When NGINX acts as a reverse proxy, i.e. performs HTTP (port) forwarding it requires additional configuration to correctly work with the SSO state machine.
If you are running Apache - see Configuring Apache as a reverse proxy for EasySSO. If you are running IIS - see Configuring IIS as reverse proxy for EasySSO.
The page from Atlassian - Integrating JIRA with NGINX, can serve as a reference for the general configuration of NGINX when used with Atlassian products.
The configuration requires an additional line (#9 in the example below) to be added. The purpose of the line - add a "Jespa-Connection-Id" header that has a value combining the remote client's IP address and port.
Also, Kerberos-based Single Sign-On can cause large header values to be sent so line #4 is recommended.
server {
listen www.atlassian.com:80;
server_name www.atlassian.com;
large_client_header_buffers 4 32k;
location /jira {
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header Jespa-Connection-Id $remote_addr:$remote_port;
proxy_pass http://jira-hostname:8080/jira;
client_max_body_size 10M;
}
}Once you reconfigured your NGINX this way the telltale sign of it working will be in jespa.log at log level 4 - see *bold values*, showing the remote client's IP address and port as opposed to the proxy's one. Some values have been obscured with ****
2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count
2015-03-13 19:44:37: HttpSecurityService: Request Headers: host=********* | x-requested-with=XMLHttpRequest | accept=application/json, text/javascript, /; q=0.01 | referer=******* | accept-language=en-AU | accept-encoding=gzip, deflate | user-agent=Mozilla/5.0 (compatible; MSIE 10.0; Windows NT 6.1; WOW64; Trident/6.0) | dnt=1 | cookie=confluence-sidebar.width=55; confluence.browse.space.cookie=space-blogposts; JSESSIONID=592AF09B33C01304B1D068007FA41E93 | authorization=NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw== | jespa-connection-id=172.16.9.39:62624 | x-forwarded-for=172.16.9.39 | x-forwarded-host=******* | x-forwarded-server=******** | connection=Keep-Alive
2015-03-13 19:44:37: HttpSecurityService: Loading session state from session 592AF09B33C01304B1D068007FA41E93
2015-03-13 19:44:37: HttpSecurityService: Importing provider state
2015-03-13 19:44:37: HttpSecurityService: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40
2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624