Proxy Auth for a singe-author blog


I want to host single-user Ghost instances on VMs that my customers are renting. They get the fully configured VM and can install Ghost with a single click and start blogging. At least that is the idea.
However, I am still looking for a way to configure authentication such that there is no need for the user to register and login.

Ghost is deployed behind a Traefik reverse proxy, and authentication and access control is handled there:

  • all paths starting with /ghost/ are only accessible by the owner.
  • all other paths are public.

The perfect solution would be if:

  • I can configure an initial admin user using environment variables.
  • Let Traefik add the username to http headers, so ghost knows that the user is logged-in and skips authentication.
  • alternatively basic auth would to the trick, since it works stateless on a per-request basis.

I cannot handle session tokens or the like since I can only really control the environment variables with which the docker container is started and the Traefik reverse proxy configuration.

I would be greatful for any hints on how to achieve this.