Giters

lardbit / nefarious

Web application for automatically downloading TV & Movies (w/ VPN)

Home Page:https://lardbit.github.io/nefarious/

Geek Repo:Geek Repo

Github PK Tool:Github PK Tool

Nefarious Login Error Behind Protected Proxy

slapcat opened this issue · comments

commented

I have placed Nefarious behind a simple Apache proxy. It runs perfectly until I add in some basic authentication to the proxy. When I do, the site will render, but when I try to login, Nefarious presents an error in the top right corner:

Username
Password
"<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">\n\n<title>401 Unauthorized</title>\n\n

Unauthorized

\n

This server could not verify that you\nare authorized to access the document\nrequested. Either you supplied the wrong\ncredentials (e.g., bad password), or your\nbrowser doesn't understand how to supply\nthe credentials required.

\n
\nApache/2.4.53 (Debian) Server at example.com Port 80\n\n"

My proxy configuration is very boilerplate:

<VirtualHost *:80>
  ServerName example.com
  ProxyPreserveHost On

  ProxyPass / http://192.168.122.164:8000/
  ProxyPassReverse / http://192.168.122.164:8000/

    Timeout 5400
    ProxyTimeout 5400

    <Proxy *>
        Order deny,allow
        Allow from all
        Authtype Basic
        Authname "Password Required"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Proxy>

</VirtualHost>

It seems like the authentication between the proxy and Nefarious are getting crossed somehow... Is there any workaround for this? (Even if it is just possible to remove the login completely from Nefarious, that would be acceptable for my use case.)

commented

I don't immediately know why this wouldn't work. It sounds like just the javascript XMLHttpRequest/ajax requests are being denied by the apache authentication rule (since you said the page loaded initially). I would have assumed the browser would have already authenticated and subsequently passed those credentials along with the ajax requests but maybe I'm mistaken. Maybe the javascript ajax requests need to explicitly send the authentication credentials with every request. I'll have to set this configuration up myself to confirm my theory.

commented

I now have a feeling apache isn't sending the Authorization http header to nefarious to authenticate.

nefarious needs to see an http header like Authorization: Token 123abc to athenticate the requests and i'm wondering if the 401 error is from nefarious because it can't authenticate without that header.

image

commented

Closing due to inactivity, but feel free to re-open if you want to continue troubleshooting this.