What is a correct way(s) to allow login to an IIS site through a reverse proxy?
The problem is NTLM authentication (note WWW-Authenticate: NTLM ...
), AKA Windows Authentication.
NTLM authentication authenticates connections instead of requests, and this is somewhat contradicts HTTP protocol, which is expected to be stateless. As a result it doesn't generally work through proxies, including nginx.
Simplest solution would be to change authentication to "Basic" on IIS side. If this not an option for some reason, other possibilities include:
Use stream proxy as available in nginx 1.9.x. This will map connections from clients to upstream server, and thus NTLM authentication will work.
Use ntlm feature as available in commercial nginx version.
Note that there are some recommendations to use upstream with keepalive for NTLM authentication to work. These recommendations are incorrect and harmful - unless you are using the proxy for just one user. And the worst thing is that it may appear to work correctly. The problem is that keepalive connections to upstream server are kept in a common cache, and these connections can be used for all clients. So if there is an authenticated connection in the cache, an unrelated client who happens to use this connection will be able to bypass authentication.