Nginx

使用 Nginx 作為反向代理的 Tomcat 應用程序 (JIRA) 的基本身份驗證

  • October 21, 2019

我有幾個執行 Atlassian Tomcat 應用程序的子域(jira.example.com、confluence.example.com、stash.example.com),我想知道是否可以basic_auth使用.htpasswd.

Nginx 在沒有 basic_auth 指令的情況下可以正常工作,但是如果我嘗試在nginx.conf

user              nginx;
worker_processes  1;

error_log         /var/log/nginx/error.log;
pid               /var/run/nginx.pid;

events {
   worker_connections  1024;
}


http {

   include       /etc/nginx/mime.types;
   default_type  application/octet-stream;

   log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                     '"$status" $body_bytes_sent "$http_referer" '
                     '"$http_user_agent" "$http_x_forwarded_for"';

   access_log  /var/log/nginx/access.log  main;

   sendfile        on;
   #tcp_nopush     on;

   #keepalive_timeout  0;
   keepalive_timeout  65;

   #gzip  on;

   # Load config files from the /etc/nginx/conf.d directory
   include /etc/nginx/conf.d/*.conf;

   # Our self-signed cert
   ssl_certificate     /etc/ssl/certs/fissl.crt;
   ssl_certificate_key /etc/ssl/private/fissl.key;

   # Password
   auth_basic "Restricted";
   auth_basic_user_file /home/passwd/.htpasswd;

   # redirect non-ssl Confluence to ssl
   server {
       listen 80;
       server_name  confluence.example.com;
       rewrite ^(.*) https://confluence.example.com$1 permanent;
   }

   # redirect non-ssl Jira to ssl
   server {
       listen 80;
       server_name  jira.example.com;
       rewrite ^(.*) https://jira.example.com$1 permanent;
   }

   #
   # The Confluence server
   #
   server {
       listen       443;
       server_name  confluence.example.com;

       ssl on;

       access_log  /var/log/nginx/confluence.access.log  main;
       error_log   /var/log/nginx/confluence.error.log;

       location / {
           proxy_pass http://127.0.0.1:8080;
           proxy_set_header X-Forwarded-Proto  https;
           proxy_set_header Host $http_host;            
       }

       error_page  404              /404.html;
       location = /404.html {
          root   /usr/share/nginx/html;
       }

       redirect server error pages to the static page /50x.html

       error_page   500 502 503 504  /50x.html;
       location = /50x.html {
          root   /usr/share/nginx/html;
       }

   }

   #
   # The Jira server
   #
   server {
       listen       443;
       server_name  jira.example.com;

       ssl on;

       access_log  /var/log/nginx/jira.access.log  main;
       error_log   /var/log/nginx/jira.error.log;

       location / {
           proxy_pass http://127.0.0.1:9090/;
           proxy_set_header X-Forwarded-Proto  https;
           proxy_set_header Host $http_host;
       }

       error_page  404              /404.html;
       location = /404.html {
           root   /usr/share/nginx/html;
       }

       # redirect server error pages to the static page /50x.html
       #
       error_page   500 502 503 504  /50x.html;
       location = /50x.html {
           root   /usr/share/nginx/html;
       }

   }
}

..它要求提供憑據,但隨後返回一個

HTTP 狀態 401 - 基本身份驗證失敗 - 原因:AUTHENTICATION_DENIED

看起來有人設法通過 apache 作為反向代理執行來解決這個問題http://jira.10933.n7.nabble.com/mod-proxy-and-password-protecting-td17279.html但該執行緒中的那些連結已經死了.. .

編輯: 顯然這個問題可以在 Apache 添加tomcatAuthentication="false"和使用protocol="AJP/1.3"Tomcat 的 server.xml 連接器中輕鬆解決。或者您可以使用指令阻止 apache 轉發 auth RequestHeader unset authorization。問題是,如何用 Nginx 做到這一點?我想我必須研究更多..有什麼見解嗎?

好的,剛剛在nginx 郵件列表上找到了解決方案。我只需要告訴 nginx 不要將 auth 標頭轉發給 tomcat。在其中的位置塊中添加幾行就可以了nginx.conf

 location / {
       proxy_set_header X-Forwarded-Host $host;
       proxy_set_header X-Forwarded-Server $host;
       proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
       proxy_pass http://127.0.0.1:8090/;
       proxy_redirect off;

       # Password
       auth_basic "Restricted";
       auth_basic_user_file /home/passwd/.htpasswd;

       # Don't forward auth to Tomcat
       proxy_set_header   Authorization "";
   }

現在我只需要弄清楚如何防止 nginx 在每個子域(jira、confluence、stash 等)上請求身份驗證。只需為所有這些證書介紹一次就完美了,但這是另一個問題。

希望這可以幫助!

乾杯。

引用自:https://serverfault.com/questions/511846