使用 Nginx 作為反向代理的 Tomcat 應用程序 (JIRA) 的基本身份驗證
我有幾個執行 Atlassian Tomcat 應用程序的子域(jira.example.com、confluence.example.com、stash.example.com),我想知道是否可以
basic_auth
使用.htpasswd
.Nginx 在沒有 basic_auth 指令的情況下可以正常工作,但是如果我嘗試在
nginx.conf
…user nginx; worker_processes 1; error_log /var/log/nginx/error.log; pid /var/run/nginx.pid; events { worker_connections 1024; } http { include /etc/nginx/mime.types; default_type application/octet-stream; log_format main '$remote_addr - $remote_user [$time_local] $request ' '"$status" $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for"'; access_log /var/log/nginx/access.log main; sendfile on; #tcp_nopush on; #keepalive_timeout 0; keepalive_timeout 65; #gzip on; # Load config files from the /etc/nginx/conf.d directory include /etc/nginx/conf.d/*.conf; # Our self-signed cert ssl_certificate /etc/ssl/certs/fissl.crt; ssl_certificate_key /etc/ssl/private/fissl.key; # Password auth_basic "Restricted"; auth_basic_user_file /home/passwd/.htpasswd; # redirect non-ssl Confluence to ssl server { listen 80; server_name confluence.example.com; rewrite ^(.*) https://confluence.example.com$1 permanent; } # redirect non-ssl Jira to ssl server { listen 80; server_name jira.example.com; rewrite ^(.*) https://jira.example.com$1 permanent; } # # The Confluence server # server { listen 443; server_name confluence.example.com; ssl on; access_log /var/log/nginx/confluence.access.log main; error_log /var/log/nginx/confluence.error.log; location / { proxy_pass http://127.0.0.1:8080; proxy_set_header X-Forwarded-Proto https; proxy_set_header Host $http_host; } error_page 404 /404.html; location = /404.html { root /usr/share/nginx/html; } redirect server error pages to the static page /50x.html error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } # # The Jira server # server { listen 443; server_name jira.example.com; ssl on; access_log /var/log/nginx/jira.access.log main; error_log /var/log/nginx/jira.error.log; location / { proxy_pass http://127.0.0.1:9090/; proxy_set_header X-Forwarded-Proto https; proxy_set_header Host $http_host; } error_page 404 /404.html; location = /404.html { root /usr/share/nginx/html; } # redirect server error pages to the static page /50x.html # error_page 500 502 503 504 /50x.html; location = /50x.html { root /usr/share/nginx/html; } } }
..它要求提供憑據,但隨後返回一個
HTTP 狀態 401 - 基本身份驗證失敗 - 原因:AUTHENTICATION_DENIED
看起來有人設法通過 apache 作為反向代理執行來解決這個問題http://jira.10933.n7.nabble.com/mod-proxy-and-password-protecting-td17279.html但該執行緒中的那些連結已經死了.. .
編輯: 顯然這個問題可以在 Apache 添加
tomcatAuthentication="false"
和使用protocol="AJP/1.3"
Tomcat 的 server.xml 連接器中輕鬆解決。或者您可以使用指令阻止 apache 轉發 authRequestHeader unset authorization
。問題是,如何用 Nginx 做到這一點?我想我必須研究更多..有什麼見解嗎?
好的,剛剛在nginx 郵件列表上找到了解決方案。我只需要告訴 nginx 不要將 auth 標頭轉發給 tomcat。在其中的位置塊中添加幾行就可以了
nginx.conf
:location / { proxy_set_header X-Forwarded-Host $host; proxy_set_header X-Forwarded-Server $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_pass http://127.0.0.1:8090/; proxy_redirect off; # Password auth_basic "Restricted"; auth_basic_user_file /home/passwd/.htpasswd; # Don't forward auth to Tomcat proxy_set_header Authorization ""; }
現在我只需要弄清楚如何防止 nginx 在每個子域(jira、confluence、stash 等)上請求身份驗證。只需為所有這些證書介紹一次就完美了,但這是另一個問題。
希望這可以幫助!
乾杯。