Published: October 8, 2025
Last updated: April 20, 2026
Suggest an edit

Authenticate based on HTTP headers – strictly designed to be used behind a reverse proxy.

Configuration

YAML 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12

auth:
  methods:
    proxy:
      enabled: true
      header: "X-Forwarded-User"  # or "Remote-User"
      # Optional (same shared fields as OIDC / LDAP / JWT):
      # adminGroup: ""
      # userGroups: []
      # groupsClaim: "groups"
      # userIdentifier: ""
      # disableVerifyTLS: false   # testing only
      # logoutRedirectUrl: ""

Options

OptionDescription
enabledEnable proxy authentication
headerRequired. Header whose value is trusted as the username (must sit behind a trusted proxy)
adminGroupGroup name that grants admin (if your proxy/IdP also sends group claims — integration-dependent)
userGroupsIf set, only users in these groups may log in
groupsClaimJSON field name for groups when reading group data (default: groups)
userIdentifierField to use as username when not using the raw header value in composite setups
disableVerifyTLSDisable TLS verification for any outbound calls (testing only)
logoutRedirectUrlOptional URL to redirect after logout

Example Use Cases

  • Corporate SSO via proxy
  • Kubernetes ingress authentication
  • Nginx auth_request module
  • Traefik ForwardAuth

Traefik Example

YAML 
1
2
3
4
5
6

http:
  middlewares:
    auth:
      forwardAuth:
        address: "https://auth.example.com/verify"
        trustForwardHeader: true

Nginx Example

TEXT 
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18

map $remote_addr $uuid {
    default "demo-${remote_addr}";
}

server {
    listen 80;
    server_name localhost 127.0.0.1;

    location / {
        proxy_set_header X-Username $uuid;
        add_header X-Forwarded-User $uuid;
        proxy_pass http://filebrowser:8080/subpath;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

FileBrowser config:

YAML 
1
2
3
4
5
6
7

auth:
  methods:
    proxy:
      enabled: true
      header: "X-Forwarded-User"
    password:
      enabled: false

Next Steps