> What actual requests are made that are challenged for
> authentication? Check your access_log for http 401.
>
> At a guess, it is just /analytics/piwik.js that you care about here.
>
> So: add
>
> location = /analytics/piwik.js {auth_basic off;}
>
> inside your "location /analytics {}" block.
>
> (This will try to serve the file "/var/www/piwik//piwik.js", given the
> above configuration.)

Wow. I feel so dumb. That worked perfectly! Below is the config I'm using to turn off authentication for piwik.js as well as .php files.

location /analytics {
alias /var/www/piwik/;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/pass;
try_files $uri $uri/ /index.php;
location = /analytics/piwik.js{
auth_basic off;
}
location ~* ^/analytics(.+\.php)$ {
auth_basic off;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_pass unix:/var/run/php5-fpm.sock;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
include fastcgi_params;
}
}

Thank you!!!