Reverse Proxy Authentication
Calibre-Web Automated supports reverse proxy authentication, enabling seamless integration with authentication gateways like Authelia, Authentik, Nginx Auth, Traefik ForwardAuth, and other reverse proxy authentication systems. This guide covers everything you need to know about configuring and using reverse proxy authentication in CWA.
CWA's reverse proxy authentication provides enterprise-grade SSO integration:
- β Auto-User Creation: Automatically creates user accounts from trusted proxy headers (configurable)
- β
Header-Based Authentication: Supports standard authentication headers like
Remote-User - β Default Permissions: New users inherit all default configuration settings
- β SSO Integration: Works with popular authentication gateways
- β Security Validation: Built-in configuration validation and security warnings
- β Audit Logging: Comprehensive logging for authentication events
- β Enterprise Ready: Designed for corporate SSO environments
CRITICAL: Reverse proxy authentication should ONLY be used when:
- CWA is not directly accessible from the internet or untrusted networks
- All traffic goes through the authentication proxy - no bypass routes exist
- The proxy validates users before setting authentication headers
- Network traffic between proxy and CWA is secure and trusted
- You understand the security implications of header-based authentication
Never enable this feature if CWA can be accessed directly, as it would allow anyone to impersonate users by setting HTTP headers.
First, set up your reverse proxy to handle authentication and set the user header. Common examples:
server {
server_name cwa.example.com;
location / {
# Authelia authentication
auth_request /authelia;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
# Forward authentication header to CWA
proxy_set_header Remote-User $user;
proxy_pass http://cwa-backend;
}
}# docker-compose.yml
services:
cwa:
labels:
- "traefik.http.routers.cwa.middlewares=authelia@docker"
- "traefik.http.middlewares.authelia.forwardauth.authRequestHeaders=Remote-User"cwa.example.com {
forward_auth authelia:9091 {
uri /api/verify?rd=https://auth.example.com/
copy_headers Remote-User Remote-Groups
}
reverse_proxy cwa:8083 {
header_up Remote-User {http.auth.user.id}
}
}- Log in as an Admin user
- Navigate to Admin Panel β Basic Configuration
- Scroll down to Reverse Proxy Authentication section
βοΈ Allow Reverse Proxy Authentication: Enabled
π Reverse Proxy Header Name: Remote-User
βοΈ Auto-create users from reverse proxy: Enabled (recommended)
- Save configuration and restart CWA
- Test authentication through your reverse proxy
- Verify user creation (if auto-create is enabled)
- Check logs for authentication events
| Setting | Description | Recommended Value |
|---|---|---|
| Allow Reverse Proxy Authentication | Enable header-based authentication | β Enabled |
| Reverse Proxy Header Name | HTTP header containing username |
Remote-User (standard) |
| Auto-create users from reverse proxy | Automatically create user accounts | β Enabled |
Different authentication systems use different header names:
| System | Common Header | Example Value |
|---|---|---|
| Authelia | Remote-User |
john.doe |
| Authentik | X-authentik-username |
john.doe |
| Nginx Auth | Remote-User |
[email protected] |
| Traefik ForwardAuth | Remote-User |
john.doe |
| Custom | X-Forwarded-User |
user123 |
Configure the header name to match your reverse proxy setup.
When Auto-create users from reverse proxy is enabled:
- Header Validation: CWA checks for the configured authentication header
- User Lookup: Searches for existing user with header username
- Auto-Creation: Creates new user if not found (when enabled)
- Session Setup: Logs in user automatically
- Audit Logging: Records authentication and creation events
New reverse proxy users automatically inherit all default configuration settings:
- π Default Role: Configured role permissions
- π Sidebar View: Default sidebar visibility settings
- π Locale: Default interface language
- π Default Language: Default book language filter
- π·οΈ Tag Restrictions: Default allowed/denied tags
- π Content Restrictions: Default column restrictions
- π¨ Theme: Default CWA theme setting
- π± Kobo Sync: Default Kobo integration settings
This ensures reverse proxy users get the same permissions and interface settings as manually created users.
