diff --git a/app.php b/app.php
index 112d84dd..c036c41b 100644
--- a/app.php
+++ b/app.php
@@ -19,6 +19,7 @@ require_once __DIR__ . '/config-dist.php'; // For not in own config defined valu
 if ((GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease') && !defined('GROCY_USER_ID'))
 {
 	define('GROCY_USER_ID', 1);
+	define('GROCY_SHOW_AUTH_VIEWS', true);
 }
 
 // Definitions for disabled authentication mode
@@ -28,6 +29,7 @@ if (GROCY_DISABLE_AUTH === true)
 	{
 		define('GROCY_USER_ID', 1);
 	}
+	define('GROCY_SHOW_AUTH_VIEWS', false);
 }
 
 // Setup base application
diff --git a/config-dist.php b/config-dist.php
index 2c746528..a37600ad 100644
--- a/config-dist.php
+++ b/config-dist.php
@@ -66,6 +66,14 @@ Setting('ENTRY_PAGE', 'stock');
 # places where user context is needed will then use the default (first existing) user
 Setting('DISABLE_AUTH', false);
 
+# Either "Grocy\Middleware\DefaultAuthMiddleware", "Grocy\Middleware\ReverseProxyAuthMiddleware"
+# or any class that implements Grocy\Middleware\AuthMiddleware
+Setting('AUTH_CLASS', 'Grocy\Middleware\DefaultAuthMiddleware');
+
+# When using ReverseProxyAuthMiddleware,
+# the name of the HTTP header which your reverse proxy uses to pass the username (on successful authentication)
+Setting('REVERSE_PROXY_AUTH_HEADER', 'REMOTE_USER');
+
 # Set this to true if you want to disable the ability to scan a barcode via the device camera (Browser API)
 Setting('DISABLE_BROWSER_BARCODE_CAMERA_SCANNING', false);
 
diff --git a/middleware/ApiKeyAuthMiddleware.php b/middleware/ApiKeyAuthMiddleware.php
index 462d3d55..3f1679da 100644
--- a/middleware/ApiKeyAuthMiddleware.php
+++ b/middleware/ApiKeyAuthMiddleware.php
@@ -2,104 +2,75 @@
 
 namespace Grocy\Middleware;
 
+use Psr\Http\Message\ResponseFactoryInterface;
 use Psr\Http\Message\ServerRequestInterface as Request;
-use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
-use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteContext;
 
-use Grocy\Services\SessionService;
 use Grocy\Services\ApiKeyService;
 
-class ApiKeyAuthMiddleware extends BaseMiddleware
+class ApiKeyAuthMiddleware extends AuthMiddleware
 {
-	public function __construct(\DI\Container $container, string $sessionCookieName, string $apiKeyHeaderName)
-	{
-		parent::__construct($container);
-		$this->SessionCookieName = $sessionCookieName;
-		$this->ApiKeyHeaderName = $apiKeyHeaderName;
-	}
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container, $responseFactory);
+        $this->ApiKeyHeaderName = $this->AppContainer->get('ApiKeyHeaderName');
+    }
 
-	protected $SessionCookieName;
-	protected $ApiKeyHeaderName;
+    protected $ApiKeyHeaderName;
 
-	public function __invoke(Request $request, RequestHandler $handler): Response
-	{
-		$routeContext = RouteContext::fromRequest($request);
-		$route = $routeContext->getRoute();
-		$routeName = $route->getName();
+    function authenticate(Request $request)
+    {
+        if (!defined('GROCY_SHOW_AUTH_VIEWS'))
+        {
+            define('GROCY_SHOW_AUTH_VIEWS', true);
+        }
 
-		if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
-		{
-			define('GROCY_AUTHENTICATED', true);
-			$response = $handler->handle($request);
-		}
-		else
-		{
-			$validSession = true;
-			$validApiKey = true;
-			$usedApiKey = null;
+        $routeContext = RouteContext::fromRequest($request);
+        $route = $routeContext->getRoute();
+        $routeName = $route->getName();
 
