When using server authenication to reach these services you will have trouble using apps like nzb360/Plexpy Remote ect. But by adding an extra block or line in your nginx config you can get around that!
Allowing /api
One way is to open access to the /api location so that nzb360 or Tautulli Remote can access just that page.
Note: If you use server authentication on your main server block, adding basic auth to the /api block won’t work.
The way to get around this is with adding auth_request off;
to the block.
In the example below I have added
location /tautulli/api {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/api;
}
inside the Tautulli subdirectory block. This will turn off auth request for /tautulli/api
location /tautulli {
auth_request /auth-4; #=User
proxy_pass http://192.168.1.34:8181;
include /config/nginx/proxy.conf;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_bind $server_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
proxy_redirect http:// $scheme://;
# TAUTULLI ALLOW API FOR MOBILE APP
location /tautulli/api {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/api;
}
# TAUTULLI ALLOW SELFHOSTED NEWLETTER
location /tautulli/newsletter {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/newsletter;
}
# TAUTULLI ALLOW SELFHOSTED IMAGES
location /tautulli/image {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/image;
}
}
Plexpy Remote and nzb360 Settings
Basic auth
You can use http auth (.htaccess) and embed the username and password into the URL. e.g. https://username:[email protected]/url
So for that to work with nzb360 you need to add username:[email protected]
in IP/Host Address and /service
in Server Port for Service
Note: This will not work if you use Organizr server auth with Organizr Error pages! You will need to remove the custom error_pages lines.
Create your .htpasswd file and add it to the block. This will protect /service with an extra layer of security.
Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.
docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd YOUR-USER-NAME
Use the include
syntax and create a basicauth.conf that you include in the block.
include /config/nginx/basicauth.conf;
# SABNZBD ALLOW API FOR MOBILE APPS
location /sabnzbd/api {
auth_request off;
include /config/nginx/basicauth.conf;
proxy_pass http://192.168.1.34:8383/sabnzbd/api;
}
basicauth.conf contents
auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;
If you choose to put the .htaccess in your root folder you can block access to it with this:
location ~ /. {
return 404;
}
Subdomain example
Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api
method.
https://github.com/wcomartin/PlexPy-Remote/issues/53
server {
listen 80;
server_name service.domain.com;
return 301 https://service.domain.com$request_uri;
}
server {
listen 443 ssl http2;
server_name service.domain.com;
include /config/nginx/ssl.conf;
location / {
proxy_pass http://IP:PORT;
#Don't add base URL to the proxy_pass
include /config/nginx/proxy.conf;
include /config/nginx/basicauth.conf;
}
}
By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned! Read more here