Status 401 Behaviour Issue

Francis Daly francis at daoine.org
Sun Mar 20 05:07:45 MSK 2011


On Sat, Mar 19, 2011 at 03:03:11PM -0400, Dayo wrote:

Hi there,

> I noticed a certain behaviour of the 401 status code response I will like to change.

> With Nginx however, if I define an html page error_page for 401, this gets served every time a user requests the protected directory and there is no opportunity to fill in the authentication details.

That sounds odd to me.

What *should* happen is the web server returns http 401 with some body
content; the web browser chooses whether to display that body content,
or to request authentication credentials, as it sees fit.

What is your error_page config?

Quick testing here shows that

  error_page 401 /401.html;

returns the right content with the right status, as I would expect.

  error_page 401 = /401.html;

returns the right content, but with a http 200 status, which sounds like
it matches what you are seeing.

As per http://wiki.nginx.org/HttpCoreModule#error_page, adding the
"=" means "handle this (sub)request, and change the return status to
whatever it generates instead of what we started with". For 401, you
probably don't want that.

> Is it possible to set it up such that it behaves like Apache does? I.E. only return the html error_page if the authentication fails? This seems like a better implementation to me.

Leave out the "="?

> Running 0.8.54

I tested with 0.9.4, but I don't see any obvious code fixes that would
have changed this.

All the best,

	f
-- 
Francis Daly        francis at daoine.org



More information about the nginx mailing list