How to redirect only if/after a FAILED basic authentication?

I’m setting up an auth-before-proxy_pass config.

The following works now:

location / {
root /dev/null;
auth_basic "Restricted Remote";
auth_basic_user_file /data/etc/security/auth/passwd.basic;
proxy_pass https://mail-secure;
proxy_set_header Host $host:12345;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

Now, if a visitor:

(1) enters bad (or no) credentials
(2) clicks “Cancel” on the BASIC auth dialog box

the site displays a

“401 Authorization Required”

page.

Instead, I want to add a rewrite on failed authorization.

If I try:

location / {
root /dev/null;
auth_basic "Restricted Remote";
auth_basic_user_file /data/etc/security/auth/passwd.basic;

error_page 401 = @redirect;

proxy_pass https://mail-secure;
proxy_set_header Host $host:12345;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}

location @redirect {
rewrite ^(.*)$ http://someothersite.com permanent;
}

I get the redirect on EVERY visit – never even getting the chance to
enter credentials; i.e., the rewrite happens apparently BEFORE the auth
step.

I think this may be because:

@ http://en.wikipedia.org/wiki/List_of_HTTP_status_codes#4xx_Client_Error

401 Unauthorized: Similar to 403 Forbidden, but specifically for use when
authentication is required and has failed or **HAS NOT YET BEEN
PROVIDED**.[2] The response must include a WWW-Authenticate header field
containing a challenge applicable to the requested resource. See Basic
access authentication and Digest access authentication.

and that I may have to do the @redirect only if some header says “failed”.

How do I redirect ONLY if there’s been a failed AUTH?

On Sun, Sep 22, 2013 at 02:14:55PM -0700, [email protected] wrote:

Hi there,

> Now, if a visitor:
>
> (1) enters bad (or no) credentials
> (2) clicks “Cancel” on the BASIC auth dialog box
>
> the site displays a
>
> “401 Authorization Required”
>
> page.

For accuracy: at point (1), the server sends the 401 response. At point
(2), the browser chooses to display the 401 response that the server had
previously sent.

> Instead, I want to add a rewrite on failed authorization.

Doing that will break http on your server.

Probably not a good idea.

But if you really want to, you can probably configure nginx to do it
for you.

> error_page 401 = @redirect;

> I get the redirect on EVERY visit – never even getting the chance to
> enter credentials; i.e., the rewrite happens apparently BEFORE the auth
> step.

Not quite. Think about the different outputs from

curl -v http://your-site/

and

curl -v -u user:pass http://your-site/

and why they happen.

> and that I may have to do the @redirect only if some header says “failed”.

> How do I redirect ONLY if there’s been a failed AUTH?

You get to define what you mean by “failed AUTH”, since you don’t want
the “no valid credentials were provided” that nginx (and http) uses.

Experiment with something like:

===
# Reached only when the request carried no Authorization header at all:
# auth_basic here sends the normal 401 + WWW-Authenticate challenge, so the
# browser still gets the chance to prompt for credentials.
location @needauth {
auth_basic "Restricted Remote";
auth_basic_user_file htpasswd;
}
location / {
# No credentials supplied yet: hand off to @needauth via a private
# status code (490 is just an unused number used as an internal hop).
if ($http_authorization = "") {
error_page 490 = @needauth;
return 490;
}
# Credentials were supplied; if they do not check out, the 401 that
# auth_basic produces is turned into the redirect instead.
auth_basic "Restricted Remote";
auth_basic_user_file htpasswd;
error_page 401 = @redirect;
# and the rest here
}
===

to see if it is close to what you want.

But be aware that when you choose to break http on your server, you get
to deal with any complaints from clients.

Good luck with it,

f

Francis D. [email protected]
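Added example (not from the thread and not nginx's or Francis's code): a small Python HTTP server that makes the same three-way decision the configuration above expresses, in a form you can run locally and probe with the two curl commands from the reply. `classify()` separates "no Authorization header at all" (answer with a 401 challenge so the browser still prompts), "credentials supplied but malformed or wrong" (redirect, the behaviour the original poster asked for) and "credentials valid" (serve, or in the real setup proxy, the content). The user store, the redirect target and the listening port are constructed assumptions; a real deployment would check against hashed passwords such as an htpasswd file rather than plaintext.

```python
import base64
import hmac
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample credential store (assumption for this example only).
USERS = {"alice": "correct horse battery staple"}
# Hypothetical redirect target, taken from the thread's example.
REDIRECT_URL = "http://someothersite.com/"
REALM = "Restricted Remote"


def classify(authorization_header):
    """Decide what to do with a request, mirroring the nginx split.

    Returns 'challenge' when no credentials were sent at all (send 401 with
    a WWW-Authenticate header so the client can prompt), 'redirect' when
    credentials were sent but are malformed or wrong, and 'pass' when they
    match a known user.
    """
    if not authorization_header:
        return "challenge"
    scheme, _, payload = authorization_header.partition(" ")
    if scheme.lower() != "basic":
        return "redirect"
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        # binascii.Error is a ValueError: junk after "Basic" counts as failed auth.
        return "redirect"
    user, sep, password = decoded.partition(":")
    if not sep:
        return "redirect"
    expected = USERS.get(user)
    # Constant-time comparison; unknown users compare against an empty string
    # so the timing does not reveal whether the user name exists.
    matches = hmac.compare_digest(password.encode("utf-8"), (expected or "").encode("utf-8"))
    return "pass" if matches and expected is not None else "redirect"


class AuthHandler(BaseHTTPRequestHandler):
    def do_GET(self):
        verdict = classify(self.headers.get("Authorization"))
        if verdict == "challenge":
            # What nginx's @needauth location produces: a normal 401 challenge.
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="%s"' % REALM)
            self.end_headers()
        elif verdict == "redirect":
            # What "error_page 401 = @redirect" turns a failed check into.
            self.send_response(302)
            self.send_header("Location", REDIRECT_URL)
            self.end_headers()
        else:
            # Stand-in for proxy_pass to the upstream.
            self.send_response(200)
            self.send_header("Content-Type", "text/plain")
            self.end_headers()
            self.wfile.write(b"upstream content would be proxied here\n")

    def log_message(self, fmt, *args):
        # Keep the demo quiet; real servers should log auth outcomes.
        pass


if __name__ == "__main__":
    HTTPServer(("127.0.0.1", 8080), AuthHandler).serve_forever()
```

With the server running, `curl -v http://127.0.0.1:8080/` returns a 401 with a `WWW-Authenticate` header, `curl -v -u alice:'correct horse battery staple' http://127.0.0.1:8080/` returns 200, and any other user or password returns a 302 to the redirect target. The caveat in the reply applies unchanged: once a wrong password yields a 302 instead of a 401, browsers no longer offer a retry prompt and non-browser clients that expect to re-authenticate will simply follow the redirect.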