Add trusted header auth and publisher shell
All checks were successful
buildbot/nix-eval Build done.
buildbot/nix-build Build done.
buildbot/nix-effects Build done.

This commit is contained in:
Abel Luck 2026-06-01 18:11:23 +02:00
parent 89e6a4d78c
commit 96551c2788
8 changed files with 569 additions and 19 deletions

@ -42,7 +42,11 @@ In `--dev-mode`, requests under `/feeds/...` are served from `out/feeds/...`.
In production, do not rely on Quart to serve published feeds. Configure the reverse proxy to serve `out/feeds/...` directly at `/feeds/...`.
Important: the admin UI has no built-in authentication. Keep it bound to localhost or put it behind a trusted network layer such as Tailscale.
By default the UI runs with `REPUBLISHER_AUTH_MODE=disabled` for local development.
For production, set `REPUBLISHER_AUTH_MODE=trusted-headers`, keep the app bound to `127.0.0.1`, and put it behind nginx plus oauth2-proxy.
In trusted-header mode, nginx must overwrite the `X-Republisher-*` identity headers before proxying to the app.
Once the UI is running:
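Review bot: the unchanged context line "Important: the admin UI has no built-in authentication. Keep it bound to localhost or put it behind a trusted network layer such as Tailscale." now contradicts the `trusted-headers` mode documented directly after it; reword it to say that the app performs no credential checks itself and only trusts the identity headers the reverse proxy sets, so in `trusted-headers` mode it still must be reachable only through nginx (hence the `127.0.0.1` binding), because any client that can reach the app directly could present its own `X-Republisher-*` headers. Two further documentation gaps in the same lines: "overwrite" should be made explicit as nginx setting the headers unconditionally (for example with `proxy_set_header`) rather than passing client-supplied values through, and the text should state what the app does in `trusted-headers` mode when the headers are absent or empty (reject the request, not fall back to an anonymous or `disabled`-mode identity).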