Allowing mobile apps to work with services using Organizr server auth

When using server authenication to reach these services you will have trouble using apps like nzb360/Plexpy Remote ect. But by adding an extra block or line in your nginx config you can get around that!

 Allowing /api

One way is to open access to the /api location so that nzb360 or Tautulli Remote can access just that page.

Note: If you use server authentication on your main server block, adding basic auth  to the /api block won’t work.

The way to get around this is with adding auth_request off; to the block.

In the example below I have added
location /tautulli/api {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/api;
}
inside the Tautulli subdirectory block. This will turn off auth request for /tautulli/api

 location /tautulli {
    auth_request /auth-4;   #=User 
    proxy_pass http://192.168.1.34:8181;
    include /config/nginx/proxy.conf;   
    proxy_set_header    Host                $host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Host    $server_name;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_bind              $server_addr;
    proxy_set_header X-Forwarded-Host   $server_name;
    proxy_set_header X-Forwarded-Ssl        on;
    proxy_redirect  http://         $scheme://;
# TAUTULLI ALLOW API FOR MOBILE APP
location /tautulli/api {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/api;
    }
# TAUTULLI ALLOW SELFHOSTED NEWLETTER   
location /tautulli/newsletter {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/newsletter;
    }
# TAUTULLI ALLOW SELFHOSTED IMAGES      
location /tautulli/image {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/image;
    }   
}

Plexpy Remote and nzb360 Settings

Basic auth

You can use http auth (.htaccess) and embed the username and password into the URL. e.g. https://username:[email protected]/url So for that to work with nzb360 you need to add username:[email protected] in IP/Host Address and /service in Server Port for Service

Note: This will not work if you use Organizr Server Authentication on your main server block /auth-admin /auth_user Use a subdomain instead.

Create your .htpasswd file and add it to the block. This will protect /service with an extra layer of security.

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd YOUR-USER-NAME

Use the include syntax and create a basicauth.conf that you include in the block.

include /config/nginx/basicauth.conf;

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

If you choose to put the .htaccess in your root folder you can block access to it with this:

location ~ /\. { 
return 404; 
}

Subdomain example

By using subdomains you can have your cake and eat it too! Now you can have server authentication on your sub directories and http auth on your subdomain.

Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api method.

https://github.com/wcomartin/PlexPy-Remote/issues/53

server {
listen 80;
server_name service.domain.com;
return 301 https://service.domain.com$request_uri;
}

server {
listen 443 ssl http2;
server_name service.domain.com;
include /config/nginx/ssl.conf;

location / {
proxy_pass http://IP:PORT;
#Don't add base URL to the proxy_pass
include /config/nginx/proxy.conf;
include /config/nginx/basicauth.conf;
} 
}

By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned! Read more here