When NGINX is action as a reverse proxy, i.e. performs HTTP (port) forwarding it requires additional configuration to correctly work with the SSO state machine.
For Apache and IIS it is described on pages 3-4 of the IOPLEX Jespa Operators Manual and is mentioned in our install instructions.
The page from Atlassian - Integrating JIRA with NGINX, can serve as a reference for general configuration of NGINX when used with Atlassian products.
The configuration requires an additional line (#8 in the example below) to be added. The purpose of the line - add a "Jespa-Connection-Id" header that has a value combining remote client's IP address and port.
Also Kerberos-based Single Sign-On can cause large header values being sent so line #11 is recommended
Once you reconfigured your NGINX this way the telltale sign of it working will be in jespa.log at log level 4 - see *bold values*, showing the remote client's IP address and port as opposed to proxy's one. Some values have been obscured with ****
2015-03-13 19:44:37: HttpSecurityService: C: GET /rest/mywork/latest/status/notification/count
2015-03-13 19:44:37: HttpSecurityService: Loading session state from session 592AF09B33C01304B1D068007FA41E93
2015-03-13 19:44:37: HttpSecurityService: Importing provider state
2015-03-13 19:44:37: HttpSecurityService: Authorization: NTLM TlRMTVNTUAABAAAAB4IIogAAAAAAAAAAAAAAAAAAAAAGAbEdAAAADw==
2015-03-13 19:44:37: HttpSecurityService: 172.16.9.39:62624: token.length=40
2015-03-13 19:44:37: HttpSecurityService: AuthContext: 172.16.9.39:62624