- Bug
- Resolution: Duplicate
- Minor
- None
Jenkins 1.642.2, plugin version 1.5
We're running Jenkins behind an instance of bitly's oauth2_proxy, to control access using Google accounts. We recently updated to a newer version, and as soon as security was enabled we got an NPE from the plugin:
    java.lang.NullPointerException
        at org.jenkinsci.plugins.reverse_proxy_auth.ReverseProxySecurityRealm$1.doFilter(ReverseProxySecurityRealm.java:435)
        at hudson.security.HudsonFilter.doFilter(HudsonFilter.java:171)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        at org.kohsuke.stapler.compression.CompressionFilter.doFilter(CompressionFilter.java:49)
        at org.eclipse.jetty.servlet.ServletHandler$CachedChain.doFilter(ServletHandler.java:1482)
        ...
Looking at the code, it became clear that the proxy was sending a basic auth header, as well as the X-Forwarded ones, which caused the error after looking up a non-existent user.
I'm reporting this as a bug because of the NPE, but I don't really know what the "correct" behaviour should be. Obviously, from my perspective, I'd prefer the duff header to be ignored, and the other headers used. But I can accept the viewpoint that if the header is sent, and invalid, it is treated as an unauthorised request.
Please let me know if you need any more info.
- duplicates: JENKINS-32909 Reverse proxy auth plugin v1.5 gives NullPointerException (Resolved)
- is duplicated by: JENKINS-32909 Reverse proxy auth plugin v1.5 gives NullPointerException (Resolved)
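
Added example, not the plugin's code: a null-safe way to resolve a request that carries both a Basic auth header and a forwarded-user header, with the two behaviours the report mentions (ignore the invalid Basic header, or treat the request as unauthorised) made an explicit policy. The class, the `Policy` enum, the `USERS` map and the `X-Forwarded-User` header name are assumptions for illustration.

```java
import java.nio.charset.StandardCharsets;
import java.security.MessageDigest;
import java.util.Base64;
import java.util.Map;
import java.util.Optional;

public class ProxyHeaderAuthDemo {
    enum Policy { IGNORE_INVALID_BASIC, REJECT_INVALID_BASIC }
    // Hypothetical user store standing in for the realm's lookup; get() returns null for unknown users.
    static final Map<String, String> USERS = Map.of("alice", "s3cret");

    // Returns the authenticated user name, or empty when the request must be treated as unauthorised.
    static Optional<String> resolveUser(Map<String, String> headers, Policy policy) {
        String auth = headers.get("Authorization");
        if (auth != null && auth.regionMatches(true, 0, "Basic ", 0, 6)) {
            Optional<String> basicUser = checkBasic(auth.substring(6).trim());
            if (basicUser.isPresent()) return basicUser;
            // Fail closed: a Basic header that does not verify ends the request here.
            if (policy == Policy.REJECT_INVALID_BASIC) return Optional.empty();
        }
        // Fall back to the proxy-supplied identity (assumed header name); blank counts as absent.
        return Optional.ofNullable(headers.get("X-Forwarded-User")).filter(s -> !s.isBlank());
    }

    static Optional<String> checkBasic(String b64) {
        String decoded;
        try {
            decoded = new String(Base64.getDecoder().decode(b64), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            return Optional.empty(); // malformed base64 is an invalid header, not a crash
        }
        int colon = decoded.indexOf(':');
        if (colon < 0) return Optional.empty();
        String name = decoded.substring(0, colon);
        String expected = USERS.get(name); // unknown user yields null: check before dereferencing
        if (expected == null) return Optional.empty();
        boolean ok = MessageDigest.isEqual(expected.getBytes(StandardCharsets.UTF_8),
                decoded.substring(colon + 1).getBytes(StandardCharsets.UTF_8));
        return ok ? Optional.of(name) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed request: Basic header for a non-existent user plus a forwarded identity.
        String bogus = "Basic " + Base64.getEncoder().encodeToString("ghost:x".getBytes(StandardCharsets.UTF_8));
        Map<String, String> req = Map.of("Authorization", bogus, "X-Forwarded-User", "alice");
        System.out.println(resolveUser(req, Policy.IGNORE_INVALID_BASIC));
        System.out.println(resolveUser(req, Policy.REJECT_INVALID_BASIC));
    }
}
```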