2025-01-24, 09:59 AM
(This post was last modified: 2025-01-24, 10:44 AM by dabruck. Edited 1 time in total.)
It's true @TheDreadPirate that changing the https port is a good way of preventing the vast majority of pests, well done!
Finally I went through Apache's mod_session (https://httpd.apache.org/docs/2.4/en/mod...ssion.html).
This way an authenticated user is validated by a specific cookie and not by an authorisation header.
So it doesn't conflict with the Jellyfin authentication header mechanism.
I've tried unsuccessfully to get this to work from the Apache doc, but I always get strange behaviour and in the end something that doesn't work.
I now use this conf https://github.com/buxxi/mod_auth_form-sample ...
$ a2enmod auth_form request session session_cookie session_crypto
$ cat /etc/apache2/sites-available/my-jelly.conf
...
<Location "/">
    # IP
    Require ip ...
    # Auth
    AuthName "Secure area"
    AuthType form
    AuthFormProvider file
    AuthUserFile "/my/path/to/.htpasswd"
    ErrorDocument 401 /folder/login.html
    AuthFormLoginSuccessLocation "/folder/login.json"
    Session on
    SessionCookieName cookie_name path=/
    # seconds
    SessionMaxAge 14400
    # seconds
    SessionExpiryUpdateInterval 10
    SessionCryptoPassphrase passphraseofyourchoice
    Require valid-user
    Options None
    AllowOverride None
</Location>
<Location "/folder/">
    # everyone must be able to access login
    Require all granted
</Location>
# do not proxy this URL
ProxyPass /folder/ !
If anyone has a cleaner and/or more secure solution with ‘mod_session’ I'd love to hear about it!
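A hardened variant of the `<Location "/">` block from the post above, as an added example that is not part of the original post or of the linked sample repository. It assumes the IP allow-list and the form login are both meant to be mandatory; the IP range is a constructed documentation range and the passphrase file path is hypothetical.

```apache
<Location "/">
    AuthName "Secure area"
    AuthType form
    AuthFormProvider file
    AuthUserFile "/my/path/to/.htpasswd"
    ErrorDocument 401 /folder/login.html
    AuthFormLoginSuccessLocation "/folder/login.json"

    # Bare Require lines in one section are OR-ed (implicit RequireAny).
    # RequireAll makes the IP allow-list AND the form login both mandatory.
    <RequireAll>
        # Constructed documentation range; substitute the real allow-list.
        Require ip 192.0.2.0/24
        Require valid-user
    </RequireAll>

    Session On
    # HttpOnly keeps scripts from reading the cookie, Secure restricts it
    # to HTTPS, SameSite=Lax keeps it off cross-site POSTs and subrequests.
    SessionCookieName cookie_name path=/;HttpOnly;Secure;SameSite=Lax
    # Strip the session cookie from the request before it is proxied,
    # so the backend never receives it.
    SessionCookieRemove On
    # Lifetime and refresh interval, both in seconds.
    SessionMaxAge 14400
    SessionExpiryUpdateInterval 10
    # Hypothetical path: a file readable by root only that holds the
    # passphrase, so the secret is not stored in the site configuration.
    SessionCryptoPassphraseFile /etc/apache2/session.passphrase

    Options None
    AllowOverride None
</Location>
```

The `<Location "/folder/">` block and the `ProxyPass /folder/ !` exclusion from the post stay as they are, and `apachectl configtest` checks the syntax before a reload.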