diff --git a/site-modules/profile/templates/varnish/vhost.vcl.erb b/site-modules/profile/templates/varnish/vhost.vcl.erb
index 96861ce8..f4e026a6 100644
--- a/site-modules/profile/templates/varnish/vhost.vcl.erb
+++ b/site-modules/profile/templates/varnish/vhost.vcl.erb
@@ -1,69 +1,84 @@
 # vhost_<%= @servername %>.vcl
 #
 # Settings for the <%= @servername %> vhost
 #
 # File managed by puppet. All modifications will be lost.
 
 sub vcl_recv {
     if (
 <% @aliases.each do |alias_| -%>
         req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" ||
 <% end -%>
         req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
     ) {
         var.set("known-vhost", "yes");
         if (std.port(server.ip) == <%= scope['::profile::varnish::http_port'] %>) {
             set req.http.x-redir = "https://" + req.http.host + req.url;
             return(synth(850, "Moved permanently"));
         } else {
 <%- if @basic_auth -%>
             if ( 1 == 1  # noop expression to be syntactically correct with the following &&
     <%- @basic_auth_strings.each do | basic_auth_string | -%>
                     && ! req.http.Authorization ~ "Basic <%= basic_auth_string %>"
     <%- end -%>
             ) {
                 return(synth(401, "Restricted"));
             }
 <%- end -%>
 <% if @websocket_support -%>
             if (req.http.upgrade ~ "(?i)websocket") {
                 return (pipe);
             }
 <% end -%>
             set req.http.X-Forwarded-Proto = "https";
             set req.backend_hint = <%= @backend_name %>;
         }
 <% if @vcl_recv_extra -%>
         <%= @vcl_recv_extra %>
 <% end -%>
     }
 }
 
 <% if @websocket_support -%>
 sub vcl_pipe {
     if (req.http.upgrade) {
         set bereq.http.upgrade = req.http.upgrade;
         set bereq.http.connection = req.http.connection;
     }
 }
 
 <% end -%>
 <% if @hsts_max_age or @vcl_deliver_extra -%>
 sub vcl_deliver {
     if (
 <% @aliases.each do |alias_| -%>
         req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" ||
 <% end -%>
         req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
     ) {
 <% if @hsts_max_age -%>
         if (std.port(server.ip) != <%= scope['::profile::varnish::http_port'] %>) {
             set resp.http.Strict-Transport-Security = "max-age=<%= @hsts_max_age %>;";
         }
 <% end -%>
 <% if @vcl_deliver_extra -%>
         <%= @vcl_deliver_extra %>
 <% end -%>
     }
 }
+
+sub vcl_synth {
+    if (
+<% @aliases.each do |alias_| -%>
+        req.http.host ~ "^(?i)<%= Regexp.escape(alias_) %>(:[0-9]+)?$" ||
 <% end -%>
+        req.http.host ~ "^(?i)<%= Regexp.escape(@servername) %>(:[0-9]+)?$"
+    ) {
+        if (resp.status == 401) {
+            set resp.http.WWW-Authenticate = "Basic";
+            return(deliver);
+        }
+    }
+}
+<% end -%>
+