Nginx - Forward HTTP AUTH - User

Question

I have some trouble with Nginx and Jenkins (Hudson). I am trying to use Nginx as Reverse Proxy for the Jenkins instance with HTTP Basic Authentication.

It works so far, but i have no idea how to pass the Header with the Authentication Username.

location / {
  auth_basic "Restricted";
  auth_basic_user_file /usr/share/nginx/.htpasswd;
  sendfile off;

  proxy_pass         http://192.168.178.102:8080;
  proxy_redirect     default;
  proxy_set_header   Host             $http_host;
  proxy_set_header   X-Real-IP        $remote_addr;
  proxy_set_header   X-Forwarded-For  $proxy_add_x_forwarded_for;
  proxy_set_header   X-Forwarded-User $http_authorization; 
  proxy_max_temp_file_size 0;

  #this is the maximum upload size
  client_max_body_size       10m;
  client_body_buffer_size    128k;

  proxy_connect_timeout      90;
  proxy_send_timeout         90;
  proxy_read_timeout         90;             
  proxy_buffer_size          4k;
  proxy_buffers              4 32k;
  proxy_busy_buffers_size    64k;
  proxy_temp_file_write_size 64k;
}

Note you probably want an extra 'd' in "X-Forwared-User". – Paul Jan 29 '15 at 16:44 — Paul, Jan 29 '15 at 16:44

score 28 · Accepted Answer · answered May 29 '13 at 09:28

28

Try adding this directives to your location block

proxy_set_header Authorization $http_authorization;
proxy_pass_header  Authorization;

answered May 29 '13 at 09:28

Andrei Mikhaltsov

2,987
1
22
31

This header is passing: Username: Basic YXJuZTpraWxsZXI, not the correct name from http auth (; – opHASnoNAME May 29 '13 at 17:32
6

This must be base64 encoded string http://en.wikipedia.org/wiki/Basic_access_authentication#cite_note-8 try to decoding it – Andrei Mikhaltsov May 31 '13 at 13:11
Authorization header must be base64 encoded header, yes. But that is not what the question is about. The question is about passing auth username in headers, not full authorization header. – Olli Apr 02 '18 at 13:37
1

``YXJuZTpraWxsZXI`` decodes to ``arne:killer`` - nice example @opHASnoNAME :-) – Enda Farrell Jul 24 '19 at 15:51
1

pass_header and set_header...? isn't this two times more or less the same effect? Both should work, shouldn't it? – phip1611 Nov 28 '19 at 16:40
i think proxy_pass_header is not required, but it should be tested again. – Andrei Mikhaltsov May 12 '22 at 14:27

score 8 · Answer 2 · answered Apr 02 '18 at 13:36

8

To get this to work with Jenkins reverse proxy auth plugin:

proxy_set_header Authorization "";
proxy_set_header X-Forwarded-User $remote_user;

If you don't reset Authorization header, nginx will forward that by default, and when enabling reverse proxy auth plugin, Jenkins (jetty) will try to re-authenticate the user, and fails on that.

nginx version 1.12.1, Jenkins 2.113.

answered Apr 02 '18 at 13:36

Olli

768
6
16

1

THANK YOU! This is exactly what I was looking for. MUCH appreciated. – Erutan409 Jan 06 '19 at 19:34

Nginx - Forward HTTP AUTH - User

2 Answers2

Linked