From 7222b53d01dec0eda00484ed0c279b3734d059c4 Mon Sep 17 00:00:00 2001 From: Lunny Xiao Date: Thu, 7 Sep 2023 16:31:46 +0800 Subject: [PATCH] Add reverseproxy auth for API back with default disabled (#26703) This feature was removed by #22219 to avoid possible CSRF attack. This PR takes reverseproxy auth for API back but with default disabled. To prevent possbile CSRF attack, the responsibility will be the reverseproxy but not Gitea itself. For those want to enable this `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`, they should know what they are doing. --------- Co-authored-by: Giteabot --- administration/config-cheat-sheet.en-us.md | 3 ++- 1 file changed, 2 insertions(+), 1 deletion(-) diff --git a/administration/config-cheat-sheet.en-us.md b/administration/config-cheat-sheet.en-us.md index 7e8befb8..f11825aa 100644 --- a/administration/config-cheat-sheet.en-us.md +++ b/administration/config-cheat-sheet.en-us.md @@ -621,7 +621,8 @@ And the following unique queues: BASIC and the user's password. Please note if you disable this you will not be able to access the tokens API endpoints using a password. Further, this only disables BASIC authentication using the password - not tokens or OAuth Basic. -- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication. +- `ENABLE_REVERSE_PROXY_AUTHENTICATION`: **false**: Enable this to allow reverse proxy authentication for web requests +- `ENABLE_REVERSE_PROXY_AUTHENTICATION_API`: **false**: Enable this to allow reverse proxy authentication for API requests, the reverse proxy is responsible for ensuring that no CSRF is possible. - `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION`: **false**: Enable this to allow auto-registration for reverse authentication. - `ENABLE_REVERSE_PROXY_EMAIL`: **false**: Enable this to allow to auto-registration with a