Commit 5d2611781e28a869d2049f9ea19bcccc42249780 broke my Apache reverse proxy setup.
I'm not a fan of basic auth (and configuring all the different credentials for all my web-facing tools), nor do I trust apps to be bulletproof (no offence). I like offloading all my authentication requirements to one single application. That's why I've set up OAuth2 authentication in my Apache server and set up reverse proxies to stuff I want exposed to the internet. It seems it's now required to define a username and password when accessing from a non-private IP range, which seems to break my setup.
Is there any way to disable this check?
Snippet of Apache config:
ProxyPass /sickrage http://localhost:8081/sickrage
ProxyPassReverse /sickrage http://localhost:8081/sickrage
#Define access profile
<Location /sickrage>
Include access_directives/profiles/me-oath.conf
</Location>
Branch/Commit: 5d2611781e28a869d2049f9ea19bcccc42249780
What you did: Try to browse to my SickChill instance via reverse proxy
What happened: Got message about internet facing without password
What you expected: Normal login
Logs:
2020-02-25 17:46:50 WARNING WEBSERVER :: Remote access was attempted by xxx.xxx.xxx.xxx (public ip)
Hi, thanks for the report. Please use search to make sure your issue has not been reported yet, and someone will try to help you as soon as possible.
I'll look into an ini only override
Basic auth is now an option.
I'm sure if you use a reverse proxy, you can figure out how to add the header in your reverse proxy config.
>>> import base64
>>> value = 'Basic ' + base64.b64encode(b'username:password').decode('ascii')
>>> print('Header needs to look like:')
Header needs to look like:
>>> print('Authorization: {}'.format(value))
Authorization: Basic dXNlcm5hbWU6cGFzc3dvcmQ=
Basic really sucks, but ANY auth is better than NO AUTH.
Hey miigotu,
Wow, thnx for the really quick response and fix. Seems to work great!
For other peeps, example of my modified config (with user/pass example)
(Apache)
ProxyPass /sickrage http://localhost:8081/sickrage
ProxyPassReverse /sickrage http://localhost:8081/sickrage
#Define access profile
<Location /sickrage>
Include access_directives/profiles/me-oath.conf
RequestHeader set Authorization: "Basic ZXhabXBsZepleGFtcGxl"
</Location>
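The header discussed in this thread, as an added example that is not SickChill's code and not part of any comment above: it builds the Basic value, renders the matching `RequestHeader` line, and shows a strict parse plus constant-time comparison for the receiving side. All function names are hypothetical and the credentials are constructed samples.

```python
import base64
import hmac


def basic_header_value(username, password):
    """Value of an HTTP Basic Authorization header (RFC 7617)."""
    if ":" in username:
        raise ValueError("username must not contain ':'")
    raw = "{}:{}".format(username, password).encode("utf-8")
    # b64encode adds no trailing newline, so the value is safe to put in a header.
    return "Basic " + base64.b64encode(raw).decode("ascii")


def parse_basic_header(value):
    """Return (username, password), or None if the header is malformed."""
    scheme, _, token = value.partition(" ")
    if scheme.lower() != "basic":
        return None
    try:
        decoded = base64.b64decode(token.strip(), validate=True).decode("utf-8")
    except ValueError:  # covers binascii.Error and UnicodeDecodeError
        return None
    username, sep, password = decoded.partition(":")
    return (username, password) if sep else None


def credentials_match(header_value, username, password):
    """Compare a received header with the expected credentials in constant time."""
    parsed = parse_basic_header(header_value)
    if parsed is None:
        return False
    got = "{}:{}".format(*parsed).encode("utf-8")
    want = "{}:{}".format(username, password).encode("utf-8")
    return hmac.compare_digest(got, want)


def apache_directive(username, password):
    """mod_headers line that makes the proxy send the credentials upstream."""
    return 'RequestHeader set Authorization "{}"'.format(
        basic_header_value(username, password))


if __name__ == "__main__":
    # Constructed sample credentials, the same pair used earlier in the thread.
    print(apache_directive("username", "password"))
    print(credentials_match("Basic dXNlcm5hbWU6cGFzc3dvcmQ=", "username", "password"))
```

Base64 is an encoding, not encryption, so the rendered directive line is as sensitive as the password itself.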
@erikhubers I hope that isn't your real digest value posted publicly on GitHub =P
I edited it but the history is still available, if it is the real one you should delete the comment and post again ;)
I see now you said (with user/pass example) so I guess it's a fake haha
Hehe jep, I was typing a reply. But you were faster :P
Oof, I wanted to get it out quick and made a boo-boo. Fixed in https://github.com/SickChill/SickChill/commit/d44fe0b9a68d679fb4152d1bb2897eb7aea3d32a