If auto-creation is disabled:
- Existing users: Can log in normally via reverse proxy
- New users: Will see login failure - admin must create accounts manually
- Security: Provides more control over who gets accounts
- Enterprise: Suitable for pre-provisioned user environments
Authelia Configuration (configuration.yml):
authentication_backend:
ldap:
url: ldap://openldap
base_dn: dc=example,dc=com
access_control:
default_policy: deny
rules:
- domain: cwa.example.com
policy: one_factor
session:
domain: example.comNginx Configuration:
server {
listen 443 ssl;
server_name cwa.example.com;
location /authelia {
internal;
proxy_pass http://authelia:9091/api/verify;
proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
}
location / {
auth_request /authelia;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Groups $groups;
proxy_pass http://cwa:8083;
}
}CWA Configuration:
βοΈ Allow Reverse Proxy Authentication: Enabled
π Reverse Proxy Header Name: Remote-User
βοΈ Auto-create users from reverse proxy: Enabled
Authentik Outpost Configuration:
# Outpost configuration for CWA
authentik:
host: https://auth.example.com
providers:
- name: cwa-provider
type: proxy
external_host: https://cwa.example.com
internal_host: http://cwa:8083
# Forward authentication headers
forward_auth_headers:
- X-authentik-username
- X-authentik-groupsCWA Configuration:
βοΈ Allow Reverse Proxy Authentication: Enabled
π Reverse Proxy Header Name: X-authentik-username
βοΈ Auto-create users from reverse proxy: Enabled
Traefik Configuration (docker-compose.yml):
services:
cwa:
image: crocodilestick/calibre-web-automated
labels:
- "traefik.http.routers.cwa.rule=Host(`cwa.example.com`)"
- "traefik.http.routers.cwa.middlewares=auth-headers"
- "traefik.http.middlewares.auth-headers.forwardauth.address=http://auth-service:8080/verify"
- "traefik.http.middlewares.auth-headers.forwardauth.authRequestHeaders=Remote-User,Remote-Groups"CWA Configuration:
βοΈ Allow Reverse Proxy Authentication: Enabled
π Reverse Proxy Header Name: Remote-User
βοΈ Auto-create users from reverse proxy: Enabled
- Verify proxy setup: Ensure authentication works at proxy level
- Check headers: Confirm authentication headers are being sent to CWA
-
Test with curl:
# Test authentication header forwarding curl -H "Remote-User: testuser" http://cwa.example.com/
- Monitor logs: Check both proxy and CWA logs for authentication flow
To debug header issues:
- Enable CWA debug logging
- Check proxy logs for header forwarding
- Use browser developer tools to inspect request headers
- Test with known working user
Cause: Header not present or incorrect header name configured Solution:
- Verify Reverse Proxy Header Name matches your proxy configuration
- Check that proxy is forwarding the authentication header
- Test header forwarding with curl or browser developer tools
- Review proxy configuration for header forwarding rules
Cause: Auto-creation disabled or failed, or user doesn't exist Solution:
- Enable Auto-create users from reverse proxy if desired
- Manually create user accounts for reverse proxy users if auto-creation disabled
- Check CWA logs for user creation errors
- Verify default user settings are properly configured
Cause: CWA is accessible directly without going through proxy Solution:
- CRITICAL SECURITY ISSUE: Ensure CWA is only accessible through authenticated proxy
- Use firewall rules to block direct access to CWA
- Configure reverse proxy to be the only route to CWA
- Consider network segmentation to isolate CWA
Cause: Proxy not configured to forward authentication headers Solution:
- Configure proxy to forward user identification headers
- Check proxy documentation for header forwarding syntax
- Verify authentication middleware is properly configured
- Test header forwarding independently of CWA
Critical Security Requirements:
- Isolate CWA: Ensure CWA is only accessible through the authentication proxy
- No Direct Access: Block all direct network routes to CWA
- Trusted Network: Secure the network segment between proxy and CWA
- Firewall Rules: Use firewalls to enforce access restrictions
Network Architecture Example:
