2024-12-24, 09:36 AM
Hello
I put jellyfin behind Apache as a reverse proxy.
I had an admittedly restrictive double authentication system but it worked until last spring, I'd say:
Apache with htpasswd authentication => jellyfin authentication
So for at least the last 6 months this double authentication hasn't worked at all.
As soon as I activate htpasswd, authentication requests between htpasswd and jellyfin authentication loop back and forth.
I have the impression that the htpasswd authorisation header is overwritten by the jellyfin header, etc, etc, ...
I've searched the web to find a solution to this problem and tried lots of different things without success.
Ideally, the credentials requested by htpasswd should be passed on to Jellyfin, which validates the access, but it doesn't matter if this method doesn't work, the main thing for me is that my public Jellyfin should under no circumstances be ...
- referenced by any search engine
- scanned by an attacker looking for a vulnerability
In short, that only legitimate users know that there's a Jellyfin behind my URL.
The Apache configuration is based on the https://jellyfin.org/docs/general/networking/apache/ documentation.
Jellyfin is accessible without a subpath.
The published URL is of the form "all=https://mydomain.tld".
In addition to the SSL certificate, this is the only configuration made in the Jellyfin network tab.
If anyone has a clue as to how to resolve this, I'd love to hear from you.
Thanks
I put jellyfin behind Apache as a reverse proxy.
I had an admittedly restrictive double authentication system but it worked until last spring, I'd say:
Apache with htpasswd authentication => jellyfin authentication
So for at least the last 6 months this double authentication hasn't worked at all.
As soon as I activate htpasswd, authentication requests between htpasswd and jellyfin authentication loop back and forth.
I have the impression that the htpasswd authorisation header is overwritten by the jellyfin header, etc, etc, ...
I've searched the web to find a solution to this problem and tried lots of different things without success.
Ideally, the credentials requested by htpasswd should be passed on to Jellyfin, which validates the access, but it doesn't matter if this method doesn't work, the main thing for me is that my public Jellyfin should under no circumstances be ...
- referenced by any search engine
- scanned by an attacker looking for a vulnerability
In short, that only legitimate users know that there's a Jellyfin behind my URL.
The Apache configuration is based on the https://jellyfin.org/docs/general/networking/apache/ documentation.
Jellyfin is accessible without a subpath.
The published URL is of the form "all=https://mydomain.tld".
In addition to the SSL certificate, this is the only configuration made in the Jellyfin network tab.
If anyone has a clue as to how to resolve this, I'd love to hear from you.
Thanks
![[Image: GitHub%20Sponsors-grey?logo=github]](https://img.shields.io/badge/GitHub%20Sponsors-grey?logo=github){kind=icon}