Auth Providers (ForwardAuth)
Put Authelia, Authentik, or a custom auth service in front of your proxy hosts to protect every request with SSO (single sign-on) before it ever reaches the backend.
How it works
Using nginx auth_request, each request is first checked against your auth provider — "is this user signed in?" — before being forwarded to the backend.
| State | Behavior |
|---|---|
| Authenticated | Request is forwarded to the backend, with user info (name, email, groups, …) passed as headers |
| Unauthenticated | Redirected (302) to the login portal |
An auth provider is defined once and reused across many hosts. Create a provider, then attach the same SSO to as many proxy hosts as you like.
Supported providers
| Type | Description |
|---|---|
| Authelia | Authelia 4.37+. The session cookie domain must be a parent domain of all protected hosts and the portal. |
| Authentik | Authenticates through an authentik outpost. An embedded outpost is usually authentik-server:9000. |
| Custom | Any auth_request-compatible verifier (e.g. oauth2-proxy) — you specify the verify path and sign-in redirect. |
Creating an auth provider
Go to Settings → Auth Providers (ForwardAuth) and choose Add Auth Provider.
| Field | Description |
|---|---|
| Name | A label for identification (e.g. Home Authelia) |
| Type | Authelia · Authentik · Custom |
| Auth Service URL | An address reachable from the proxy container. Use host-IP:port for host-network installs, or the service name on a bridge network. |
The Auth Service URL must be reachable from NginxProxyGuard's nginx container. Use the internal address, not the public domain.
Pick from Docker
Instead of typing the URL, click Pick from Docker to choose the auth service from a running container and configure it automatically.
- It is auto-configured with the container's current IP.
- If the container restarts and its IP changes, it is automatically re-resolved and updated.
- The list shows the sync status (synced / container not found).
Applying to a host
- Create the provider under Settings → Auth Providers first.
- Apply it in Proxy Hosts → edit → Security tab → "Auth Provider". Per-host bypass paths are set there too.
The protected host must use HTTPS — Authelia/Authentik reject http targets.
You can also attach multiple hosts at once from the Hosts tab of the auth provider screen. Only unattached HTTPS hosts are offered; hosts with challenge (CAPTCHA) mode enabled or a custom location / are rejected.
Bypass paths
List paths that should skip authentication, one per line (e.g. /api/health, /webhook).
- Each must start with
/and contain no spaces or;{}#characters. - Use this for webhook receivers or health checks that must be reachable without login.
Per-provider settings
Authelia
- No extra fields — just set the Auth Service URL (e.g.
http://127.0.0.1:9091). - Signed-in user info is forwarded to the backend as
Remote-User,Remote-Groups,Remote-Name, andRemote-Emailheaders. - On failure, the user is redirected to the Authelia portal.
Authentik
- Set the Auth Service URL to the outpost address (an embedded outpost is
authentik-server:9000). - The auth/sign-in flow runs through authentik's
/outpost.goauthentik.iopath. - User info is forwarded as
X-authentik-username,X-authentik-groups,X-authentik-email, and related headers.
Custom
For connecting an auth_request-compatible verifier (e.g. oauth2-proxy) directly.
| Field | Description |
|---|---|
| Verify Path | The auth verification endpoint path |
| Sign-in Redirect | Location header (verifier provides the redirect URL) or Redirect template (custom URL) |
| Sign-in Redirect URL | The URL to use with the redirect-template mode |
| Forward Set-Cookie | Pass the verifier's Set-Cookie back to the client |
| Large header buffers | Enlarges header buffers when the auth response carries big headers (JWTs, groups, entitlements) |
Notes and constraints
| Item | Detail |
|---|---|
| Mutually exclusive with Challenge | A host cannot use ForwardAuth and CAPTCHA/geo challenge mode at the same time. Disable challenge mode to use an auth provider. |
| HTTPS required | Authelia/Authentik reject http targets, so the protected host must be HTTPS. |
| Applies to trusted IPs too | Authentication applies to every request, including trusted IPs (except bypass paths). |
Custom location / conflict | Cannot be applied to hosts that define a custom location /. |
| Deletion removes protection | Deleting an in-use auth provider also removes authentication protection from the attached hosts. |
Auth provider changes take effect via nginx config regeneration. Make sure the protected host is HTTPS and the Auth Service URL is reachable from the proxy container first.