From b6a27616c1b52ed4b4a41ed888f89a1418a47d82 Mon Sep 17 00:00:00 2001
From: Christoph Haas <christoph.h@sprinternet.at>
Date: Thu, 11 Dec 2025 18:38:26 +0100
Subject: [PATCH] allow setting a base-path for the web UI and API (#583)

---
 cmd/wg-portal/main.go                         |   2 +-
 config.yml.sample                             |   9 +-
 docs/documentation/configuration/overview.md  |  10 +-
 .../getting-started/reverse-proxy.md          |  10 ++
 frontend/index.html                           |   1 +
 frontend/src/App.vue                          |   3 +-
 frontend/src/views/SettingsView.vue           |   4 +-
 .../api/core/assets/img/header-logo-small.png | Bin 7713 -> 709 bytes
 internal/app/api/core/assets/tpl/index.gohtml |  20 +--
 .../app/api/core/assets/tpl/prt_nav.gohtml    |   2 +-
 .../app/api/core/assets/tpl/rapidoc.gohtml    |   2 +-
 internal/app/api/core/server.go               | 132 +++++++++++++++---
 .../app/api/v0/handlers/endpoint_config.go    |   8 +-
 .../api/v0/handlers/frontend_config.js.gotpl  |   1 +
 internal/app/api/v0/handlers/web_session.go   |   6 +-
 internal/app/auth/auth.go                     |   4 +-
 internal/config/config.go                     |   1 +
 internal/config/web.go                        |  12 ++
 18 files changed, 177 insertions(+), 50 deletions(-)

diff --git a/cmd/wg-portal/main.go b/cmd/wg-portal/main.go
index cd5fd7e..da1b06c 100644
--- a/cmd/wg-portal/main.go
+++ b/cmd/wg-portal/main.go
@@ -84,7 +84,7 @@ func main() {
 	internal.AssertNoError(err)
 	userManager.StartBackgroundJobs(ctx)
 
-	authenticator, err := auth.NewAuthenticator(&cfg.Auth, cfg.Web.ExternalUrl, eventBus, userManager)
+	authenticator, err := auth.NewAuthenticator(&cfg.Auth, cfg.Web.ExternalUrl, cfg.Web.BasePath, eventBus, userManager)
 	internal.AssertNoError(err)
 	authenticator.StartBackgroundJobs(ctx)
 
diff --git a/config.yml.sample b/config.yml.sample
index 9e5ef5d..5d4c594 100644
--- a/config.yml.sample
+++ b/config.yml.sample
@@ -11,18 +11,11 @@ core:
 
 web:
   external_url: http://localhost:8888
+  base_path: ""
   request_logging: true
-  # Optional path where custom frontend files are stored.
-  # If this folder contains at least one file, it will override the embedded frontend.
-  # If the folder is empty or does not exist on startup, the embedded frontend will be
-  # written into it. Leave empty to use the embedded frontend only.
   frontend_filepath: ""
 
 mail:
-  # Path where custom email templates (.gotpl and .gohtml) are stored.
-  # If the directory is empty on startup, the default embedded templates
-  # will be written there so you can modify them.
-  # Leave empty to use embedded templates only.
   templates_path: ""
 
 webhook:
diff --git a/docs/documentation/configuration/overview.md b/docs/documentation/configuration/overview.md
index b926ddd..ded802b 100644
--- a/docs/documentation/configuration/overview.md
+++ b/docs/documentation/configuration/overview.md
@@ -88,6 +88,7 @@ auth:
 web:
   listening_address: :8888
   external_url: http://localhost:8888
+  base_path: ""
   site_company_name: WireGuard Portal
   site_title: WireGuard Portal
   session_identifier: wgPortalSession
@@ -800,9 +801,16 @@ Without a valid `external_url`, the login process may fail due to CSRF protectio
 ### `external_url`
 - **Default:** `http://localhost:8888`
 - **Environment Variable:** `WG_PORTAL_WEB_EXTERNAL_URL`
-- **Description:** The URL where a client can access WireGuard Portal. This URL is used for generating links in emails and for performing OAUTH redirects.  
+- **Description:** The URL where a client can access WireGuard Portal. This URL is used for generating links in emails and for performing OAUTH redirects.
+  The external URL must not contain a path component or trailing slash. If you want to serve WireGuard Portal on a subpath, use the `base_path` setting.
   **Important:** If you are using a reverse proxy, set this to the external URL of the reverse proxy, otherwise login will fail. If you access the portal via IP address, set this to the IP address of the server.
 
+### `base_path`
+- **Default:** *(empty)*
+- **Environment Variable:** `WG_PORTAL_WEB_BASE_PATH`
+- **Description:** The base path for the web server (e.g., `/wgportal`). 
+  By default (meaning an empty value), the portal will be served from the root path `/`.
+
 ### `site_company_name`
 - **Default:** `WireGuard Portal`
 - **Environment Variable:** `WG_PORTAL_WEB_SITE_COMPANY_NAME`
diff --git a/docs/documentation/getting-started/reverse-proxy.md b/docs/documentation/getting-started/reverse-proxy.md
index e1fad58..4bf07ae 100644
--- a/docs/documentation/getting-started/reverse-proxy.md
+++ b/docs/documentation/getting-started/reverse-proxy.md
@@ -84,6 +84,16 @@ web:
   external_url: https://wg.domain.com
 ```
 
+If you want to serve the web interface on a different base-path, you can also set the `web.base_path` option:
+
+```yaml
+web:
+  external_url: https://wg.domain.com
+  base_path: /subpath
+```
+
+The WireGuard Portal will then be available at `https://wg.domain.com/subpath`.
