User Tools

Differences

This shows you the differences between two versions of the page.

Link to this comparison view

Both sides previous revisionPrevious revision
Next revision		Previous revision
services:grist [2025/01/22 15:20] – [Reverse Proxy] willyservices:grist [2025/03/13 14:59] (current) – [Reverse Proxy] willy
Line 23: Line 23:
       - GRIST_SESSION_SECRET=here_write_a_secret_passcode       - GRIST_SESSION_SECRET=here_write_a_secret_passcode
       - GRIST_DEFAULT_EMAIL=me@mydomain.com       - GRIST_DEFAULT_EMAIL=me@mydomain.com
-      - APP_HOME_URL=https://grist.mydomain.com/+      - GRIST_FORWARD_AUTH_HEADER=Remote-Email 
 +      - GRIST_PROXY_AUTH_HEADER=Remote-Email 
 +      - APP_HOME_URL=https://grist.mydomain.com 
 +      - APP_DOC_URL=https://grist.mydomain.com 
 +      - GRIST_IGNORE_SESSION=true    
     stdin_open: true     stdin_open: true
     tty: true     tty: true
Line 34: Line 38:
 </file> </file>
  
-Remember to set an available port (8484)!+Remember to set an available port (8484)! I have not been able to make grist run as user //grist// inside the container, it will run as user 1001. This is not an issue, just a cosmetic annoyance.
  
 Now pull it: Now pull it:
Line 44: Line 48:
 ==== Single Sign On ==== ==== Single Sign On ====
  
-...+Grist will happily inherit your SSO authentication from the reverse proxy, the key point are the following settings in your docker compose: 
 +<code> 
 +      - GRIST_FORWARD_AUTH_HEADER=Remote-Email 
 +      - GRIST_PROXY_AUTH_HEADER=Remote-Email 
 +      - GRIST_IGNORE_SESSION=true     
 +</code>
  
 +If you need //multiple// users, each one with it's own Grist user you will need to remove the GRIST_IGNORE_SESSION setting.
  
 ==== Reverse Proxy ==== ==== Reverse Proxy ====
Line 63: Line 73:
         access_log /var/log/nginx/grist.mydomain.com_access_log main;         access_log /var/log/nginx/grist.mydomain.com_access_log main;
         error_log /var/log/nginx/grist.mydomain.com_error_log info;         error_log /var/log/nginx/grist.mydomain.com_error_log info;
 +
 +        include "com.mydomain/authelia_location.conf";
  
          location / {          location / {
-          proxy_pass http://127.0.0.1:8484; +                include "com.mydomain/authelia_proxy.conf"; 
-          proxy_set_header Host $host; +                include "com.mydomain/authelia_authrequest.conf"; 
-          proxy_set_header X-Real-IP $remote_addr; + 
-          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; +                proxy_pass http://127.0.0.1:8484; 
-          proxy_set_header X-Forwarded-Proto $scheme; +                proxy_set_header Host $host; 
-          proxy_set_header Upgrade $http_upgrade; +                proxy_set_header X-Real-IP $remote_addr; 
-          proxy_set_header Connection "upgrade"; +                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; 
-      }+                proxy_set_header X-Forwarded-Proto $scheme; 
 +                proxy_set_header Upgrade $http_upgrade; 
 +                proxy_set_header Connection "upgrade"; 
 +    }
 } }
 </file> </file>
 +
 +This will enable Authelia SSO (see [[selfhost:sso|here]] for your Grist installation as well.