-			$sessionService = SessionService::getInstance();
-			if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
-			{
-				$validSession = false;
-			}
+        $validApiKey = true;
+        $usedApiKey = null;
 
-			$apiKeyService = new ApiKeyService();
+        $apiKeyService = new ApiKeyService();
 
-			// First check of the API key in the configured header
-			if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = false;
-			}
-			else
-			{
-				$usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
-			}
+        // First check of the API key in the configured header
+        if (!$request->hasHeader($this->ApiKeyHeaderName) || !$apiKeyService->IsValidApiKey($request->getHeaderLine($this->ApiKeyHeaderName)))
+        {
+            $validApiKey = false;
+        }
+        else
+        {
+            $usedApiKey = $request->getHeaderLine($this->ApiKeyHeaderName);
+        }
 
-			// Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
-			if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
-			{
-				$validApiKey = true;
-				$usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
-			}
+        // Not recommended, but it's also possible to provide the API key via a query parameter (same name as the configured header)
+        if (!$validApiKey && !empty($request->getQueryParam($this->ApiKeyHeaderName)) && $apiKeyService->IsValidApiKey($request->getQueryParam($this->ApiKeyHeaderName)))
+        {
+            $validApiKey = true;
+            $usedApiKey = $request->getQueryParam($this->ApiKeyHeaderName);
+        }
 
-			// Handling of special purpose API keys
-			if (!$validApiKey)
-			{
-				if ($routeName === 'calendar-ical')
-				{
-					if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
-					{
-						$validApiKey = true;
-					}
-				}
-			}
+        // Handling of special purpose API keys
+        if (!$validApiKey)
+        {
+            if ($routeName === 'calendar-ical')
+            {
+                if ($request->getQueryParam('secret') !== null && $apiKeyService->IsValidApiKey($request->getQueryParam('secret'), ApiKeyService::API_KEY_TYPE_SPECIAL_PURPOSE_CALENDAR_ICAL))
+                {
+                    $validApiKey = true;
+                }
+            }
+        }
 
-			if (!$validSession && !$validApiKey)
-			{
-				define('GROCY_AUTHENTICATED', false);
-				$response = new \Slim\Psr7\Response(); // No content when unauthorized
-				$response = $response->withStatus(401);
-			}
-			elseif ($validApiKey)
-			{
-				$user = $apiKeyService->GetUserByApiKey($usedApiKey);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
+        if ($validApiKey)
+        {
+            return $apiKeyService->GetUserByApiKey($usedApiKey);
 
