I'm not certain why you want to do the specific example that you want
to do; but if I were doing the general "conditionally remove header"
thing, I would probably use "map" to set a new variable "$my_value"
based on your variable "$external_traffic".
If $external_traffic is 1, set $my_value to blank.
Otherwise, set $my_value to $upstream_http_www_authenticate.
And then always "proxy_hide_header WWW-Authenticate;" and
"add_header WWW-Authenticate $my_value always;"
If the value is blank, add_header does not write the header. And "always"
is because you probably only get the WWW-Authenticate on a 401 response.
Thanks so much Francis, yes that seems to be have worked. When the
application is accessed outside our domain, it doesn't try to negotiate
which would pop up the Windows authentication prompt and would never work
anyways, but if the user is inside our domain either by being physically
inside the building or through a VPN, the negotiate header is there to allow
for automatic sign-in using their Windows credentials.