Hi,
I have nginx as a reverse proxy. The proxy requires authentication with Authorization Basic.
I can access the proxied server fine, until it gets to the request /api/config/config_entries/flow.
The request from the browser contains an Authorization Bearer header, and the proxy refuses the request (code 401).
How can I make nginx pass the Bearer token and ignore it itself?
Nginx shows these logs:
2024/11/24 20:08:46 [info] 55109#100183: *26059 no user/password was provided for basic authentication, client: xxx.xxx.xxx.xxx, server: myserver.com, request: "POST /api/config/config_entries/flow HTTP/1.1", host: "myserver.com", referrer: "https://myserver.com/config/integrations/dashboard"
2024/11/24 20:08:46 [info] 55109#100183: *26059 delaying unauthorized request, client: xxx.xxx.xxx.xxx, server: myserver.com, request: "POST /api/config/config_entries/flow HTTP/1.1", host: "myserver.com", referrer: "https://myserver.com/config/integrations/dashboard"
2024/11/24 20:11:50 [info] 55109#100183: *26086 client closed connection while waiting for request, client: xxx.xxx.xxx.xxx, server: 0.0.0.0:443
My nginx.conf is:
server {
    listen 443 ssl;
    server_name myserver.com;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;

    ssl_certificate /path/fullchain.pem;
    ssl_certificate_key /path/privkey.pem;
    ssl_session_cache shared:SSL:1m;
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:DHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;

    # Basic auth is set at server level, so it applies to every location below.
    auth_basic "Nope";
    auth_basic_user_file htpasswd;
    auth_delay 5s;

    location / {
        proxy_pass http://proxied_server/;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # WebSocket upgrade headers
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
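Why the log says "no user/password was provided", shown as an added example that is not part of the original post and is not nginx's own code: a simplified Python model of a Basic-only check reading the single Authorization header. The user store, credentials and token value are constructed for the demo.

```python
import base64
import binascii
import hmac

# Constructed stand-in for the htpasswd file (plaintext only for the demo).
USERS = {"alice": "s3cret"}

def basic_auth_decision(authorization, users=USERS):
    """Return (status, reason) for a check that only understands Basic."""
    if not authorization:
        return 401, "no user/password was provided"
    scheme, _, payload = authorization.partition(" ")
    if scheme.lower() != "basic":
        # A Bearer token occupies the one Authorization header, so the
        # Basic check finds no credentials at all.
        return 401, "no user/password was provided"
    try:
        decoded = base64.b64decode(payload.strip(), validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError):
        return 401, "malformed basic credentials"
    user, sep, password = decoded.partition(":")
    if not sep or not user:
        return 401, "malformed basic credentials"
    expected = users.get(user)
    if expected is None or not hmac.compare_digest(expected.encode(), password.encode()):
        return 401, "user/password mismatch"
    return 200, "authenticated as " + user

def basic_header(user, password):
    """Build the header a browser sends after the Basic auth prompt."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()

# Constructed requests: page loads carry Basic, the API call carries Bearer.
SAMPLES = {
    "GET /config/integrations/dashboard": basic_header("alice", "s3cret"),
    "POST /api/config/config_entries/flow": "Bearer constructed.token.value",
    "GET / (no Authorization header)": None,
}

if __name__ == "__main__":
    for request, header in SAMPLES.items():
        print(request, "->", basic_auth_decision(header))
```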