From b4f1425032ba6f2a34fd64c27f6e1f4b55cf4f8d Mon Sep 17 00:00:00 2001 From: Igor Rzegocki Date: Sat, 7 Oct 2023 04:57:21 +0200 Subject: [PATCH] documentation for support for auth forwarding proxy (#20) --- mkdocs/docs/configuration/forward-auth.md | 16 ++++++++++++++++ mkdocs/mkdocs.yml | 1 + 2 files changed, 17 insertions(+) create mode 100644 mkdocs/docs/configuration/forward-auth.md diff --git a/mkdocs/docs/configuration/forward-auth.md b/mkdocs/docs/configuration/forward-auth.md new file mode 100644 index 0000000..f9ca9b9 --- /dev/null +++ b/mkdocs/docs/configuration/forward-auth.md 
@@ -0,0 +1,16 @@ +You can enable support for authentication proxies such as Authelia. + +This effectively disables credentials-based authentication and instead authenticates users if a specific request header contains a known username. +You must make sure that your proxy (nginx, Traefik, Caddy, ...) forwards this header from your auth proxy to tubearchivist. +Check the documentation of your auth proxy and your reverse proxy on how to correctly set this up. + +Note that this automatically creates new users in the database if they do not already exist. + +- `TA_ENABLE_AUTH_PROXY` (ex: `true`) - Set to anything besides empty string to use forward proxy authentication. +- `TA_AUTH_PROXY_USERNAME_HEADER` - The name of the request header that the auth proxy passes to the proxied application (tubearchivist in this case), so that the application can identify the user. + Check the documentation of your auth proxy to get this information. + Note that the request headers are rewritten in tubearchivist: all HTTP headers are prefixed with `HTTP_`, all letters are in uppercase, and dashes are replaced with underscores. + For example, for Authelia, which passes the `Remote-User` HTTP header, the `TA_AUTH_PROXY_USERNAME_HEADER` needs to be configured as `HTTP_REMOTE_USER`. +- `TA_AUTH_PROXY_LOGOUT_URL` - The URL that tubearchivist should redirect to after a logout. + By default, the logout redirects to the login URL, which means the user will be automatically authenticated again. + Instead, you might want to configure the logout URL of the auth proxy here. diff --git a/mkdocs/mkdocs.yml b/mkdocs/mkdocs.yml index 95b594e..b14c88c 100644 --- a/mkdocs/mkdocs.yml +++ b/mkdocs/mkdocs.yml @@ -27,6 +27,7 @@ nav: - 'Helm Charts': 'installation/helm-charts.md' - Configuration: - 'LDAP Authentication': 'configuration/ldap.md' + - 'Forward Authentication': 'configuration/forward-auth.md' - 'Cast Support': 'configuration/cast.md' - API: - 'Introduction': 'api/introduction.md'
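Review bot: In the new `forward-auth.md`, the paragraph saying users are authenticated "if a specific request header contains a known username" never states that the header is trusted as-is. The page should tell operators that the reverse proxy must strip or overwrite any client-supplied copy of that header, and that tubearchivist must not be reachable except through the proxy. This matters more because the next note says unknown usernames are created automatically: as documented, any request that arrives with the header set is accepted as that user. Separately, the `TA_ENABLE_AUTH_PROXY` bullet says any non-empty value enables the feature, so it should state explicitly that a value such as `false` also enables it and that the variable has to be unset or empty to turn it off.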