# Deployment Instructions ## Prerequisites - Docker (v19+) - Docker Compose (v2+) - NGINX (with auth_request module) ## Build ```bash docker build -t db123/auth-proxy:latest . ``` or ```bash docker pull git.yejayekhoob.com/db123/auth-proxy:latest ``` ## Run ```bash docker-compose up -d ``` ## NGINX integration ### 1. Create the auth-proxy include file ```nginx # /etc/nginx/snippets/auth-proxy.conf # # This is the shared auth_request configuration. Include it in any # server block that needs authentication. # # Important: we use X-Real-IP (set by NGINX) rather than # X-Forwarded-For. X-Forwarded-For is client-controlled and can be # spoofed. If you need a CDN, configure the realip module instead # of trusting the header. location = /_auth_proxy { internal; proxy_pass http://auth-proxy:8080/auth; proxy_pass_request_body off; proxy_set_header Content-Length ""; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Original-Host $host; proxy_set_header X-Original-URI $request_uri; proxy_set_header Authorization $http_authorization; } ``` ### 2. Apply the include to sensitive server blocks ```nginx server { listen 443 ssl; server_name phpmyadmin.yejayekhoob.com; include /etc/nginx/snippets/auth-proxy.conf; location / { proxy_pass http://phpmyadmin:80/; # ... other proxy settings ... } } ``` ### 3. Test and reload ```bash nginx -t nginx -s reload ``` ## Environment variables | Variable | Description | Default | |----------|-------------|---------| | AUTH_proxy_PORT | HTTP listen port | 8080 | | AUTH_proxy_API_TOKEN | API bearer token | (none) | | AUTH_proxy_DB_PATH | SQLite database path | ./data/auth-proxy.db | | DATA_DIR | Data directory | /data | | CLEANUP_INTERVAL | Cleanup interval | 60s | ## Graceful shutdown ```bash docker-compose down ``` The service waits up to 30 seconds for in-flight requests to complete. ## Hardened deployment For production, use the Dockerfile from this repository. It: - Builds the binary in a separate stage (smaller image). - Runs the service as a non-root user. - Drops all Linux capabilities. - Sets the no-new-privileges flag. - Mounts /tmp as tmpfs (no persistence).