Support 407 code in "satisfy any" and "auth_delay"

author Roman Arutyunyan <arut@nginx.com>

Thu, 7 May 2026 10:08:25 +0000 (14:08 +0400)

committer Roman Arutyunyan <arutyunyan.roman@gmail.com>

Fri, 8 May 2026 05:42:58 +0000 (09:42 +0400)
author Roman Arutyunyan <arut@nginx.com>
Thu, 7 May 2026 10:08:25 +0000 (14:08 +0400)
committer Roman Arutyunyan <arutyunyan.roman@gmail.com>
Fri, 8 May 2026 05:42:58 +0000 (09:42 +0400)
diff --git a/src/http/ngx_http_core_module.c b/src/http/ngx_http_core_module.c

index 4c51f7edf3ebf040cd166c609197c411be4dd113..4e1c67282c5150c9f6f1d8a55421def10349e42c 100644 (file)
--- a/src/http/ngx_http_core_module.c
+++ b/src/http/ngx_http_core_module.c
@@ -1155,8 +1155,13 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
              return NGX_AGAIN;
          }
  
-        if (rc == NGX_HTTP_FORBIDDEN || rc == NGX_HTTP_UNAUTHORIZED) {
-            if (r->access_code != NGX_HTTP_UNAUTHORIZED) {
+        if (rc == NGX_HTTP_FORBIDDEN
+            || rc == NGX_HTTP_UNAUTHORIZED
+            || rc == NGX_HTTP_PROXY_AUTH_REQUIRED)
+        {
+            if (r->access_code != NGX_HTTP_UNAUTHORIZED
+                && r->access_code != NGX_HTTP_PROXY_AUTH_REQUIRED)
+            {
                  r->access_code = rc;
              }
  
@@ -1167,7 +1172,8 @@ ngx_http_core_access_phase(ngx_http_request_t *r, ngx_http_phase_handler_t *ph)
  
      /* rc == NGX_ERROR || rc == NGX_HTTP_...  */
  
-    if (rc == NGX_HTTP_UNAUTHORIZED) {
+    if (rc == NGX_HTTP_UNAUTHORIZED || rc == NGX_HTTP_PROXY_AUTH_REQUIRED) {
+        r->access_code = rc;
          return ngx_http_core_auth_delay(r);
      }
  
@@ -1188,17 +1194,19 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
      access_code = r->access_code;
  
      if (access_code) {
-        r->access_code = 0;
-
          if (access_code == NGX_HTTP_FORBIDDEN) {
              ngx_log_error(NGX_LOG_ERR, r->connection->log, 0,
                            "access forbidden by rule");
          }
  
-        if (access_code == NGX_HTTP_UNAUTHORIZED) {
+        if (access_code == NGX_HTTP_UNAUTHORIZED
+            || access_code == NGX_HTTP_PROXY_AUTH_REQUIRED)
+        {
              return ngx_http_core_auth_delay(r);
          }
  
+        r->access_code = 0;
+
          ngx_http_finalize_request(r, access_code);
          return NGX_OK;
      }
@@ -1211,12 +1219,16 @@ ngx_http_core_post_access_phase(ngx_http_request_t *r,
  static ngx_int_t
  ngx_http_core_auth_delay(ngx_http_request_t *r)
  {
+    ngx_int_t                  access_code;
      ngx_http_core_loc_conf_t  *clcf;
  
      clcf = ngx_http_get_module_loc_conf(r, ngx_http_core_module);
  
      if (clcf->auth_delay == 0) {
-        ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+        access_code = r->access_code;
+        r->access_code = 0;
+
+        ngx_http_finalize_request(r, access_code);
          return NGX_OK;
      }
  
@@ -1252,6 +1264,7 @@ ngx_http_core_auth_delay(ngx_http_request_t *r)
  static void
  ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
  {
+    ngx_int_t     access_code;
      ngx_event_t  *wev;
  
      ngx_log_debug0(NGX_LOG_DEBUG_HTTP, r->connection->log, 0,
@@ -1268,7 +1281,10 @@ ngx_http_core_auth_delay_handler(ngx_http_request_t *r)
          return;
      }
  
-    ngx_http_finalize_request(r, NGX_HTTP_UNAUTHORIZED);
+    access_code = r->access_code;
+    r->access_code = 0;
+
+    ngx_http_finalize_request(r, access_code);
  }
author	Roman Arutyunyan <arut@nginx.com>
	Thu, 7 May 2026 10:08:25 +0000 (14:08 +0400)
committer	Roman Arutyunyan <arutyunyan.roman@gmail.com>
	Fri, 8 May 2026 05:42:58 +0000 (09:42 +0400)