我有几个子域运行Atlassian Tomcat应用程序(jira.example.com,confluence.example.com,stash.example.com),我想知道是否可以使用.htpasswd使用basic_auth密码保护所有这些应用程序.
Nginx在没有basic_auth指令的情况下工作正常,但如果我尝试在Nginx.conf中这样介绍它…
user Nginx;
worker_processes 1;
error_log /var/log/Nginx/error.log;
pid /var/run/Nginx.pid;
events {
worker_connections 1024;
}
http {
include /etc/Nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] $request '
'"$status" $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log /var/log/Nginx/access.log main;
sendfile on;
#tcp_nopush on;
#keepalive_timeout 0;
keepalive_timeout 65;
#gzip on;
# Load config files from the /etc/Nginx/conf.d directory
include /etc/Nginx/conf.d/*.conf;
# Our self-signed cert
ssl_certificate /etc/ssl/certs/fissl.crt;
ssl_certificate_key /etc/ssl/private/fissl.key;
# Password
auth_basic "Restricted";
auth_basic_user_file /home/passwd/.htpasswd;
# redirect non-ssl Confluence to ssl
server {
listen 80;
server_name confluence.example.com;
rewrite ^(.*) https://confluence.example.com$1 permanent;
}
# redirect non-ssl Jira to ssl
server {
listen 80;
server_name jira.example.com;
rewrite ^(.*) https://jira.example.com$1 permanent;
}
#
# The Confluence server
#
server {
listen 443;
server_name confluence.example.com;
ssl on;
access_log /var/log/Nginx/confluence.access.log main;
error_log /var/log/Nginx/confluence.error.log;
location / {
proxy_pass http://127.0.0.1:8080;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/Nginx/html;
}
redirect server error pages to the static page /50x.html
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/Nginx/html;
}
}
#
# The Jira server
#
server {
listen 443;
server_name jira.example.com;
ssl on;
access_log /var/log/Nginx/jira.access.log main;
error_log /var/log/Nginx/jira.error.log;
location / {
proxy_pass http://127.0.0.1:9090/;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header Host $http_host;
}
error_page 404 /404.html;
location = /404.html {
root /usr/share/Nginx/html;
}
# redirect server error pages to the static page /50x.html
#
error_page 500 502 503 504 /50x.html;
location = /50x.html {
root /usr/share/Nginx/html;
}
}
}
.. ..要求凭证,但然后它返回一个
HTTP Status 401 – Basic Authentication Failure – Reason :
AUTHENTICATION_DENIED
http://oi43.tinypic.com/30l1c2u.jpg
看起来有人设法通过作为反向代理http://jira.10933.n7.nabble.com/mod-proxy-and-password-protecting-td17279.html运行的apache来修复此问题,但该线程中的那些链接已经死了……
编辑:
显然,在Apache添加tomcatAuthentication =“false”并在Tomcat的server.xml连接器中使用protocol =“AJP / 1.3”时,可以轻松解决此问题.或者,您可以使用指令RequestHeader unset authorization阻止apache转发auth.事情是,如何用Nginx做到这一点?我想我必须研究更多……任何见解?
最佳答案
好的,刚刚在nginx mailing list上找到了解决方案.我只是告诉Nginx不要将auth头转发给tomcat.在Nginx.conf中向位置块添加几行就可以了:
location / {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://127.0.0.1:8090/;
proxy_redirect off;
# Password
auth_basic "Restricted";
auth_basic_user_file /home/passwd/.htpasswd;
# Don't forward auth to Tomcat
proxy_set_header Authorization "";
}
现在我只需要弄清楚如何防止Nginx在每个子域(jira,confluence,stash等)上要求auth.必须为所有这些证书仅提供一次凭证将是完美的,但这是另一个问题.
希望这可以帮助!
干杯.