nforwardauth

nforwardauth is a lightweight forward authentication service written in Rust that provides a single auth middleware for reverse proxies. It validates requests, issues signed auth tokens (cookies), and redirects unauthenticated users to a simple login page.

Key Features

• Forward-auth middleware compatible with common reverse proxies such as Traefik, Caddy, and nginx
• Uses a passwd file of usernames and hashed passwords (sha-512) for credential storage
• Issues signed authentication tokens/cookies using a configurable TOKEN_SECRET
• Optional downstream header (X-Forwarded-User) to pass authenticated identity
• Configurable cookie name, domain, secure flag, port, and pass-through behavior
• Built-in, configurable rate limiter to mitigate brute-force login attempts
• Distributed as a Docker image and usable with docker-compose; simple static login UI

Use Cases

• Protect multiple self-hosted web apps behind a single authentication wall
• Integrate a simple auth layer into Traefik/Caddy/nginx setups for homelabs and small deployments
• Provide password-based access control where a full identity provider is unnecessary

Limitations and Considerations

• Authentication is limited to username/password entries in a local passwd file; no built-in OIDC/SAML/OAuth providers
• No built-in CSRF protection as of current roadmap items
• Not intended as a full SSO or enterprise identity solution; focuses on minimalism and simplicity

nforwardauth is designed for minimal operational overhead and fast response times. It is well suited to homelab and small deployments that need a simple, centralized forward-auth layer without external identity provider integrations.