正常配置nginx的auth_basic模块,但是访问的时候填写完认证账号和密码之后无限提示要求认证,查到相关问题解决方法:
Found the solution to my issue by searching for Nginx used as a reverse proxy for any other application with basic_auth.
Solution was the answer found here: [https://serverfault.com/questions/511846/basic-auth-for-a-tomcat-app-jira-with-nginx-as-reverse-proxy](https://serverfault.com/questions/511846/basic-auth-for-a-tomcat-app-jira-with-nginx-as-reverse-proxy)
The line I was missing from my nginx configuration was:
# Don't forward auth to Tomcat
proxy_set_header Authorization "";
By default, it appears that after basic auth Nginx will additionally forward
the auth headers to Jenkins and this is what was leading to my issue.
Jenkins receives the forwarded auth headers and then thinks it needs to
authorize itself too?!
If we set our reverse proxy to not forward any authorization headers as
shown above then everything works as it should. Nginx will prompt
basic_auth and after successful auth we explicitly clear (reset?) the auth
headers when forwarding to our reverse proxy.
正确的配置,需要在header里设置 Authorization为空,即:
proxy_set_header Authorization "";
upstream jenkins_server {
server 127.0.0.1:8081;
}
server {
listen 80;
listen 443 ;
server_name jenkins.abc.com;
charset utf-8;
access_log logs/access_jenkins.log main;
auth_basic "Protect Jenkins";
auth_basic_user_file /usr/local/nginx/jenkins_passwd.db;
ssl_certificate cert/abc.com.pem;
ssl_certificate_key cert/abc.com.key;
ssl_session_timeout 5m;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:ECDHE:ECDH:AES:HIGH:!NULL:!aNULL:!MD5:!ADH:!RC4:!3DES;
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
allow 1.2.3.432;
allow 1.2.3.5/32;
deny all;
gzip on;
gzip_comp_level 6;
gzip_min_length 1k;
gzip_types text/plain text/css text/xml text/javascript text/x-component application/json application/javascript application/x-javascript application/xml application/xhtml+xml application/rss+xml application/atom+xml application/x-font-ttf application/vnd.ms-fontobject image/svg+xml image/x-icon font/opentype;
if ($scheme = http) {
return 301 https://$host$request_uri;
}
location @jenkins {
sendfile off;
proxy_pass http://jenkins_server;
proxy_redirect off;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_max_temp_file_size 0;
client_max_body_size 10m;
client_body_buffer_size 128k;
# Don't forward auth to Tomcat
proxy_set_header Authorization "";
proxy_connect_timeout 90;
proxy_send_timeout 90;
proxy_read_timeout 90;
proxy_buffer_size 4k;
proxy_buffers 4 32k;
proxy_busy_buffers_size 64k;
proxy_temp_file_write_size 64k;
}
location / {
root /home/jenkins/jenkins_home/war/;
try_files $uri @jenkins;
}
}
网友评论