diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index 943c436312..d4778ca3c9 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -22,7 +22,6 @@ import (
  "encoding/json"
  "fmt"
  "net"
- "net/url"
  "os"
  "os/exec"
  "strconv"
@@ -150,7 +149,6 @@ var (
  "serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
  return struct{ First, Second interface{} }{all, server}
  },
- "buildAuthSignURL": buildAuthSignURL,
  "isValidClientBodyBufferSize": isValidClientBodyBufferSize,
  "buildForwardedFor": buildForwardedFor,
  }
@@ -567,22 +565,6 @@ func buildNextUpstream(input interface{}) string {
  return strings.Join(nextUpstreamCodes, " ")
 }
-func buildAuthSignURL(input interface{}) string {
- s, ok := input.(string)
- if !ok {
- glog.Errorf("expected an 'string' type but %T was returned", input)
- return ""
- }
-
- u, _ := url.Parse(s)
- q := u.Query()
- if len(q) == 0 {
- return fmt.Sprintf("%v?rd=$request_uri", s)
- }
-
- return fmt.Sprintf("%v&rd=$request_uri", s)
-}
-
 // buildRandomUUID return a random string to be used in the template
 func buildRandomUUID() string {
  s := uuid.New()
diff --git a/controllers/nginx/pkg/template/template_test.go b/controllers/nginx/pkg/template/template_test.go
index 62d0342f49..9bed3d3ac4 100644
--- a/controllers/nginx/pkg/template/template_test.go
+++ b/controllers/nginx/pkg/template/template_test.go
@@ -310,24 +310,6 @@ func TestBuildResolvers(t *testing.T) {
  }
 }
-func TestBuildAuthSignURL(t *testing.T) {
- urlOne := "http://google.com"
- validUrlOne := "http://google.com?rd=$request_uri"
-
- urlTwo := "http://google.com?cat"
- validUrlTwo := "http://google.com?cat&rd=$request_uri"
-
- authSignURLOne := buildAuthSignURL(urlOne)
- if authSignURLOne != validUrlOne {
- t.Errorf("Expected '%v' but returned '%v'", validUrlOne, authSignURLOne)
- }
-
- authSignURLTwo := buildAuthSignURL(urlTwo)
- if authSignURLTwo != validUrlTwo {
- t.Errorf("Expected '%v' but returned '%v'", validUrlTwo, authSignURLTwo)
- }
-}
-
 func TestBuildNextUpstream(t *testing.T) {
  nextUpstream := "timeout http_500 http_502 non_idempotent"
  validNextUpstream := "timeout http_500 http_502"
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index e6270da3de..19c0947c55 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -684,7 +684,7 @@ stream {
  {{ end }}
  {{ if not (empty $location.ExternalAuth.SigninURL) }}
- error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
+ error_page 401 = $location.ExternalAuth.SigninURL;
  {{ end }}
  {{/* if the location contains a rate limit annotation, create one */}}
@@ -743,6 +743,9 @@ stream {
  proxy_set_header X-Original-URI $request_uri;
  proxy_set_header X-Scheme $pass_access_scheme;
+ {{/* This header is used for external authentication */}}
+ proxy_set_header X-Auth-Request-Redirect $request_uri;
+
  # mitigate HTTPoxy Vulnerability
  # https://www.nginx.com/blog/mitigating-the-httpoxy-vulnerability-with-nginx/
  proxy_set_header Proxy "";
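Review bot: The new error_page line has lost its template delimiters, so `$location.ExternalAuth.SigninURL` is written literally into the generated nginx.conf instead of being substituted with the annotation value; nginx will then try to resolve `$location` as one of its own variables, which presumably makes the rendered configuration fail validation (or, at best, sends 401s to a nonsense URL). The line should read `error_page 401 = {{ $location.ExternalAuth.SigninURL }};`. Separately, since buildAuthSignURL is removed, the original request URI is no longer appended to the sign-in URL as the `rd` query parameter, so a sign-in service that relied on `rd` for its post-login redirect loses that input unless it reads the new header from the other hunk; that behaviour change deserves a mention in the annotation documentation. The enclosing location block starts and ends outside the hunk.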
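Review bot: `X-Auth-Request-Redirect` is populated from `$request_uri`, which is client-supplied, so the comment added above it should say what the consumer may assume about it, e.g. `{{/* X-Auth-Request-Redirect carries the client-supplied request URI for the external auth service; the auth service must validate it before using it as a redirect target */}}`. It is also not clear from the hunk alone whether this proxy_set_header block belongs to the backend location or to the auth_request subrequest location; if it is the former, the auth service would not receive the header, because a location that declares its own proxy_set_header directives does not inherit these. The enclosing location block starts and ends outside the hunk.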