authwall-direct

Authwall is the entrypoint. Clients connect to Authwall directly; it handles sign-in and proxies authenticated requests to the upstream app.

client → authwall → app

flowchart LR
    client --> authwall --> app

This is the simplest topology — no reverse proxy involved. It matches the docker-compose.yaml shipped at the repository root, minus the external database (this example uses SQLite).

Run it

docker compose up

Then open http://localhost:3000, choose Sign up, and create an account. After signing in you land on the echo-server upstream, which echoes your request back — look for the X-Auth-User header Authwall added.

What to change for your app

• AUTHWALL_UPSTREAM_URL — point it at your own app instead of app:8080.
• AUTHWALL_PUBLIC_URL — set it to the URL users actually reach Authwall on.
• AUTHWALL_UPSTREAM_MODE — leave it direct while one app sits behind Authwall. Switch to proxy only when the upstream is a reverse proxy serving several domains (see the authwall-proxy-nginx example).

Notes

• Storage is SQLite, kept in ./data along with the generated session secret.
• This example serves plain HTTP. For HTTPS, terminate TLS at a cloud load balancer in front of Authwall, and set AUTHWALL_PUBLIC_URL to the https:// address.

Configuration files

docker-compose.yaml

services:

  # Authwall is the entrypoint. Clients connect to it directly on port 3000,
  # and it proxies authenticated requests to the upstream `app` service.
  authwall:
    image: vbarbarosh/authwall
    restart: unless-stopped
    environment:
      AUTHWALL_PUBLIC_URL: http://localhost:3000
      AUTHWALL_UPSTREAM_URL: http://app:8080
    ports:
      - 3000:3000
    volumes:
      - ./data:/app/data
    depends_on:
      - app

  # Stand-in upstream app. echo-server echoes each request it receives,
  # so you can see the `X-Auth-User` header Authwall adds.
  app:
    image: jmalloc/echo-server
    restart: unless-stopped