Can someone help me setup a username and password for a site? Under Access List the only option I get is Publicly Accessible, nothing about passwords. It says I need to “Enable authentication” but I don’t see a way to do that.
No, not in Location but in Advanced
From the dashboard go to Access Lists and create a new one.
In Authorization tab then enter user and password.
Then go back to the proxy hosts lists and the new access list should be available.
LE: keep in mind that, if you enable NPM authentication and you plan to use subfolders in tab Advanced, the authentication will be applicable only to the main host, not to the subfolders. For subfolders authentication you need to enable it manually for each subfolder (see my post above concerning Transmission).
Thank you so much. This has been driving me crazy.
Now I have another problem. I created an Access List and attached it to my site but now all I get is a “401 Authorization Required” page and no place to enter a user name and password.
Hey Petrica,
I added the following Advanced (and deleted all items in customer locations):
location /sickchill/ {
proxy_read_timeout 300;
proxy_pass_header X-Transmission-Session-Id;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.86.100:8081/sickchill/;
}
I tried afew variations for proxy_pass, including http://192.168.86.100:8081/home/ which is how i access sickchill on my local network - both have the same 404 errors.
I was attempting to re-use what you did for transmission for sickchill, however only the text loads. I can see 404 errors in the logs.
404 404 - GET http xxx.duckdns.org "/js/ajaxNotifications.js?v=9ad35436f9ef5e663a065ff57ee2f1ec" [Client 192.168.86.1] [Length 2647] [Gzip -] [Sent-to 192.168.86.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" "http://xxx.duckdns.org/sickchill/"
My understanding of your items is that it would hit the local IP address for sickchill and then pass back the code as if it was on my local network. The 404 errors have thrown me completely as it shouldn’t need permissions to access those files?
All my docker containers are on that internal IP, but this port is not pointing to NPM - does that matter, the service im hitting works perfectly via the xxx.duckdns.org?
Hi @mitch,
Could you try:
location /sickchill/ {
proxy_pass http://192.168.86.100:8081/sickchill/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_buffering off;
client_max_body_size 0;
proxy_read_timeout 36000s;
proxy_redirect off;
}
It doesn’t matter they’re not on the same machine.
I’m gonna leave these here for others that might need them (but keep in mind that 1. most of the services don’t use their own authentication thus, if not setting and relying on external authentication such as NPM Access List - these two lines below - then they are accessible by anyone on the internet (WITHOUT ANY RESTRICTION), which is generally considered bad form 
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
and 2. some of them (where the address is http://ip:port/service_name) require a base path override; this is done in the gui settings or, some other times, in a file that needs to be modified on the server)
NGINX Reverse proxy examples
location /ombi {
proxy_pass http://192.168.0.45:3579;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto $scheme;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /logarr/ {
proxy_pass http://192.168.0.45:8003/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /nagioslogserver {
proxy_pass http://192.168.0.222:80;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location ~* ^(/apps/portainer)(/api/websocket/.*)$ {
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_http_version 1.1;
set $upstream http://192.168.0.45:9000$2;
proxy_pass $upstream ;
}
location ~* ^(/apps/portainer)(/.*)$ {
proxy_http_version 1.1;
proxy_set_header Connection "";
set $upstream http://192.168.0.45:9000$2;
proxy_pass $upstream;
}
location /privatebin/ {
proxy_pass https://192.168.0.233/;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
}
location /webmin/ {
proxy_pass http://192.168.0.45:10000/webmin/;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /unmanic {
proxy_pass http://192.168.0.45:8889/;
proxy_set_header Host $host;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /plexpy {
proxy_pass http://192.168.0.45:8182;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /syncthing/ {
proxy_pass http://192.168.0.45:8384/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_read_timeout 600s;
proxy_send_timeout 600s;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /lidarr {
proxy_pass http://192.168.0.45:8686;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /gui/ {
proxy_pass http://192.168.0.45:8888/gui/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location ~ ^/mylar($|./*) {
proxy_pass http://192.168.0.45:8090;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location = /makemkv {return 301 $scheme://$http_host/makemkv/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /makemkv/ {
proxy_pass http://192.168.0.45:5802/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
location /makemkv/websockify {
proxy_pass http://192.168.0.45:5802/websockify/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
}
location /librarian {
proxy_pass http://192.168.0.45:5299/librarian/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location ~ ^/headphones($|./*) {
proxy_pass http://192.168.0.45:8181;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location = /handbrake {return 301 $scheme://$http_host/handbrake/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /handbrake/ {
proxy_pass http://192.168.0.45:5801/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
location /handbrake/websockify {
proxy_pass http://192.168.0.45:5801/websockify/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
}
location /ubooquity/ {
