使用NGINX根据子请求结果（使用SSL）重定向socket.io（红色节点）流量

Question

NGINX充当许多Node-Red实例的反向代理，并且应基于子请求的结果允许/拒绝访问请求。当客户端请求访问特定的红色节点实例时，NGINX使用http_auth_request_module将请求转发到身份验证服务器。然后，身份验证服务器根据cookie内容允许/拒绝访问。

如果允许访问（子请求以200状态回复），NGINX使用proxy_pass将请求转发到Node-Red实例。如果访问被拒绝（子请求以401状态回复），NGINX将请求重定向到登录页面。这可以正常工作。

如果允许客户端访问特定实例并且cookie过期/或者被删除，NGINX应该拒绝该请求并将客户端重定向到登录页面。这不能正常工作。查看Chrome中的开发者控制台，该请求在302和304状态之间切换，并特别提到了socket.io轮询。如果用户访问被拒绝，如何将socket.io通信重定向到登录屏幕？

Node-Red实例正在Docker容器中运行。我没有提供docker-compose文件，因为它对问题没有影响。身份验证服务器正常工作，因为它会为允许和拒绝的请求提供正确的状态答复。

nginx.conf文件下面。

worker_processes 2;

events {
  worker_connections 1024;
}

http {
  server {
    listen 80;
    listen [::]:80;
    server_name foo.bar;
    return 302 https://foo.bar$request_uri;
  }

  server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name foo.bar;

    ssl on;

    ssl_certificate       /etc/nginx/ssl/fullchain.pem;
    ssl_certificate_key   /etc/nginx/ssl/privkey.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:20m;
    ssl_session_tickets off;

    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_prefer_server_ciphers on;

    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!3DES:!MD5:!PSK';

    ssl_stapling on;
    ssl_stapling_verify on;

    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-SSL on;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-NginX-Proxy true;

    #Upgrade websockets to work over http
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "Upgrade";

    #Redirect unauthorized attempts to login URL
    location @login {
        return 302 https://$server_name;
    }

    #NR instance for login page
    location / {
        proxy_pass http://nodered0:1880/;
        proxy_intercept_errors on;
        auth_request_set $auth_status $upstream_status;
        error_page 401 = @login;
        error_page 404 = @login;
    }

    #Admin interface of login page
    location /admin/0/ {
        proxy_pass http://nodered0:1880/admin;
        auth_request /auth;
    }

    #Authentication route
    location /auth {
        proxy_pass http://nodered1:1880/auth/;
        proxy_pass_request_body off; # no need to send the POST body
        proxy_set_header Content-Length "";
        proxy_set_header X-Original-URI $request_uri;

        proxy_set_header Content-Length "";
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }

    #Admin interface of authentication route
    location /admin/1/ {
        proxy_pass http://nodered1:1880/;
        auth_request /auth;
        error_page 401 = @login;
        error_page 404 = @login;
    }

    location /user1/ui/  {
        proxy_pass http://nodered100001:1880/ui/;
        auth_request /auth;
        proxy_intercept_errors on;
        auth_request_set $auth_status $upstream_status;
        error_page 401 = @login;
        error_page 404 = @login;
    }

    location /user1/worldmap/ {
        proxy_pass http://nodered100001:1880/worldmap/;
        auth_request /auth;
        proxy_intercept_errors on;
        auth_request_set $auth_status $upstream_status;
        error_page 401 = @login;
        error_page 404 = @login;
    }

    location /admin/100001/ {
        proxy_pass http://nodered100001:1880/;
        auth_request /auth;
        proxy_intercept_errors on;
        auth_request_set $auth_status $upstream_status;
        error_page 401 = @login;
        error_page 404 = @login;
    }
  }
}