+
 ### Built-in TLS
 
 If you prefer to let WireGuard Portal handle TLS itself, you can use the built-in TLS support.
diff --git a/frontend/index.html b/frontend/index.html
index 287ef99..8aed737 100644
--- a/frontend/index.html
+++ b/frontend/index.html
@@ -9,6 +9,7 @@
     <script>
       // global config, will be overridden by backend if available
       let WGPORTAL_BACKEND_BASE_URL="http://localhost:5000/api/v0";
+      let WGPORTAL_BASE_PATH="";
       let WGPORTAL_VERSION="unknown";
       let WGPORTAL_SITE_TITLE="WireGuard Portal";
       let WGPORTAL_SITE_COMPANY_NAME="WireGuard Portal";
diff --git a/frontend/src/App.vue b/frontend/src/App.vue
index 8810855..e135fae 100644
--- a/frontend/src/App.vue
+++ b/frontend/src/App.vue
@@ -85,6 +85,7 @@ const languageFlag = computed(() => {
 const companyName = ref(WGPORTAL_SITE_COMPANY_NAME);
 const wgVersion = ref(WGPORTAL_VERSION);
 const currentYear = ref(new Date().getFullYear())
+const webBasePath = ref(WGPORTAL_BASE_PATH);
 
 const userDisplayName = computed(() => {
   let displayName = "Unknown";
@@ -113,7 +114,7 @@ const userDisplayName = computed(() => {
 
   <nav class="navbar navbar-expand-lg navbar-dark bg-primary">
     <div class="container-fluid">
-      <a class="navbar-brand" href="/"><img :alt="companyName" src="/img/header-logo.png" /></a>
+      <RouterLink class="navbar-brand" :to="{ name: 'home' }"><img :alt="companyName" :src="webBasePath + '/img/header-logo.png'" /></RouterLink>
       <button aria-controls="navbarColor01" aria-expanded="false" aria-label="Toggle navigation" class="navbar-toggler"
         data-bs-target="#navbarTop" data-bs-toggle="collapse" type="button">
         <span class="navbar-toggler-icon"></span>
diff --git a/frontend/src/views/SettingsView.vue b/frontend/src/views/SettingsView.vue
index 2e8c2f6..45509ea 100644
--- a/frontend/src/views/SettingsView.vue
+++ b/frontend/src/views/SettingsView.vue
@@ -9,6 +9,8 @@ const profile = profileStore()
 const settings = settingsStore()
 const auth = authStore()
 
+const webBasePath = ref(WGPORTAL_BASE_PATH);
+
 onMounted(async () => {
   await profile.LoadUser()
   await auth.LoadWebAuthnCredentials()
@@ -241,7 +243,7 @@ const updatePassword = async () => {
           </button>
         </div>
         <div class="col-6">
-          <a href="/api/v1/doc.html" target="_blank" :alt="$t('settings.api.api-link')">{{ $t('settings.api.api-link') }}</a>
+          <a :href="webBasePath + '/api/v1/doc.html'" target="_blank" :alt="$t('settings.api.api-link')">{{ $t('settings.api.api-link') }}</a>
         </div>
       </div>
     </div>
diff --git a/internal/app/api/core/assets/img/header-logo-small.png b/internal/app/api/core/assets/img/header-logo-small.png
index 474353501cda27cea79ef6281049f0b5a5015b34..caaf5e373786439383ef796a95fa24d3f7292ed7 100644
GIT binary patch
literal 709
zcmV;$0y_PPP)<h;3K|Lk000e1NJLTq002M$002M;1^@s6s%dfF00001b5ch_0olnc
ze*gdg1ZP1_K>z@;j|==^1poj5AY({UO#lFTCIA3{ga82g0001h=l}q9FaQARU;qF*
zm;eA5aGbhPJOBUy24YJ`L;wH)0002_L%V+f000SaNLh0L01FcU01FcV0GgZ_00007
zbV*G`2k8t97Yq_K+&SU^00Id~L_t(|+U;9gZp1JMG$;q@wR-K|qi1k`x>8gnG1$yN
zy5W1*z?ip5YY#p2)+7ujz4z`GOhj%Az>LCKphy+PU&>j|hy+5aC_a1UDi~71)H6X)
zmh$pTX60M^Y$6|4S!OR|W8M1ee~#PwYOQ@A{r*gb-h202gRo8BD<C?BD%;<y)g9ZN
zg&&<`u>`4P`Uoo<@!gm=!Y*^6X%J!N2w+ARs9AxJ3BptiU`72ag(GD+<D=O=cvZzQ
ztRWo$mP?$TpV`kJ@mXz*ylx;_zBiL55g<Taz+=Aq-!fx@qEMa@)&fHLAh<lC8GsON
z1@tVyp7~L`L2K~J><j*OiHc5tqcgKhVy)o&M<Cob2xchpFG}GoP_?p>Z`BNCC|{}+
zUdb3G09X}nfAgNlkn%1t+YqrxqEYsaxH87&d!Dq1k=gPWT}udp*;z+dLGjCh2y*`B
znG7+TB}%lN@pH@kFx&z%vcS<;+_OkgE)818VOQ?~%oaIp`g#=j5W7Fo3t7tY@hD#|
zHxoogX~sNZJ5$QT+?w_>2PCk^(L3!9xd5oN#esBFW%_SQw>RLa)!NfCE>Ho4)j(>I
zojw+~0vh?o=&l4Kqy5Yd5OaH+vMY>Ub6MdfC_$n@K)ospQlKahkWcEuFiT|Pl={gG
r3JB&B#q-%5qoAq$;p9UPy*d2=gZR6z_o5Cc00000NkvXXu0mjfU5F;V

literal 7713
zcmeHMc{r5q_n&0nl6^Nu(O?)1GbTgXx3SCE8?!JN%gorLg={5}vP7~ag{&b8Wht`n
zWNQ&hT127x4fVcn@Ados^Zu^i_rLeKu4lXNb3W&s&pG#fJ?DB7tSpSU*hSd^005VX
zvAzxcuDx@zGSjcr)|>hO0Ow-39foFu4FLvF{D~xA0+1FKKmZa#Nkjl3baExrk@5z~
ztN)`i(Tzc6Z+ENR{`=8xQMn8x$15va_^$@ElUi?_(!f<#H>DLWjg|h`c7EFYC83<3
z&qJx?2JJnc_s#MTdE&1vr&iZlw<3Rh35xX8xdyLO7B6mc3;XUk81!u_EJ7_nQZ)B@
zPM&JH@@A*9cm3OR7QHcDHx%VWMtWYj$j5iv58aq28_HxxQdjHx??||8<YMQ>7O!$T
ze0F*JIwbjIocS6NFR}XU<ET_q#7WJ$&toF9>v1>a)^wHn`!YA?R$j5~`6_QwCv`<V
zzdTl1dGq4sDY>oBVV^R}=E}{s^)3#re0ddydokuXk=N|3nfB(=R;c!|H<rng`OVSF
z)sJV?8oi|VFVo1&WQ8rhv6KtfV-s6zY4|7^*^g27Zf9>vrajc^7zpEXF2j*4TP>za
z$7_=xal3H(iKKs>dlnFttEk<$%$!++Pf8a^kNi9&M9~bMj1GajzjeDS`RMHkyMkqR
zQLo2SZ`bWLLR5Hk{M|FPMh)%k&Dlf8U&InEW*g3*$26P~4LLRImaLQIV98uy=;&O?