proxy_pass http://192.168.0.45:2202/ubooquity/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1 ;
}
location /varken/ {
proxy_pass http://192.168.0.45:3000/d/iTbnha5mkasdf/varken-official-v1-6-x/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1 ;
}
location /bookstack/ {
proxy_pass http://192.168.0.45:6875/;
proxy_set_header Host $host;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /duplicati {
return 301 $scheme://$host/duplicati/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location ^~ /duplicati/ {
rewrite /duplicati(.*) $1 break;
proxy_pass http://192.168.0.45:8200;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /codeserver/ {
proxy_pass http://192.168.0.45:8443/;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection upgrade;
proxy_set_header Accept-Encoding gzip;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location = /filebot {return 301 $scheme://$http_host/filebot/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /filebot/ {
proxy_pass http://192.168.0.45:5800/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
location /filebot/websockify {
proxy_pass http://192.168.0.45:5800/websockify/;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 86400;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
}
location /transmission/ {
proxy_read_timeout 300;
proxy_pass_header X-Transmission-Session-Id;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.0.45:9091/transmission/;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /jackett {
proxy_pass http://192.168.0.45:9117/jackett;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /htpc/ {
proxy_pass http://192.168.0.45:8085/htpc/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /calibre {
proxy_pass http://192.168.0.45:8083;
proxy_set_header Host $http_host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Scheme $scheme;
proxy_set_header X-Script-Name /calibre;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /radarr {
proxy_pass http://192.168.0.45:7878;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /sonarr {
proxy_pass http://192.168.0.45:8989;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /bazarr {
proxy_pass http://192.168.0.45:6767;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /booksonic {
proxy_pass http://192.168.0.45:4041/booksonic;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
location /cc/ {
proxy_pass http://192.168.0.45:8000/cc/;
proxy_set_header Host $host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
1 Like
Hi Petrica,
Thanks for the quick reply, i had auth enabled via NPM and just disabled whilst testing the reverse proxy. Thanks for the reminder and warning.
I updated the config in “Advanced” as per your suggestions, i still get the same error in the logs and unfortunately no assets are loading still (e.g. .js, .png or anything else reliant on a folder path)
[21/Jun/2020:16:31:55 +1000] - 404 404 - GET http xxx.duckdns.org "/images/sickchill.png?v=46e22e27089cf288c89fdd24dc7211fd" [Client 192.168.86.1] [Length 2647] [Gzip -] [Sent-to 192.168.86.100] "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36" "http://xxx.duckdns.org/sickchill/"
Could this be an issue with the base path, I’m unsure as to where to make this change in the gui/server options (is this on Sickchill side or within NPM?)
I was going to set-up ombi, will do this during the week and try your config to see if that works
Update: I just tested it with Heimdall and have the same issues.
Does the xxx.duckdns.org need to forward to NGINX port directly or to my preferred in-bound item for that port (e.g. home assistant?)
My bad. I didn’t use Sickchill before, but with a quick Docker install, this works for me (I see that you already enabled base path override to /sickchill).
location /sickchill/ {
proxy_pass http://192.168.86.100:8081/sickchill/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header HTTPS $https;
auth_basic "Authorization required";
auth_basic_user_file /data/access/1;
}
Also, in Settings enabled reverse proxy headers.
No, it doesn’t need to be related (actually my default port points to a defunct page I initially had a webserver and now just throws an error).
No idea what i’ve done to break it, i’ve set-up my config exactly as yours (except i removed the auth items).
Still getting errors, now i am just clueless completely. I’ll try restarting my sickchill service in a moment in-case the reverse proxy settings need to do something funky.
[21/Jun/2020:18:01:37 +1000] - 404 404 - GET http xxx.duckdns.org “/images/menu/system18-2.png?v=5e28687ae814113d5e4c9f3111544294” [Client 192.168.86.1] [Length 2647] [Gzip -] [Sent-to 192.168.86.100] “Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Safari/537.36” “http://xxx.duckdns.org/sickchill/”
Update: restarted my sickchill docker container and no lucky. Feeling like i’ve done something silly somewhere else!
Does http://192.168.86.100:8081/sickchill/ work in lan?
http://192.168.86.100:8081/home/
Thats how i access it on my LAN
I updated my config (based on your comment) to:
location /sickchill/ {
proxy_pass http://192.168.86.100:8081/home/;
proxy_set_header Host $http_host;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
#proxy_set_header HTTPS $https;
#auth_basic "Authorization required";
#auth_basic_user_file /data/access/1;
}
which gives me the same type of 404 errors i was receving
sickchill auto-redirects http://192.168.86.100:8081/ -> http://192.168.86.100:8081/home/, i tried putting the root (http://192.168.86.100:8081/) in my config. This just loads my generic server linked to http://xxx.duckdns.org/
1 Like
That’s the problem. In the above comments you included it as
so I specifically mentioned this:
When you are accessing it through the reverse proxy it will actually go to / (so the address will be x.duckdns.org/ which will, in turn, result in an error when going to `x.duckdns.org/home/').
