Nginx reverse proxy - passthrough basic authentication


This exact situation took me forever to figure out, but OSS is like that I guess. This post is a year old so maybe the original poster figured it out, or gave up?

Anyway, the problem for me at least was caused by a few things:

  1. IIS expects the realm string to be the same as what it sent to Nginx, but if your Nginx server_name is listening on a different address than the upstream, then the server-side WWW-Authenticate is not going to be what IIS was expecting and it will be ignored.
  2. The built-in headers module doesn't clear the other WWW-Authenticate headers, particularly the problematic WWW-Authenticate: Negotiate. Using the headers-more module clears the old headers and adds whatever you tell it to.

After this, I was finally able to push SharePoint 2010 through Nginx.

Thanks, Stack Overflow.

    server {
        listen 80;
        server_name your.site.com;

        location / {
            proxy_http_version      1.1;
            proxy_pass_request_headers on;
            proxy_set_header        Host            $host;
            proxy_set_header        X-Real-IP       $remote_addr;
            proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
            #proxy_pass_header      Authorization; //This didn't work for me
            # Copy the client's Authorization header onto the proxied request (headers-more module)
            more_set_input_headers  'Authorization: $http_authorization';
            proxy_set_header        Accept-Encoding "";
            proxy_pass              https://sharepoint/;
            proxy_redirect          default;
            # This is what worked for me, but you need the headers-more mod
            more_set_headers        -s 401 'WWW-Authenticate: Basic realm="intranet.example.com"';
        }
    }
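
One way to check a captured 401 for the two conditions described in this answer (an added example, not part of the original answer): it lists every WWW-Authenticate challenge and flags any non-Basic scheme or a realm that differs from the expected one. The sample responses are constructed, the function names are hypothetical, and it assumes one challenge per header line.

```python
import re

# Constructed sample: a 401 as the upstream might send it, before the proxy.
UPSTREAM_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"WWW-Authenticate: Negotiate\r\n"
    b"WWW-Authenticate: NTLM\r\n"
    b'WWW-Authenticate: Basic realm="sharepoint"\r\n'
    b"Content-Length: 0\r\n\r\n"
)
# Constructed sample: the same response after more_set_headers -s 401 replaced the header.
PROXIED_401 = (
    b"HTTP/1.1 401 Unauthorized\r\n"
    b"Server: nginx\r\n"
    b'WWW-Authenticate: Basic realm="intranet.example.com"\r\n'
    b"Content-Length: 0\r\n\r\n"
)

REALM_RE = re.compile(r'realm="([^"]*)"', re.IGNORECASE)


def challenges(raw):
    """Return [(scheme, realm-or-None)] for each WWW-Authenticate header line."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    found = []
    for line in head.split("\r\n")[1:]:  # skip the status line
        name, _, value = line.partition(":")
        if name.strip().lower() != "www-authenticate":
            continue
        value = value.strip()
        scheme = value.split(None, 1)[0] if value else ""
        match = REALM_RE.search(value)
        found.append((scheme, match.group(1) if match else None))
    return found


def check_401(raw, expected_realm):
    """Flag non-Basic challenges, realm mismatches, and a missing Basic challenge."""
    problems = []
    seen = challenges(raw)
    for scheme, realm in seen:
        if scheme.lower() != "basic":
            problems.append(f"unexpected challenge: {scheme}")
        elif realm != expected_realm:
            problems.append(f"realm is {realm!r}, expected {expected_realm!r}")
    if not any(scheme.lower() == "basic" for scheme, _ in seen):
        problems.append("no Basic challenge present")
    return problems
```

Feed it the raw header bytes of a 401 captured on the client side of the proxy; an empty list means only the rewritten Basic challenge is left.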


I had these same symptoms with nginx/1.10.3. I have a service secured under basic authentication, and nginx as a reverse proxy between the clients and the server. The requirement was that nginx would pass through the authorization.

The first request to the server did pass through the Authorization header. The second request simply blocked this header, which meant the client was only able to make one request per session.

This was somehow related to cookies. If I cleared the browser cookies, then the cycle repeated. The client was able to authenticate but just for the first request. Closing the browser had the same effect.

The solution for me was to change the upstream server from https to http, using:

    proxy_pass http://$upstream;

instead of:

    proxy_pass https://$upstream;