Guard config creator

Features

Enable or disable feature flags

Proxy authentication

Guard will proxy reqeusts and enforce authentication.

Reverse proxy authentication

Authenticate requests forwarded from your reverse proxy (e.g NGINX auth-url)

Proxy header *

The original request URL will be lost. Reverse proxies include an original URL request header. Choose which header to use as a reference. **Do not use a user-controlled header**. The integrity of this header is vitally important as it chooses which authentication policies are checked.

OAuth server

Expose an OAuth 2.0 server endpoint

TLS

Setup TLS for Guard webserver

Global styling

Customize the default login page appearance

Image URL

Alias

Public description

Username placeholder

Domain placeholder

MySQL

Connection settings for your MySQL / MariaDB instance

Hostname

Port

Database

Username

Password env var

SQL tables

Customize table names (Guard uses these defaults)

Users

Devices

Magiclinks

SMTP

Email delivery for magic links

Host

Port

Username

Password env var

Sender name

Sender address

Reply-to address

Authentication methods

Configure how users can sign in

emailemail

Method ID

Type

Alias (optional)

Applied policies

staff_only

Create new users

Automatically register first-time users

Policies

Define who is allowed or blocked from protected services

staff_onlyallowon email

Action

Property

Starts with (optional)

Ends with (optional)

Hostnames

Services protected by Guard — link each to auth methods and policies

sydney.example.comSydney

Active

Hostname

Alias (optional)

Authentication methods

Enter method IDs (e.g. email). Press Enter or , to add.

Applied policies

Enter policy IDs (e.g. staff_only).

staff_only

Multistep authentication

Require all listed methods to pass, not just one