booklore-app/booklore
1
0
Fork 0
mirror of https://github.com/booklore-app/booklore.git synced 2026-02-18 00:17:53 +01:00
Code Issues Packages Projects Releases Wiki Activity
Files
43b4e6cb7a00e0f9e22468b44ad6fc48612e4da5
booklore/docs/forward-auth-with-proxy.md
Louis-André Labadie 7d006355c7 Feat: ForwardAuth user creation follows OIDC library attribution preferences (#805) 
* ForwardAuth user provisioning: Assign default permissions when available

* Add forward auth mention in README + details in a separate doc

Add Forward Auth docs

* Fix: PermissionDeleteBooks → PermissionDeleteBook

---------

Co-authored-by: Aditya Chandel <8075870+adityachandelgit@users.noreply.github.com>
2025-08-06 11:30:46 -06:00

69 lines
2.3 KiB
Markdown
Raw Blame History

# Forward Auth with Reverse Proxy
BookLore supports **Forward Auth**, allowing you to specify when a user is logged in using a reverse proxy and existing SSO provider.
## ⚠️ Security
** Important**: Enabling forward auth means BookLore will **fully trust headers sent by the reverse proxy**. Never expose BookLore directly to the internet when using forward auth - always route through your authenticated proxy, otherwise outsiders can attempt to impersonate any username they know about.
## Configuration
Provide BookLore with the following environment variables:
```bash
# Allows Forward Auth
REMOTE_AUTH_ENABLED=true
# Enable automatic user creation (recommended)
REMOTE_AUTH_CREATE_NEW_USERS=true
# Header names (your proxy will specify what header names to use)
REMOTE_AUTH_HEADER_USER=Remote-User # Username (required)
REMOTE_AUTH_HEADER_NAME=Remote-Name # Display name
REMOTE_AUTH_HEADER_EMAIL=Remote-Email # Email address
REMOTE_AUTH_HEADER_GROUPS=Remote-Groups # Groups/roles
# Admin group name (optional)
REMOTE_AUTH_ADMIN_GROUP=admin # Specify this if you want a group to automatically get admin rights
```
### Docker Compose Example
```yaml
services:
booklore:
image: ghcr.io/adityachandelgit/booklore-app:latest
environment:
# Forward Auth Configuration
- REMOTE_AUTH_ENABLED=true
- REMOTE_AUTH_CREATE_NEW_USERS=true
- REMOTE_AUTH_HEADER_NAME=Remote-Name
- REMOTE_AUTH_HEADER_USER=Remote-User
- REMOTE_AUTH_HEADER_EMAIL=Remote-Email
- REMOTE_AUTH_HEADER_GROUPS=Remote-Groups
- REMOTE_AUTH_ADMIN_GROUP=admin
# ... rest of configuration ...
```
## Setting Up Defaults Permissions
1. **Access Admin Settings**: Log in to Booklore as an admin user
2. **Navigate to Authentication Settings**: Go to Settings → Authentication
3. **Configure OIDC Auto-Provision** (even if not using OIDC):
- Enable "Auto User Provisioning". You might need to enter a bogus URL to enable it temporarily.
- Select the default permissions and libraries for new users.
4. **Save Settings**
## Example: Caddyfile for Authelia Forward Auth
```caddyfile
books.example.com {
forward_auth authelia:9091 {
uri /api/authz/forward-auth
copy_headers Remote-User Remote-Name Remote-Email Remote-Groups
}
reverse_proxy booklore:6060
}
```
Reference in New Issue View Git Blame Copy Permalink