Status 401 Behaviour Issue

dubstep · March 19, 2011, 8:04pm

Hi all.

I noticed a certain behaviour of the 401 status code response I will
like to change.

Firstly, in Apache, there is an html page for 401 that is defined in the
error_page equivalent. When the request for a protected directory comes
in, the user gets the form for the authentication and only if the
authentication fails is that html page served.

With Nginx however, if I define an html page error_page for 401, this
gets served every time a user requests the protected directory and there
is no opportunity to fill in the authentication details.

Is it possible to set it up such that it behaves like Apache does? I.E.
only return the html error_page if the authentication fails? This seems
like a better implementation to me.

Running 0.8.54

Thanks

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,184007,184007#msg-184007

Dayo · March 19, 2011, 8:32pm

Do u mean a 403?

On 3/19/11, Dayo [email protected] wrote:

With Nginx however, if I define an html page error_page for 401, this gets

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,184007,184007#msg-184007

nginx mailing list
[email protected]
http://nginx.org/mailman/listinfo/nginx

–
Sent from my mobile device

Payam Tarverdyan Chychi
Network Security Specialist / Network Engineer

Dayo · March 19, 2011, 8:58pm

Do u mean a 403?
No, 401 as written.

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,184007,184015#msg-184015

Dayo · March 20, 2011, 3:09am

On Sat, Mar 19, 2011 at 03:03:11PM -0400, Dayo wrote:

Hi there,

I noticed a certain behaviour of the 401 status code response I will like to
change.

With Nginx however, if I define an html page error_page for 401, this gets
served every time a user requests the protected directory and there is no
opportunity to fill in the authentication details.

That sounds odd to me.

What should happen is the web server returns http 401 with some body
content; the web browser chooses whether to display that body content,
or to request authentication credentials, as it sees fit.

What is your error_page config?

Quick testing here shows that

error_page 401 /401.html;

returns the right content with the right status, as I would expect.

error_page 401 = /401.html;

returns the right content, but with a http 200 status, which sounds like
it matches what you are seeing.

As per http://wiki.nginx.org/HttpCoreModule#error_page, adding the
“=” means “handle this (sub)request, and change the return status to
whatever it generates instead of what we started with”. For 401, you
probably don’t want that.

Is it possible to set it up such that it behaves like Apache does? I.E. only
return the html error_page if the authentication fails? This seems like a better
implementation to me.

Leave out the “=”?

Running 0.8.54

I tested with 0.9.4, but I don’t see any obvious code fixes that would
have changed this.

All the best,

f

Francis D. [email protected]

Dayo · March 20, 2011, 5:22am

status, which sounds like

code fixes that would
have changed this.

Hi. Thanks for that.

Yep, the second config was what was causing it for me. It didn’t
“matter” with the other codes as there is no further processing to be
done and users saw the right pages for the circumstances. Does also
explain why my caching config for error pages did no quite work
properly.

In summary, after rereading the docs properly

“error_page code url” means return “code” and show “url”
“error_page code =anycode url” means return “anycode” and show “url”
“error_page code = url” means redirect to this url whenever “code” is
encountered. A “200 OK” response is returned if “url” is found.

Thanks again for helping me get to understand this better

Posted at Nginx Forum:
http://forum.nginx.org/read.php?2,184007,184098#msg-184098