zJ06v_IPgH`^lZYqi?HT3l-H*wP9D&e3kV!a1n4trboFgYPWLG9W8E{N<%gwQ<o0S9
z!UG4HR{0vh7U>IDd^d`ekQQRSdx?0^rhc4&>ag)K)|AaBc~*LmO<|Ao;026F667nt
zjXC&L;q~#VzSfr+w!IB6vz$L1OvBhbDN1v43L4p)Re2-Jr=<37M;2FiQlpqq&8X`J
zYRxNrxgp&xLM*M1RptWh<Dr5J8q;fh+Zm(<M`8|n!T?-W@!VA5PSvuvZb<^1_kd}t
zqQR{i=h5<-sPJz<pY^V+smwu+PY|E%p07PI_K1WmHQojD3cQvN`ysDl&BKXYt)vB*
zr;&Z>Ic~Xv1z)EgVG+*mdxzE`Assm)BTv7{`^(1d3!~m4_IfQxWi<4KZOQxCcJ_~p
z9B#CV4iCMTyy`$Ihe-tIURY>UjtbvC2|s}17{H`uiJ!=3F{wnd+>`v$QIy}wTPn46
zo^i~$QW)%aIWnSze3|Tj|9EfqdX#_fv&IcE>cS^KcQwxk95a?ZnL4kZhfx<YhqZCN
zTJGSJ8lF*3p|hE4cSb&VQWt8G-+g<xZ$RGlWX^_6=%Agi#TXBLmo5EvQlrq?b#z0*
zb_A#9KCfjs`2L=uof#%yT7WR|0di$Vu%OjGrLJHzrt+@MN_TtMOH2fI+)}R6^2MbZ
z@d3b4uSPKk8Pj&;j7fb(6G!L8a*MwHbwi$XcZr@y37#6EUpi{<cR5~o?Upp!SL-;v
z-0*sIyLurz1}tc8dqRx*Wn5^@tGw%4q>ms&EzxPDowk;!fA&%9BZaHI)VAUL<;BO%
zZ@eTePXs=Fv95A~t+<@eCg>dP;>?z+z~^TXkJ;>lg%)2Z^$#95)Oa-yAu?N-CU#2@
zOb<l9?-q|`%Y%OrJ;9xr`O$h*_x!&4V<tTGP^wgqK6Sk3Uec!Fk)mqMA$fiY<5`}<
z**l``9Vc#4wU4hoh*fF7Zp({Y1KwU9s*fXj{H~LW>3sN0964~@4rSYhey}uMA}}6E
z({FI{;1Q&yKdntjyCNOm8Mz^z_eh}Z*g^4oO2zp@F`Ukl`o)~7=RPihk2H11e=lRa
znUKsh7re)67S|y;VO=^@cmNg4EprXLF<}<eeHIhT`w3}Qm$iko;UPTK1VRUu+E23s
z-s@+PkCYi5#*EIox7RzMmJ1ID#xwTeqGwW?rrQ(3`9>m=nR~9b&x*p5l^%HapQwAy
z5}oJGfUmzWc_fDy4OWk{b1n}=@E39oXBq4Xdb3eo>&W)*qefRH2sK|ND_fY^FYuDd
zRn6J(B!A-AR}8pT5M9gEo}KdafT2NR>dT{k69OfVGWIQ=<74tlG-(ePJ=`}F7r)^X
zYfn_E23cw`2``<#T(WH;u*$XaB@M)Nny=KVcw3gA$E%w8Av5YA7<i|{17BT&>^xp}
z)N-<czY-%cE%eMBa2^!2KIqCFI{Dc-eXQ`4DmH`K?x+A6ENSfEzIfsgIFdcRvnu6c
z@pQqdc8~<PRP@u+Gi@LDVgg{JixN7_oBNI{;3SM8`nY^5<XRoLmM>}i@k+0l@b!6N
z6l9NBN7w3Y4qdy+Yv1;gw*`kw+AH|ETb@1`4lJ>^Iwvj7@>)>_{Z_ez@wBm2VxJK_
zY9c=bBhLtkRm7)@0-3r>6GeOGFov_pv{zNZ7i4<R0JRO}Znvyr(n{cCj3NVWdP7qe
zuc1Wt=O9L}vTU2^n7l0sDy(*8eKoKr#-uhCnivsg>NurS;H1uGt@X9oVbY1evydel
zZf|xz(#q%X&D3RXpPoZe59I}n9c|?vSKJ=*;{+wL-r0OscGgR%<i;}V)uB~eS5M{<
zjH28UU!GY)QxeI+lBymQqeeZ=o8#o3wGRo4cPu!y?5k81%jV6Ld&A22@<-{E3ArOG
z)vr3fH%ai3k|jiGi#OJJ<Ah~#L)??3jU>s8nygTfG>@8U-09Rd$@#AO?wa#d=KB(h
zlC6Ax>@$o5^*mp*j!BxQ&P-5)G4Bm<rL6--D|*)s?vILd4t~qJ74bgxu1X{yGf&}R
z>sv>A$nxyQ{Z~?h349>nk#8l_a!L%Byu7%YJDy53cE<3!T#1$H(!cWVT}{LhZ1EB!
