66

How can I set up an nginx proxy_pass directive that will also include HTTP Basic authentication information sent to the proxy host?

This is an example of the URL I need to proxy to:

http://username:[email protected]/export?uuid=1234567890 

The end goal is to allow one server to present files from another server (the one we're proxying to) without exposing the URI of the proxy server. I have this working 90% correct now from following the Nginx config found here:

http://kovyrin.net/2010/07/24/nginx-fu-x-accel-redirect-remote/

I just need to add in the HTTP Basic authentication to send to the proxy server.

1
  • 1
    @all: Be sure you need HTTP Basic authentication when using this solution - not HTTP Digest Authentication ;) Had quite a hard time debugging around until I figured it out ... stackoverflow.com/questions/9534602/… Commented Jun 6, 2013 at 9:27

4 Answers 4

78

I did a writeup on this a while ago. See the details here:

http://shairosenfeld.blogspot.com/2011/03/authorization-header-in-nginx-for.html

For example:

    location / {
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://6.6.6.6:80;
        proxy_set_header Authorization "Basic a2luZzppc25ha2Vk";
    }

"a2luZzppc25ha2Vk" is "king:isnaked" base64 encoded, so that would work for

http://king:[email protected]

Feel free to check out the blog post for more details.

6
  • 2
    The link is broken Commented Jul 26, 2013 at 6:30
  • 1
    Link is now here: shairosenfeld.blogspot.com/search?q=nginx in case anyone is wondering Commented Oct 22, 2014 at 22:25
  • 1
    I need something more difficult Commented Jul 4, 2015 at 0:02
  • 7
    Your solution is not flexible enough. It could be very useful to encode username:password on the fly. First, nginx must parse username:password from URL, secondly, nginx must encode this data and set in appropriate header. I don't want to hardcode encoded credentials. Commented Aug 26, 2015 at 16:42
  • 1
    lol @Alex, you tried the 6.6.6.6 link? Commented Jul 10, 2018 at 7:09
27

I got this working with alvosu's answer but I had to enter the word "Basic" inside the quotation of the base64 string so it looked like this:

proxy_set_header Authorization "Basic dGVzdHN0cmluZw=="; 
3
  • 3
    Do you know how to encode username:password on the fly with nginx? Hardcoded credentials is not flexible, because I want to authenticate user with credentials specified by him in URL. Commented Aug 26, 2015 at 16:46
  • 1
    I've found how to encode to base64 with nginx wiki.nginx.org/HttpSetMiscModule#set_encode_base64. This is more useful than hardcoded credentials. Commented Aug 26, 2015 at 16:53
  • @Johnny links to those docs are now here: github.com/openresty/set-misc-nginx-module#set_encode_base64 Commented Jan 28, 2017 at 4:24
6

Set

    proxy_set_header Authorization "Basic USER_AND_PASS";

where USER_AND_PASS = base64(user:pass).

1
  • 6
    missing the keyword Basic. Commented Sep 8, 2016 at 9:11
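
One way to generate and sanity-check the header value used in the answers above, as an added example that is not part of any answer on this page. It assumes a POSIX shell with GNU coreutils `base64`; the function names are hypothetical, and `king:isnaked` is the sample credential from the first answer.

```shell
#!/bin/sh
# Added example; function names are hypothetical, sample credentials are constructed.

# basic_auth_value USER PASS -> prints base64("USER:PASS") on a single line.
basic_auth_value() {
    case $1 in
        *:*) echo "username must not contain ':' (RFC 7617)" >&2; return 1 ;;
    esac
    # printf, not echo: a trailing newline would be encoded into the credential.
    # tr removes the line wrapping that base64 applies to long input.
    printf '%s:%s' "$1" "$2" | base64 | tr -d '\n'
}

# nginx_auth_directive USER PASS -> prints the complete proxy_set_header line.
nginx_auth_directive() {
    value=$(basic_auth_value "$1" "$2") || return 1
    printf 'proxy_set_header Authorization "Basic %s";\n' "$value"
}

# check_auth_header 'Basic <b64>' -> succeeds only if the scheme keyword is
# present and the token decodes to something of the form user:pass.
check_auth_header() {
    case $1 in
        "Basic "*) token=${1#Basic } ;;
        *) echo "missing 'Basic ' scheme prefix" >&2; return 1 ;;
    esac
    decoded=$(printf '%s' "$token" | base64 -d 2>/dev/null) || {
        echo "token is not valid base64" >&2; return 1
    }
    case $decoded in
        *:*) return 0 ;;
        *) echo "decoded value has no ':' separator" >&2; return 1 ;;
    esac
}

# Demo with the sample credential from the first answer.
nginx_auth_directive king isnaked
```

Base64 is an encoding, not encryption: anyone who can read the nginx configuration can recover the password, so keep the file holding this directive readable only by the account that loads it. With an `http://` upstream the header also crosses the network in cleartext.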
5

Remove the authorization header that gets forwarded by nginx with proxy_set_header Authorization "";.

I configured nginx to do basic auth but the Authorization header was getting passed along in the proxy_pass directive and the receiving end couldn't handle the token.

    # Basic Auth
    auth_basic "Private Stuff";
    auth_basic_user_file /etc/nginx/.htpasswd;

    location /server {
        proxy_pass http://172.31.31.140:9090;
        proxy_set_header Authorization "";
    }

(Specific to my case, this error was returned Reason: No AuthenticationProvider found for org.springframework.security.authentication.UsernamePasswordAuthenticationToken)