-				$response = $handler->handle($request);
-			}
-			elseif ($validSession)
-			{
-				$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
-				define('GROCY_AUTHENTICATED', true);
-				define('GROCY_USER_ID', $user->id);
-
-				$response = $handler->handle($request);
-			}
-		}
-
-		return $response;
-	}
+        }
+        else
+        {
+            return null;
+        }
+    }
 }
diff --git a/middleware/AuthMiddleware.php b/middleware/AuthMiddleware.php
new file mode 100644
index 00000000..7c7e1afa
--- /dev/null
+++ b/middleware/AuthMiddleware.php
@@ -0,0 +1,84 @@
+<?php
+
+namespace Grocy\Middleware;
+
+use Psr\Http\Message\ResponseFactoryInterface;
+use Psr\Http\Message\ResponseInterface as Response;
+use Psr\Http\Message\ServerRequestInterface as Request;
+use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
+use Slim\Routing\RouteContext;
+
+use Grocy\Services\SessionService;
+
+abstract class AuthMiddleware extends BaseMiddleware
+{
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container);
+        $this->ResponseFactory = $responseFactory;
+    }
+
+    protected $ResponseFactory;
+
+    public function __invoke(Request $request, RequestHandler $handler): Response
+    {
+        $routeContext = RouteContext::fromRequest($request);
+        $route = $routeContext->getRoute();
+        $routeName = $route->getName();
+        $isApiRoute = string_starts_with($request->getUri()->getPath(), '/api/');
+
+        if ($routeName === 'root')
+        {
+            return $handler->handle($request);
+        }
+        else if ($routeName === 'login')
+        {
+            define('GROCY_AUTHENTICATED', false);
+            return $handler->handle($request);
+        }
+        if (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
+        {
+            $sessionService = SessionService::getInstance();
+            $user = $sessionService->GetDefaultUser();
+
+            define('GROCY_AUTHENTICATED', true);
+            define('GROCY_USER_USERNAME', $user->username);
+
+            return $handler->handle($request);
+        }
+        else
+        {
+            $user = $this->authenticate($request);
+
+            if ($user === null)
+            {
+                define('GROCY_AUTHENTICATED', false);
+
+                $response = $this->ResponseFactory->createResponse();
+                if ($isApiRoute)
+                {
+                    return $response->withStatus(401);
+                }
+                else
+                {
+                    return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
+                }
+            }
+            else
+            {
+                define('GROCY_AUTHENTICATED', true);
+                define('GROCY_USER_ID', $user->id);
+                define('GROCY_USER_USERNAME', $user->username);
+
+                return $response = $handler->handle($request);
+            }
+        }
+    }
+
+    /**
+     * @param Request $request
+     * @return mixed|null the user row or null if the request is not authenticated
+     * @throws \Exception Throws an \Exception if config is invalid.
+     */
+    protected abstract function authenticate(Request $request);
+}
diff --git a/middleware/DefaultAuthMiddleware.php b/middleware/DefaultAuthMiddleware.php
new file mode 100644
index 00000000..cb28e934
--- /dev/null
+++ b/middleware/DefaultAuthMiddleware.php
@@ -0,0 +1,24 @@
+<?php
+
+namespace Grocy\Middleware;
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+class DefaultAuthMiddleware extends AuthMiddleware
+{
+    protected function authenticate(Request $request)
+    {
+        // First try to authenticate by API key
+        $auth = new ApiKeyAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+        $user = $auth->authenticate($request);
+        if ($user !== null)
+        {
+            return $user;
+        }
+
+        // Then by session cookie
+        $auth = new SessionAuthMiddleware($this->AppContainer, $this->ResponseFactory);
+        $user = $auth->authenticate($request);
+        return $user;
+    }
+}
diff --git a/middleware/ReverseProxyAuthMiddleware.php b/middleware/ReverseProxyAuthMiddleware.php
new file mode 100644
index 00000000..a0536ca4
--- /dev/null
+++ b/middleware/ReverseProxyAuthMiddleware.php
@@ -0,0 +1,40 @@
+<?php
+
+namespace Grocy\Middleware;
+
+use Psr\Http\Message\ServerRequestInterface as Request;
+
+use Grocy\Services\DatabaseService;
+use Grocy\Services\UsersService;
+
+class ReverseProxyAuthMiddleware extends AuthMiddleware
+{
+    function authenticate(Request $request)
+    {
+        if (!defined('GROCY_SHOW_AUTH_VIEWS'))
+        {
+            define('GROCY_SHOW_AUTH_VIEWS', false);
+        }
+
+        $db = DatabaseService::getInstance()->GetDbConnection();
+
+        $username = $request->getHeader(GROCY_REVERSE_PROXY_AUTH_HEADER);
+        
+        if (count($username) !== 1)
+        {
+            // Invalid configuration of Proxy
+            throw new \Exception("ReverseProxyAuthMiddleware: Invalid username from proxy: " . var_dump($username));
+        }
+
+        $username = $username[0];
+
+        $user = $db->users()->where('username', $username)->fetch();
+        
+        if ($user == null)
+        {
+            $user = UsersService::getInstance()->CreateUser($username, '', '', '');
+        }
+
+        return $user;
+    }
+}
diff --git a/middleware/SessionAuthMiddleware.php b/middleware/SessionAuthMiddleware.php
index 94895e05..aa0b2de6 100644
--- a/middleware/SessionAuthMiddleware.php
+++ b/middleware/SessionAuthMiddleware.php
@@ -1,73 +1,38 @@
 <?php
 
+
 namespace Grocy\Middleware;
 