zF5)8JH;!O(^XOZ!S|V}Qcb-G6E37hK<1U-bhTywZPx#3NL8;`0?d!GWN#IMSb@vWL
znp7$-4XeIib}&~QI;d&p2DU&)GsHdYHK{4>>)+t}9#Qapa|v;oqIuzt`dGLBU5)L=
z*@E$#Xpckv3V5TsNVym0?Hx~OkDX-~__qhl`#+P6-B8@$_FZiH@T@5=urL`r92wpd
zV>qC83vW~jerPLC_Li??@~7CCPqKzyF)XC?qTdbjXhg%EmYjqXpA9(*ISH6LA1*4A
zo^TxEdaT{BB`P=UP^>7QZT}E4Y~%_I5Ep;Yn;nM8%h(sl;Bx9jC+5THj_3roXluts
z7kske#~MGoIr|odALxf|K6Mm1>#W4}Qx7y{YC^hTRp|Muc-b67i(!?u>bIE!4D<3-
z%Of4}xwo%ld##GS+_=;qUq4<=b(!am7mc02@GVmZ1JqN84jObmUu3^qLqXn={=^=^
zW0A8Bzh2g(#jtXss_q?M&GrOnWY&q1fn7@q{p4tD)7(`??xqicT!9a@-g6iG7$KbR
z1u%==$Y_UJ*;7x;nNC<T^)<9uycd!Wd}MJeB8Km9P=ADkqF6+pi6Q$o!)buD0vq~B
zu2-K_!=@dpvTd?P`*3B=R;0t`UaD!7(ZjCVqZ!TSIiZQtaSJ`l%O>Zp5A=BLWpHDw
zzjnP?WS;aW)TuE$v0Vlc1K+;S)NgW|`+<vCQjtWE4%6eq5#2_|2?51v(+K0SP@7Pu
z%<?`%S*GRvccW}w*E+X8`#a>?erYQaX?7WWc8ATx!{7d@kZQF*PRwJY;C%n(rF9?7
zAr<W);#uJivqYzmD$iTT1_F4J><L5Mk>_3Cl{;icxjiU;swrQemmxQ55Zir29l?(8
zTA|oCzUIOwMXX&&j*6;#cfUaUxb@j|oRdA`C5AQ|QwCrw(;Vq6s;@o4mWN*Z#93i5
zD+Z9%f>xX;NZYG0xDI{72qq1|_OQ0Kj^yc;flR@*3HQ!%5zLD8Zt0$CU8v%M2waXf
z8NSjY8-8j+>2#7+JdfZ3M0VJIt`*kB16B8#S$&OL_tXvt9hn88Bkeox_P^1s1f~e_
zP}h7}xqAj4;eTw-j&PR?Qu{92wrSRUiSO}m-*=yR<j{<_gC3~#l97=y<M4?2!NC!=
z?=6=yk}nxnOBcS0;IQ(nh=A08I*N(2^f=y;KT=Xl+AhCd7j^u;YtAtL=aQE?GC>AR
z3EfxQY<n|JOh;L_MtRN{QZ5M&e8$#Xt$*&eHVM8yz+8?~OK3*kXyRmbw}0ik44^O}
zU1+Jy^@X_j__(r`JQ2x*(C_IIro#zQ!A=D)!XIj1cCauj$Y*-eUX>Xm%P(}|a#az?
zu&g(BPN0pQz;FLm>g6h6zD31?#j`(cv)S{k)x;-hd;EgFj;=4j6;p<}y4Db9`qj83
ze|jH$&!Xzup5A=^W$*>K7v~QyFP@VN;;bj*Fj;vlO{yWMf;``FmA|ZEbo(}PNJS?H
z^+P!PRfc6u+PAq!-7BqeHxM}zhk}dkq=K?f&g#5<KlX?_RW!{rcjvR}|L|=ECkOiX
zZa?V$PMQ?D8XV)0H#pwRR`X*cR(Q1HAm_Hwp!PSgr`L;G0ANovNl(wpL{IOJo`>G)
zWJji;j2|5lZ+EvfNJ)$~C`90IS_md4BD@6>t)z$9%a9o^n@niYRDL0&*4nwbPLGk+
zc1H&mhod~(fIu3>hL*znBc0!=Ei~X+a>#~c$SNSu8k;pDzyh1r7<v+u(NmU)y2HcM
z!2^o#eyX}~0L(P|At)K(zUraX{o`3~fqRcLCu@9L^;0PMIoI<g^weCFr8x1R<3VjX
zN%+#4wqzFvt*93+G{?D2tlFh(a@>69+PRM*GcKDag(f0yc_UwOI40ZoI%n6KCe^-s
z;x63vMxooKSo6#Q!AeFp5dW~1A(Mtj&2k~ecqr;&r&QoK-Ufck<<`fQr{rOe%cZvW
zMTPhX$jUVpS}`m}1!gB(U-uO98kKmxH6EBHcjUcD{ovGh@4Xpc58R&_%{OXk(Fh2f
z9!*2dQCNhdRPnaKML=|(6=0@s@hYWd4$@z@@OgByb7}9zymA|OORF^WSmE2C+>njn
z_4U=vV<&Yk&r)iqvLN^9t*I!9-hyJ#=181BSqY2x_aG>Rk^|^1DgdCR6B>ZU`4DJ8
z4}vGj4+UCnYz6^IcofJ%9SubX=n=d~#^Dr#ZMcOUF5CyFi3jOuvulMS=>TK`4GRn<
z`}$Flp(xNUE|UJdGpq~(?uyWSP#_H23aIB#Apl`YFeNC&Ae0oW3esi=YEke+q>aAe
zF9`Y@3gktj1t67`LqbB7Le!M}DW1wInwpx*P*r7BRR~=ILJjkyVM8H)RGA%!pBVZC
zDvm-5pppFjfIFC25C0$<3Iw9h1OM=k9Dqju3GYY!#R8oV<xp&ZvWgN^nM_vxU4u$9
z2&RMla_B#5Q0?fQys`~}>K{bG5e$L}el(fiA@I0A^#g(^zPsVzamoZ=0+}vKrCU|`
zn@J-RwAG&)I}~`5$N{@rbh7^@Nh1;eBI|Fy?ab_k^SdK-^*?d{CjCe3yTWuSG#aVz
zj|<vy&qN;u+Odzs`{PJ><nE&eRt>JHN+d$m2`~f%231jmc;JXo2vHLc!$NTc0$d&O
z8<dG3m4@}h5q6;H;7TMqjye{HhpIw7AnKZ$FbIsGiHBgJSak>-2G@W=)ex$hc<65s
zmJ|}bDzU!5d$j|Fr$b>0Fc=;OSA!671P=%dON2u_U<4dQji8Re;XM#U6$D`y3Xek?
