Bypass http auth from internal network

Sorry for the delay. I’ve been watching so many movies lately and neglecting my computer.

So here goes. Nothing special going on in my setup. I have Nginx-Proxy-Manager running in docker along with all my services (sonarr, radarr, tautulli, plex etc etc).

My setup uses subdomains on my own domain that cannot be reached unless authorised through Organizr.

The following is all carried out through nginx-proxy-manager - https://nginxproxymanager.com/ (thanks guys)

Main Page

Choose Hosts > Proxy Hosts > Add Proxy Host

Details

Domain: yourdomain.xyz
Scheme http
Forward Hostname / IP internal.ip.of.organizr
Forward Port internal port for Organizr

Enable required features > Save

Custom locations

location: ~ /auth-(.*)
Forward Hostname / IP: 192.168.1.234/api/?v1/auth&group=$1

auth&group=$1 will use the co-admin group within Organizr and authenticate users that are part of that group.

Click gear icon and input the following into the expanded box
internal;
proxy_set_header Content-Length "";

Save

Your domain name that Organizr is reachable on, enable the features you require then move on.


The Advanced section is empty on the Organizr reverse proxy but will be populated for each service.

So that covers the initial Organizr setup.

Next we’ll add a service. Sonarr is widely used so we’ll go for that.

Domain Names sonarr.yourdomain.xyz
Forward Hostname / IP sonarr.internal.ip
Forward Port Internal port for Sonarr

Enable required features > Save

Define location ~ ^/auth-(.*) (notice how similar it is to the Organizr location but not quite the same)
Forward Hostname / IP 192.168.1.234/api/?v1/auth&group=$1
Forward Port Organizr Port - NOT THE SONARR PORT

Click the gear and input: proxy_set_header Content-Length "";

SSL

Add domain i.e. sonarr.yourdomain.xyz
Enable options > Save

Advanced

Input auth_request /auth-1; which tells Organizr the groups allowed to access this particular service.

Save

I think at this point you should be operational. If not, restart the relevant containers and try it out.

When you attempt to access https://sonarr.yourdomain.xyz you should be met with a 401 error page until you sign in to Organizr.

When I used Caddy I had a rewrite rule to send the user straight to Organizr but I just haven’t bothered with this setup as I’m the only user anyway.

I’ll check over my other services to see if there are any major differences that need to be addressed.

I’m no expert but if you have any questions please ask away and I’ll see what I can do. If I’ve left out anything please let me know.

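The Sonarr proxy host configured through the GUI steps in the post above, written out as a plain nginx server block. This is an added example, not part of the original post and not the file Nginx Proxy Manager generates. The Sonarr upstream address and port, the Organizr port and the certificate paths are assumed placeholders, and `internal;` (which the post sets only on the Organizr host) and `proxy_pass_request_body off;` are additions.

```nginx
# Added example: hand-written equivalent of the Sonarr host from the post.
server {
    listen 443 ssl;
    server_name sonarr.yourdomain.xyz;

    # Placeholder certificate paths (assumption, not from the post).
    ssl_certificate     /etc/ssl/placeholder/fullchain.pem;
    ssl_certificate_key /etc/ssl/placeholder/privkey.pem;

    # "Advanced" tab: every request first triggers a subrequest to /auth-1.
    # A 2xx reply from Organizr lets the request continue; a 401 or 403
    # reply is returned to the client instead of the Sonarr page.
    auth_request /auth-1;

    # "Custom locations" tab: whatever follows "auth-" is captured as $1
    # and handed to the Organizr auth API as the group parameter.
    location ~ ^/auth-(.*) {
        # Assumption: the post adds "internal;" only on the Organizr host.
        # It keeps clients from requesting /auth-N directly.
        internal;

        # Organizr address from the post; port 80 is an assumed placeholder
        # for "Organizr Port - NOT THE SONARR PORT".
        proxy_pass http://192.168.1.234:80/api/?v1/auth&group=$1;

        # The auth check needs only headers and cookies, not the body.
        # proxy_pass_request_body is an addition; the post sets only the
        # Content-Length header.
        proxy_pass_request_body off;
        proxy_set_header Content-Length "";
    }

    location / {
        # Placeholder for "sonarr.internal.ip" and the Sonarr port
        # (192.0.2.10 is a documentation address, 8989 an assumed port).
        proxy_pass http://192.0.2.10:8989;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Running `nginx -t` against a file containing this block checks the syntax before a reload.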