HTTP authentication information is stored in the browser cache and should only be requested again if authentication fails or from another area (in auth_basic "Restricted"; it is limited).
Your configuration is fine, given that your password is correct and the Nginx user has access to read the password file (the case when it always fails, but sends an error message to the log file indicating this error). This is the most likely reason, mainly if you have only one authentication location.
Another possible reason is that there are several auth_basic directives, and they use different realms or passwords. This is the same for the WWW-Authenticate headers created by the application (say, if your backend application requests HTTP authentication in addition to Nginx). When a failure occurs in different areas or a password, your browser will ask for it again. There is no browser that I know about authentication on every URL, it is always a combination of realm + hostname.
If you need different spheres or passwords in different places, make sure that they do not overlap for one page (for example, if you use a different password for your assets: images, styles or javascript). Or use different hosts - a password will be requested once for each host / area combination.
Update
It is unusual to use 0.0.0.0 since server_name is listen 80; already forces your server to listen on all interfaces / IP addresses.
Use server_name _; if you want to use any host request.
Capilé
source share