auth_request, HTTP 401 and missing header WWW-Authenticate
Pavel Kolla
pavelkolla at gmail.com
Tue Feb 1 18:09:07 MSK 2011
Hello
I've got an issue more challenging than I can come up with an answer for -
I am trying to use nginx to power authentication & validation of some
client-server business web application. Using ngx_postgres for DB connectivity
it seems possible and I have the following config functional on a logic level:
http://dpaste.com/hold/374783/
The issue I am puzzled with is most likely relevant to auth_request and
presents itself as a missing "WWW-Authenticate" header in the 401 response
returned to the client in order to initiate an authentication challenge. Not
only does auth_request not send this header to the client side, it is also not
possible to use the add_header directive to manually insert it (also,
auth_request is ignoring if statements in the same context block next to it, so
it does not seem feasible to trap only the situation when the client failed to
pass credentials with the "Authenticate:" header even if add_header would be
possible).
This is another illustration of the same issue:

$ curl -I http://pkolla:88/t1/
HTTP/1.1 200 OK
Server: nginx/0.8.54
Date: Tue, 01 Feb 2011 14:15:31 GMT
Content-Type: application/octet-stream
Transfer-Encoding: chunked
Connection: keep-alive
Keep-Alive: timeout=20
WWW-Authenticate: pkolla

$ curl -I http://pkolla:88/t2/
HTTP/1.1 401 Unauthorized
Server: nginx/0.8.54
Date: Tue, 01 Feb 2011 14:15:34 GMT
Content-Type: text/html; charset=utf-8
Content-Length: 195
Connection: keep-alive
Keep-Alive: timeout=20
Where the config looks like:

location /t1/
{
    set $app test1;
    add_header "WWW-Authenticate" $host;
    echo "test1";
}
location /t2/
{
    set $app test2;
    add_header "WWW-Authenticate" $host;
    return 401;
    echo "test2";
}
I can see from the source code for auth_request that it should produce
"WWW-Authenticate" headers, however it never does for me... Would really
appreciate any suggestions helping me to resolve this.
Thanks in advance.
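
A check for the symptom shown in the two curl transcripts above, as an added example that is not part of the original post: it parses `curl -I` output and reports every 401 response that carries no WWW-Authenticate challenge, which RFC 7235 requires a server to send with a 401. The sample transcript is constructed from the post's output, and the function names are hypothetical.

```python
import re

# Constructed sample modelled on the two `curl -I` transcripts in the post.
SAMPLE = """\
$ curl -I http://pkolla:88/t1/
HTTP/1.1 200 OK
Server: nginx/0.8.54
WWW-Authenticate: pkolla
$ curl -I http://pkolla:88/t2/
HTTP/1.1 401 Unauthorized
Server: nginx/0.8.54
Content-Type: text/html; charset=utf-8
"""

STATUS_RE = re.compile(r"^HTTP/\d(?:\.\d)?\s+(\d{3})\b")
# RFC 7235: a challenge starts with an auth-scheme, which is an HTTP token.
SCHEME_RE = re.compile(r"^[!#$%&'*+\-.^_`|~0-9A-Za-z]+(?:\s|$)")


def parse_responses(text):
    """Split a transcript into (status, {lowercased header: [values]}) tuples."""
    responses, current = [], None
    for line in text.splitlines():
        line = line.rstrip("\r")
        m = STATUS_RE.match(line)
        if m:
            current = (int(m.group(1)), {})
            responses.append(current)
        elif current and ":" in line and not line.startswith("$"):
            name, _, value = line.partition(":")
            current[1].setdefault(name.strip().lower(), []).append(value.strip())
        elif not line.strip():
            current = None  # a blank line ends the header block
    return responses


def missing_challenge(text):
    """Return indexes of 401 responses that carry no usable WWW-Authenticate."""
    findings = []
    for i, (status, headers) in enumerate(parse_responses(text)):
        challenges = [v for v in headers.get("www-authenticate", [])
                      if SCHEME_RE.match(v)]
        if status == 401 and not challenges:
            findings.append(i)
    return findings


if __name__ == "__main__":
    for idx in missing_challenge(SAMPLE):
        print(f"response #{idx}: 401 without a WWW-Authenticate challenge")
```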