author | Lunny Xiao <xiaolunwen@gmail.com> | 2023-02-03 18:37:25 +0800 |
---|---|---|
committer | GitHub <noreply@github.com> | 2023-02-03 18:37:25 +0800 |
commit | 1410e13dc51030340e280b4637aeafa52defb359 (patch) | |
tree | 825196059ae3c69e43ccae13d92f3e6453b002b0 /docs/content/doc/features/authentication.en-us.md | |
parent | 891391689a26e0bc3dcb1558512d3c2b6857232d (diff) | |
download | gitea-1410e13dc51030340e280b4637aeafa52defb359.tar.gz gitea-1410e13dc51030340e280b4637aeafa52defb359.zip |
Add missed reverse proxy authentication documentation (#22250)
Co-authored-by: KN4CK3R <admin@oldschoolhack.me>
Co-authored-by: Jason Song <i@wolfogre.com>
Diffstat (limited to 'docs/content/doc/features/authentication.en-us.md')
-rw-r--r-- | docs/content/doc/features/authentication.en-us.md | 19 |
1 files changed, 19 insertions, 0 deletions
diff --git a/docs/content/doc/features/authentication.en-us.md b/docs/content/doc/features/authentication.en-us.md index f25065d9c4..c27a09b00b 100644 --- a/docs/content/doc/features/authentication.en-us.md +++ b/docs/content/doc/features/authentication.en-us.md @@ -329,3 +329,22 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y - You have added the URL of the web app to the `Local intranet zone` - The clocks of the server and client should not differ with more than 5 minutes (depends on group policy) - `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`) + +## Reverse Proxy + +Gitea supports Reverse Proxy Header authentication, it will read headers as a trusted login user name or user email address. This hasn't been enabled by default, you can enable it with + +```ini +[service] +ENABLE_REVERSE_PROXY_AUTHENTICATION = true +``` + +The default login user name is in the `X-WEBAUTH-USER` header, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_USER` in app.ini. If the user doesn't exist, you can enable automatic registration with `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true`. + +The default login user email is `X-WEBAUTH-EMAIL`, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_EMAIL` in app.ini, this could also be disabled with `ENABLE_REVERSE_PROXY_EMAIL` + +If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WEBAUTH-FULLNAME` will be assigned to the user when auto creating the user. You can also change the header name with `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`. + +You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level. + +Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests. |
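Review bot: The new "Reverse Proxy" section says Gitea "will read headers as a trusted login user name or user email address" but never states the precondition that makes this safe: the proxy has to overwrite or strip any client-supplied `X-WEBAUTH-USER`, `X-WEBAUTH-EMAIL` and `X-WEBAUTH-FULLNAME`, and Gitea should not be reachable except through that proxy. I would add that as a warning directly after the `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` block, and reword "You can also limit the reverse proxy's IP address range" so that `REVERSE_PROXY_TRUSTED_PROXIES` reads as the setting that decides whose headers are honoured rather than an optional extra, which matters most when `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` is set. Two smaller points in the same hunk: the `ENABLE_REVERSE_PROXY_EMAIL` sentence does not say which value or default applies and is missing its full stop, and "limit trusted proxies level" for `REVERSE_PROXY_LIMIT` needs a sentence on what the number counts.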