# Caddy configuration: global options, a caddy-security authentication portal
# backed by a local user file, one authorization policy, a reusable
# authorization snippet, and two site blocks.
{
	# ACME account contact address.
	email dead@cxap.space

	# Certificates are obtained with the DNS challenge through Cloudflare.
	# The API token is read from the environment, not stored in this file.
	acme_dns cloudflare {$CF_API_TOKEN}

	# The plugin directives have no built-in position in Caddy's handler
	# order, so they are placed explicitly.
	order authenticate before respond
	order authorize before reverse_proxy

	servers {
		# Peers connecting from private address ranges are treated as trusted
		# proxies, so the client address they forward is accepted.
		# NOTE(review): any host on those ranges that can reach Caddy directly
		# can then set the client address itself; list the actual proxy
		# addresses if they are known.
		trusted_proxies static private_ranges
	}

	security {
		# File-backed user database for the "local" realm.
		# NOTE(review): this file presumably holds credential material; confirm
		# that /data is readable only by the Caddy process.
		local identity store localdb {
			realm local
			path /data/users.json
		}

		authentication portal authportal {
			# Token and cookie lifetimes come from the environment and fall
			# back to 43200 (presumably seconds, i.e. 12 hours; confirm).
			crypto default token lifetime {$AUTH_TOKEN_LIFETIME:43200}
			enable identity store localdb

			# The cookie is scoped to the parent domain, so browsers send it to
			# every host under realy.nothing.help, not only to the portal.
			cookie domain realy.nothing.help
			cookie lifetime {$AUTH_COOKIE_LIFETIME:43200}
			cookie samesite lax

			ui {
				links {
					"Portainer" "https://port.realy.nothing.help" icon "las la-tachometer-alt"
					"WhoAmI" "/whoami" icon "las la-user"
				}
			}

			# Every user that originates from the local store is given the
			# admin role, which is the only role the policy below accepts.
			# NOTE(review): the MFA requirement is commented out, so a password
			# alone yields admin; confirm that this is intended.
			transform user {
				match origin local
				action add role admin
				# require mfa
			}
		}

		authorization policy apikey_or_admin {
			# Where requests are sent to authenticate.
			set auth url https://auth.realy.nothing.help
			allow roles admin
			# API keys are accepted and checked against the portal's local realm.
			with api key auth portal authportal realm local

			# Rule order matters: admin is accepted (evaluation stops, logged
			# at info), and everything else reaches the deny rule (logged at warn).
			acl rule {
				comment "Accept"
				match role admin
				allow stop log info
			}
			acl rule {
				comment "Deny"
				match any
				deny log warn
			}
		}
	}
}

# Reusable snippet that applies the apikey_or_admin policy and passes claims
# on as request headers.
# NOTE(review): no site block visible here imports this snippet. Backends that
# rely on the injected headers should be reachable only through Caddy, since a
# direct client could otherwise supply the same headers itself.
(auth_forward) {
	authorize with apikey_or_admin {
		set auth url https://auth.realy.nothing.help
		inject headers with claims
	}
}

# Authentication portal host.
auth.realy.nothing.help {
	route {
		authenticate with authportal
	}

	# Response hardening headers: HSTS for one year including subdomains,
	# no MIME sniffing, no framing, no referrer.
	header {
		Strict-Transport-Security "max-age=31536000; includeSubDomains; preload"
		X-Content-Type-Options "nosniff"
		X-Frame-Options "DENY"
		Referrer-Policy "no-referrer"
	}
}

# Wildcard host: answers "ok" for the path "/" only.
# NOTE(review): this block neither imports auth_forward nor sets the headers
# used on the portal host, so it is served without authorization.
*.realy.nothing.help {
	respond / "ok"
}