idp: docs

2025-10-03 09:49:29 +02:00 · 2024-03-13 22:50:50 +00:00 · 2024-03-13 22:50:50 +00:00 · 78919e65d6
commit 78919e65d6
parent 84b52ea8c5
4 changed files with 20 additions and 3 deletions
--- a/docs/examples/docker/idp-authelia-traefik/cpp/copyparty.conf
+++ b/docs/examples/docker/idp-authelia-traefik/cpp/copyparty.conf
@ -25,7 +25,7 @@
  # (meaning copyparty is only accessible through traefik, and
  #  traefik makes sure that all requests go through authelia),
  # then disable the reverse-proxy source-ip safety check like this:
-  #xff-src: any
+  xff-src: any

  # enable IdP support by expecting username/groupname in
  # http-headers provided by the reverse-proxy; header "X-IdP-User"
--- a/docs/examples/docker/idp/copyparty.conf
+++ b/docs/examples/docker/idp/copyparty.conf
@ -26,6 +26,21 @@
  idp-h-usr: x-idp-user
  idp-h-grp: x-idp-group

+  # but copyparty will refuse to accept those headers unless you
+  # tell it the LAN IP of the reverse-proxy to expect them from,
+  # preventing malicious users from pretending to be the proxy;
+  # pay attention to the warning message in the logs and then
+  # adjust the following config option accordingly:
+  xff-src: 192.168.
+
+  # an additional, optional security measure is to expect a
+  # secret header name from the reverse-proxy; you can enable
+  # this feature by setting the header-name to expect here:
+  #idp-h-key: shangala-bangala
+
+  # convenient debug option:
+  # log all incoming request headers from the proxy
+  #ihead: *

 [/]      # create a volume at "/" (the webroot), which will
  /w     # share /w (the docker data volume)