auth_basic within location block doesn't work when return is specified?

Igor A. Ippolitov iippolitov at
Mon Nov 7 08:37:49 UTC 2016

This behavior is cause by general request processing logic. You may look 
at ngx_http_core_module.h which defines request processing phases.
You may notice that a rewrite phase ('return' acts as a rewrite, 
actually) is run before access phase. So you have your request returned 
before access rules are checked.
At the same time, try_files phase as after the access phase. So you may 
try using:

location /auth {

     auth_basic_user_file /etc/nginx/.htpasswd;

     auth_basic "Secret";

     # try_files will be used only for a valid authenticated user

     try_files @redir =403; #403 will never be returned from here.


location @redir {

     return 200 'hello';


This looks a little bit hacky, but is pretty reasonable e.g. if you want 
to return 404.

Just curious, why won't you auth protect your final destination?

On 06.11.2016 18:09, Scott McGillivray wrote:
> i thought this would work but for some reason it doesn't.
> |location /auth { auth_basic_user_file /etc/nginx/.htpasswd; auth_basic 
> "Secret"; return 200 'hello'; } |
> When i specify the return, 200 or 301, it just skips the auth_basic 
> and processes the return statement.
> If i comment out the return statement it works OK. Ideally i want just 
> an |/auth| endpoint that once authenticated it will 301 redirect to 
> $host, e.g. return 301 http://$host <http://$host>
> Can someone explain why this behaves this way and what is the correct 
> configuration.
> many thanks
> _______________________________________________
> nginx mailing list
> nginx at

-------------- next part --------------
An HTML attachment was scrubbed...
URL: <>

More information about the nginx mailing list