z`cueQdOAsDtS3P^z|V7cVux_#Q7aP^NLA^l)!h**Uo4GCS3rTxNq#}0e~H?W$OKy&
zc85(B4Vb!`rUq0)RUL*<S5x~-=oo=QrB~t(rV3O^?I-R|T9EW$=)_`o>XZ(!t3i(i
zsYfATY5o*De}7*TXvYEIj^=K81GRo8#h65;ON8xI{I8m~B?SI_`?&;sNxM@(;BMI>
zvACZ`sMufve%BCP@8=ZG3+v}eps(*=1@*@`=|3e)T@$MTSBFFJP&_@~s#qdqC({s|
zrm6~7O&vi*5Qu+Ar}`6VAy^9Gs3$#AdNlL`+KmQyXqQUx-=#ym2s=DM>1!LR3Q>jH
zsj4AW;YgUO0#pSFg@TlS1+2WYs{e>sOZk6sqO~jV+crSg`#DD6Ug*1(@}Jw)FV1#o
z{4XBAa`9iZK!^U<$UoxuU%LLK>mM=jkA(lNu7BzJM-2QU;eV^^|BWv8zZxEbAN?yR
zgx=1CYQkLTtq`+^nGyYm-Olk<ukj@P#ui}gNCg0tWOmLyp+!2u^g$My3EF^Vfq`F8
zO#YFbxCj8iz+|F-)Xr;WWvuU<rL}m+hu2hC(zv-PSCMts0fM=Pt%hKJt0A~lF~;VS
zuA+IcDcfNJ3HMRxx^LllMpBg(=5b%1O4l9PndBZ<udLOaOyWD&NVnTtw|hT58(O(0
zQ<P?73jXuLAs7TFOI1V~4=%?aSJ^w^CcD&7$WfH`B<pp!Z*B_gPzkI*L<^)8tjL{x
z2?knfDtuxP3k2OGCmTD7?RN$}?^7(=@|{hJN27acR_gXwKCoR<Z?T-(YlebCnK=7+
zZ%T!}T97E=fHR+0U+Y)})Dd0805j^-!l6zM;R^317RmXD0O2pk8|_}}wY(N2PPX*k
zJDz;H8y$%|qFm98oY`YuYquHYdh>n@V@1=_EE|+_JHYG|ISA`EsXeN@6x~8QSL8o-
zR+FvCD{n2Zj`a(d?;<~u={?i<bih*e2qNNCGDM)+NobM%eZ~A>K?{89+sM~wLDQ2}
z(?j6?Tgw}@4XuOew=!qG{OGDU`&@2Wcbd@;hS@|yv5o#6pIc+ilE;)LZ@=a?4o8jU
zn+@t}$WNzQn2Dy=+)w)$)!_~Cojn)t%2mqUY&vOe8a7&qfXb8lvZu1*m8KMK3qf;T
z``t|}LC@{<x0iV;y4S5uwhokC^{GQ7s}vtZrP9jMKFY#p|H=scX>jlhOV@OX%FDFp
R6*~oFVql?Pu6z8<{{YN)*@XZA

diff --git a/internal/app/api/core/assets/tpl/index.gohtml b/internal/app/api/core/assets/tpl/index.gohtml
index 3a65f84..553d980 100644
--- a/internal/app/api/core/assets/tpl/index.gohtml
+++ b/internal/app/api/core/assets/tpl/index.gohtml
@@ -6,9 +6,9 @@
     <meta name="viewport" content="width=device-width, initial-scale=1.0, shrink-to-fit=no">
     <title>WireGuard Portal API</title>
     <meta name="description" content="WireGuard Portal API">
-    <link rel="stylesheet" href="/css/bootstrap.min.css">
-    <link rel="stylesheet" href="/fonts/fontawesome-all.min.css">
-    <link rel="shortcut icon" type="image/x-icon" href="/app/favicon.ico">
+    <link rel="stylesheet" href="{{$.BasePath}}/css/bootstrap.min.css">
+    <link rel="stylesheet" href="{{$.BasePath}}/fonts/fontawesome-all.min.css">
+    <link rel="shortcut icon" type="image/x-icon" href="{{$.BasePath}}/app/favicon.ico">
 </head>
 
 <body id="page-top" class="d-flex flex-column min-vh-100">
@@ -25,7 +25,7 @@
                 <div class="card-header">SPA Api</div>
                 <div class="card-body">
                     <p class="card-text">This endpoint is used by the Single Page Application (the Frontend/UI).</p>
-                    <a href="/api/v0/doc.html" title="API version 0" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
+                    <a href="{{$.BasePath}}/api/v0/doc.html" title="API version 0" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
                 </div>
             </div>
         </div>
@@ -34,7 +34,7 @@
                 <div class="card-header"><b>Version 1</b></div>
                 <div class="card-body">
                     <p class="card-text">This is the current main API endpoint.</p>
-                    <a href="/api/v1/doc.html" title="API version 1" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
+                    <a href="{{$.BasePath}}/api/v1/doc.html" title="API version 1" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
                 </div>
             </div>
         </div>
@@ -43,17 +43,17 @@
                 <div class="card-header">Version 2</div>
                 <div class="card-body">
                     <p class="card-text">This will be a future API version, it is currently work in progress.</p>
-                    <a href="/api/v2/doc.html" title="API version 2" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
+                    <a href="{{$.BasePath}}/api/v2/doc.html" title="API version 2" target="_blank" rel="noopener noreferrer" class="btn btn-primary btn-sm">Open Documentation</a>
                 </div>
             </div>
         </div>
     </div>
 </div>
 {{template "prt_footer.gohtml" .}}
-<script src="/js/jquery.min.js"></script>
-<script src="/js/jquery.easing.js"></script>
-<script src="/js/popper.min.js"></script>
-<script src="/js/bootstrap.bundle.min.js"></script>
+<script src="{{$.BasePath}}/js/jquery.min.js"></script>
+<script src="{{$.BasePath}}/js/jquery.easing.js"></script>
+<script src="{{$.BasePath}}/js/popper.min.js"></script>
+<script src="{{$.BasePath}}/js/bootstrap.bundle.min.js"></script>
 </body>
 
 </html>
\ No newline at end of file
diff --git a/internal/app/api/core/assets/tpl/prt_nav.gohtml b/internal/app/api/core/assets/tpl/prt_nav.gohtml
index 9337daf..2ebd535 100644
--- a/internal/app/api/core/assets/tpl/prt_nav.gohtml
+++ b/internal/app/api/core/assets/tpl/prt_nav.gohtml
@@ -3,7 +3,7 @@
         <span class="navbar-toggler-icon"></span>
     </button>
 
-    <a class="navbar-brand" href="/"><img src="/img/header-logo.png" alt="Prolicht"/></a>
+    <a class="navbar-brand" href="/"><img src="{{$.BasePath}}/img/header-logo.png" alt="Prolicht"/></a>
     <div id="topNavbar" class="navbar-collapse collapse">
         <ul class="navbar-nav mr-auto mt-2 mt-lg-0">
         </ul>
diff --git a/internal/app/api/core/assets/tpl/rapidoc.gohtml b/internal/app/api/core/assets/tpl/rapidoc.gohtml
