#2023 closed defect (invalid)
401 when not authenticated yet
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | minor | Milestone: | |
Component: | documentation | Version: | 1.18.x |
Keywords: | 401 | Cc: | |
uname -a: | Linux zbox 5.7.9-1-MANJARO #1 SMP PREEMPT Thu Jul 16 08:20:05 UTC 2020 x86_64 GNU/Linux | ||
nginx -V: |
nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads |
Description (last modified by )
Hi,
Firstly, thank you very much for nginx.
I find a strange behavior while using HTTP authentication:
I log 401 attempts with these settings:

```
..
error_page 400 404 401 /error.html;
..
location = /error.html {
    internal;
    # log requests that end up on the error page to a separate file
    access_log /var/log/nginx/4xxerror.log;
}
..
```

All works fine, but I still have a 401 error when I first request a page, so it's while I get the prompt (I haven't clicked OK or Cancel yet).
Of course I am not authenticated at this stage, but I don't think it's normal; it should only return a 401 if there is a wrong user/passwd or the cancel button was pressed.
Could you avoid this 401 when no login has been entered yet?
Cheers
Change History (7)
comment:1 by , 4 years ago
Description: | modified (diff) |
---|
comment:2 by , 4 years ago
Resolution: | → invalid |
---|---|
Status: | new → closed |
comment:3 by , 4 years ago
I am not led to error.html yet at the prompt and I still have a 401 logged into 4xxerror.log
comment:4 by , 4 years ago
I found a trick:

```
location = /error401.html {
    internal;
    # log only when the request carried a user name ($remote_user is non-empty)
    if ($remote_user) {
        access_log /var/log/nginx/401error.log;
    }
}
```

Thanks
comment:5 by , 4 years ago
It is not clear what you are trying to do with your "trick", but you may want to read the linked Wikipedia article instead. In particular, the Protocol part. It is completely normal that nginx responds with 401 to unauthenticated requests, this is how the server asks the user agent to authenticate itself.
comment:6 by , 4 years ago
Maybe I am not clear enough, I try again: nginx issues a 401 even when no user:password has been entered yet => it logs a 401 while still at the prompt.
I use the log file to ban attack attempts via fail2ban.
So far, using if ($remote_user) allows logging only when a value is entered.
Thanks
comment:7 by , 4 years ago
I read section-3.1: "The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource."
While still at the prompt the credentials are missing, not "lacking a valid one"; maybe I am wrong, but I don't think it is normal nginx behavior.
This is how HTTP Authentication works: for unauthenticated requests the web server returns a 401 response with the WWW-Authenticate header to request authentication.
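
The distinction discussed in this ticket, as an added example (not code from the ticket or from nginx): a Python filter over access-log lines in nginx's default `combined` format that treats a 401 with no user name (logged as `-`) as the normal authentication challenge and counts only 401s that carried a user name. The sample lines, addresses, user names and the threshold of 3 are constructed for illustration.

```python
import re
from collections import Counter

# nginx "combined" format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent ...
LINE_RE = re.compile(
    r'^(?P<addr>\S+) - (?P<user>.*?) \[(?P<time>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) '
)

# Constructed sample lines (documentation address ranges, made-up users).
SAMPLE_LOG = [
    '192.0.2.10 - - [16/Jul/2020:10:00:00 +0000] "GET /private/ HTTP/1.1" 401 179 "-" "Mozilla/5.0"',
    '192.0.2.10 - alice [16/Jul/2020:10:00:07 +0000] "GET /private/ HTTP/1.1" 200 612 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [16/Jul/2020:10:01:00 +0000] "GET /private/ HTTP/1.1" 401 179 "-" "curl/7.71.1"',
    '198.51.100.7 - admin [16/Jul/2020:10:01:01 +0000] "GET /private/ HTTP/1.1" 401 179 "-" "curl/7.71.1"',
    '198.51.100.7 - root [16/Jul/2020:10:01:02 +0000] "GET /private/ HTTP/1.1" 401 179 "-" "curl/7.71.1"',
    '198.51.100.7 - admin [16/Jul/2020:10:01:03 +0000] "GET /private/ HTTP/1.1" 401 179 "-" "curl/7.71.1"',
    '203.0.113.5 - - [16/Jul/2020:10:02:00 +0000] "GET /missing HTTP/1.1" 404 153 "-" "Mozilla/5.0"',
]

def classify(line):
    """Return (addr, kind) for a 401 line, else None.

    kind is 'challenge' when no user name was sent (the server asking the
    client to authenticate) and 'failed' when a user name was sent and rejected.
    """
    m = LINE_RE.match(line)
    if not m or m.group("status") != "401":
        return None
    # nginx logs "-" when $remote_user is empty, i.e. no Basic credentials.
    kind = "challenge" if m.group("user") in ("-", "") else "failed"
    return m.group("addr"), kind

def offenders(lines, max_failed=3):
    """Addresses with at least max_failed rejected credential attempts."""
    failed = Counter()
    for line in lines:
        result = classify(line)
        if result and result[1] == "failed":
            failed[result[0]] += 1
    return {addr: n for addr, n in failed.items() if n >= max_failed}

if __name__ == "__main__":
    print(offenders(SAMPLE_LOG))
```

A client that keeps requesting the resource without ever sending credentials only produces `challenge` lines and is not counted here; rate limiting that traffic is a separate rule.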