使用Nginx作为反向代理的Tomcat应用程序(JIRA)的基本身份验证

前端之家收集整理的这篇文章主要介绍了使用Nginx作为反向代理的Tomcat应用程序(JIRA)的基本身份验证前端之家小编觉得挺不错的,现在分享给大家,也给大家做个参考。

我有几个子域运行Atlassian Tomcat应用程序(jira.example.com,confluence.example.com,stash.example.com),我想知道是否可以使用.htpasswd使用basic_auth密码保护所有这些应用程序.

Nginx在没有basic_auth指令的情况下工作正常,但如果我尝试在Nginx.conf中这样介绍它…

user              Nginx;
worker_processes  1;

error_log         /var/log/Nginx/error.log;
pid               /var/run/Nginx.pid;

events {
    worker_connections  1024;
}


http {

    include       /etc/Nginx/mime.types;
    default_type  application/octet-stream;

    log_format  main  '$remote_addr - $remote_user [$time_local] $request '
                      '"$status" $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for"';

    access_log  /var/log/Nginx/access.log  main;

    sendfile        on;
    #tcp_nopush     on;

    #keepalive_timeout  0;
    keepalive_timeout  65;

    #gzip  on;

    # Load config files from the /etc/Nginx/conf.d directory
    include /etc/Nginx/conf.d/*.conf;

    # Our self-signed cert
    ssl_certificate     /etc/ssl/certs/fissl.crt;
    ssl_certificate_key /etc/ssl/private/fissl.key;

    # Password
    auth_basic "Restricted";
    auth_basic_user_file /home/passwd/.htpasswd;

    # redirect non-ssl Confluence to ssl
    server {
        listen 80;
        server_name  confluence.example.com;
        rewrite ^(.*) https://confluence.example.com$1 permanent;
    }

    # redirect non-ssl Jira to ssl
    server {
        listen 80;
        server_name  jira.example.com;
        rewrite ^(.*) https://jira.example.com$1 permanent;
    }

    #
    # The Confluence server
    #
    server {
        listen       443;
        server_name  confluence.example.com;

        ssl on;

        access_log  /var/log/Nginx/confluence.access.log  main;
        error_log   /var/log/Nginx/confluence.error.log;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Forwarded-Proto  https;
            proxy_set_header Host $http_host;            
        }

        error_page  404              /404.html;
        location = /404.html {
           root   /usr/share/Nginx/html;
        }

        redirect server error pages to the static page /50x.html

        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
           root   /usr/share/Nginx/html;
        }

    }

    #
    # The Jira server
    #
    server {
        listen       443;
        server_name  jira.example.com;

        ssl on;

        access_log  /var/log/Nginx/jira.access.log  main;
        error_log   /var/log/Nginx/jira.error.log;

        location / {
            proxy_pass http://127.0.0.1:9090/;
            proxy_set_header X-Forwarded-Proto  https;
            proxy_set_header Host $http_host;
        }

        error_page  404              /404.html;
        location = /404.html {
            root   /usr/share/Nginx/html;
        }

        # redirect server error pages to the static page /50x.html
        #
        error_page   500 502 503 504  /50x.html;
        location = /50x.html {
            root   /usr/share/Nginx/html;
        }

    }
}

.. ..要求凭证,但然后它返回一个

HTTP Status 401 – Basic Authentication Failure – Reason :
AUTHENTICATION_DENIED

http://oi43.tinypic.com/30l1c2u.jpg

看起来有人设法通过作为反向代理http://jira.10933.n7.nabble.com/mod-proxy-and-password-protecting-td17279.html运行的apache来修复此问题,但该线程中的那些链接已经死了……

编辑:
显然,在Apache添加tomcatAuthentication =“false”并在Tomcat的server.xml连接器中使用protocol =“AJP / 1.3”时,可以轻松解决此问题.或者,您可以使用指令RequestHeader unset authorization阻止apache转发auth.事情是,如何用Nginx做到这一点?我想我必须研究更多……任何见解?

最佳答案
好的,刚刚在nginx mailing list上找到了解决方案.我只是告诉Nginx不要将auth头转发给tomcat.在Nginx.conf中向位置块添加几行就可以了:

  location / {
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Server $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass http://127.0.0.1:8090/;
        proxy_redirect off;

        # Password
        auth_basic "Restricted";
        auth_basic_user_file /home/passwd/.htpasswd;

        # Don't forward auth to Tomcat
        proxy_set_header   Authorization "";
    }

现在我只需要弄清楚如何防止Nginx在每个子域(jira,confluence,stash等)上要求auth.必须为所有这些证书仅提供一次凭证将是完美的,但这是另一个问题.

希望这可以帮助!

干杯.

猜你在找的Nginx相关文章