index 4f23962..492d2cb 100644
--- a/internal/app/api/core/assets/tpl/rapidoc.gohtml
+++ b/internal/app/api/core/assets/tpl/rapidoc.gohtml
@@ -22,7 +22,7 @@
             allow-spec-file-load="false"
             allow-spec-file-download="true"
     >
-        <img slot="logo" src="/img/header-logo-small.png" style="width:50px; height:50px"/>
+        <img slot="logo" src="{{$.BasePath}}/img/header-logo-small.png" style="width:50px; height:50px"/>
 
         <p slot="footer" style="margin:0; padding:16px 36px; background-color:#f76b39; color:#fff; text-align:center;" >
             Copyright © WireGuard Portal {{$.Year}}, version {{$.Version}}
diff --git a/internal/app/api/core/server.go b/internal/app/api/core/server.go
index 5ed8746..6b82ed8 100644
--- a/internal/app/api/core/server.go
+++ b/internal/app/api/core/server.go
@@ -10,6 +10,8 @@ import (
 	"net/http"
 	"os"
 	"path/filepath"
+	"regexp"
+	"strings"
 	"time"
 
 	"github.com/go-pkgz/routegroup"
@@ -37,6 +39,7 @@ type ApiEndpointSetupFunc func() (ApiVersion, GroupSetupFn)
 type Server struct {
 	cfg      *config.Config
 	server   *routegroup.Bundle
+	root     *routegroup.Bundle // root is the web-root (potentially with path prefix)
 	tpl      *respond.TemplateRenderer
 	versions map[ApiVersion]*routegroup.Bundle
 }
@@ -77,13 +80,42 @@ func NewServer(cfg *config.Config, endpoints ...ApiEndpointSetupFunc) (*Server,
 		template.Must(template.New("").ParseFS(apiTemplates, "assets/tpl/*.gohtml")),
 	)
 
-	// Serve static files
+	// Mount base path if configured
+	s.root = s.server
+	if s.cfg.Web.BasePath != "" {
+		s.root = s.server.Mount(s.cfg.Web.BasePath)
+	}
+
+	// Serve static files (under base path if configured)
 	imgFs := http.FS(fsMust(fs.Sub(apiStatics, "assets/img")))
-	s.server.HandleFiles("/css", http.FS(fsMust(fs.Sub(apiStatics, "assets/css"))))
-	s.server.HandleFiles("/js", http.FS(fsMust(fs.Sub(apiStatics, "assets/js"))))
-	s.server.HandleFiles("/img", imgFs)
-	s.server.HandleFiles("/fonts", http.FS(fsMust(fs.Sub(apiStatics, "assets/fonts"))))
-	s.server.HandleFiles("/doc", http.FS(fsMust(fs.Sub(apiStatics, "assets/doc"))))
+	s.root.HandleFiles("/css", http.FS(fsMust(fs.Sub(apiStatics, "assets/css"))))
+	s.root.HandleFiles("/js", http.FS(fsMust(fs.Sub(apiStatics, "assets/js"))))
+	s.root.HandleFiles("/img", imgFs)
+	s.root.HandleFiles("/fonts", http.FS(fsMust(fs.Sub(apiStatics, "assets/fonts"))))
+	if cfg.Web.BasePath == "" {
+		s.root.HandleFiles("/doc", http.FS(fsMust(fs.Sub(apiStatics, "assets/doc"))))
+	} else {
+		customV0File, _ := fs.ReadFile(fsMust(fs.Sub(apiStatics, "assets/doc")), "v0_swagger.yaml")
+		customV1File, _ := fs.ReadFile(fsMust(fs.Sub(apiStatics, "assets/doc")), "v1_swagger.yaml")
+		customV0File = []byte(strings.Replace(string(customV0File),
+			"basePath: /api/v0", "basePath: "+cfg.Web.BasePath+"/api/v0", 1))
+		customV1File = []byte(strings.Replace(string(customV1File),
+			"basePath: /api/v1", "basePath: "+cfg.Web.BasePath+"/api/v1", 1))
+
+		s.root.HandleFunc("GET /doc/", func(w http.ResponseWriter, r *http.Request) {
+			if r.URL.Path == s.cfg.Web.BasePath+"/doc/v0_swagger.yaml" {
+				respond.Data(w, http.StatusOK, "application/yaml", customV0File)
+				return
+			}
+
+			if r.URL.Path == s.cfg.Web.BasePath+"/doc/v1_swagger.yaml" {
+				respond.Data(w, http.StatusOK, "application/yaml", customV1File)
+				return
+			}
+
+			respond.Status(w, http.StatusNotFound)
+		})
+	}
 
 	// Setup routes
 	s.setupRoutes(endpoints...)
@@ -128,14 +160,14 @@ func (s *Server) Run(ctx context.Context, listenAddress string) {
 }
 
 func (s *Server) setupRoutes(endpoints ...ApiEndpointSetupFunc) {
-	s.server.HandleFunc("GET /api", s.landingPage)
+	s.root.HandleFunc("GET /api", s.landingPage)
 	s.versions = make(map[ApiVersion]*routegroup.Bundle)
 
 	for _, setupFunc := range endpoints {
 		version, groupSetupFn := setupFunc()
 
 		if _, ok := s.versions[version]; !ok {
-			s.versions[version] = s.server.Mount(fmt.Sprintf("/api/%s", version))
+			s.versions[version] = s.root.Mount(fmt.Sprintf("/api/%s", version))
 
 			// OpenAPI documentation (via RapiDoc)
 			s.versions[version].HandleFunc("GET /swagger/index.html", s.rapiDocHandler(version)) // Deprecated: old link
@@ -149,16 +181,17 @@ func (s *Server) setupRoutes(endpoints ...ApiEndpointSetupFunc) {
 
 func (s *Server) setupFrontendRoutes() {
 	// Serve static files
-	s.server.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
-		respond.Redirect(w, r, http.StatusMovedPermanently, "/app")
+	s.root.HandleFunc("/", func(w http.ResponseWriter, r *http.Request) {
+		respond.Redirect(w, r, http.StatusMovedPermanently, s.cfg.Web.BasePath+"/app")
 	})
 
-	s.server.HandleFunc("/favicon.ico", func(w http.ResponseWriter, r *http.Request) {
-		respond.Redirect(w, r, http.StatusMovedPermanently, "/app/favicon.ico")
+	s.root.HandleFunc("/favicon.ico", func(w http.ResponseWriter, r *http.Request) {
+		respond.Redirect(w, r, http.StatusMovedPermanently, s.cfg.Web.BasePath+"/app/favicon.ico")
 	})
 
 	// If a custom frontend path is configured, serve files from there when it contains content.
 	// If the directory is empty or missing, populate it with the embedded frontend-dist content first.
