auth_request, HTTP 401 and missing header WWW-Authenticate

Maxim Dounin mdounin at
Wed Feb 2 10:45:03 MSK 2011


On Tue, Feb 01, 2011 at 03:09:07PM +0000, Pavel Kolla wrote:


> I can see from source code for auth_request that it should produce "WWW-
> Authenticate" headers, however it never does for me... would really appreciate 
> any suggestions helping me to resolve this.
> Thanks in advance.

Auth request module shouldn't produce WWW-Authenticate header by 
itself.  Instead, you should return WWW-Authenticate header with 401 reply 
from your auth backend, auth_request will pass it to client.

This is explicitly documented, see here:

(and this is the only way how it may work, as auth request 
module doesn't know anything about authentication mechanism 

It may not be trivial to add such header within nginx itself 
though, as add_header a) doesn't work on subrequests and b) 
doesn't work on 401 replies.

Maxim Dounin

More information about the nginx mailing list