Opened 3 months ago

Closed 3 months ago

Last modified 3 months ago

#2023 closed defect (invalid)

401 when not authenticated yet

Reported by: jeanmarc77@…
Owned by:
Priority: minor
Milestone:
Component: documentation
Version: 1.18.x
Keywords: 401
Cc:
uname -a: Linux zbox 5.7.9-1-MANJARO #1 SMP PREEMPT Thu Jul 16 08:20:05 UTC 2020 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.18.0
built with OpenSSL 1.1.1g 21 Apr 2020
TLS SNI support enabled
configure arguments: --prefix=/etc/nginx --conf-path=/etc/nginx/nginx.conf --sbin-path=/usr/bin/nginx --pid-path=/run/nginx.pid --lock-path=/run/lock/nginx.lock --user=http --group=http --http-log-path=/var/log/nginx/access.log --error-log-path=stderr --http-client-body-temp-path=/var/lib/nginx/client-body --http-proxy-temp-path=/var/lib/nginx/proxy --http-fastcgi-temp-path=/var/lib/nginx/fastcgi --http-scgi-temp-path=/var/lib/nginx/scgi --http-uwsgi-temp-path=/var/lib/nginx/uwsgi --with-cc-opt='-march=x86-64 -mtune=generic -O2 -pipe -fno-plt -D_FORTIFY_SOURCE=2' --with-ld-opt=-Wl,-O1,--sort-common,--as-needed,-z,relro,-z,now --with-compat --with-debug --with-file-aio --with-http_addition_module --with-http_auth_request_module --with-http_dav_module --with-http_degradation_module --with-http_flv_module --with-http_geoip_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_mp4_module --with-http_realip_module --with-http_secure_link_module --with-http_slice_module --with-http_ssl_module --with-http_stub_status_module --with-http_sub_module --with-http_v2_module --with-mail --with-mail_ssl_module --with-pcre-jit --with-stream --with-stream_geoip_module --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-threads

Description (last modified by jeanmarc77@…)

Hi,
Firstly, thank you very much for nginx.
I find a strange behavior while using HTTP authentication:

I log 401 attempts with these settings:

..
error_page 400 404 401 /error.html;
..
location = /error.html {
 internal;
 access_log /var/log/nginx/4xxerror.log;
}
..

All works fine, but I still have a 401 error when I first request a page, so it's while I get the prompt (I haven't clicked OK or Cancel yet).
Of course I'm not authenticated at this stage, but I don't think it's normal; it should only return a 401 if there is a wrong user/passwd or the cancel button was pressed.
Could you avoid this 401 when no login has been entered yet?
Cheers

Change History (7)

comment:1 by jeanmarc77@…, 3 months ago

Description: modified (diff)

comment:2 by Maxim Dounin, 3 months ago

Resolution: invalid
Status: new → closed

This is how HTTP Authentication works: for unauthenticated requests the web server returns a 401 response with the WWW-Authenticate header to request authentication.

comment:3 by jeanmarc77@…, 3 months ago

I'm not led to error.html yet at the prompt and I still have a 401 logged into 4xxerror.log

comment:4 by jeanmarc77@…, 3 months ago

I found a trick:

location = /error401.html {
    internal;
    if ($remote_user) {
        access_log /var/log/nginx/401error.log;
    }
}

thanks

comment:5 by Maxim Dounin, 3 months ago

It is not clear what you are trying to do with your "trick", but you may want to read the linked Wikipedia article instead. In particular, the Protocol part. It is completely normal that nginx responds with 401 to unauthenticated requests, this is how the server asks the user agent to authenticate itself.

comment:6 by jeanmarc77@…, 3 months ago

Maybe I'm not clear enough, I'll try again: nginx issues a 401 even when no user:password has been entered yet => it logs a 401 while still at the prompt.

I use the log file to ban attack attempts via fail2ban.
So far, using if ($remote_user) allows logging only when a value is entered.

Thanks

comment:7 by jeanmarc77@…, 3 months ago

I read section-3.1: "The 401 (Unauthorized) status code indicates that the request has not been applied because it lacks valid authentication credentials for the target resource."

While still at the prompt the credentials are missing, not "lacking a valid one"; maybe I am wrong, but I don't think it is normal nginx behavior.