+	useEmbeddedFrontend := true
 	if s.cfg.Web.FrontendFilePath != "" {
 		if err := os.MkdirAll(s.cfg.Web.FrontendFilePath, 0755); err != nil {
 			slog.Error("failed to create frontend base directory", "path", s.cfg.Web.FrontendFilePath, "error", err)
@@ -181,34 +214,93 @@ func (s *Server) setupFrontendRoutes() {
 			if ok {
 				// serve files from FS
 				slog.Debug("serving frontend files from custom path", "path", s.cfg.Web.FrontendFilePath)
-				s.server.HandleFiles("/app", http.Dir(s.cfg.Web.FrontendFilePath))
-				return
+				useEmbeddedFrontend = false
 			}
 		}
 	}
 
-	// Fallback: serve embedded frontend files
-	s.server.HandleFiles("/app", http.FS(fsMust(fs.Sub(frontendStatics, "frontend-dist"))))
+	var fileServer http.Handler
+	if useEmbeddedFrontend {
+		fileServer = http.FileServer(http.FS(fsMust(fs.Sub(frontendStatics, "frontend-dist"))))
+	} else {
+		fileServer = http.FileServer(http.Dir(s.cfg.Web.FrontendFilePath))
+	}
+	fileServer = http.StripPrefix(s.cfg.Web.BasePath+"/app", fileServer)
+
+	// Modify index.html and CSS to include the correct base path.
+	var customIndexFile, customCssFile []byte
+	var customCssFileName string
+	if s.cfg.Web.BasePath != "" {
+		customIndexFile, customCssFile, customCssFileName = s.updateBasePathInFrontend(useEmbeddedFrontend)
+	}
+
+	s.root.HandleFunc("GET /app/", func(w http.ResponseWriter, r *http.Request) {
+		// serve a custom index.html file with the correct base path applied
+		if s.cfg.Web.BasePath != "" && r.URL.Path == s.cfg.Web.BasePath+"/app/" {
+			respond.Data(w, http.StatusOK, "text/html", customIndexFile)
+			return
+		}
+
+		// serve a custom CSS file with the correct base path applied
+		if s.cfg.Web.BasePath != "" && r.URL.Path == s.cfg.Web.BasePath+"/app/assets/"+customCssFileName {
+			respond.Data(w, http.StatusOK, "text/css", customCssFile)
+			return
+		}
+
+		// pass all other requests to the file server
+		fileServer.ServeHTTP(w, r)
+	})
 }
 
 func (s *Server) landingPage(w http.ResponseWriter, _ *http.Request) {
 	s.tpl.HTML(w, http.StatusOK, "index.gohtml", respond.TplData{
-		"Version": internal.Version,
-		"Year":    time.Now().Year(),
+		"BasePath": s.cfg.Web.BasePath,
+		"Version":  internal.Version,
+		"Year":     time.Now().Year(),
 	})
 }
 
 func (s *Server) rapiDocHandler(version ApiVersion) http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
 		s.tpl.HTML(w, http.StatusOK, "rapidoc.gohtml", respond.TplData{
-			"RapiDocSource": "/js/rapidoc-min.js",
-			"ApiSpecUrl":    fmt.Sprintf("/doc/%s_swagger.yaml", version),
+			"RapiDocSource": s.cfg.Web.BasePath + "/js/rapidoc-min.js",
+			"BasePath":      s.cfg.Web.BasePath,
+			"ApiSpecUrl":    fmt.Sprintf("%s/doc/%s_swagger.yaml", s.cfg.Web.BasePath, version),
 			"Version":       internal.Version,
 			"Year":          time.Now().Year(),
 		})
 	}
 }
 
+func (s *Server) updateBasePathInFrontend(useEmbeddedFrontend bool) ([]byte, []byte, string) {
+	if s.cfg.Web.BasePath == "" {
+		return nil, nil, "" // nothing to do
+	}
+
+	var customIndexFile []byte
+	if useEmbeddedFrontend {
+		customIndexFile, _ = fs.ReadFile(fsMust(fs.Sub(frontendStatics, "frontend-dist")), "index.html")
+	} else {
+		customIndexFile, _ = os.ReadFile(filepath.Join(s.cfg.Web.FrontendFilePath, "index.html"))
+	}
+	newIndexStr := strings.ReplaceAll(string(customIndexFile), "src=\"/", "src=\""+s.cfg.Web.BasePath+"/")
+	newIndexStr = strings.ReplaceAll(newIndexStr, "href=\"/", "href=\""+s.cfg.Web.BasePath+"/")
+
+	re := regexp.MustCompile(`/app/assets/(index-.+.css)`)
+	match := re.FindStringSubmatch(newIndexStr)
+	cssFileName := match[1]
+
+	var customCssFile []byte
+	if useEmbeddedFrontend {
+		customCssFile, _ = fs.ReadFile(fsMust(fs.Sub(frontendStatics, "frontend-dist")), "assets/"+cssFileName)
+	} else {
+		customCssFile, _ = os.ReadFile(filepath.Join(s.cfg.Web.FrontendFilePath, "/assets/", cssFileName))
+	}
+	newCssStr := strings.ReplaceAll(string(customCssFile), "/app/assets/", s.cfg.Web.BasePath+"/app/assets/")
+
+	return []byte(newIndexStr), []byte(newCssStr), cssFileName
+}
+
 func fsMust(f fs.FS, err error) fs.FS {
 	if err != nil {
 		panic(err)
diff --git a/internal/app/api/v0/handlers/endpoint_config.go b/internal/app/api/v0/handlers/endpoint_config.go
index 9936644..1c5d744 100644
--- a/internal/app/api/v0/handlers/endpoint_config.go
+++ b/internal/app/api/v0/handlers/endpoint_config.go
@@ -67,7 +67,8 @@ func (e ConfigEndpoint) RegisterRoutes(g *routegroup.Bundle) {
 // @Router /config/frontend.js [get]
 func (e ConfigEndpoint) handleConfigJsGet() http.HandlerFunc {
 	return func(w http.ResponseWriter, r *http.Request) {
-		backendUrl := fmt.Sprintf("%s/api/v0", e.cfg.Web.ExternalUrl)
+		basePath := e.cfg.Web.BasePath
+		backendUrl := fmt.Sprintf("%s%s/api/v0", e.cfg.Web.ExternalUrl, basePath)
 		if request.Header(r, "x-wg-dev") != "" {
 			referer := request.Header(r, "Referer")
 			host := "localhost"
