    Apache proxy + htpasswd

    dabruck
    #1
    2024-12-24, 09:36 AM
    Hello

    I put jellyfin behind Apache as a reverse proxy.
    I had an admittedly restrictive double authentication system but it worked until last spring, I'd say:
    Apache with htpasswd authentication => jellyfin authentication

    So for at least the last 6 months this double authentication hasn't worked at all.
    As soon as I activate htpasswd, authentication requests between htpasswd and jellyfin authentication loop back and forth.
    I have the impression that the htpasswd authorisation header is overwritten by the jellyfin header, etc, etc, ...

    I've searched the web to find a solution to this problem and tried lots of different things without success.
    Ideally, the credentials requested by htpasswd should be passed on to Jellyfin, which validates the access, but it doesn't matter if this method doesn't work, the main thing for me is that my public Jellyfin should under no circumstances be ...
    - referenced by any search engine
    - scanned by an attacker looking for a vulnerability
    In short, that only legitimate users know that there's a Jellyfin behind my URL.

    The Apache configuration is based on the https://jellyfin.org/docs/general/networking/apache/ documentation.
    Jellyfin is accessible without a subpath.
    The published URL is of the form "all=https://mydomain.tld".
    In addition to the SSL certificate, this is the only configuration made in the Jellyfin network tab.

    If anyone has a clue as to how to resolve this, I'd love to hear from you.
    Thanks
    TheDreadPirate
    #2
    2024-12-24, 08:48 PM
    AFAIK Jellyfin does not support basic auth on top of its own basic auth.

    https://github.com/jellyfin/jellyfin-android/issues/123
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    dabruck
    #3
    2024-12-30, 11:33 AM
    Thanks a lot @TheDreadPirate !
    I had seen this issue dating back to 2020.
    I was hoping that there would have been some changes in the meantime.
    I'm thinking that having a publicly accessible instance of Jellyfin is a bit suicidal.

    Isn't there a way via Apache to completely block all web requests until the user has authenticated?
    I'll test with ‘AuthType Digest’ instead of ‘AuthType Basic’ and see if it works.
    TheDreadPirate
    #4
    2024-12-30, 02:16 PM
    Disabling user profiles on the login screen, using a non-standard https port, and setting up fail2ban mitigate nearly all the risk of directly exposing Jellyfin to the Internet, IMO.
    dabruck
    #5
    2025-01-24, 09:59 AM (This post was last modified: 2025-01-24, 10:44 AM by dabruck. Edited 1 time in total.)
    It's true @TheDreadPirate that changing the https port is a good way of preventing the vast majority of pests, well done!

    Finally I went through Apache's mod_session (https://httpd.apache.org/docs/2.4/en/mod...ssion.html).
    This way an authenticated user is validated by a specific cookie and not by an authorisation header.
    So it doesn't conflict with the jellyfin authentication header mechanism.

    I've tried unsuccessfully to get this to work from the Apache doc, but I always get strange behaviour and in the end something that doesn't work.

    I now use this conf https://github.com/buxxi/mod_auth_form-sample ...

    $ a2enmod auth_form request session session_cookie session_crypto
    $ cat /etc/apache2/sites-available/my-jelly.conf
    ...
    <Location "/">
        # IP
        # (several Require lines in one section are combined as RequireAny by default)
        Require ip ...
        # Auth
        AuthName "Secure area"
        AuthType form
        AuthFormProvider file
        AuthUserFile "/my/path/to/.htpasswd"
        ErrorDocument 401 /folder/login.html
        AuthFormLoginSuccessLocation "/folder/login.json"
        Session on
        SessionCookieName cookie_name path=/
        # seconds
        SessionMaxAge 14400
        # seconds
        SessionExpiryUpdateInterval 10
        SessionCryptoPassphrase passphraseofyourchoice
        Require valid-user

        Options None
        AllowOverride None
    </Location>

    <Location "/folder/">
        # everyone must be able to access login
        Require all granted
    </Location>

    # do not proxy this URL
    ProxyPass /folder/ !

    If anyone has a cleaner and/or more secure solution with ‘mod_session’ I'd love to hear about it!
    TheDreadPirate
    #6
    2025-01-24, 02:25 PM
    I'm not super familiar with Apache.

    I found this post. Give it a read.

    https://serverfault.com/questions/801106...ache-httpd
    dabruck
    #7
    2025-01-24, 02:49 PM
    Thx TheDreadPirate
    I don't need to play with/change/tweak any cookie because it's working now.

    - I have an initial authentication before arriving on the interface or any jellyfin URL whatsoever
    - this authentication generates a cookie on the visitor's browser side
    - then you get the jellyfin authentication page (user profiles disabled on the login screen)
    - which, if successful, generates an authentication header

    So now a visitor doesn't see that there's a jellyfin on the URL of my jellyfin (no icon, no code, no search for a potential flaw) but just a neutral authentication request.

    The only drawback is that visitors have to answer two authentication requests, but I consider this to be the lesser evil.

    I'll do some more tests later on this form authentication mechanism in Apache.

    Thanks for your help.
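
Why the form-and-cookie gate described in posts #5 and #7 coexists with Jellyfin's own login while AuthType Basic does not, as an added Python model (not part of the thread, and not Apache or Jellyfin code). The credentials, the session value and the `MediaBrowser Token=...` header value are constructed for the illustration; the model assumes the Jellyfin web client puts its token in the Authorization header.

```python
# Constructed model of the two proxy gates; not Apache or Jellyfin code.
# Assumption: the Jellyfin client sends 'Authorization: MediaBrowser Token="..."'.
import base64

HTPASSWD = {"alice": "s3cret"}   # constructed credentials (real htpasswd stores hashes)
SESSIONS = {"c0ffee"}            # constructed valid session cookie value

def basic_gate(headers):
    """AuthType Basic: the proxy itself needs the Authorization header."""
    scheme, _, value = headers.get("Authorization", "").partition(" ")
    if scheme.lower() != "basic":
        return 401               # missing or foreign scheme: challenge again
    try:
        user, _, pw = base64.b64decode(value).decode().partition(":")
    except ValueError:           # bad base64 or bad UTF-8
        return 401
    return 200 if HTPASSWD.get(user) == pw else 401

def form_gate(headers, cookie_name="cookie_name"):
    """AuthType form + mod_session: the proxy only looks at its session cookie."""
    cookies = dict(
        part.strip().split("=", 1)
        for part in headers.get("Cookie", "").split(";") if "=" in part
    )
    return 200 if cookies.get(cookie_name) in SESSIONS else 401

def browser_request(gate_credentials, jellyfin_token=None):
    """Headers the browser sends; a request carries ONE Authorization header."""
    headers = dict(gate_credentials)
    if jellyfin_token:           # the client's API calls overwrite that slot
        headers["Authorization"] = f'MediaBrowser Token="{jellyfin_token}"'
    return headers

BASIC = {"Authorization": "Basic " + base64.b64encode(b"alice:s3cret").decode()}
COOKIE = {"Cookie": "cookie_name=c0ffee"}

def run_scenarios():
    """Status the gate returns for page loads and Jellyfin API calls."""
    return {
        "basic, page load": basic_gate(browser_request(BASIC)),
        "basic, api call": basic_gate(browser_request(BASIC, "tok123")),
        "form, page load": form_gate(browser_request(COOKIE)),
        "form, api call": form_gate(browser_request(COOKIE, "tok123")),
        "form, no cookie": form_gate(browser_request({})),
    }

print(run_scenarios())
```

The "basic, api call" case is the loop from post #1: the gate answers 401 to the client's own header, the browser re-prompts, and the next API call overwrites the header again.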
    TheDreadPirate
    #8
    2025-01-24, 03:38 PM
    If you're up for it, perhaps consider writing a walk-through on the walk-through sub-forum for setting this up. I'm sure you aren't the only person that would want this.