diff --git a/roles/nagios_server/templates/httpd/nagios.conf.j2 b/roles/nagios_server/templates/httpd/nagios.conf.j2
index f73480de88..a3091c9137 100644
--- a/roles/nagios_server/templates/httpd/nagios.conf.j2
+++ b/roles/nagios_server/templates/httpd/nagios.conf.j2
@@ -4,41 +4,18 @@ ScriptAlias /tac.cgi         /usr/lib64/nagios/cgi-bin/tac.cgi
 
 # Set up the authorization
 
-{% if vars['nagios_location'] == 'internal' %}
-
-<Location />
+<Location /nagios>
   AuthName "Nagios GSSAPI Login"
+{% if vars['nagios_location'] == 'internal' %}
   GssapiCredStore keytab:/etc/krb5.HTTP_nagios{{env_suffix}}.fedoraproject.org.keytab
-  AuthType GSSAPI
   # This is off because Apache (and thus mod_auth_gssapi) doesn't know this is proxied over TLS
   GssapiSSLonly Off
-  GssapiLocalName on
-  Require valid-user
-</Location>
-
-<Location ~ "/(nagios)/cgi-bin/">
-  Options ExecCGI
-</Location>
-
-RewriteEngine on
-RewriteRule ^/$ /nagios/ [R]
-
-Alias /nagios /usr/share/nagios/html/
-<Directory "/usr/share/nagios/html">
-  Options None
-</Directory>
-
 {% else %}
-
-Alias /nagios "/usr/share/nagios/html"
-
-<Location ~ /nagios/>
-  AuthName "Nagios GSSAPI Login"
   GssapiCredStore keytab:/etc/krb5.HTTP_nagios-external{{env_suffix}}.fedoraproject.org.keytab
-  AuthType GSSAPI
   GssapiSSLonly On
+{% endif %}
   GssapiLocalName on
-  GssapiPublishErrors On
+  AuthType GSSAPI
   Require valid-user
 </Location>
 
@@ -46,12 +23,12 @@ Alias /nagios "/usr/share/nagios/html"
   Options ExecCGI
 </Location>
 
+{% if vars['nagios_location'] == 'internal' %}
+RewriteEngine on
+RewriteRule ^/$ /nagios/ [R]
+{% endif %}
+
+Alias /nagios /usr/share/nagios/html/
 <Directory "/usr/share/nagios/html">
   Options None
 </Directory>
-
-
-{% endif %}
-
-
-