-use Psr\Http\Message\ServerRequestInterface as Request;
-use Psr\Http\Server\RequestHandlerInterface as RequestHandler;
 use Psr\Http\Message\ResponseFactoryInterface;
-use Psr\Http\Message\ResponseInterface as Response;
-use Slim\Routing\RouteContext;
+use Psr\Http\Message\ServerRequestInterface as Request;
 
 use Grocy\Services\SessionService;
-use Grocy\Services\LocalizationService;
 
-class SessionAuthMiddleware extends BaseMiddleware
+class SessionAuthMiddleware extends AuthMiddleware
 {
-	public function __construct(\DI\Container $container, string $sessionCookieName, ResponseFactoryInterface $responseFactory)
-	{
-		parent::__construct($container);
-		$this->SessionCookieName = $sessionCookieName;
-		$this->ResponseFactory = $responseFactory;
-	}
+    public function __construct(\DI\Container $container, ResponseFactoryInterface $responseFactory)
+    {
+        parent::__construct($container, $responseFactory);
+        $this->SessionCookieName = $this->AppContainer->get('LoginControllerInstance')->GetSessionCookieName();
+    }
 
-	protected $SessionCookieName;
-	protected $ResponseFactory;
+    protected $SessionCookieName;
 
-	public function __invoke(Request $request, RequestHandler $handler): Response
-	{
-		$routeContext = RouteContext::fromRequest($request);
-		$route = $routeContext->getRoute();
-		$routeName = $route->getName();
-		$sessionService = SessionService::getInstance();
+    function authenticate(Request $request)
+    {
+        if (!defined('GROCY_SHOW_AUTH_VIEWS'))
+        {
+            define('GROCY_SHOW_AUTH_VIEWS', true);
+        }
 
-		if ($routeName === 'root')
-		{
-			$response = $handler->handle($request);
-		}
-		elseif (GROCY_MODE === 'dev' || GROCY_MODE === 'demo' || GROCY_MODE === 'prerelease' || GROCY_IS_EMBEDDED_INSTALL || GROCY_DISABLE_AUTH)
-		{
-			$user = $sessionService->GetDefaultUser();
-			define('GROCY_AUTHENTICATED', true);
-			define('GROCY_USER_USERNAME', $user->username);
-
-			$response = $handler->handle($request);
-		}
-		else
-		{
-			if ((!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName])) && $routeName !== 'login')
-			{
-				define('GROCY_AUTHENTICATED', false);
-				$response = $this->ResponseFactory->createResponse();
-				return $response->withHeader('Location', $this->AppContainer->get('UrlManager')->ConstructUrl('/login'));
-			}
-			else
-			{
-				if ($routeName !== 'login')
-				{
-					$user = $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
-					define('GROCY_AUTHENTICATED', true);
-					define('GROCY_USER_USERNAME', $user->username);
-					define('GROCY_USER_ID', $user->id);
-				}
-				else
-				{
-					define('GROCY_AUTHENTICATED', false);
-				}
-
-				$response = $handler->handle($request);
-			}
-		}
-
-		return $response;
-	}
+        $sessionService = SessionService::getInstance();
+        if (!isset($_COOKIE[$this->SessionCookieName]) || !$sessionService->IsValidSession($_COOKIE[$this->SessionCookieName]))
+        {
+            return null;
+        }
+        else
+        {
+            return $sessionService->GetUserBySessionKey($_COOKIE[$this->SessionCookieName]);
+        }
+    }
 }
diff --git a/routes.php b/routes.php
index 4da065c0..11117c72 100644
--- a/routes.php
+++ b/routes.php
@@ -1,13 +1,14 @@
 <?php
 
+use Grocy\Middleware\AuthMiddleware;
 use Psr\Http\Message\ServerRequestInterface as Request;
 use Psr\Http\Message\ResponseInterface as Response;
 use Slim\Routing\RouteCollectorProxy;
 
 use Grocy\Middleware\JsonMiddleware;
 use Grocy\Middleware\CorsMiddleware;
-use Grocy\Middleware\SessionAuthMiddleware;
-use Grocy\Middleware\ApiKeyAuthMiddleware;
+
+$authMiddlewareClass = GROCY_AUTH_CLASS;
 
