Allowing mobile apps to work with services using Organizr server auth

When using server authenication to reach these services you will have trouble using apps like nzb360/Plexpy Remote ect. But by adding an extra block or line in your nginx config you can get around that!

 Allowing /api

One way is to open access to the /api location so that nzb360 or Tautulli Remote can access just that page.

Note: If you use server authentication on your main server block, adding basic auth  to the /api block won’t work.

The way to get around this is with adding auth_request off; to the block.

In the example below I have added
location /tautulli/api {
auth_request off;
proxy_pass http://192.168.1.34:8181/tautulli/api;
}
inside the Tautulli subdirectory block. This will turn off auth request for /tautulli/api

 location /tautulli {
    auth_request /auth-4;   #=User 
    proxy_pass http://192.168.1.34:8181;
    include /config/nginx/proxy.conf;   
    proxy_set_header    Host                $host;
    proxy_set_header    X-Real-IP           $remote_addr;
    proxy_set_header    X-Forwarded-Host    $server_name;
    proxy_set_header    X-Forwarded-For     $proxy_add_x_forwarded_for;
    proxy_bind              $server_addr;
    proxy_set_header X-Forwarded-Host   $server_name;
    proxy_set_header X-Forwarded-Ssl        on;
    proxy_redirect  http://         $scheme://;
# TAUTULLI ALLOW API FOR MOBILE APP
location /tautulli/api {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/api;
    }
# TAUTULLI ALLOW SELFHOSTED NEWLETTER   
location /tautulli/newsletter {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/newsletter;
    }
# TAUTULLI ALLOW SELFHOSTED IMAGES      
location /tautulli/image {
    auth_request off;
    proxy_pass http://192.168.1.34:8181/tautulli/image;
    }   
}

Plexpy Remote and nzb360 Settings

Basic auth

You can use http auth (.htaccess) and embed the username and password into the URL. e.g. https://username:[email protected]/url So for that to work with nzb360 you need to add username:[email protected] in IP/Host Address and /service in Server Port for Service

Note: This will not work if you use Organizr server auth with Organizr Error pages! You will need to remove the custom error_pages lines. 

Create your .htpasswd file and add it to the block. This will protect /service with an extra layer of security.

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd YOUR-USER-NAME

Use the include syntax and create a basicauth.conf that you include in the block.

include /config/nginx/basicauth.conf;

# SABNZBD ALLOW API FOR MOBILE APPS
location /sabnzbd/api {
    auth_request off;
    include /config/nginx/basicauth.conf;
    proxy_pass http://192.168.1.34:8383/sabnzbd/api;
    }

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

If you choose to put the .htaccess in your root folder you can block access to it with this:

location ~ /. { 
return 404; 
}

Subdomain example

Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api method.

https://github.com/wcomartin/PlexPy-Remote/issues/53

server {
listen 80;
server_name service.domain.com;
return 301 https://service.domain.com$request_uri;
}

server {
listen 443 ssl http2;
server_name service.domain.com;
include /config/nginx/ssl.conf;

location / {
proxy_pass http://IP:PORT;
#Don't add base URL to the proxy_pass
include /config/nginx/proxy.conf;
include /config/nginx/basicauth.conf;
} 
}

By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned! Read more here