Comments (33)
I've found a workaround of sorts for this. It'll only work for certain setups like mine.
My setup:
To access my organizr install you go to mydomain.com and to access plexpy you'd go to mydomain.com/plexpy
I use nginx with location and proxy_pass statements
location /plexpy {
add_header X-Frame-Options "SAMEORIGIN";
proxy_pass http://127.0.0.1:8181;
}
y for this example let's assume it's exposed to the web to anyone
However if I modify the login sections of user.php to set another cookie like below:
setcookie("OrganizrRand", "test", time() + (86400 * 7), "/");
and then I check for this cookie in nginx at the location block
location /plexpy {
if ($cookie_OrganizrRand != "test") { return 403; }
add_header X-Frame-Options "SAMEORIGIN";
proxy_pass http://127.0.0.1:8181;
}
this is now returning 403 to anyone who hasn't successfully logged into my organizr installation.
This should totally be doable in apache also, I'd just have to fiddle a bit to suggest the relevant config options.
from organizr.
You would need something like this in a location block in the vhost iirc
RewriteEngine On
RewriteCond %{HTTP_COOKIE} !cookie_name=specific_value [NC]
RewriteRule ^ https://mydomain.com [NC,L,R=302]
from organizr.
This was suggested earlier but I didn't have any success on implementation. It would have to be a php script that works flawlessly :/
from organizr.
This would be amazing
As currently I have http auth set up on all my tabs... /sonarr etc
Currently I have Idashboard (also with http auth) and guest enabled for all tabs meaning I only need to enter my user and password once for them all.
from organizr.
+1 on this one. I would love to get rid of htaccess
from organizr.
I've been playing around with a few php proxies and they all suck :/
from organizr.
+1 on this. It would be awesome to use Organizr over a secure proxy with SSL.
from organizr.
Like this? https://drive.google.com/file/d/0BzPd75yQAJYhWG1keDJpWU9QZVU/view?usp=sharing
from organizr.
@2wheelsdown that is another webserver, won't help us here :(
from organizr.
@ImperialXT
do you still have http auth set up for each sub site?
from organizr.
@ImperialXT that is actually really good. you weren't able to use the cookie that Organizr already sets?
from organizr.
@causefx no because I'm checking the content of that cookie and nginx needs to know what content to look for. It's not just a simple is the cookie set check
from organizr.
@phairplay no because the cookie check is enough for me
from organizr.
@ImperialXT I just added this into the code, you will set a cookie password in the settings and edit your nginx configuration to:
location /plexpy {
if ($cookie_cookiePassword != "PASSWORDHERE") { return 403; }
add_header X-Frame-Options "SAMEORIGIN";
proxy_pass http://127.0.0.1:8181;
}
at least now it will survive upgrades for you. I will push a new update tomorrow.
from organizr.
@causefx excellent thanks for that
from organizr.
@ImperialXT nah man thank you, that was an excellent idea.
from organizr.
@ImperialXT update is live
from organizr.
@causefx thanks. I'll pull it down. I've also submitted a pull request to fix up the .gitignore file :)
from organizr.
nice, thank you, just merged it into develop.
from organizr.
does anyone use Apache? would love to test this new version with that so we can add it to the wiki
from organizr.
nice, just need someone to test it :)
from organizr.
In nginx, this doesn't work for any location that needs a rewrite to function properly. Is there any solution for this?
from organizr.
@evulhotdog are you able to give me an example of what you're talking about? I can probably figure something out.
from organizr.
@ImperialXT So this works, for forwarding, but I can access it, even if the cookie is not set and the referrer isn't 10.0.0.10.
location /monit/ {
rewrite /monit/(.*) /$1 break;
proxy_pass http://10.0.0.10:8083;
valid_referers 10.0.0.10 ~.;
if ($invalid_referer) { return 401; }
if ($cookie_cookiePassword != "the_pw") { return 403; }
}
from organizr.
@causefx even after moving it to the bottom of the block, there's no difference. I've moved a few things around before thinking that maybe it had some order of operations, but I don't think it does.
from organizr.
@evulhotdog
try this
location /monit/ {
if ($cookie_cookiePassword != "the_pw") { return 403; }
rewrite /monit/(.*) /$1 break;
valid_referers 10.0.0.10 ~.;
if ($invalid_referer) { return 401; }
proxy_pass http://10.0.0.10:8083;
}
I'm not quite sure what you're expecting to accomplish with the valid_referers part.
from organizr.
That seems to work w/ the cookie, but the $invalid_referer does not. Any idea why?
from organizr.
> That seems to work w/ the cookie, but the $invalid_referer does not. Any idea why?
Not sure to be honest, as I'm not quite sure what you're trying to achieve with it.
What's the purpose of the $invalid_referer check?
from organizr.
It only allows you to refer from 10.0.0.10. This is just another check to prevent accessing https://site.com/sonarr/ directly and to force all traffic through the root and use that authentication. Essentially ensuring that only that IP can talk to... that IP, for those locations.
Works for every single location, just not the ones with a rewrite in them (from what I can tell.)
from organizr.
seems a bit pointless with the cookie check also in place. But try putting it before the rewrite.
from organizr.
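Why checks placed after the rewrite never fire, as an added example that is not from any poster in this thread: the `break` flag on `rewrite` stops further ngx_http_rewrite_module directives in that location, and `if` and `return` belong to that module, so both checks have to come first. The address and the `the_pw` placeholder are the ones used in the thread.

```nginx
location /monit/ {
    # valid_referers only defines $invalid_referer; where it sits in the
    # block does not matter. The "~." regex matches any text after the
    # scheme, so this list only rejects a missing or malformed Referer.
    # Referer is sent by the client, so it is a hint, not authentication.
    valid_referers 10.0.0.10 ~.;

    # if/return are rewrite-module directives and are evaluated in order.
    if ($invalid_referer) { return 401; }
    if ($cookie_cookiePassword != "the_pw") { return 403; }

    # "break" ends rewrite-module processing for this location: an if/return
    # written below this line would never be evaluated.
    rewrite /monit/(.*) /$1 break;

    proxy_pass http://10.0.0.10:8083;
}
```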
Have a look at #141. Auth_request is a better solution to protect URLs for nginx users. No static shared secret, everything happens on the server side, and the nginx configuration is cleaner.
Edit: Also note this could be pretty easily expanded to auth not only simple logged in/logged out status, but also whether the logged in Organizr user has access to that specific location block in nginx. It's really flexible since the script tells nginx whether or not to permit access to the URL.
from organizr.
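The auth_request layout described above, as an added example and not Organizr's own configuration: the `/organizr-auth` location and the `http://127.0.0.1:8080/auth-check` URL are hypothetical placeholders for whatever script #141 provides, and nginx must be built with ngx_http_auth_request_module.

```nginx
# Hypothetical internal endpoint: nginx asks it whether the request is allowed.
location = /organizr-auth {
    internal;                                      # not reachable by clients
    proxy_pass http://127.0.0.1:8080/auth-check;   # placeholder URL (assumption)
    proxy_pass_request_body off;                   # headers and cookies suffice
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri;  # lets the script decide per location
}

location /plexpy {
    # Subrequest result: 2xx allows, 401/403 denies with that code,
    # any other code is treated as an error.
    auth_request /organizr-auth;
    add_header X-Frame-Options "SAMEORIGIN";
    proxy_pass http://127.0.0.1:8181;
}

location /monit/ {
    # auth_request runs in the access phase, after the rewrite directives,
    # so "rewrite ... break" does not skip it.
    auth_request /organizr-auth;
    rewrite /monit/(.*) /$1 break;
    proxy_pass http://10.0.0.10:8083;
}
```

The session cookie the browser already sends is forwarded with the subrequest, so no shared secret has to be written into the nginx configuration.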
Will dive into this in the future. For now we have #141
from organizr.