Currently when proxying to an AWS S3 backed remote such as Git package registries, the request to the remote will fail due to S3 returning the following HTTP 400 response:
When a successfully authenticated request is sent to the Git package registry a redirect to an S3 location occurs. This location URL includes an X-Amz-Algorithm query param, however Nexus also includes the Authorization header in the redirected request to S3 as well. As S3 expects only one auth method (X-Amz-Algorithm param or Auth header), it fails the request with the above message.
As an example of this issue, please refer to https://issues.sonatype.org/browse/NEXUS-23750
For these types of remotes, an option should exist across formats that allows an admin to select if headers such as Authorization should/should not be included in redirected requests e.g. Through an allow/deny list.
NEXUS-23750 implements a solution for npm proxies where the auth header is removed, however the potential could exist for a redirected location to require an auth header, as such the option should be made configurable.