tinyauthapp
diff --git a/‎public/screenshots/npm/whoami-advanced.png‎
-248 KB b/‎public/screenshots/npm/whoami-advanced.png‎
-248 KB
diff --git a/‎src/content/docs/docs/guides/nginx-proxy-manager.mdx‎
Lines changed: 8 additions & 27 deletions b/‎src/content/docs/docs/guides/nginx-proxy-manager.mdx‎
Lines changed: 8 additions & 27 deletions
@@ -26,6 +26,7 @@ services:
       - npm-data:/data
       - npm-letsencrypt:/etc/letsencrypt
 
+  # Whoami is not required, but serves as a simple example app to demonstrate Tinyauth integration. You can replace it with any app of your choice.
   whoami:
     image: traefik/whoami:latest
     restart: unless-stopped
@@ -79,36 +80,31 @@ Add the following configuration in the Advanced tab to enable Tinyauth authentic
 # Root location
 location / {
   # Pass the request to the app
-  proxy_pass          $forward_scheme://$server:$port;
+  proxy_pass          http://whoami:80; # Replace with your app URL, e.g. http://10.10.10.25:80
 
   # Add other app-specific config here
 
   # Tinyauth auth request
   auth_request /tinyauth;
-  error_page 401 = @tinyauth_login;
+  auth_request_set $redirection_url $upstream_http_x_tinyauth_location;
+  error_page 401 =302 $redirection_url;
 }
 
 # Tinyauth auth request
 location /tinyauth {
-  # Pass request to Tinyauth
+  # Mark the location as internal to prevent direct access
+  internal;
+
+  # Pass request to Tinyauth, do not use the Tinyauth domain here, use the internal Docker network name and port or the IP and port of the Tinyauth instance
   proxy_pass http://tinyauth:3000/api/auth/nginx;
 
   # Pass the request headers
   proxy_set_header x-forwarded-proto $scheme;
   proxy_set_header x-forwarded-host $http_host;
   proxy_set_header x-forwarded-uri $request_uri;
 }
-
-# Tinyauth login redirect
-location @tinyauth_login {
-  return 302 http://tinyauth.example.com/login?redirect_uri=$scheme://$http_host$request_uri; # Replace with your app URL
-}
 ```
 
-It should look like this:
-
-![Whoami Host Advanced](/screenshots/npm/whoami-advanced.png)
-
 :::note
   The `/tinyauth` path can be renamed for convenience.
 :::
@@ -118,19 +114,4 @@ It should look like this:
   technologies like WebSockets.
 :::
 
-:::note
-  Due to the way Nginx handles forward auth, Tinyauth cannot automatically redirect to the unauthorized page. Thus, users may be redirected to a blank 403 Forbidden page in case of a failed authentication. This can be somehow mitigated by configuring a custom error page for the 403 status code:
-
-  ```sh
-  location / {
-    # Rest of your configuration
-    error_page 403 = @tinyauth_unauthorized;
-  }
-
-  location @tinyauth_unauthorized {
-    return 302 http://tinyauth.example.com/unauthorized?username=unavailable; # Replace with your app URL
-  }
-  ```
-:::
-
 Save the host configuration. Accessing the protected host will redirect to the Tinyauth login page if not already logged in. Repeat this process for each host to be protected by Tinyauth.