diff --git a/controllers/nginx/pkg/template/template.go b/controllers/nginx/pkg/template/template.go
index a3cc83840e..a5192d3965 100644
--- a/controllers/nginx/pkg/template/template.go
+++ b/controllers/nginx/pkg/template/template.go
@@ -22,6 +22,7 @@ import (
 	"encoding/json"
 	"fmt"
 	"net"
+	"net/url"
 	"os"
 	"os/exec"
 	"strings"
@@ -149,6 +150,7 @@ var (
 		"serverConfig": func(all config.TemplateConfig, server *ingress.Server) interface{} {
 			return struct{ First, Second interface{} }{all, server}
 		},
+		"buildAuthSignURL": buildAuthSignURL,
 	}
 )
 
@@ -502,3 +504,18 @@ func buildNextUpstream(input interface{}) string {
 
 	return strings.Join(nextUpstreamCodes, " ")
 }
+
+func buildAuthSignURL(input interface{}) string {
+	s, ok := input.(string)
+	if !ok {
+		glog.Errorf("expected an string type but %T was returned", input)
+	}
+
+	u, _ := url.Parse(s)
+	q := u.Query()
+	if len(q) == 0 {
+		return fmt.Sprintf("%v?rd=$request_uri", s)
+	}
+
+	return fmt.Sprintf("%v&rd=$request_uri", s)
+}
diff --git a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
index 1ee7bc9bf0..65c61c7e70 100644
--- a/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
+++ b/controllers/nginx/rootfs/etc/nginx/template/nginx.tmpl
@@ -585,7 +585,7 @@ stream {
         {{ end }}
 
         {{ if not (empty $location.ExternalAuth.SigninURL) }}
-        error_page 401 = {{ $location.ExternalAuth.SigninURL }}?rd=$request_uri;
+        error_page 401 = {{ buildAuthSignURL $location.ExternalAuth.SigninURL }};
         {{ end }}
 
         {{/* if the location contains a rate limit annotation, create one */}}