diff --git a/oauthproxy.go b/oauthproxy.go
index e2d20ed6..fb6ef0bc 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -265,7 +265,9 @@ func (p *OAuthProxy) setupServer(opts *options.Options) error {
 }
 func (p *OAuthProxy) buildServeMux(proxyPrefix string) {
- r := mux.NewRouter()
+ // Use the encoded path here so we can have the option to pass it on in the upstream mux.
+ // Otherwise something like /%2F/ would be redirected to / here already.
+ r := mux.NewRouter().UseEncodedPath()
 // Everything served by the router must go through the preAuthChain first.
 r.Use(p.preAuthChain.Then)
diff --git a/oauthproxy_test.go b/oauthproxy_test.go
index cb1dceed..3a795f18 100644
--- a/oauthproxy_test.go
+++ b/oauthproxy_test.go
@@ -915,6 +915,15 @@ func TestUserInfoEndpointUnauthorizedOnNoCookieSetError(t *testing.T) {
 assert.Equal(t, http.StatusUnauthorized, test.rw.Code)
 }
+func TestEncodedUrlsStayEncoded(t *testing.T) {
+ encodeTest, err := NewSignInPageTest(false)
+ if err != nil {
+ t.Fatal(err)
+ }
+ code, _ := encodeTest.GetEndpoint("/%2F/test1/%2F/test2")
+ assert.Equal(t, 403, code)
+}
+
 func NewAuthOnlyEndpointTest(querystring string, modifiers ...OptionsModifier) (*ProcessCookieTest, error) {
 pcTest, err := NewProcessCookieTestWithOptionsModifiers(modifiers...)
 if err != nil {
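Review bot: The comment added above `mux.NewRouter().UseEncodedPath()` in `buildServeMux` explains the redirect case but not the consequence that every route on this router now matches against the escaped path. If any allowlist or skip-auth check elsewhere in the proxy evaluates the decoded `req.URL.Path` while the upstream receives the encoded form (not visible in this hunk), a path containing `%2F` could be authorised under one representation and served under another. I would extend the comment with `// NOTE: routes match on the escaped path; auth and allowlist checks must use the same path form that is forwarded upstream.` and add a test that pairs an encoded path with a path-based rule. The body of `buildServeMux` continues outside the hunk.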
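Review bot: `TestEncodedUrlsStayEncoded` asserts only the status code, so it shows that `/%2F/test1/%2F/test2` is no longer redirected but not that the path is still encoded when it reaches a handler; a regression that decodes the path after routing would still pass. The second return value of `GetEndpoint` is discarded, and if it carries the response body it could be checked as well. The literal `403` is inconsistent with the `http.StatusUnauthorized` constant used by the test just above; `assert.Equal(t, http.StatusForbidden, code)` reads better. A doc comment such as `// TestEncodedUrlsStayEncoded checks that a path with encoded slashes is served as-is rather than redirected to its cleaned form.` would make the reason for expecting 403 explicit.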