From 77464b8030e97a0df7b2a44ad5eacf9770cd984a Mon Sep 17 00:00:00 2001
From: MiTHRAL
Date: Wed, 13 May 2026 22:33:37 -0400
Subject: [PATCH] Document NPM-protected deploy mode

---
 .env.deploy.example | 4 +---
 README.md | 7 +++++--
 2 files changed, 6 insertions(+), 5 deletions(-)

diff --git a/.env.deploy.example b/.env.deploy.example
index 6d140a6..d29e0a5 100644
--- a/.env.deploy.example
+++ b/.env.deploy.example
@@ -6,9 +6,7 @@ CHECK_INTERVAL_SECONDS=60
 HTTP_USER_AGENT=ArchiveStatusBot/1.0
 DISCORD_DRY_RUN=false
 DASHBOARD_ENABLED=true
+DASHBOARD_AUTH_DISABLED=true
 DASHBOARD_HOST=0.0.0.0
 DASHBOARD_PORT=8787
-DASHBOARD_USERNAME=admin
-DASHBOARD_PASSWORD_HASH=replace-with-generated-pbkdf2-hash
-DASHBOARD_SESSION_TTL_SECONDS=28800
 DASHBOARD_COOKIE_SECURE=true
diff --git a/README.md b/README.md
index 3b5107d..0aed3f3 100644
--- a/README.md
+++ b/README.md
@@ -148,13 +148,16 @@ Use this target from your proxy:
 http://archive-status-bot:8787
 ```
 
-For HTTPS behind a reverse proxy, set:
+For Nginx Proxy Manager, put the dashboard behind an Access List or basic auth on the proxy host and disable the app's own login:
 
 ```env
+DASHBOARD_AUTH_DISABLED=true
 DASHBOARD_COOKIE_SECURE=true
 ```
 
-Leave it `false` only for direct localhost HTTP testing.
+NPM’s Access Lists use browser `Authorization` headers, so the app never needs to receive your username/password directly. Leave `DASHBOARD_AUTH_DISABLED=false` only for direct localhost testing.
+
+NPM’s own docs call out that Access List basic auth and app-side auth both use `Authorization`, so the app-side login is the one to disable in production.
 
 For direct local Docker testing without a proxy:
 
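Review bot: `DASHBOARD_AUTH_DISABLED=true` is added to the deploy example while `DASHBOARD_HOST=0.0.0.0` stays, so the dashboard accepts unauthenticated requests from anything that can reach port 8787 without passing through the proxy, such as other containers on the same network or the host if the port is published. The example should say so next to the setting, e.g. `# Only set to true when port 8787 is reachable solely through an authenticating reverse proxy; do not publish the port on the host.` The README hunk gives the same advice and would benefit from the same precondition. It may also be safer to ship the example with `DASHBOARD_AUTH_DISABLED=false` and let operators opt in, since a copied example file becomes the production default. Whether the port is actually published is not visible in this diff.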