Skip to content

Commit c036571

Browse files
steveiliop56steveiliop56
committed
feat: add new config options
1 parent 5b73a51 commit c036571

2 files changed

Lines changed: 40 additions & 17 deletions

File tree

docs/reference/configuration.md

Lines changed: 17 additions & 15 deletions
Original file line numberDiff line numberDiff line change
@@ -8,21 +8,23 @@ Every configuration option that has a `FILE` equivalent (e.g. `USERS` and `USERS
88

99
## General
1010

11-
| Name | Description | Default | Required |
12-
| --------------------------------------- | -------------------------------------------------------------- | ---------- | -------- |
13-
| `PORT`/`--port` | The port the UI and API listens on. | 3000 | no |
14-
| `ADDRESS`/`--address` | The address the UI and API listens on. | `0.0.0.0` | no |
15-
| `APP_URL`/`--app-url` | The URL tinyauth uses for the redirects and the cookie domain. | - | yes |
16-
| `SECRET`/`--secret` | The secret tinyauth uses to encrypt the cookies. | - | yes |
17-
| `USERS`/`--users` | A comma separated list of tinyauth users. | - | yes |
18-
| `USERS_FILE`/`--users-file` | A file containing a list of tinyauth users. | - | no |
19-
| `SECRET_FILE`/`--secret-file` | A file containing the cookie secret. | - | no |
20-
| `COOKIE_SECURE`/`--cookie-secure` | Send cookie only with HTTPS. | `false` | no |
21-
| `DISABLE_CONTINUE`/`--disable-continue` | Disable the continue screen. | `false` | no |
22-
| `OAUTH_WHITELIST`/`--oauth-whitelist` | A list of usernames that are allowed to login with OAuth. | - | no |
23-
| `SESSION_EXPIRY`/`--session-expiry` | Set cookie and session expiry in seconds. | 86400 | no |
24-
| `LOG_LEVEL`/`--log-level` | Set the log level for the app (-1 through 6). | 1 | no |
25-
| `APP_TITLE`/`--app-title` | Set the login screen title. | `Tinyauth` | no |
11+
| Name | Description | Default | Required |
12+
| ----------------------------------------- | -------------------------------------------------------------- | ---------- | -------- |
13+
| `PORT`/`--port` | The port the UI and API listens on. | 3000 | no |
14+
| `ADDRESS`/`--address` | The address the UI and API listens on. | `0.0.0.0` | no |
15+
| `APP_URL`/`--app-url` | The URL tinyauth uses for the redirects and the cookie domain. | - | yes |
16+
| `SECRET`/`--secret` | The secret tinyauth uses to encrypt the cookies. | - | yes |
17+
| `USERS`/`--users` | A comma separated list of tinyauth users. | - | yes |
18+
| `USERS_FILE`/`--users-file` | A file containing a list of tinyauth users. | - | no |
19+
| `SECRET_FILE`/`--secret-file` | A file containing the cookie secret. | - | no |
20+
| `COOKIE_SECURE`/`--cookie-secure` | Send cookie only with HTTPS. | `false` | no |
21+
| `DISABLE_CONTINUE`/`--disable-continue` | Disable the continue screen. | `false` | no |
22+
| `OAUTH_WHITELIST`/`--oauth-whitelist` | A list of usernames that are allowed to login with OAuth. | - | no |
23+
| `SESSION_EXPIRY`/`--session-expiry` | Set cookie and session expiry in seconds. | 86400 | no |
24+
| `LOG_LEVEL`/`--log-level` | Set the log level for the app (-1 through 6). | 1 | no |
25+
| `APP_TITLE`/`--app-title` | Set the login screen title. | `Tinyauth` | no |
26+
| `LOGIN_MAX_RETRIES`/`--login-max-retries` | The max retries to login after which the account gets locked. | 5 | no |
27+
| `LOGIN_TIMEOUT`/`--login-timeout` | The timeout in seconds for the locked accounts. | 300 | no |
2628

2729
## Github OAuth
2830

docs/reference/headers.md

Lines changed: 23 additions & 2 deletions
Original file line numberDiff line numberDiff line change
@@ -8,6 +8,20 @@ Tinyauth adds the following headers in the authentication response to make authe
88

99
The `Remote-User` is a header set by tinyauth in the response containing the email address/username of the currently logged in user, this can be helpful in some apps that allow authentication from the reverse proxy.
1010

11+
### Custom headers
12+
13+
You can set the `tinyauth.headers` label on any container that uses the tinyauth middleware and it will automatically add them to its response. For example, you can have the following line in your app's labels:
14+
15+
```yaml
16+
tinyauth.headers: My-Header=cool
17+
```
18+
19+
And when you authenticate to your app through tinyauth, your app will receive the `My-Header` header.
20+
21+
::: warning
22+
Make sure to create a list of trusted proxy URLs that your app accepts headers from. If your app trusts all proxies then anyone can just send the header to your app and possibly bypass any authentication you have set.
23+
:::
24+
1125
## Adding headers to proxy
1226

1327
You firstly need to tell your proxy to forward the header. This varies from proxy to proxy.
@@ -17,15 +31,15 @@ You firstly need to tell your proxy to forward the header. This varies from prox
1731
Just add the following in the tinyauth lables:
1832

1933
```yaml
20-
traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: Remote-User
34+
traefik.http.middlewares.tinyauth.forwardauth.authResponseHeaders: Remote-User # This can be a comma separated list of more headers you will like to copy like the custom ones you set
2135
```
2236

2337
### Caddy
2438

2539
Just add the following label in the caddy labels:
2640

2741
```yaml
28-
caddy.forward_auth.copy_headers: Remote-User
42+
caddy.forward_auth.copy_headers: Remote-User # This can be a comma separated list of more headers you will like to copy like the custom ones you set
2943
```
3044

3145
### Nginx/Nginx Proxy Manager
@@ -36,3 +50,10 @@ Add the following lines after the `error_page 401 = @tinyauth_login;`:
3650
auth_request_set $remote_user $upstream_http_remote_user;
3751
proxy_set_header Remote-User $remote_user;
3852
```
53+
54+
You can repeat this step multiple times to add more headers, for example:
55+
56+
```shell
57+
auth_request_set $my_header $upstream_my_header;
58+
proxy_set_header My-Header $my_header;
59+
```

0 commit comments

Comments
 (0)