
Comments (33)

andrewjeffree avatar andrewjeffree commented on April 28, 2024 1

I've found a workaround of sorts for this. It'll only work for certain setups like mine.

My setup:

To access my organizr install you go to mydomain.com, and to access plexpy you'd go to mydomain.com/plexpy

I use nginx with location and proxy_pass statements

 location /plexpy {
    add_header X-Frame-Options "SAMEORIGIN";
    proxy_pass http://127.0.0.1:8181;
 }

y for this example let's assume it's exposed to the web to anyone

However if I modify the login sections of user.php to set another cookie like below:

setcookie("OrganizrRand", "test", time() + (86400 * 7), "/");

and then I check for this cookie in nginx at the location block

 location /plexpy {
    if ($cookie_OrganizrRand != "test") { return 403; }
    add_header X-Frame-Options "SAMEORIGIN";
    proxy_pass http://127.0.0.1:8181;
 }

this is now returning 403 to anyone who hasn't successfully logged into my organizr installation.

This should totally be doable in apache also, I'd just have to fiddle a bit to suggest the relevant config options.

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024 1

You would need something like this in a location block in the vhost, iirc:

    RewriteEngine On
    RewriteCond %{HTTP_COOKIE} !cookie_name=specific_value [NC]
    RewriteRule ^ https://mydomain.com [NC,L,R=302]

from organizr.

causefx avatar causefx commented on April 28, 2024

This was suggested earlier but I didn't have any success on implementation. it would have to be a php script that works flawless :/

from organizr.

phairplay avatar phairplay commented on April 28, 2024

This would be amazing
As currently I have http auth set up on all my tabs... /sonarr etc
Currently I have Idashboard (also with http auth) and guest enabled for all tabs meaning I only need to enter my user and password once for them all.

from organizr.

rvdwegen avatar rvdwegen commented on April 28, 2024

+1 on this one. I would love to get rid of htaccess

from organizr.

causefx avatar causefx commented on April 28, 2024

i've been playing around with a few php proxies and they all suck :/

from organizr.

riccla0321 avatar riccla0321 commented on April 28, 2024

+1 on this. It would be awesome to use Organizr over a secure proxy with SSL.

from organizr.

2wheelsdown avatar 2wheelsdown commented on April 28, 2024

Like this? https://drive.google.com/file/d/0BzPd75yQAJYhWG1keDJpWU9QZVU/view?usp=sharing

from organizr.

causefx avatar causefx commented on April 28, 2024

@2wheelsdown that is another webserver, won't help us here :(

from organizr.

phairplay avatar phairplay commented on April 28, 2024

@ImperialXT
do you still have http auth set up for each sub site?

from organizr.

causefx avatar causefx commented on April 28, 2024

@ImperialXT that is actually really good. you weren't able to use the cookie that Organizr already sets?

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@causefx no because I'm checking the content of that cookie and nginx needs to know what content to look for. It's not just a simple is the cookie set check

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@phairplay no because the cookie check is enough for me

from organizr.

causefx avatar causefx commented on April 28, 2024

@ImperialXT I just added this into the code, you will set a cookie password in the settings and edit your nginx configuration to:

 location /plexpy {
    if ($cookie_cookiePassword != "PASSWORDHERE") { return 403; }
    add_header X-Frame-Options "SAMEORIGIN";
    proxy_pass http://127.0.0.1:8181;
 }

at least now it will survive upgrades for you. I will push a new update tomorrow.

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@causefx excellent thanks for that

from organizr.

causefx avatar causefx commented on April 28, 2024

@ImperialXT nah man thank you, that was an excellent idea.

from organizr.

causefx avatar causefx commented on April 28, 2024

@ImperialXT update is live

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@causefx thanks. I'll pull it down. I've also submitted a pull request to fix up the .gitignore file :)

from organizr.

causefx avatar causefx commented on April 28, 2024

nice, thank you, just merged it into develop.

from organizr.

causefx avatar causefx commented on April 28, 2024

does anyone use Apache? would love to test this new version with that so we can add it to the wiki

from organizr.

causefx avatar causefx commented on April 28, 2024

nice, just need someone to test it :)

from organizr.

evulhotdog avatar evulhotdog commented on April 28, 2024

In nginx, this doesn't work for any location that needs a rewrite to function properly. Is there any solution for this?

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@evulhotdog are you able to give me an example of what you're talking about? I can probably figure something out.

from organizr.

evulhotdog avatar evulhotdog commented on April 28, 2024

@ImperialXT So this works, for forwarding, but I can access it, even if the cookie is not set and the referrer isn't 10.0.0.10.

    location /monit/ {
        rewrite /monit/(.*) /$1 break;
        proxy_pass   http://10.0.0.10:8083;
        valid_referers 10.0.0.10 ~.;
        if ($invalid_referer) { return 401; }
        if ($cookie_cookiePassword != "the_pw") { return 403; }
    }

from organizr.

causefx avatar causefx commented on April 28, 2024

from organizr.

evulhotdog avatar evulhotdog commented on April 28, 2024

@causefx even after moving it to the bottom of the block, there's no difference. I've moved a few things around before thinking that maybe it had some order of operations, but I don't think it does.

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

@evulhotdog
try this

    location /monit/ {
        if ($cookie_cookiePassword != "the_pw") { return 403; }
        rewrite /monit/(.*) /$1 break;
        valid_referers 10.0.0.10 ~.;
        if ($invalid_referer) { return 401; }
        proxy_pass   http://10.0.0.10:8083;
    }

I'm not quite sure what you're expecting to accomplish with the valid_referers part.

from organizr.

evulhotdog avatar evulhotdog commented on April 28, 2024

That seems to work w/ the cookie, but the $invalid_referer does not. Any idea why?

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

> That seems to work w/ the cookie, but the $invalid_referer does not. Any idea why?

Not sure to be honest, as I'm not quite sure what you're trying to achieve with it.

What's the purpose of the $invalid_referer check?

from organizr.

evulhotdog avatar evulhotdog commented on April 28, 2024

It only allows you to refer from 10.0.0.10. This is just another check to prevent accessing https://site.com/sonarr/ directly and to force all traffic through the root and use that authentication. Essentially ensuring that only that IP can talk to... that IP, for those locations.

Works for every single location, just not the ones with a rewrite in them (from what I can tell.)

from organizr.

andrewjeffree avatar andrewjeffree commented on April 28, 2024

seems a bit pointless with the cookie check also in place. But try putting it before the rewrite.

from organizr.

kendokan avatar kendokan commented on April 28, 2024

Have a look at #141. Auth_request is a better solution to protect URLs for nginx users. No static shared secret, everything happens on the server side, and the nginx configuration is cleaner.

Edit: Also note this could be pretty easily expanded to auth not only simple logged in/logged out status, but also whether the logged in Organizr user has access to that specific location block in nginx. It's really flexible since the script tells nginx whether or not to permit access to the URL.

from organizr.
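
Added example, not from the thread or the Organizr project: the `/monit/` location discussed above with the static cookie comparison replaced by an `auth_request` subrequest, as the comment above suggests. The internal location name `/organizr-auth`, the endpoint path `/auth-check` and the backend address `127.0.0.1:8080` are placeholders, and nginx is assumed to be built with `ngx_http_auth_request_module`.

```nginx
# Added example. Goes inside the server { } block.
# /organizr-auth, /auth-check and 127.0.0.1:8080 are hypothetical placeholders
# for whatever script validates the login session.

# Before (config from the thread): a static shared secret compared in nginx.
# "if" and "return" belong to the rewrite module, and "rewrite ... break"
# stops processing of rewrite-module directives once the rewrite matches,
# so the check below is skipped. The cookie value is also the same for every
# user and never expires on the server side.
#
#   location /monit/ {
#       rewrite /monit/(.*) /$1 break;
#       proxy_pass http://10.0.0.10:8083;
#       if ($cookie_cookiePassword != "the_pw") { return 403; }
#   }

# After: nginx asks the auth endpoint on every request.
location = /organizr-auth {
    internal;                                     # only reachable as a subrequest
    proxy_pass http://127.0.0.1:8080/auth-check;  # placeholder endpoint
    proxy_pass_request_body off;                  # the check needs headers only
    proxy_set_header Content-Length "";
    proxy_set_header X-Original-URI $request_uri; # lets the script decide per URL
}

location /monit/ {
    # Runs in the access phase, after the rewrite phase, so the
    # "rewrite ... break" below does not skip it.
    # Subrequest 2xx = allow; 401 or 403 = deny with that code.
    auth_request /organizr-auth;
    rewrite /monit/(.*) /$1 break;
    proxy_pass http://10.0.0.10:8083;
}
```

The browser's session cookie is forwarded to the auth endpoint with the other request headers, so no secret has to be written into the nginx configuration.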

causefx avatar causefx commented on April 28, 2024

Will dive into this in the future. for now we have #141

from organizr.
