From d1645201345f8222c5b5acf01fb0a44f4c5a41b4 Mon Sep 17 00:00:00 2001 From: Andrew Roberts Date: Sun, 5 Jan 2020 08:16:54 -0500 Subject: [PATCH] Updated Setup Reverse Proxy (markdown) --- Setup-Reverse-Proxy.md | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/Setup-Reverse-Proxy.md b/Setup-Reverse-Proxy.md index edb3316..7c2ff43 100644 --- a/Setup-Reverse-Proxy.md +++ b/Setup-Reverse-Proxy.md @@ -106,3 +106,8 @@ My web.config file looks like this: The crossed out sections aren't needed, they are leftovers from my experiments. +### Login via header from upstream authentication source + +If your reverse proxy has some kind of authentication mechanism, you can configure Calibre-web to log users in based on headers received from the proxy. If using this feature, it's important that only the proxy is exposed to users, because if the Calibre-web instance is at all directly exposed to traffic, then a malicious user will be able to log in as any user that exists via simply setting a header. + +In the admin configuration, check the box marked `Allow Reverse Proxy Authentication`, and then fill in the text box that appears with the name of the header that will contain the username.
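Review bot: The warning in the first paragraph of the new "Login via header from upstream authentication source" section only covers direct exposure of the Calibre-web instance. It does not say that the proxy itself must drop or overwrite any copy of the configured header that arrives from the client, so a deployment that follows this text can still trust a username header the proxy merely passed through. Suggest adding a sentence stating that the proxy has to set this header itself on every request and discard any incoming value. A second sentence should say how to keep the instance reachable only from the proxy, for example by binding it to the loopback interface or restricting access by firewall. In the second paragraph, an example header name would show readers what belongs in the text box next to `Allow Reverse Proxy Authentication`. The phrase "log in as any user that exists via simply setting a header" would read more clearly as "log in as any existing user simply by setting that header".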