feat: update proxy authentication handling to allow disabling with empty credentials

hightemp · hightemp · commit b2bd3f989491 · 2026-05-03T10:30:47.000+03:00
diff --git a/.env.example b/.env.example
@@ -2,9 +2,9 @@
 DOMAIN=example.com
 EMAIL=you@example.com
 
-# Proxy credentials (override values in mounted config).
-PROXY_USERNAME=user
-PROXY_PASSWORD=pass
+# Proxy credentials (leave empty to disable Basic auth).
+PROXY_USERNAME=
+PROXY_PASSWORD=
 
 # Optional: chain through an upstream proxy.
 # PROXY_UPSTREAM_PROXY=https://user:pass@upstream-proxy:8080
diff --git a/README.md b/README.md
@@ -30,20 +30,22 @@ Download the latest binary from the [Releases](https://github.com/hightemp/https
 
 ### Docker
 
-One-liner (HTTP proxy on port 8080, default user/pass `user`/`pass`):
+One-liner (HTTP proxy on port 8080, **no authentication**):
 
 ```sh
 docker run -d --name https_proxy -p 8080:8080 hightemp/https_proxy:latest
 ```
 
-Override credentials via env vars (no config file needed):
+Enable Basic auth via env vars:
 
 ```sh
 docker run -d --name https_proxy -p 8080:8080 \
   -e PROXY_USERNAME=alice -e PROXY_PASSWORD=s3cret \
   hightemp/https_proxy:latest
 ```
 
+> If both `username` and `password` are empty, authentication is disabled.
+
 With a custom config:
 
 ```sh
diff --git a/config.docker.yaml b/config.docker.yaml
@@ -1,6 +1,6 @@
 proxy_addr: 0.0.0.0:8080
-username: user
-password: pass
+username: ""
+password: ""
 proto: http
 cert_path: ""
 key_path: ""
diff --git a/docker-compose.yml b/docker-compose.yml
@@ -9,8 +9,8 @@ services:
     environment:
       PROXY_ADDR: 0.0.0.0:8080
       PROXY_PROTO: http
-      PROXY_USERNAME: ${PROXY_USERNAME:-user}
-      PROXY_PASSWORD: ${PROXY_PASSWORD:-pass}
+      PROXY_USERNAME: ${PROXY_USERNAME:-}
+      PROXY_PASSWORD: ${PROXY_PASSWORD:-}
       PROXY_UPSTREAM_PROXY: ${PROXY_UPSTREAM_PROXY:-}
 
   # HTTPS proxy with Let's Encrypt certificates (read from shared volume)
@@ -23,8 +23,8 @@ services:
     environment:
       PROXY_ADDR: 0.0.0.0:8443
       PROXY_PROTO: https
-      PROXY_USERNAME: ${PROXY_USERNAME:-user}
-      PROXY_PASSWORD: ${PROXY_PASSWORD:-pass}
+      PROXY_USERNAME: ${PROXY_USERNAME:-}
+      PROXY_PASSWORD: ${PROXY_PASSWORD:-}
       PROXY_CERT_PATH: /etc/letsencrypt/live/${DOMAIN:?DOMAIN must be set in .env}/fullchain.pem
       PROXY_KEY_PATH: /etc/letsencrypt/live/${DOMAIN}/privkey.pem
       PROXY_UPSTREAM_PROXY: ${PROXY_UPSTREAM_PROXY:-}
diff --git a/main.go b/main.go
@@ -210,6 +210,11 @@ func applyEnvOverrides(c *Config) {
 }
 
 func basicAuth(w http.ResponseWriter, r *http.Request) bool {
+	// Authentication disabled when no credentials are configured.
+	if config.Username == "" && config.Password == "" {
+		return true
+	}
+
 	auth := r.Header.Get("Proxy-Authorization")
 	if auth == "" {
 		slog.Debug("No Proxy-Authorization header", "remote", r.RemoteAddr)
