Unable to get a simple authentication to work

[gardiol]

I have a single user instance which i would like to protect behind a simple basic proxy authentication, no OIDC, so with LL authentication simply disabled and no OIDC, but it doesnt work.

If i disable LL authentication and NGINX basic auth, then it works, but of course with no auth.
If i enable LL authentication and disable NGINX basic auth, then it works, but of course it means a different login to keep in sync.
If i disable LL authentication and enable NGINX basic auth (it works for other services), then LL will only show a blank page and show an error 400 in the browser console.

Is there a way to make it work?

[hargata]

Sorry, no clue how to assist with your use case since we've never used nginx proxy auth before, maybe someone else can chime in.

Additionally, we really don't think this is an issue with the app itself and moreso with your implementation, hence we will be adding the unsupported tag to this, because we're not going to troubleshoot your reverse proxy config.

[gardiol]

It's just plain BASIC AUTH, whatever web server / proxy you use, it's just plain BASIC AUTH...

[hargata]

It's gotta be something with your config then. If auth is not enabled in LL then it wouldn't check for any auth headers at all, because:

1. Why would it?
2. It has nothing to compare the credentials to.

Additionally, there is no mechanism in LL that will return a 400 status code if auth is disabled and you pass in auth headers anyways. This is a reverse proxy config issue that you need to figure out yourself

[gardiol]

Ok, that's what I tought...

I am pretty sure my setup is correct, but that would not be the first time I am stupidly mistaken so I will definitely double check again tomorrow.

So you say that if I disable ll auth, I should be able to slap in front any other kind of authentication without issues?

[hargata]

If you disable auth in LL then it won't check for any auth methods at all, meaning that all devices that runs in the same network can connect to that instance of LL.

At that point, I don't see how any authentication methods you place in front of it will affect LL. Then again, we have zero intentions of spinning up an instance of nginx and set up basic auth on it just to test this theory lol.

400 status codes are only for bad requests, meaning that your proxy config is not forwarding the right parameters to a certain action.

[gardiol]

For future reference, you need a barebone NGINX. I started with the one proposed somewhere in LL docs (or issues in github? i don't remember) then i made it work with the following:

server {
        server_name xxxxxx.com;
        listen 443 ssl; 
         location / {
                include "your_basic_auth_setup.conf";
                proxy_pass http://127.0.0.1:8080;
                client_max_body_size               50000M;
#               proxy_set_header Host              $http_host;
#               proxy_set_header X-Real-IP         $remote_addr;
#               proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
#               proxy_set_header X-Forwarded-Proto $scheme;
                proxy_set_header   Upgrade    $http_upgrade;
                proxy_set_header   Connection "upgrade";
    }
}

i had to comment the above lines to make it work, otherwise i would always get a 400 error both in firefox and chrome.

Then, to avoid double login i went to settings in the web UI and disabled authentication. For some reason, the setting in my docker-compose.yml was ignored regarding authentication, maybe it's intended in that way i have no idea.