Internet β Reverse Proxy (Auth) β Internal Network β CWA
β β
(Public) (Private)
- Validate Headers: CWA performs input validation on authentication headers
- Strip Dangerous Characters: Usernames are sanitized for security
- Prevent Header Injection: Proxy should strip/override user-supplied auth headers
- Use Standard Headers: Stick to well-known header names when possible
- Enable Authentication Logging: Monitor all reverse proxy authentication events
- Regular Security Reviews: Periodically audit proxy and CWA configurations
- Access Monitoring: Monitor for unusual authentication patterns
- Incident Response: Have procedures for handling authentication security incidents
- Set up reverse proxy with authentication
- Test with pilot users to verify configuration
- Enable reverse proxy auth in CWA with auto-creation
- Migrate user authentication to proxy system
- Disable standard login once fully migrated (optional)
- Configure reverse proxy to work with existing OAuth provider
- Enable both authentication methods during transition
- Test user experience with both authentication paths
- Gradually transition users to reverse proxy path
- Consolidate to single authentication method when ready
Compatible Authentication Systems:
- Authelia: Full-featured authentication gateway
- Authentik: Modern identity provider with proxy support
- Nginx Auth Module: Simple authentication integration
- Traefik ForwardAuth: Middleware-based authentication
- Apache mod_auth: Apache-based authentication modules
- Custom Solutions: Any system that can forward authentication headers
Monitor these key metrics:
- Authentication Success Rate: Track successful vs failed authentications
- User Creation Rate: Monitor auto-created user accounts
- Header Validation Errors: Watch for malformed or missing headers
- Proxy Connectivity: Ensure consistent proxy-to-CWA communication
Key log entries to monitor:
Reverse proxy authentication successful for user: [username]Auto-created user from reverse proxy: [username]Reverse proxy authentication failed: missing headerUser creation from reverse proxy failed: [reason]
Regular maintenance activities:
- Review auto-created accounts: Audit new user accounts for appropriateness
- Clean up test accounts: Remove accounts created during testing
- Update proxy configuration: Keep authentication system configurations current
- Security audits: Regular reviews of proxy and CWA security configurations
- β Auto-User Creation: Configurable automatic account creation from reverse proxy headers
- β Enhanced Security Validation: Built-in configuration validation with security warnings
- β Default Permissions Inheritance: New users inherit all default configuration settings
- β Improved Error Handling: Better error messages and logging for troubleshooting
- β Admin UI Integration: Streamlined configuration interface with help text
- β Comprehensive Logging: Detailed authentication and user creation audit trail
- π Group Header Support: Role assignment based on reverse proxy group headers
- π Multiple Header Authentication: Support for multiple authentication headers
- π Session Management: Enhanced session timeout and security controls
- π Advanced User Mapping: Custom user attribute mapping from proxy headers
- Check Configuration: Verify both proxy and CWA settings are correct
- Review Logs: Enable debug logging and check both proxy and CWA logs
- Test Independently: Test proxy authentication separately from CWA integration
- Community Support: Join our Discord for help
- GitHub Issues: Report bugs or request features on GitHub
- Authelia Documentation
- Authentik Documentation
- Traefik ForwardAuth Middleware
- Nginx Auth Request Module
- curl: Command-line tool for testing HTTP headers
- Browser Developer Tools: Inspect request headers in real-time
- Proxy Logs: Monitor proxy access and authentication logs
- CWA Debug Logs: Enable debug logging for detailed authentication flow
This documentation covers CWA's reverse proxy authentication implementation. For additional help, please visit our Discord community or check the GitHub repository.