From 0dfc772cdbb3c7aaaab8b91860a912c41bf36abe Mon Sep 17 00:00:00 2001 From: Michael Eischer Date: Mon, 17 Feb 2025 22:32:49 +0100 Subject: [PATCH] document proxy auth in readme --- README.md | 10 ++++++++++ changelog/unreleased/pull-307 | 4 ++-- 2 files changed, 12 insertions(+), 2 deletions(-) diff --git a/README.md b/README.md index 6a5ba1a..4deac52 100644 --- a/README.md +++ b/README.md @@ -139,6 +139,16 @@ docker exec -it rest_server create_user myuser mypassword docker exec -it rest_server delete_user myuser ``` +## Proxy Authentication + +See above for no authentication (`--no-auth`) and basic authentication. + +To delegate authentication to a proxy, use the `--proxy-auth-username` flag. The specified header name, for example `X-Forwarded-User`, +must be present in the request headers and specifies the username. Basic authentication is disabled when this flag is set. + +Warning: rest-server trusts the username in the header. It is the responsibility of the proxy +to ensure that the username is correct and cannot be forged by an attacker. + ## Prometheus support and Grafana dashboard diff --git a/changelog/unreleased/pull-307 b/changelog/unreleased/pull-307 index 2aa948e..2902565 100644 --- a/changelog/unreleased/pull-307 +++ b/changelog/unreleased/pull-307 
@@ -1,8 +1,8 @@ Enhancement: Add support for proxy-based authentication -The server now supports authentication via a proxy header specified with the --proxy-auth flag (e.g., --proxy-auth=X-Forwarded-User). +The server now supports authentication via a proxy header specified with the `--proxy-auth-username` flag (e.g., `--proxy-auth-username=X-Forwarded-User`). When this flag is set, the server will authenticate users based on the given header and disable BasicAuth. -Note that --proxy-auth is ignored if --no-auth is set, as --no-auth disables all authentication. +Note that `--proxy-auth-username` is ignored if `--no-auth` is set, as `--no-auth` disables all authentication. https://github.com/restic/rest-server/issues/174 https://github.com/restic/rest-server/pull/307 \ No newline at end of file
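Review bot: In the README.md hunk, the warning paragraph omits the deployment condition that makes the header trustworthy. It puts the burden on the proxy, but does not tell the operator that rest-server must be reachable only through that proxy, or that the proxy has to drop or overwrite any client-supplied copy of the header (`X-Forwarded-User` in the example) before forwarding. I would add a sentence such as "Make sure rest-server only accepts connections from the proxy, and that the proxy removes this header from incoming requests before setting it." The section also leaves out that `--proxy-auth-username` is ignored when `--no-auth` is set, which the changelog entry in this same patch does state, and it does not say what the server does when the header is missing; both are worth a line here.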
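Review bot: In the changelog/unreleased/pull-307 hunk, the entry omits the trust caveat that the README hunk adds ("rest-server trusts the username in the header"). A one-line pointer to that warning would make sure readers of the release notes see it and not only readers of the README. The file also still ends with "\ No newline at end of file"; adding the trailing newline while these lines are being touched would keep that marker out of later diffs.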