59

How can I setup an nginx proxy_pass directive that will also include HTTP Basic authentication information sent to the proxy host?

This is an example of the URL I need to proxy to:

http://username:password@192.168.0.5/export?uuid=1234567890

The end goal is to allow 1 server present files from another server (the one we're proxying to) without exposing the URI of the proxy server. I have this working 90% correct now from following the Nginx config found here:

http://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote/

I just need to add in the HTTP Basic authentication to send to the proxy server

bwizzy
  • 1,265
  • 4
  • 14
  • 17
  • 1
    @all: Be sure you need HTTP Basic authentication when using this solution - not HTTP Digest Authentication ;) Had quite a hard time debugging around until I figured it out ... http://stackoverflow.com/questions/9534602/what-is-the-different-between-digest-and-basic-authentication – SimonSimCity Jun 06 '13 at 09:27

4 Answers4

68

I did a writeup on this a while ago. See the details here:

http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html

For example:

 location / {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_pass http://6.6.6.6:80;
    proxy_set_header Authorization "Basic a2luZzppc25ha2Vk";
 }

"a2luZzppc25ha2Vk" is "king:isnaked" base64 encoded, so that would work for

http://king:isnaked@6.6.6.6

Feel free to check out blog post for more details.

Jon-Eric
  • 163
  • 8
Shai
  • 907
  • 1
  • 7
  • 7
  • 2
    The link is broken – Alex Jul 26 '13 at 06:30
  • 1
    Link is now here: http://shairosenfeld.blogspot.com/search?q=nginx in case anyone is wondering – ckm Oct 22 '14 at 22:25
  • 1
    I need something more difficult – Ilja Jul 04 '15 at 00:02
  • 7
    Your solution is not flexible enough. It could be very useful to encode username:password on the fly. First, nginx must parse username:password from URL, secondly, nginx must encode this data and set in appropriate header. I don't want to hardcode encoded credentials. – Johnny Aug 26 '15 at 16:42
  • I get "bad request" when trying it on my setup.. any idea? – Spock Oct 09 '15 at 21:45
  • 1
    lol @Alex, you tried the 6.6.6.6 link? – caub Jul 10 '18 at 07:09
26

I got this working with alvosu's answer but I had to enter the word "Basic" inside the quotation of the base64 string so it looked like this:

proxy_set_header Authorization "Basic dGVzdHN0cmluZw==";
bwizzy
  • 1,265
  • 4
  • 14
  • 17
  • 2
    Do you know how to encode username:password on the fly with nginx? Hardcoded credentials is not flexible, because I want to authenticate user with credentials specified by him in URL. – Johnny Aug 26 '15 at 16:46
  • 1
    I've found how to encode to base64 with nginx http://wiki.nginx.org/HttpSetMiscModule#set_encode_base64. This is more useful than hardcoded credentials. – Johnny Aug 26 '15 at 16:53
  • @Johnny links to those docs are now here: https://github.com/openresty/set-misc-nginx-module#set_encode_base64 – Al Dass Jan 28 '17 at 04:24
6

Set

proxy_set_header Authorization "Basic USER_AND_PASS"

where USER_AND_PASS = base64(user:pass).

Per Henrik Lausten
  • 535
  • 2
  • 12
alvosu
  • 8,357
  • 24
  • 22
5

Remove the authorization header that gets passed forwarded by nginx with proxy_set_header Authorization "";.

I configured nginx to do basic auth but the Authorization header was getting passed along in the proxy_pass directive and the receiving end couldn't handle the token.

# Basic Auth
auth_basic "Private Stuff";
auth_basic_user_file /etc/nginx/.htpasswd;

location /server {
    proxy_pass http://172.31.31.140:9090;
    proxy_set_header Authorization "";
}

(Specific to my case, this error was returned Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken)

sunapi386
  • 161
  • 1
  • 3