From b6c45992152ffd5bdad8d2eb78367a096b3bf210 Mon Sep 17 00:00:00 2001
From: Alex Jordan
Date: Wed, 17 Aug 2016 12:17:07 -0400
Subject: [PATCH] Move HTTP mode auth docs into "reverse proxy"
---
 README.md | 44 +++++++++++++++++---------------------------
 1 file changed, 17 insertions(+), 27 deletions(-)
diff --git a/README.md b/README.md
index c0cb5fc..db995f9 100644
--- a/README.md
+++ b/README.md
@@ -53,7 +53,6 @@ We developed the Recorder as a one-stop solution to storing location data publis
 * [Authentication](#authentication)
 * [HTTP mode](#http-mode)
 * [Friends in HTTP mode](#friends-in-http-mode)
- * [Authentication](#authentication-1)
 * [Advanced topics](#advanced-topics)
 * [Browser API keys](#browser-api-keys)
 * [The LMDB database](#the-lmdb-database)
@@ -285,7 +284,7 @@ Note that options passed to `ot-recorder` override both configuration file setti
 ## Reverse proxy
-Running the Recorder protected by an _nginx_ or _Apache_ server is possible and is the only recommended method if you want to server data behind _localhost_. The snippets below show how to do it, but you would also add authentication to them.
+Running the Recorder protected by an _nginx_ or _Apache_ server is possible and is the only recommended method if you want to server data behind _localhost_. The snippets below show how to do it, but you would also add authentication to them - or at least, to everything but the views. The snippet for HTTP mode shows an example of how to do this.
 ### nginx
@@ -335,6 +334,22 @@ server {
 proxy_set_header X-Real-IP $remote_addr;
 }
+ # HTTP Mode
+ location /owntracks/pub {
+ auth_basic "OwnTracks pub";
+ auth_basic_user_file /usr/local/etc/nginx/owntracks.htpasswd;
+ proxy_pass http://127.0.0.1:8083/pub;
+ proxy_http_version 1.1;
+ proxy_set_header Host $host;
+ proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+ proxy_set_header X-Real-IP $remote_addr;
+ # Optionally force Recorder to use username from Basic
+ # authentication user. Whether or not client sets
+ # X-Limit-U and/or uses ?u= parameter, the user will
+ # be set to $remote_user.
+ proxy_set_header X-Limit-U $remote_user;
+ }
 }
 ```
@@ -878,31 +893,6 @@ when user `jane` and device `phone` POST a new location via HTTP, the Recorder w
 Note, that Jane's user/device tuple should also be returned in order to display Jane on the map or list of friends in the apps.
-### Authentication
-
-In HTTP mode, the Recorder provides no form of authentication; anybody who "stumbles" over the correct endpoint will be able to post location data to your Recorder! You do not want this to happen.
-
-Install, say, an _nginx_ proxy before it and ensure it's configured for HTTP basic authentication:
-
-```
-# - Recorder PUB -----------------------------------------------------------
-location /owntracks/pub {
- auth_basic "OwnTracks pub";
- auth_basic_user_file /usr/local/etc/nginx/owntracks.htpasswd;
- proxy_pass http://127.0.0.1:8083/pub;
- proxy_http_version 1.1;
- proxy_set_header Host $host;
- proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
- proxy_set_header X-Real-IP $remote_addr;
-
- # Optionally force Recorder to use username from Basic
- # authentication user. Whether or not client sets
- # X-Limit-U and/or uses ?u= parameter, the user will
- # be set to $remote_user.
- proxy_set_header X-Limit-U $remote_user;
-}
-```
-
 ## Advanced topics
 ### Browser API keys