Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#1980 closed defect (worksforme)

custom 401 error_page with auth_basic never shows the custom 401 page

Reported by: mmattel@… Owned by:
Priority: minor Milestone:
Component: documentation Version: 1.17.x
Keywords: Cc: mmattel@…
uname -a: Linux mm-eddie 4.15.0-99-generic #100-Ubuntu SMP Wed Apr 22 20:32:56 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.17.10
built by gcc 7.4.0 (Ubuntu 7.4.0-1ubuntu1~18.04.1)
built with OpenSSL 1.1.1 11 Sep 2018 (running with OpenSSL 1.1.1g 21 Apr 2020)
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --sbin-path=/usr/sbin/nginx --modules-path=/usr/lib/nginx/modules --conf-path=/etc/nginx/nginx.conf --error-log-path=/var/log/nginx/error.log --http-log-path=/var/log/nginx/access.log --pid-path=/var/run/nginx.pid --lock-path=/var/run/nginx.lock --http-client-body-temp-path=/var/cache/nginx/client_temp --http-proxy-temp-path=/var/cache/nginx/proxy_temp --http-fastcgi-temp-path=/var/cache/nginx/fastcgi_temp --http-uwsgi-temp-path=/var/cache/nginx/uwsgi_temp --http-scgi-temp-path=/var/cache/nginx/scgi_temp --user=nginx --group=nginx --with-compat --with-file-aio --with-threads --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_flv_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_random_index_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-cc-opt='-g -O2 -fdebug-prefix-map=/data/builder/debuild/nginx-1.17.10/debian/debuild-base/nginx-1.17.10=. -fstack-protector-strong -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fPIC' --with-ld-opt='-Wl,-Bsymbolic-functions -Wl,-z,relro -Wl,-z,now -Wl,--as-needed -pie'

Description

When using auth_basic (works great) and defining a custom 401 error page, the custom error page is never shown, only the default nginx version.
auth_basic and error_page are in the serverblock, no other 401 error pages defined somewhere else. Imho when pressing cancel on authentication, the custom 401 page should be shown, not the default one. The location =/401.html has auth_basic_off; as directive included.

Everything fine with nginx -t

Seached the internet without success.

Change History (4)

comment:1 by mmattel@…, 3 months ago

Not a documentation ticket -> core

comment:2 by Maxim Dounin, 3 months ago

Resolution: worksforme
Status: newclosed

Works fine here. Example configuration:

server {
    listen 8080;

    error_page 401 /401.html;

    location / {
        auth_basic "closed site";
        auth_basic_user_file htpasswd;
    }

    location = /401.html {
        return 200 "custom 401 page\n";
    }
}

Test request:

$ curl -v http://127.0.0.1:8080/
*   Trying 127.0.0.1:8080...
* TCP_NODELAY set
* Connected to 127.0.0.1 (127.0.0.1) port 8080 (#0)
> GET / HTTP/1.1
> Host: 127.0.0.1:8080
> User-Agent: curl/7.67.0
> Accept: */*
> 
* Mark bundle as not supporting multiuse
< HTTP/1.1 401 Unauthorized
< Server: nginx/1.19.0
< Date: Sun, 17 May 2020 16:09:10 GMT
< Content-Type: text/html
< Content-Length: 16
< Connection: keep-alive
< WWW-Authenticate: Basic realm="closed site"
< 
custom 401 page
* Connection #0 to host 127.0.0.1 left intact

Most likely the problem is in your configuration. Note that "no other 401 error pages defined somewhere else" is not enough to ensure that the error_page defined at the server level will be used when processing a particular request. Much like all other directives, error_page directives defined the server level will be only inherited to a location if no error_page directives are defined in the location, see docs.

comment:3 by mmattel@…, 3 months ago

Your example works. I do not know what went wrong on my side that this failed.

One thing pop´s up. When changing:

error_page 401 /401.html;

to

error_page 401 =307 https://www.example.com;

You do not get the auth shown, but immediately get redirected to https://www.example.com.
Is there something I miss?

Background, having a dev and live site based on subdomains. When login to dev gets cancelled, you should get redirected to live.

in reply to:  3 comment:4 by Maxim Dounin, 3 months ago

Replying to mmattel@…:

One thing pop´s up. When changing:

error_page 401 /401.html;

to

error_page 401 =307 https://www.example.com;

You do not get the auth shown, but immediately get redirected to https://www.example.com.
Is there something I miss?

It is expected that you are redirected if you change 401 to 307. It's 401 which triggers the auth dialog in browsers. Please refer to https://en.wikipedia.org/wiki/Basic_access_authentication for information about HTTP authentication.

Background, having a dev and live site based on subdomains. When login to dev gets cancelled, you should get redirected to live.

Probably this is something which you can get by constructing a special 401 page with HTML-level redirects, such as <meta http-equiv="Refresh" content="0; URL=..." /> or a javascript code. Alternatively, you can simply put appropriate link on the 401 page instead.

Note: See TracTickets for help on using tickets.