
Below is my nginx configuration file for Jenkins. Most of it is exactly as I've read in the documentation.

Config file:

# Jenkins (Jetty) listening on the local loopback interface
upstream app_server {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {
    listen 80;
    listen [::]:80 default ipv6only=on;
    server_name sub.mydomain.net;

    # Everything under /jenkins/ is proxied to Jenkins
    location ^~ /jenkins/ {

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $http_host;
        proxy_redirect off;

        if (!-f $request_filename) {
            proxy_pass http://app_server;
            break;
        }

        # HTTP basic auth enforced by nginx itself for this location
        auth_basic "[....] Please confirm identity...";
        auth_basic_user_file /etc/nginx/.htpasswd;
    }

}

When navigating to http://sub.mydomain.net/jenkins I get prompted for my basic auth with Server says: [....] Please confirm identity....

This is correct, but as soon as I enter the proper credentials I then get PROMPTED AGAIN for basic auth, but this time: Server says: Jenkins.

Where is this second hidden basic_auth coming from?! It's not making any sense to me.

Hitting CANCEL on the first prompt I then correctly receive a 401 authorization required error.

Hitting CANCEL on the second basic auth ("Server says: Jenkins") I get:

HTTP ERROR 401

Problem accessing /jenkins/. Reason:

Invalid password/token for user: _____
Powered by Jetty://

Does anyone know what's possibly going on?

skålfyfan
2 Answers


Found the solution to my issue by searching for Nginx used as a reverse proxy for any other application with basic_auth.

Solution was the answer found here: https://serverfault.com/questions/511846/basic-auth-for-a-tomcat-app-jira-with-nginx-as-reverse-proxy

The line I was missing from my nginx configuration was:

 # Don't forward auth to Tomcat
 proxy_set_header   Authorization "";

By default, it appears that after basic auth Nginx will additionally forward the auth headers to Jenkins and this is what was leading to my issue. Jenkins receives the forwarded auth headers and then thinks it needs to authorize itself too?!

If we set our reverse proxy to not forward any authorization headers as shown above then everything works as it should. Nginx will prompt basic_auth and after successful auth we explicitly clear (reset?) the auth headers when forwarding to our reverse proxy.

skålfyfan
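As an added example (not the asker's config, not the config from the linked Server Fault answer, and not Jenkins' own documentation), here is the same location written out with the fix applied. The hostname, upstream address and htpasswd path are the placeholders from the question; the X-Real-IP and X-Forwarded-Proto headers are an assumption about what a typical deployment wants and are not required for the fix itself.

```nginx
# Added example: nginx terminates HTTP basic auth for Jenkins and does NOT
# forward the client's credentials upstream. Names and paths are the
# placeholders from the question, not a real deployment.
upstream jenkins_upstream {
    server 127.0.0.1:8080 fail_timeout=0;
}

server {
    listen 80;
    listen [::]:80;
    server_name sub.mydomain.net;

    location ^~ /jenkins/ {
        # 1. nginx challenges the client. Browsers show this realm string
        #    in the first (and, after the fix, only) password prompt.
        auth_basic           "Please confirm identity";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # 2. Headers Jenkins uses to see the original host and client.
        proxy_set_header Host              $http_host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # 3. The fix from the accepted answer. An empty value makes nginx
        #    drop the header entirely, so the "Authorization: Basic ..."
        #    line carrying the htpasswd credentials never reaches Jenkins.
        #    Without this, Jenkins tries to validate those credentials
        #    against its own security realm, fails, and answers with its
        #    own 401 + WWW-Authenticate: Basic realm="Jenkins", which is
        #    the second prompt described in the question.
        proxy_set_header Authorization "";

        proxy_redirect off;
        proxy_pass     http://jenkins_upstream;
    }
}
```

Two things to check when applying this. First, nginx only inherits proxy_set_header directives from the enclosing block when the current block defines none of its own, so the Authorization line has to sit in the same block as the other proxy_set_header lines; putting it at server level while the location keeps its own headers silently leaves the credentials forwarded. Second, with the header stripped every request arrives at Jenkins anonymous: browser users can still log in to Jenkins through its own login form (that uses a session cookie, not the Authorization header), but API clients and the Jenkins CLI, which send user:API-token in the Authorization header, cannot authenticate through this location. A quick verification is curl -i http://sub.mydomain.net/jenkins/ (expect one 401 from nginx) and then the same request with -u user:pass (expect no second 401 with realm="Jenkins").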

I had this issue as well; in my case it was caused by having security enabled in Jenkins itself, and disabling security resolved the issue.

According to their docs:

If you do access control in Apache, do not enable security in Jenkins, as those two things will interfere with each other.

https://wiki.jenkins-ci.org/display/JENKINS/Apache+frontend+for+security

What seems to be happening is that nginx forwards the auth_basic response to jenkins, which attempts to perform auth_basic in response. I have not yet found a satisfying solution to the issue.

Ohm
  • Thanks for the response! As you'll see below I found the resolution to our issue, but I think your doc link may actually prove to show future issues and glad for the insight. Preceding your doc link it says, "This approach is suitable if the access control need is simplistic (such as hiding Jenkins from everyone but a few people), but it tends to break down if you start doing more complex set up...." - which is what we're going for? I want to allow people in the org to still access Jenkins (through nginx basic auth), but not modify it. – skålfyfan Feb 26 '16 at 23:56