Add missed reverse proxy authentication documentation (#22250)
Co-authored-by: KN4CK3R <admin@oldschoolhack.me> Co-authored-by: Jason Song <i@wolfogre.com>
This commit is contained in:
parent
891391689a
commit
1410e13dc5
|
@ -329,3 +329,22 @@ Before activating SSPI single sign-on authentication (SSO) you have to prepare y
|
||||||
- You have added the URL of the web app to the `Local intranet zone`
|
- You have added the URL of the web app to the `Local intranet zone`
|
||||||
- The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
|
- The clocks of the server and client should not differ with more than 5 minutes (depends on group policy)
|
||||||
- `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
|
- `Integrated Windows Authentication` should be enabled in Internet Explorer (under `Advanced settings`)
|
||||||
|
|
||||||
|
## Reverse Proxy
|
||||||
|
|
||||||
|
Gitea supports Reverse Proxy Header authentication, it will read headers as a trusted login user name or user email address. This hasn't been enabled by default, you can enable it with
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[service]
|
||||||
|
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
|
||||||
|
```
|
||||||
|
|
||||||
|
The default login user name is in the `X-WEBAUTH-USER` header, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_USER` in app.ini. If the user doesn't exist, you can enable automatic registration with `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true`.
|
||||||
|
|
||||||
|
The default login user email is `X-WEBAUTH-EMAIL`, you can change it via changing `REVERSE_PROXY_AUTHENTICATION_EMAIL` in app.ini, this could also be disabled with `ENABLE_REVERSE_PROXY_EMAIL`
|
||||||
|
|
||||||
|
If set `ENABLE_REVERSE_PROXY_FULL_NAME=true`, a user full name expected in `X-WEBAUTH-FULLNAME` will be assigned to the user when auto creating the user. You can also change the header name with `REVERSE_PROXY_AUTHENTICATION_FULL_NAME`.
|
||||||
|
|
||||||
|
You can also limit the reverse proxy's IP address range with `REVERSE_PROXY_TRUSTED_PROXIES` which default value is `127.0.0.0/8,::1/128`. By `REVERSE_PROXY_LIMIT`, you can limit trusted proxies level.
|
||||||
|
|
||||||
|
Notice: Reverse Proxy Auth doesn't support the API. You still need an access token or basic auth to make API requests.
|
||||||
|
|
|
@ -15,4 +15,21 @@ menu:
|
||||||
|
|
||||||
# 认证
|
# 认证
|
||||||
|
|
||||||
## TBD
|
## 反向代理认证
|
||||||
|
|
||||||
|
Gitea 支持通过读取反向代理传递的 HTTP 头中的登录名或者 email 地址来支持反向代理来认证。默认是不启用的,你可以用以下配置启用。
|
||||||
|
|
||||||
|
```ini
|
||||||
|
[service]
|
||||||
|
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
|
||||||
|
```
|
||||||
|
|
||||||
|
默认的登录用户名的 HTTP 头是 `X-WEBAUTH-USER`,你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_USER` 来变更它。如果用户不存在,可以自动创建用户,当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。
|
||||||
|
|
||||||
|
默认的登录用户 Email 的 HTTP 头是 `X-WEBAUTH-EMAIL`,你可以通过修改 `REVERSE_PROXY_AUTHENTICATION_EMAIL` 来变更它。如果用户不存在,可以自动创建用户,当然你需要修改 `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION=true` 来启用它。你也可以通过修改 `ENABLE_REVERSE_PROXY_EMAIL` 来启用或停用这个 HTTP 头。
|
||||||
|
|
||||||
|
如果设置了 `ENABLE_REVERSE_PROXY_FULL_NAME=true`,则用户的全名会从 `X-WEBAUTH-FULLNAME` 读取,这样在自动创建用户时将使用这个字段作为用户全名,你也可以通过修改 `REVERSE_PROXY_AUTHENTICATION_FULL_NAME` 来变更 HTTP 头。
|
||||||
|
|
||||||
|
你也可以通过修改 `REVERSE_PROXY_TRUSTED_PROXIES` 来设置反向代理的IP地址范围,加强安全性,默认值是 `127.0.0.0/8,::1/128`。 通过 `REVERSE_PROXY_LIMIT`, 可以设置最多信任几级反向代理。
|
||||||
|
|
||||||
|
注意:反向代理认证不支持认证 API,API 仍旧需要用 access token 来进行认证。
|
||||||
|
|
Loading…
Reference in a new issue