Jenkins/Nginx - Double prompted for basic auth, why? Why is there an internal Jenkins auth?

Found the solution to my issue by searching for Nginx used as a reverse proxy for any other application with basic_auth.

Solution was the answer found here: https://serverfault.com/questions/511846/basic-auth-for-a-tomcat-app-jira-with-nginx-as-reverse-proxy

The line I was missing from my nginx configuration was:

 # Don't forward auth to Tomcat
 proxy_set_header   Authorization "";

By default, it appears that after basic auth Nginx will additionally forward the auth headers to Jenkins and this is what was leading to my issue. Jenkins receives the forwarded auth headers and then thinks it needs to authorize itself too?!

If we set our reverse proxy to not forward any authorization headers as shown above then everything works as it should. Nginx will prompt basic_auth and after successful auth we explicitly clear (reset?) the auth headers when forwarding to our reverse proxy.