Files
auth-proxy/docs/deploy.md
db123-test b008f468f7 fix(deploy): add auth proxy configuration for phpMyAdmin
Include auth_request and upstream_status directives in
nginx location block to enable authentication proxy
for phpMyAdmin access.
2026-05-04 11:46:44 +03:30

2.3 KiB

Deployment Instructions

Prerequisites

  • Docker (v19+)
  • Docker Compose (v2+)
  • NGINX (with auth_request module)

Build

docker build -t db123/auth-proxy:latest .

or

docker pull git.yejayekhoob.com/db123/auth-proxy:latest

Run

docker-compose up -d

NGINX integration

1. Create the auth-proxy include file

# /etc/nginx/snippets/auth-proxy.conf
#
# This is the shared auth_request configuration. Include it in any
# server block that needs authentication.
#
# Important: we use X-Real-IP (set by NGINX) rather than
# X-Forwarded-For. X-Forwarded-For is client-controlled and can be
# spoofed. If you need a CDN, configure the realip module instead
# of trusting the header.

location = /_auth_proxy {
    internal;

    proxy_pass http://auth-proxy:8080/auth;

    proxy_pass_request_body off;
    proxy_set_header Content-Length "";
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Original-Host $host;
    proxy_set_header X-Original-URI $request_uri;
    proxy_set_header Authorization $http_authorization;
}

2. Apply the include to sensitive server blocks

server {
    listen 443 ssl;
    server_name phpmyadmin.yejayekhoob.com;

    include /etc/nginx/snippets/auth-proxy.conf;

    location / {
        auth_request /_auth_proxy;
        auth_request_set $auth_status $upstream_status;

        proxy_pass http://phpmyadmin:80/;
        # ... other proxy settings ...
    }
}

3. Test and reload

nginx -t
nginx -s reload

Environment variables

Variable Description Default
AUTH_proxy_PORT HTTP listen port 8080
AUTH_proxy_API_TOKEN API bearer token (none)
AUTH_proxy_DB_PATH SQLite database path ./data/auth-proxy.db
DATA_DIR Data directory /data
CLEANUP_INTERVAL Cleanup interval 60s

Graceful shutdown

docker-compose down

The service waits up to 30 seconds for in-flight requests to complete.

Hardened deployment

For production, use the Dockerfile from this repository. It:

  • Builds the binary in a separate stage (smaller image).
  • Runs the service as a non-root user.
  • Drops all Linux capabilities.
  • Sets the no-new-privileges flag.
  • Mounts /tmp as tmpfs (no persistence).