Backend

Allowing mobile apps to work with services using Organizr server auth

When using server authenication to reach these services you will have trouble using apps like nzb360/Plexpy Remote ect. But by adding an extra block or line in your nginx config you can get around that!

 Allowing /api

One way is to open access to the /api location so that nzb360 or Tautulli Remote can access just that page.

Note: If you use server authentication on your main server block, adding basic auth  to the /api block won’t work.

The way to get around this is with adding auth_request off; to the block.

In the example below I have added
location /tautulli/api {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/api;
}
inside the Tautulli subdirectory block. This will turn off auth request for /tautulli/api

location /tautulli {
   proxy_pass http://192.168.1.34:8181;
   include /config/nginx/proxy.conf;
   proxy_bind $server_addr;
   proxy_set_header X-Forwarded-Host $server_name;
   proxy_set_header X-Forwarded-Ssl on; 
location /tautulli/api {
   auth_request off;
   proxy_pass http://192.168.1.34:8181/tautulli/api;
   }
}

Plexpy Remote and nzb360 Settings

Sonarr Settings
Radarr Settings
Sab Settings
PlexPy Settings

Basic auth

You can use http auth (.htaccess) and embed the username and password into the URL. e.g. https://username:[email protected]/url So for that to work with nzb360 you need to add username:[email protected] in IP/Host Address and /service in Server Port for Service

Note: This will not work if you use Organizr Server Authentication on your main server block /auth-admin /auth_user Use a subdomain instead.

Create your .htpasswd file and add it to the block. This will protect /service with an extra layer of security.

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd YOUR-USER-NAME

Use the include syntax and create a basicauth.conf that you include in the block.

include /config/nginx/basicauth.conf;

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

If you choose to put the .htaccess in your root folder you can block access to it with this:

location ~ /\. { 
return 404; 
}

Subdomain example

By using subdomains you can have your cake and eat it too! Now you can have server authentication on your sub directories and http auth on your subdomain.

Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api method.

https://github.com/wcomartin/PlexPy-Remote/issues/53

server {
listen 80;
server_name service.domain.com;
return 301 https://service.domain.com$request_uri;
}

server {
listen 443 ssl http2;
server_name service.domain.com;
include /config/nginx/ssl.conf;

location / {
proxy_pass http://IP:PORT;
#Don't add base URL to the proxy_pass
include /config/nginx/proxy.conf;
include /config/nginx/basicauth.conf;
} 
}

By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned! Read more here

8
Backend
  • Share:
GilbN
Author

GilbN

Just a regular dude from Norway that recently got into servers. Likes long walks on the beach while watching grafana statistics and thinking "Is it really worth it?" "Yes... yes it is"

Related Article
Security
Fail2ban with Organizr and Letsencrypt on unRAID
Read Article
Related Article
Backend
Migrating my UPS data in InfluxDB to a new InfluxDB container
Read Article
Related Article
Security
Banning with basic auth and Fail2Ban
Read Article

Read More