Forgejo supports Reverse Proxy Header authentication, it will read headers as a trusted login user name or user email address. This hasn’t been enabled by default, you can enable it with
[service] ENABLE_REVERSE_PROXY_AUTHENTICATION = true
The default login user name is in the
X-WEBAUTH-USER header, you can change it via changing
REVERSE_PROXY_AUTHENTICATION_USER in app.ini. If the user doesn’t exist, you can enable automatic registration with
The default login user email is
X-WEBAUTH-EMAIL, you can change it via changing
REVERSE_PROXY_AUTHENTICATION_EMAIL in app.ini, this could also be disabled with
ENABLE_REVERSE_PROXY_FULL_NAME=true, a user full name expected in
X-WEBAUTH-FULLNAME will be assigned to the user when auto creating the user. You can also change the header name with
You can also limit the reverse proxy’s IP address range with
REVERSE_PROXY_TRUSTED_PROXIES which default value is
REVERSE_PROXY_LIMIT, you can limit trusted proxies level.
Notice: Reverse Proxy Auth doesn’t support the API. You still need an access token or basic auth to make API requests.