Allowing apps to work with services using Organizr server auth

When using server authenication to reach these services you will have trouble using apps like nzb360/Plexpy Remote ect. But by adding an extra block or line in your nginx config you can get around that!

 Allowing /api

One way is to open access to the /api page so that nzb360 or Plexpy Remote can access just that page.

Note: If you use server authentication on your main server block, adding basic auth  to the /api block wont work.

Example:

PlexPy

# PLEXPY ALLOW API FOR MOBILE APP
location /plexpy/api {
proxy_pass http://192.168.1.34:8181/plexpy/api;
include /config/nginx/proxy.conf;
proxy_bind $server_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on; 
}

Plexpy Remote and nzb360 Settings

Basic auth

You can use http auth (.htaccess) and embed the username and password into the URL. e.g. https://username:[email protected]/url So for that to work with nzb360 you need to add username:[email protected] in IP/Host Address and /service in Server Port for Service

Note: This will not work if you use Organizr Server Authentication on your main server block /auth-admin /auth_user Use a subdomain instead.

Create your .htpasswd file and add it to the block. This will protect /service with an extra layer of security.

Use this command to create a .htpasswd file. Just drop the docker part if you don’t use that.

docker exec -it letsencrypt htpasswd -c /config/nginx/.htpasswd YOUR-USER-NAME

Use the include syntax and create a basicauth.conf that you include in the block.

include /config/nginx/basicauth.conf;

basicauth.conf contents

auth_basic "Restricted";
auth_basic_user_file /config/nginx/.htpasswd;

If you choose to put the .htaccess in your root folder you can block access to it with this:

location ~ /\. { 
return 404; 
}

Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api method.

https://github.com/wcomartin/PlexPy-Remote/issues/53

Example:

Sabnzbd

# SABNZBD redirect
location /sabnzbd {
return 301 /sabnzbd/;
}
# SABNZBD
location /sabnzbd/ {
include /config/nginx/basicauth.conf;
include /config/nginx/proxy.conf;
proxy_pass http://192.168.1.34:8383/sabnzbd/;
}

Subdomains

By using subdomains you can have your cake and eat it too! Now you can have server authentication on your sub directories and http auth on your subdomain.

Note: Using basic auth will for the time being not work on the Tautulli Remote app. So for now you can just use the /api method.

https://github.com/wcomartin/PlexPy-Remote/issues/53

server {
listen 80;
server_name service.domain.com;
return 301 https://service.domain.com$request_uri;
}

server {
listen 443 ssl http2;
server_name service.domain.com;

location / {
proxy_pass http://IP:PORT;
#Don't add base URL to the proxy_pass
include /config/nginx/proxy.conf;
include /config/nginx/basicauth.conf;
} 

}

By using basic auth on you apps there is nothing stopping people from trying to brute force their way in. But by implementing Fail2ban, you can give the user or intruder x amount of retries before getting banned! Read more here

W.