YunoHost-Apps/kanboard_ynh
1
0
Fork 0
mirror of https://github.com/YunoHost-Apps/kanboard_ynh.git synced 2024-09-03 19:36:17 +02:00
Code Issues Activity Actions
kanboard_ynh/sources/doc/reverse-proxy-authentication.markdown
mbugeia 9b8806775a Update sources to kanboard v1.0.22
2015-12-29 01:24:09 +01:00

64 lines
2.3 KiB
Markdown
Raw Blame History

Reverse Proxy Authentication
============================
This authentication method is often used for [SSO](http://en.wikipedia.org/wiki/Single_sign-on) (Single Sign-On) especially for large organizations.
The authentication is done by another system, Kanboard doesn't know your password and suppose you are already authenticated.
Requirements
------------
- A well-configured reverse proxy
or
- Apache Auth on the same server
How does this work?
-------------------
1. Your reverse proxy authenticates the user and send the username through a HTTP header.
2. Kanboard retrieve the username from the request
- The user is created automatically if necessary
- Open a new Kanboard session without any prompt assuming it's valid
Installation instructions
-------------------------
### Setting up your reverse proxy
This is not in the scope of this documentation.
You should check the user login is sent by the reverse proxy using a HTTP header, and find out which one.
### Setting up Kanboard
Create a custom `config.php` file or copy the `config.default.php` file:
```php
<?php
// Enable/disable reverse proxy authentication
define('REVERSE_PROXY_AUTH', true); // Set this value to true
// The HTTP header to retrieve. If not specified, REMOTE_USER is the default
define('REVERSE_PROXY_USER_HEADER', 'REMOTE_USER');
// The default Kanboard admin for your organization.
// Since everything should be filtered by the reverse proxy,
// you should want to have a bootstrap admin user.
define('REVERSE_PROXY_DEFAULT_ADMIN', 'myadmin');
// The default domain to assume for the email address.
// In case the username is not an email address, it
// will be updated automatically as USER@mydomain.com
define('REVERSE_PROXY_DEFAULT_DOMAIN', 'mydomain.com');
```
Notes:
- If the proxy is the same web server that runs Kanboard, according the [CGI protocol](http://www.ietf.org/rfc/rfc3875) the header name will be `REMOTE_USER`. By example, Apache add `REMOTE_USER` by default if `Require valid-user` is set.
- If Apache is a reverse proxy to another Apache running Kanboard, the header `REMOTE_USER` is not set (same behavior with IIS and Nginx).
- If you have a real reverse proxy, the [HTTP ICAP draft](http://tools.ietf.org/html/draft-stecher-icap-subid-00#section-3.4) proposes the header to be `X-Authenticated-User`. This de facto standard has been adopted by a number of tools.
Reference in a new issue View git blame Copy permalink