 $app->group('', function(RouteCollectorProxy $group)
 {
@@ -134,7 +135,7 @@ $app->group('', function(RouteCollectorProxy $group)
 	$group->get('/api', '\Grocy\Controllers\OpenApiController:DocumentationUi');
 	$group->get('/manageapikeys', '\Grocy\Controllers\OpenApiController:ApiKeysList');
 	$group->get('/manageapikeys/new', '\Grocy\Controllers\OpenApiController:CreateNewApiKey');
-})->add(new SessionAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $app->getResponseFactory()));
+})->add(new $authMiddlewareClass($container, $app->getResponseFactory()));
 
 $app->group('/api', function(RouteCollectorProxy $group)
 {
@@ -255,7 +256,7 @@ $app->group('/api', function(RouteCollectorProxy $group)
 		$group->get('/calendar/ical/sharing-link', '\Grocy\Controllers\CalendarApiController:IcalSharingLink');
 	}
 })->add(JsonMiddleware::class)
-->add(new ApiKeyAuthMiddleware($container, $container->get('LoginControllerInstance')->GetSessionCookieName(), $container->get('ApiKeyHeaderName')));
+->add(new $authMiddlewareClass($container, $app->getResponseFactory()));
 
 // Handle CORS preflight OPTIONS requests
 $app->options('/api/{routes:.+}', function(Request $request, Response $response): Response
diff --git a/services/UsersService.php b/services/UsersService.php
index 14810db0..42f298d2 100644
--- a/services/UsersService.php
+++ b/services/UsersService.php
@@ -12,7 +12,7 @@ class UsersService extends BaseService
 			'last_name' => $lastName,
 			'password' => password_hash($password, PASSWORD_DEFAULT)
 		));
-		$newUserRow->save();
+		return $newUserRow->save();
 	}
 
 	public function EditUser(int $userId, string $username, string $firstName, string $lastName, string $password)
diff --git a/views/layout/default.blade.php b/views/layout/default.blade.php
index 616c851b..3872148f 100644
--- a/views/layout/default.blade.php
+++ b/views/layout/default.blade.php
@@ -313,7 +313,7 @@
 			</ul>
 
 			<ul class="navbar-nav ml-auto">
-				@if(GROCY_AUTHENTICATED === true && !GROCY_IS_EMBEDDED_INSTALL)
+				@if(GROCY_AUTHENTICATED === true && !GROCY_IS_EMBEDDED_INSTALL && GROCY_SHOW_AUTH_VIEWS)
 				<li class="nav-item dropdown">
 					<a class="nav-link dropdown-toggle discrete-link" href="#" data-toggle="dropdown"><i class="fas fa-user"></i> {{ GROCY_USER_USERNAME }}</a>
 
@@ -416,9 +416,11 @@
 						<a class="dropdown-item discrete-link" href="{{ $U('/taskssettings') }}"><i class="fas fa-tasks"></i>&nbsp;{{ $__t('Tasks settings') }}</a>
 						@endif
 						<div class="dropdown-divider"></div>
+						@if(GROCY_SHOW_AUTH_VIEWS)
 						<a class="dropdown-item discrete-link" href="{{ $U('/users') }}"><i class="fas fa-users"></i>&nbsp;{{ $__t('Manage users') }}</a>
 						<div class="dropdown-divider"></div>
 						<a class="dropdown-item discrete-link" href="{{ $U('/manageapikeys') }}"><i class="fas fa-handshake"></i>&nbsp;{{ $__t('Manage API keys') }}</a>
+						@endif
 						<a class="dropdown-item discrete-link" target="_blank" href="{{ $U('/api') }}"><i class="fas fa-book"></i>&nbsp;{{ $__t('REST API & data model documentation') }}</a>
 						<a class="dropdown-item discrete-link" href="{{ $U('/barcodescannertesting') }}"><i class="fas fa-barcode"></i>&nbsp;{{ $__t('Barcode scanner testing') }}</a>
 						<div class="dropdown-divider"></div>