# Setting Up with a Reverse Proxy

This application supports both direct access and running behind a reverse proxy with authentication. The mode is controlled by the `ENABLE_PROXY` environment variable.

## Configuration Options

### Direct Access Mode (default)

When `ENABLE_PROXY=false` (default), the application:
- Expects direct access via IP:port
- Uses non-secure cookies (suitable for HTTP)
- Relies only on the built-in authentication

Example docker-compose.yml for direct access:
```yaml
services:
  mailcow-alias-manager:
    build: .
    restart: unless-stopped
    environment:
      - FLASK_PORT=5142
      - ENABLE_PROXY=false
    volumes:
      - ./data:/app/data
    ports:
      - "5142:5142"
```

### Proxy Mode

When `ENABLE_PROXY=true`, the application:
- Is configured to work behind a reverse proxy
- Uses secure cookies (requires HTTPS)
- Can integrate with authentication providers like Authelia

Example docker-compose.yml for proxy access:
```yaml
services:
  mailcow-alias-manager:
    build: .
    restart: unless-stopped
    environment:
      - FLASK_PORT=5142
      - ENABLE_PROXY=true
    volumes:
      - ./data:/app/data
    # No ports exposed - access only through proxy
    networks:
      - proxy-network
```

## Setting Up with Nginx

Here's a basic Nginx configuration for proxying to the application:

```nginx
server {
    listen 443 ssl;
    server_name alias.example.com;
    
    # SSL configuration
    ssl_certificate /path/to/cert.pem;
    ssl_certificate_key /path/to/key.pem;
    
    location / {
        proxy_pass http://mailcow-alias-manager:5142;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

## Setting Up with Zoraxy or Traefik

For Zoraxy or Traefik, make sure to:

1. Set `ENABLE_PROXY=true` in your container environment
2. Configure the proxy to forward authentication headers if using an authentication provider
3. Set up the appropriate redirect URLs

## Debugging

When running behind a proxy, use the following endpoints for debugging:
- `/debug` - Shows detailed request information
- `/authelia-test` - Tests Authelia header forwarding
- `/health` - Shows basic health and authentication status