@@ -76,12 +77,13 @@ func (e ConfigEndpoint) handleConfigJsGet() http.HandlerFunc {
 			if err == nil {
 				host, port, _ = net.SplitHostPort(parsedReferer.Host)
 			}
-			backendUrl = fmt.Sprintf("http://%s:%s/api/v0", host,
-				port) // override if request comes from frontend started with npm run dev
+			backendUrl = fmt.Sprintf("http://%s:%s%s/api/v0", host,
+				port, basePath) // override if request comes from frontend started with npm run dev
 		}
 
 		e.tpl.Render(w, http.StatusOK, "frontend_config.js.gotpl", "text/javascript", map[string]any{
 			"BackendUrl":      backendUrl,
+			"BasePath":        basePath,
 			"Version":         internal.Version,
 			"SiteTitle":       e.cfg.Web.SiteTitle,
 			"SiteCompanyName": e.cfg.Web.SiteCompanyName,
diff --git a/internal/app/api/v0/handlers/frontend_config.js.gotpl b/internal/app/api/v0/handlers/frontend_config.js.gotpl
index 034f34b..fe0735e 100644
--- a/internal/app/api/v0/handlers/frontend_config.js.gotpl
+++ b/internal/app/api/v0/handlers/frontend_config.js.gotpl
@@ -1,4 +1,5 @@
 WGPORTAL_BACKEND_BASE_URL="{{ $.BackendUrl }}";
+WGPORTAL_BASE_PATH="{{ $.BasePath }}";
 WGPORTAL_VERSION="{{ $.Version }}";
 WGPORTAL_SITE_TITLE="{{ $.SiteTitle }}";
 WGPORTAL_SITE_COMPANY_NAME="{{ $.SiteCompanyName }}";
diff --git a/internal/app/api/v0/handlers/web_session.go b/internal/app/api/v0/handlers/web_session.go
index 1e12eaa..fcb6eca 100644
--- a/internal/app/api/v0/handlers/web_session.go
+++ b/internal/app/api/v0/handlers/web_session.go
@@ -49,7 +49,11 @@ func NewSessionWrapper(cfg *config.Config) *SessionWrapper {
 	sessionManager.Cookie.Secure = strings.HasPrefix(cfg.Web.ExternalUrl, "https")
 	sessionManager.Cookie.HttpOnly = true
 	sessionManager.Cookie.SameSite = http.SameSiteLaxMode
-	sessionManager.Cookie.Path = "/"
+	if cfg.Web.BasePath != "" {
+		sessionManager.Cookie.Path = cfg.Web.BasePath
+	} else {
+		sessionManager.Cookie.Path = "/"
+	}
 	sessionManager.Cookie.Persist = false
 
 	wrappedSessionManager := &SessionWrapper{sessionManager}
diff --git a/internal/app/auth/auth.go b/internal/app/auth/auth.go
index 1ad1718..af8b0f6 100644
--- a/internal/app/auth/auth.go
+++ b/internal/app/auth/auth.go
@@ -99,7 +99,7 @@ type Authenticator struct {
 }
 
 // NewAuthenticator creates a new Authenticator instance.
-func NewAuthenticator(cfg *config.Auth, extUrl string, bus EventBus, users UserManager) (
+func NewAuthenticator(cfg *config.Auth, extUrl, basePath string, bus EventBus, users UserManager) (
 	*Authenticator,
 	error,
 ) {
@@ -107,7 +107,7 @@ func NewAuthenticator(cfg *config.Auth, extUrl string, bus EventBus, users UserM
 		cfg:                 cfg,
 		bus:                 bus,
 		users:               users,
-		callbackUrlPrefix:   fmt.Sprintf("%s/api/v0", extUrl),
+		callbackUrlPrefix:   fmt.Sprintf("%s%s/api/v0", extUrl, basePath),
 		oauthAuthenticators: make(map[string]AuthenticatorOauth, len(cfg.OpenIDConnect)+len(cfg.OAuth)),
 		ldapAuthenticators:  make(map[string]AuthenticatorLdap, len(cfg.Ldap)),
 	}
diff --git a/internal/config/config.go b/internal/config/config.go
index d9ffe54..ee5be08 100644
--- a/internal/config/config.go
+++ b/internal/config/config.go
@@ -149,6 +149,7 @@ func defaultConfig() *Config {
 		RequestLogging:    getEnvBool("WG_PORTAL_WEB_REQUEST_LOGGING", false),
 		ExposeHostInfo:    getEnvBool("WG_PORTAL_WEB_EXPOSE_HOST_INFO", false),
 		ExternalUrl:       getEnvStr("WG_PORTAL_WEB_EXTERNAL_URL", "http://localhost:8888"),
+		BasePath:          getEnvStr("WG_PORTAL_WEB_BASE_PATH", ""),
 		ListeningAddress:  getEnvStr("WG_PORTAL_WEB_LISTENING_ADDRESS", ":8888"),
 		SessionIdentifier: getEnvStr("WG_PORTAL_WEB_SESSION_IDENTIFIER", "wgPortalSession"),
 		SessionSecret:     getEnvStr("WG_PORTAL_WEB_SESSION_SECRET", "very_secret"),
diff --git a/internal/config/web.go b/internal/config/web.go
index 407356c..4dadb87 100644
--- a/internal/config/web.go
+++ b/internal/config/web.go
@@ -11,6 +11,10 @@ type WebConfig struct {
 	// ExternalUrl is the URL where a client can access WireGuard Portal.
 	// This is used for the callback URL of the OAuth providers.
 	ExternalUrl string `yaml:"external_url"`
+	// BasePath is an optional URL path prefix under which the whole web UI and API are served.
+	// Example: "/wg" will make the UI available at /wg/app and the API at /wg/api.
+	// Empty string means no prefix (served from root path).
+	BasePath string `yaml:"base_path"`
 	// ListeningAddress is the address and port for the web server.
 	ListeningAddress string `yaml:"listening_address"`
 	// SessionIdentifier is the session identifier for the web frontend.
@@ -35,4 +39,12 @@ type WebConfig struct {
 
 func (c *WebConfig) Sanitize() {
 	c.ExternalUrl = strings.TrimRight(c.ExternalUrl, "/")
+
+	// normalize BasePath: allow empty, otherwise ensure leading slash, no trailing slash
+	p := strings.TrimSpace(c.BasePath)
+	p = strings.TrimRight(p, "/")
+	if p != "" && !strings.HasPrefix(p, "/") {
+		p = "/" + p
+	}
+	c.BasePath = p
 }