Basic auth for a Tomcat app (JIRA) with Nginx as reverse proxy

Ok just found the solution on the nginx mailing list. I just had to tell nginx to not forward the auth headers to tomcat. Adding a couple of lines to the location blocks in nginx.conf did the trick:

  location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        # Password
        auth_basic "Restricted";
        auth_basic_user_file /home/passwd/.htpasswd;

        # Don't forward auth to Tomcat
        proxy_set_header   Authorization "";

Now i just have to figure out how to prevent nginx from asking for auth on each subdomain (jira, confluence, stash, etc). Having to introduce the credentials just once for all of them would be perfect, but that's another issue.

Hope this helps!


I had the same problem with Confluence. This was very useful (both the updated question and SDude's answer). I have the proxy params on each sub-path level ("/jira", "/wiki" for Confluence, etc.), so I added proxy_set_header Authorization ""; to each location container in nginx config which fixed the problem. It also cured a weird problem with Stash where Stash was prompting for login password through a browser auth box rather than its own login screen. With the above it now displays the actual login screen.