Jenkins / Nginx - Double request for basic auth, why? Why is there an internal Jenkins auth?

Below is my nginx configuration file for Jenkins. Most of it exactly matches what I read in the documentation.

Configuration file:

    upstream app_server {
        server 127.0.0.1:8080 fail_timeout=0;
    }

    server {
        listen 80;
        listen [::]:80 default ipv6only=on;
        server_name sub.mydomain.net;

        location ^~ /jenkins/ {
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $http_host;
            proxy_redirect off;

            if (!-f $request_filename) {
                proxy_pass http://app_server;
                break;
            }

            auth_basic "[....] Please confirm identity...";
            auth_basic_user_file /etc/nginx/.htpasswd;
        }
    }

When going to http://sub.mydomain.net/jenkins I am prompted for basic auth, with Server says: [....] Please confirm the identification ...

This is correct, but as soon as I enter the correct credentials, I get PROMPTED AGAIN for basic auth, but this time: Server says: Jenkins.

Where is this second hidden basic_auth? That makes no sense to me.

By clicking CANCEL at the first prompt, I then correctly get the 401 required authorization.

Pressing CANCEL on the second basic auth ("Server says: Jenkins") I get:

    HTTP ERROR 401
    Problem accessing /jenkins/. Reason:
        Invalid password/token for user: _____
    Powered by Jetty://

Does anyone know what is going on?

+6
2 answers

I found a solution to my problem by searching for Nginx used as a reverse proxy for any other application with basic_auth.

The solution was found here: https://serverfault.com/questions/511846/basic-auth-for-a-tomcat-app-jira-with-nginx-as-reverse-proxy

The line that I was missing in my nginx configuration was:

    # Don't forward auth to Tomcat
    proxy_set_header Authorization "";

By default, it turns out that after basic auth, Nginx additionally forwards the auth headers to Jenkins, and this is what led to my problem. Jenkins gets the forwarded auth headers and then thinks it needs to log in too?!

If we set up our reverse proxy to not forward the auth headers as shown above, everything works as it should. Nginx will offer basic_auth and after successful auth we will explicitly clear (reset?) the auth headers when forwarding to our reverse proxy.

+19
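
The header flow this answer describes, as an added example that is not part of the original post: a small Python model of the nginx `auth_basic` check followed by the Jenkins backend, run with and without `proxy_set_header Authorization "";`. The user names, passwords and function names are constructed for illustration, and the backend model assumes Jenkins serves requests that carry no `Authorization` header and rejects one it cannot validate.

```python
import base64

# Constructed sample data: the htpasswd user known to nginx and the
# (different) account database known to Jenkins.
NGINX_HTPASSWD = {"alice": "proxy-secret"}
JENKINS_USERS = {"admin": "jenkins-secret"}


def parse_basic(header):
    """Return (user, password) from an Authorization: Basic header, or None."""
    scheme, _, token = (header or "").partition(" ")
    if scheme.lower() != "basic" or not token:
        return None
    try:
        decoded = base64.b64decode(token, validate=True).decode()
    except (ValueError, UnicodeDecodeError):
        return None
    user, sep, password = decoded.partition(":")
    return (user, password) if sep else None


def jenkins(headers):
    """Backend model: no header passes, unknown credentials get a 401."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or JENKINS_USERS.get(creds[0]) == creds[1]:
        return 200, {}
    return 401, {"WWW-Authenticate": 'Basic realm="Jenkins"'}


def nginx(headers, clear_authorization):
    """Proxy model: enforce auth_basic, then forward to the backend."""
    creds = parse_basic(headers.get("Authorization"))
    if creds is None or NGINX_HTPASSWD.get(creds[0]) != creds[1]:
        realm = "[....] Please confirm identity..."
        return 401, {"WWW-Authenticate": f'Basic realm="{realm}"'}
    upstream = dict(headers)
    if clear_authorization:
        # Models: proxy_set_header Authorization "";
        upstream.pop("Authorization", None)
    return jenkins(upstream)


def browser_request(user, password, clear_authorization):
    """Send one request with Basic credentials through the proxy model."""
    token = base64.b64encode(f"{user}:{password}".encode()).decode()
    headers = {"Host": "sub.mydomain.net", "Authorization": f"Basic {token}"}
    return nginx(headers, clear_authorization)
```

With the header forwarded, valid proxy credentials still end in a 401 whose realm is `Jenkins`, which is the second prompt from the question; with the header cleared the same request returns 200.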

I also had this problem; in my case it was caused by security being enabled in Jenkins, and disabling security resolved the problem.

According to their docs:

If you perform access control in Apache, do not enable security in Jenkins, as these two things will interfere with each other.

https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

What seems to be happening is that nginx redirects the auth_basic response to Jenkins, which attempts to execute auth_basic in response. I have not yet found a satisfactory solution to the problem.

+1