HTTP Basic Auth question

Russ Lavoy ussray_00 at
Thu May 9 19:55:22 UTC 2013


Sorry for the long delay.  

I have tried the following configuration which does not seem to work at all.

proxy_hide_header Authorization;

proxy_set_header Authorization "$remote_user";|

I can still sniff the traffic on lo and get the base64 user:pass.  The interesting thing is I do not see the Authorization header being sent to the django app whatsoever.  Is there a way I can totally remove the header even at the loop back level so it is not able to get intercepted?



----- Original Message -----

From: Francis Daly <francis at>
To: nginx at
Sent: Wednesday, May 1, 2013 4:45 PM
Subject: Re: HTTP Basic Auth question

On Wed, May 01, 2013 at 01:17:41PM -0400, B.R. wrote:

Hi there,

> To pass the nginx user to a fastcgi backend (PHP), I have to explicitly
> specify it using the following directive:
> fastcgi_param   MY_USER      $remote_user;
> I suppose you can do the same with proxy_pass?

That's how I'd do it -- probably proxy_set_header if the python
application is accessed using proxy_pass.

> I dunno how to remove an automatically forwarded parameter though... Maybe
> overwriting it with an empty string?

The password is in the http header Authorization, so using
proxy_hide_header to avoid sending that should be enough.

> On Wed, May 1, 2013 at 10:26 AM, Russ Lavoy <ussray_00 at> wrote:

> > I am running nginx as a reverse proxy to a python application.  I am
> > wondering how I would be able to pass ONLY the user account and not the
> > password.  Can this be done?

As above: how are the user and pass currently sent? It will be by
"fastcgi_pass" or "proxy_pass" or something similar. Use the matching
"_hide_header" directive on the correct header to avoid sending it.

How do you want the user to be sent? Use the variable $remote_user and
the matching "_set_header" or "_param" directive to send the provided

Francis Daly        francis at

nginx mailing list
nginx at

More information about the nginx mailing list