diff --git a/devenv/docker/blocks/auth/nginx_proxy/Dockerfile b/devenv/docker/blocks/auth/nginx_proxy/Dockerfile
deleted file mode 100644
index d781d286364..00000000000
--- a/devenv/docker/blocks/auth/nginx_proxy/Dockerfile
+++ /dev/null
@@ -1,4 +0,0 @@
-FROM nginx:1.19.3-alpine
-
-COPY nginx.conf /etc/nginx/nginx.conf
-COPY htpasswd /etc/nginx/htpasswd
diff --git a/devenv/docker/blocks/auth/nginx_proxy/docker-compose.yaml b/devenv/docker/blocks/auth/nginx_proxy/docker-compose.yaml
index 8fefdd0cf32..56421e3ccc2 100644
--- a/devenv/docker/blocks/auth/nginx_proxy/docker-compose.yaml
+++ b/devenv/docker/blocks/auth/nginx_proxy/docker-compose.yaml
@@ -5,5 +5,11 @@
 # root_url = %(protocol)s://%(domain)s:10080/grafana/
 nginxproxy:
- build: docker/blocks/auth/nginx_proxy
- network_mode: host
+ image: nginx:1.24-alpine
+ volumes:
+ - "./docker/blocks/auth/nginx_proxy/nginx.conf:/etc/nginx/nginx.conf"
+ - "./docker/blocks/auth/nginx_proxy/htpasswd:/etc/nginx/htpasswd"
+ ports:
+ - "8090:8090"
+ extra_hosts:
+ - "host.docker.internal:host-gateway"
diff --git a/devenv/docker/blocks/auth/nginx_proxy/nginx.conf b/devenv/docker/blocks/auth/nginx_proxy/nginx.conf
index 860d3d0b89f..7805926d451 100644
--- a/devenv/docker/blocks/auth/nginx_proxy/nginx.conf
+++ b/devenv/docker/blocks/auth/nginx_proxy/nginx.conf
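Review bot: The context comment `# root_url = %(protocol)s://%(domain)s:10080/grafana/` above the service is now stale, since the proxy is published on `8090:8090` here and listens on 8090 in nginx.conf; update it to `# root_url = %(protocol)s://%(domain)s:8090/grafana/`. Both bind mounts give the container a writable view of nginx.conf and htpasswd that it never needs to write; append `:ro` to each mount string, e.g. `- "./docker/blocks/auth/nginx_proxy/htpasswd:/etc/nginx/htpasswd:ro"`, so the credential file on the host cannot be altered from inside the container. `8090:8090` binds on every interface; for a devenv that ships a checked-in htpasswd, `127.0.0.1:8090:8090` is the safer default unless access from other hosts is intended.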
@@ -4,14 +4,20 @@ http {
 sendfile on;
 proxy_redirect off;
- proxy_set_header Host $host;
+ proxy_set_header Host $host:$server_port;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Host $server_name;
 server {
- listen 10080;
+ listen 8090;
+ ###############################################################
+ # Location is under the sub path /grafana/. We need to update the
+ # config.ini file accordingly.
+ # [server]
+ # root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/
+ ###############################################################
 location /grafana/ {
 ################################################################
 # Enable these settings to test with basic auth and an auth proxy header
@@ -19,8 +25,10 @@ http {
 # user1: grafana and user2: grafana
 ################################################################
- # auth_basic "Restricted Content";
- # auth_basic_user_file /etc/nginx/htpasswd;
+ auth_basic "Restricted Content";
+ auth_basic_user_file /etc/nginx/htpasswd;
+ # Remove the authentication header meant for NGINX
+ proxy_set_header "Authorization" "";
 ################################################################
 # To use the auth proxy header, set the following in custom.ini:
@@ -28,11 +36,12 @@ http {
 # enabled = true
 # header_name = X-WEBAUTH-USER
 # header_property = username
+ # enable_login_token = false
 ################################################################
- # proxy_set_header X-WEBAUTH-USER $remote_user;
+ proxy_set_header X-WEBAUTH-USER $remote_user;
- proxy_pass http://localhost:3000/;
+ proxy_pass http://host.docker.internal:3000/;
 }
 }
-}
+}
\ No newline at end of file
diff --git a/devenv/docker/blocks/auth/nginx_proxy/nginx_login_only.conf b/devenv/docker/blocks/auth/nginx_proxy/nginx_login_only.conf
index 6044efd88e3..0abb3854e69 100644
--- a/devenv/docker/blocks/auth/nginx_proxy/nginx_login_only.conf
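Review bot: The `Host $host:$server_port` rewrite and the other three http-level `proxy_set_header` lines stop reaching Grafana once this commit uncomments `proxy_set_header "Authorization" ""` and `proxy_set_header X-WEBAUTH-USER $remote_user` inside `location /grafana/`: nginx inherits `proxy_set_header` from the enclosing level only when the current level defines none, so the location now sends just the two headers it declares and drops Host, X-Real-IP and the two X-Forwarded-* headers (this applies to hunks 1, 2 and 3 together; the `http {` block itself starts outside the hunk). Before the change those location-level directives were comments, so inheritance still applied and the headers were sent. The fix is to repeat the four headers inside the location, as in the excerpt below. Separately, the new hint `root_url = %(protocol)s://%(domain)s:%(http_port)s/grafana/` expands `%(http_port)s` to Grafana's own `[server] http_port` (the 3000 that `proxy_pass` targets) rather than the proxy's `listen 8090`, so `# root_url = %(protocol)s://%(domain)s:8090/grafana/` is what matches this file unless http_port is itself set to 8090.
```nginx
    location /grafana/ {
      # … unchanged: basic-auth / auth-proxy hint comments …
      auth_basic "Restricted Content";
      auth_basic_user_file /etc/nginx/htpasswd;
      # proxy_set_header is not inherited from the http level once any
      # directive is declared here, so the shared headers must be repeated.
      proxy_set_header Host $host:$server_port;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
      proxy_set_header X-Forwarded-Host $server_name;
      # Remove the authentication header meant for NGINX
      proxy_set_header "Authorization" "";
      # … unchanged: X-WEBAUTH-USER and proxy_pass …
```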
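Review bot: `proxy_set_header X-WEBAUTH-USER $remote_user;` is now always sent for `/grafana/`, and the adjacent hint enables `[auth.proxy]`, but the `proxy_pass http://host.docker.internal:3000/` target shows Grafana is still listening on the host itself, so a client that reaches :3000 without passing through nginx can present its own `X-WEBAUTH-USER` unless Grafana's `[auth.proxy]` `whitelist` restricts the source addresses the header is accepted from. The hint block should carry that line next to `enable_login_token = false`, e.g. `# whitelist = <nginx container address>` (placeholder), so the snippet developers copy is closed by default. On the nginx path the header is trustworthy, since `auth_basic` in hunk 2 means `$remote_user` is only populated after a successful credential check and `proxy_set_header` replaces any client-supplied value. The closing `}` now lacks a trailing newline (`\ No newline at end of file`); restore it.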
+++ b/devenv/docker/blocks/auth/nginx_proxy/nginx_login_only.conf
@@ -10,7 +10,7 @@ http {
 proxy_set_header X-Forwarded-Host $server_name;
 server {
- listen 10080;
+ listen 8090;
 location /grafana/ {
 ################################################################
@@ -26,17 +26,18 @@ http {
 # enabled = true
 # header_name = X-WEBAUTH-USER
 # header_property = username
+ # enable_login_token = true
 ################################################################
 location /grafana/login {
 auth_basic "Restricted Content";
 auth_basic_user_file /etc/nginx/htpasswd;
 proxy_set_header X-WEBAUTH-USER $remote_user;
- proxy_pass http://localhost:3000/login;
+ proxy_pass http://host.docker.internal:3000/login;
 }
 proxy_set_header Authorization "";
- proxy_pass http://localhost:3000/;
+ proxy_pass http://host.docker.internal:3000/;
 }
 }
 }
diff --git a/packages/grafana-data/src/types/config.ts b/packages/grafana-data/src/types/config.ts
index 12ed9138ed8..fc6a5fec548 100644
--- a/packages/grafana-data/src/types/config.ts
+++ b/packages/grafana-data/src/types/config.ts
@@ -240,4 +240,5 @@ export interface AuthSettings {
 GoogleSkipOrgRoleSync?: boolean;
 GenericOAuthSkipOrgRoleSync?: boolean;
 DisableSyncLock?: boolean;
+ AuthProxyEnableLoginToken?: boolean;
 }
diff --git a/pkg/api/dtos/frontend_settings.go b/pkg/api/dtos/frontend_settings.go
index f551121de8f..51316aba193 100644
--- a/pkg/api/dtos/frontend_settings.go
+++ b/pkg/api/dtos/frontend_settings.go
@@ -18,6 +18,7 @@ type FrontendSettingsAuthDTO struct {
 GitLabSkipOrgRoleSync bool `json:"GitLabSkipOrgRoleSync"`
 OktaSkipOrgRoleSync bool `json:"OktaSkipOrgRoleSync"`
 DisableSyncLock bool `json:"DisableSyncLock"`
+ AuthProxyEnableLoginToken bool `json:"AuthProxyEnableLoginToken"`
 }
 type FrontendSettingsBuildInfoDTO struct {
diff --git a/pkg/api/dtos/models.go b/pkg/api/dtos/models.go
index b092cc75022..b1154cfe401 100644
--- a/pkg/api/dtos/models.go
+++ b/pkg/api/dtos/models.go
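Review bot: The outer `location /grafana/` only clears `Authorization` before `proxy_pass http://host.docker.internal:3000/`, and nginx forwards every other client header unchanged, so on the non-login paths this file intends to authenticate by login token alone a client-supplied `X-WEBAUTH-USER` reaches Grafana untouched; unless the part of the block above the hunk already does so, add `proxy_set_header X-WEBAUTH-USER "";` beside `proxy_set_header Authorization "";` so that only the `/grafana/login` location ever sets it. The nested `/grafana/login` location declares its own `proxy_set_header`, which under nginx's inheritance rule means the outer `Authorization ""` (and the http-level Host/X-Forwarded-* headers) do not apply there, so the basic-auth credentials meant for nginx are forwarded to Grafana on /login; repeating `proxy_set_header Authorization "";` inside that location keeps them out. The enclosing `location /grafana/` block starts outside the hunk.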
@@ -46,6 +46,7 @@ type CurrentUser struct {
 Language string `json:"language"`
 HelpFlags1 user.HelpFlags1 `json:"helpFlags1"`
 HasEditPermissionInFolders bool `json:"hasEditPermissionInFolders"`
+ AuthenticatedBy string `json:"authenticatedBy"`
 Permissions UserPermissionsMap `json:"permissions,omitempty"`
 Analytics AnalyticsSettings `json:"analytics"`
 }
diff --git a/pkg/api/frontendsettings.go b/pkg/api/frontendsettings.go
index 0d62d559679..a90ce8c6308 100644
--- a/pkg/api/frontendsettings.go
+++ b/pkg/api/frontendsettings.go
@@ -166,6 +166,7 @@ func (hs *HTTPServer) getFrontendSettings(c *contextmodel.ReqContext) (*dtos.Fro
 GitLabSkipOrgRoleSync: hs.Cfg.GitLabSkipOrgRoleSync,
 OktaSkipOrgRoleSync: hs.Cfg.OktaSkipOrgRoleSync,
 DisableSyncLock: hs.Cfg.DisableSyncLock,
+ AuthProxyEnableLoginToken: hs.Cfg.AuthProxyEnableLoginToken,
 },
 BuildInfo: dtos.FrontendSettingsBuildInfoDTO{
diff --git a/pkg/api/index.go b/pkg/api/index.go
index e12ae6bd2a1..b87ba900854 100644
--- a/pkg/api/index.go
+++ b/pkg/api/index.go
@@ -105,6 +105,7 @@ func (hs *HTTPServer) setIndexViewData(c *contextmodel.ReqContext) (*dtos.IndexV
 HelpFlags1: c.HelpFlags1,
 HasEditPermissionInFolders: hasEditPerm,
 Analytics: hs.buildUserAnalyticsSettings(c.Req.Context(), c.SignedInUser),
+ AuthenticatedBy: c.SignedInUser.AuthenticatedBy,
 },
 Settings: settings,
 ThemeType: theme.Type,
diff --git a/public/app/core/services/context_srv.ts b/public/app/core/services/context_srv.ts
index cddbc01ca76..502d6fa72e8 100644
--- a/public/app/core/services/context_srv.ts
+++ b/public/app/core/services/context_srv.ts
@@ -34,6 +34,7 @@ export class User implements Omit {
 permissions?: UserPermission;
 analytics: AnalyticsSettings;
 fiscalYearStartMonth: number;
+ authenticatedBy: string;
 constructor() {
 this.id = 0;
@@ -59,6 +60,7 @@ export class User implements Omit {
 this.analytics = {
 identifier: '',
 };
+ this.authenticatedBy = '';
 if (config.bootData.user) {
 extend(this, config.bootData.user);
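Review bot: The new `AuthenticatedBy` field on `CurrentUser` carries no doc comment, while its value is compared against the literal `'authproxy'` in context_srv.ts in this same change, so the set of strings it can hold is documented nowhere on the Go side; add `// AuthenticatedBy is the name of the auth provider that established the session, e.g. "authproxy".` above the field, adjusting the example if the identity layer uses another spelling. The `CurrentUser` struct starts outside the hunk. The same applies to `AuthProxyEnableLoginToken` in the frontend_settings.go hunk, which presumably mirrors the `[auth.proxy] enable_login_token` setting named in the nginx hints and would benefit from a one-line comment saying so.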
@@ -262,6 +264,11 @@ export class ContextSrv {
 return false;
 }
+ // skip if the user has been authenticated by authproxy and does not have a login token
+ if (this.user.authenticatedBy === 'authproxy' && !config.auth.AuthProxyEnableLoginToken) {
+ return false;
+ }
+
 return true;
 }
diff --git a/public/app/types/config.ts b/public/app/types/config.ts
index 118fbea278a..ec9c25717b1 100644
--- a/public/app/types/config.ts
+++ b/public/app/types/config.ts
@@ -6,4 +6,5 @@ import { CurrentUserDTO } from '@grafana/data';
 export interface CurrentUserInternal extends CurrentUserDTO {
 helpFlags1: number;
 hasEditPermissionInFolders: boolean;
+ authenticatedBy: string;
 }
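Review bot: The new branch hard-codes `'authproxy'`, a value produced by the Go identity layer and surfaced through the `AuthenticatedBy` field added in this diff, so a change of spelling on either side would silently turn the branch off; lift it into a named constant such as `const AUTH_PROXY_PROVIDER = 'authproxy';` at module scope and compare against that. The comment `// skip if the user has been authenticated by authproxy and does not have a login token` names the condition but not what is skipped; stating the action the method gates would let the check be read without scrolling up. The enclosing method starts outside the hunk.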