Support for Auth proxy - Githubissues

AdguardTeam / AdGuardHome

Network-wide ads & trackers blocking DNS server

https://adguard.com/adguard-home.html

GNU General Public License v3.0

24.98k stars 1.8k forks source link

Support for Auth proxy #1737

Open yegle opened 4 years ago

yegle commented 4 years ago

Prerequisites

[x] I am running the latest version
[x] I checked the documentation and found no answer
[x] I checked to make sure that this issue has not already been filed

Problem Description

I'm running pomerium.io as the reverse proxy to Adguard Home's web UI. It would be great if Adguard Home web UI can support identity-aware proxy like Pomerium.

Proposed Solution

When the incoming HTTP request contains an X-Foo-Bar: username header, Adguard Home web UI should treat it as an authenticated HTTP request as if username is logged in.

The header X-Foo-Bar should be configurable.

(See the doc on Grafana's auth proxy support: https://grafana.com/docs/grafana/latest/auth/auth-proxy/)

Alternatives Considered

An option to disable authentication completely, and relying on the reverse proxy to authenticate the access to the web UI.

Additional Information

ameshkov commented 4 years ago

Thanks for the feature request, it makes sense indeed!

An option to disable authentication completely, and relying on the reverse proxy to authenticate the access to the web UI.

This is possible, removing all users from AdGuardHome.yaml disables authentication. So you can simply replace users with users: []

yegle commented 4 years ago

Thanks for the workaround! Disabling authentication makes sense if you already have a reverse proxy restricting access.

Now think about it I think supporting auth proxy may not make a lot of sense. From what I can see, logged in user doesn't have a way to configure per-user settings. Supporting auth proxy only makes sense if most people would have more than 1 users, otherwise one may just disable authentication and use auth proxy and not passing the username to AdGuard Home's web UI.

Generator commented 2 years ago

@ameshkov won't disabling authentication also leave the API without authentication? would be better disable login page but leave auth on for API?

ihipop commented 1 year ago

@Generator

@ameshkov won't disabling authentication also leave the API without authentication? would be better disable login page but leave auth on for API?

https://github.com/AdguardTeam/AdGuardHome/blob/db52f7a3aca54dcea286a0b151fcca38b0fb8e8b/internal/home/auth.go#L547-L555

BasicAuth is supported , you can set up basic auth via your reserve proxy when connecting to the backend and also keep ADG's authentication at the sametime

LeVraiRoiDHyrule commented 9 months ago

Hi, I am looking if there is a way to disable authentication only on the web UI as I have proxy auth with Authentik. Is that doable without removing auth in the API ?

ihipop commented 9 months ago

I've told you, use basic auth in your reserve proxy when proxy to Adguard home, it's just as simple as set a header in your reserve proxy engine

On Fri, Dec 29, 2023, 5:31 AM LeVraiRoiDHyrule @.***> wrote:

Hi, I am looking if there is a way to disable authentication only on the web UI as I have proxy auth with Authentik. Is that doable without removing auth in the API ?

LeVraiRoiDHyrule commented 9 months ago

It works perfectly with basic auth ! Thanks !