How to redirect only if/after a FAILED basic authentication?
jen142 at promessage.com
Sun Sep 22 21:14:55 UTC 2013
I'm setting up an auth-before-proxy_pass config.
The following works now:
    location / {
        root /dev/null;
        auth_basic "Restricted Remote";
        auth_basic_user_file /data/etc/security/auth/passwd.basic;
        proxy_pass https://mail-secure;
        proxy_set_header Host $host:12345;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
Now, if a visitor:
(1) enters bad (or no) credentials
(2) clicks "Cancel" on the BASIC auth dialog box
the site displays a
"401 Authorization Required"
page.
Instead, I want to add a rewrite on failed authorization.
If I try:
location / {
root /dev/null;
auth_basic "Restricted Remote";
auth_basic_user_file
/data/etc/security/auth/passwd.basic;
+ error_page 401 = @redirect;
proxy_pass https://mail-secure;
proxy_set_header Host $host:12345;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For
$proxy_add_x_forwarded_for;
}
+ location @redirect {
+ rewrite ^(.*)$ http://someothersite.com permanent;
+ }
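Review bot: `error_page 401 = @redirect;` in `location /` also catches the first request, which carries no credentials and which nginx answers with 401 as the challenge; the `=` then replaces that status with the 301 from `@redirect`, so the browser never receives a 401 with `WWW-Authenticate` and never prompts. Key the redirect on whether the request actually carried an `Authorization` header (for example by testing `$http_authorization`) and let the credential-less request keep its 401. Also, `permanent` in the `rewrite` sends a 301, which browsers may cache, so a redirected client can stop retrying `/`; a temporary redirect is the safer choice here.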
I get the redirect on EVERY visit -- never even getting the chance to
enter credentials; i.e., the rewrite happens apparently BEFORE the auth
step.
I think this may be because:
@ http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error
401 Unauthorized
Similar to 403 Forbidden, but
specifically for use when authentication is required and
has failed or **HAS NOT YET BEEN PROVIDED**.[2] The
response must include a WWW-Authenticate header field
containing a challenge applicable to the requested
resource. See Basic access authentication and Digest
access authentication.
and that I may have to do the @redirect only if some header says "failed".
How do I redirect ONLY if there's been a failed AUTH?
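The distinction the post arrives at (401 for credentials not yet provided versus credentials that failed), as an added example that is not part of the original post and is not nginx configuration: a Python sketch of the decision a server has to make from the Authorization request header alone. The function names, the user table and the 302 status are assumptions made for illustration; the realm and redirect target are reused from the post.

```python
import base64
import binascii
import hmac

# Constructed sample credential table (assumption; stands in for the passwd file).
USERS = {"alice": "correct horse"}
REALM = "Restricted Remote"
REDIRECT_TO = "http://someothersite.com"


def parse_basic(header):
    """Return (user, password) from an Authorization header, or None if malformed."""
    scheme, _, token = header.partition(" ")
    if scheme.lower() != "basic" or not token.strip():
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def credentials_ok(user, password, users=USERS):
    expected = users.get(user)
    # Compare even for unknown users so timing does not reveal which names exist.
    candidate = expected if expected is not None else ""
    match = hmac.compare_digest(password.encode(), candidate.encode())
    return match and expected is not None


def decide(authorization, users=USERS):
    """Map the Authorization header (None if absent) to (status, headers)."""
    if not authorization:
        # Nothing supplied yet: the browser needs the 401 challenge to prompt.
        return 401, {"WWW-Authenticate": 'Basic realm="%s"' % REALM}
    creds = parse_basic(authorization)
    if creds is None or not credentials_ok(*creds, users=users):
        # Credentials were sent and rejected: this is the "failed" case.
        return 302, {"Location": REDIRECT_TO}
    return 200, {}


def basic(user, password):
    """Build a Basic Authorization header value for the sample calls."""
    return "Basic " + base64.b64encode(("%s:%s" % (user, password)).encode()).decode()
```

Clicking "Cancel" sends no further request: the browser renders the body of the 401 it already received, so that case can only be shaped through the 401 response body, not through a server-side redirect.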