You need to edit the config.ini file for Sickchill container and modify web_root="" to web_root="/sickchill".
But first, you need to turn off the container (otherwise it won’t save any change you do the files in the container).
Depending on your install, you should find the location of the config.ini file in Portainer at container’s Volumes section (about the lower quarter or the page)
It is working perfectly. Thank you for your patience, i did not understand the base path override comment.
Testing if i’ve understood by installing ombi. Grabbed a fresh copy via
linuxserver/ombi:latest
Configured everything as per specs, loaded it and linked my accounts to make sure it was working. Dropped in the below and it 404’s on me.
I thought i’d learnt!
location /ombi {
proxy_pass http://192.168.86.100:3579;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header X-Forwarded-Proto $scheme;
#auth_basic "Authorization required";
#auth_basic_user_file /data/access/1;
}
I can hit http://192.168.86.100:3579 succesfully on my LAN, i can see a base_url option in ombi, but it appears you haven’t used this item this time (which is why i was curious to try ombi as you don’t have a base path listed).
[22/Jun/2020:13:28:40 +1000] - 500 500 - GET http x.duckdns.org "/images/favicon/favicon-16x16.png" [Client 192.168.86.1] [Length 572] [Gzip -] [Sent-to 192.168.86.100] "Mozilla/5.0 (Linux; Android 6.0; Nexus 5 Build/MRA58N) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.97 Mobile Safari/537.36" "http://x.duckdns.org/ombi/"
Actually I have Ombi installed in the Linux host, not Docker (this was the initial setup and then started moving bits to Docker after dependency issues started pilling up).
I’ve setup a second Ombi instance (this time in Docker) and you’re right, it does need to use the base path in NGINX (ie. proxy_pass http://192.168.86.100:3579/ombi/;), otherwise it blocks on the loading screen.
1 Like
Has anyone ever gotten this error before?
[11:16:48] INFO: Starting NGinx...
nginx: [emerg] unexpected ";" in /data/nginx/proxy_host/34.conf:41
After an internal error when trying to create a new proxy host with a SSL certificate, I restarted the addon. The addon now doesn’t start anymore and gives me this error.
I assume that 34.conf is the configuration for the proxy host that gave me the internal error. So I should be able to just delete the file.
How do i access the file 34.conf in hassio? Can I do that in the terminal addon?
You can ssh into the addon from Portainer, but you might break things.
Have you tried uninstalling and reinstalling NPM?
My ideal goal was to utilise the auth system of Home Assistant with the power of a reverse proxy to let me access my files via HASS iFrames.
Thanks to you, i’ve got my iFrames fully functional within HASS (and working a treat), i know what i need in my .htaccess:
order deny,allow
deny from all
allow from 192.168.86.0/24
But i don’t know how to do this on a location by location example (i still want x.duckdns.org to point to my home assistant instance externally which this blocks).
How do i apply htaccess rules on a location by location basis?
Sorry, I don’t have a full understanding of the .htaccess and might lead you to an inappropriate solution
You can, however, point HA iframes to the external addresses of the services both on lan and wan.(for example https://x.duckdns.org/sonarr/ ; https://x.duckdns.org/radarr/ ; https://x.duckdns.org/transmission/werb/ from either lan or wan would show the NGINX authentication screen but this would be a minor annoyance since the browser can save the login details and it would only show once per session).
I’m not a big fan of iframes since the real estate in HA is quite limited and I want the links to open in a different tab.
I tried setting up a bookmarks page in AppDaemon (would be perfect but it is not opening links in new tab), Muximux, then Organizr and I ended up setting a home page with Heimdall and pointing to both internet sites (email, Youtube, Netflix, Reddit, news sites, etc) and internal lan resources. Some of the internal sites (Transmission, Tautulli, the rr suite) also have api integration and you can see, at a glance, a lot of information without accessing them.
1 Like
Thanks Petrica, and appreciate you keeping me safe!
I might run with your path and re-add auth to my ngingx to be safe. I’m also using heimdall but was disapointed it only supports subdomains (e.g. heimdall.duckdns.org/) and not a sub-folder (e.g. x.duckdns.org/heimdall (unless i misunderstood when i was reading the git for my container: https://github.com/linuxserver/Heimdall)