15:31 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
WWW-Authenticate: pkolla

 $ curl -I  http://pkolla:88/t2/
HTTP/1.1 401 Unauthorized
Server: nginx/0.8.54
Date: Tue, 01 Feb 2011 14:15:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 195
Connection: keep-alive
Keep-Alive: timeout=20

Where the config looks like:

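# answers 200; WWW-Authenticate is present in the first response above
location /t1/ {
 set   $app test1;
 add_header   "WWW-Authenticate" $host;
 echo "test1";
}

# answers 401; WWW-Authenticate is absent from the second response above
location /t2/ {
 set   $app test2;
 add_header   "WWW-Authenticate" $host;
 return   401;
 echo   "test2";
}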

I can see from the source code for auth_request that it should produce
"WWW-Authenticate" headers, however it never does for me... would really
appreciate any suggestions helping me to resolve this.
Thanks in advance.
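
An added example, not part of the original post: the two behaviours described above, as an nginx configuration. The add_header directive applies only to a fixed set of success and redirect status codes unless the always parameter (nginx 1.7.5 and later, so not the 0.8.54 shown above) is given, and auth_request relays WWW-Authenticate to the client only when the 401 response of the authentication subrequest itself carries it. The location names, backend addresses and realm are assumptions.

```nginx
# Added example; /private/, /_auth, the 127.0.0.1 backends and the realm
# string are assumed names, not taken from the original post.
server {
    listen 88;

    # Static 401: without "always", add_header is skipped for a 401 response.
    # "always" requires nginx 1.7.5 or later.
    location /t2/ {
        add_header WWW-Authenticate 'Basic realm="app"' always;
        return 401;
    }

    # Protected area: access is decided by the /_auth subrequest.
    #   2xx        -> request is allowed
    #   401 / 403  -> request is denied with that code; for 401 the
    #                 WWW-Authenticate header of the subrequest response
    #                 is passed on to the client
    location /private/ {
        auth_request /_auth;
        proxy_pass http://127.0.0.1:8080;
    }

    # Authentication endpoint (assumed backend). It must answer 401 together
    # with its own WWW-Authenticate challenge when credentials are missing
    # or wrong; nginx does not generate the challenge itself.
    location = /_auth {
        internal;
        proxy_pass http://127.0.0.1:9000/check;
        proxy_pass_request_body off;          # the subrequest carries no body
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;
    }
}
```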
