Conditionally removing a proxy header

eckern nginx-forum at
Thu May 21 20:38:18 UTC 2020

Thanks so much Francis, yes that seems to be have worked.  When the
application is accessed outside our domain, it doesn't try to negotiate
which would pop up the Windows authentication prompt and would never work
anyways, but if the user is inside our domain either by being physically
inside the building or through a VPN, the negotiate header is there to allow
for automatic sign-in using their Windows credentials.

As you suggested I used a map:

map $external_traffic $negotiate {
    1	'';
    0	$upstream_http_www_authenticate;

Then inside the location block I removed and conditionally added the
WWW-Authenticate header:

proxy_hide_header WWW-Authenticate; # Remove negotiate header
add_header WWW-Authenticate $negotiate always; #Add negotiate header for
internal addresses

Thanks again!

Posted at Nginx Forum:,288015,288091#msg-288091

More information about the nginx mailing list