Unraid/Authelia - Audiobookshelf bypass #809

Kerbster715 · 2022-07-06T00:52:55Z

Kerbster715
Jul 6, 2022

I self host on Unraid, but I use Authelia for extra security layer. For the browser it works without issue when i navigate to audiobookshelf.mydomain.com. I hit my Authelia login page, and then after authenticating, get redirected to the Audiobookshelf login page. " I have nNginx proxy Manager"

What I want to do is leave Audiobookshelf protected behind Authelia, but this breaks the mobile app. Is there an api that the mobile app uses (android) that I can add in the bypass rules of Authelia?

Here is the Authelia log I get when attempting to connect via the mobile app: "time="2022-07-05T19:49:01-05:00" level=info msg="Access to https://audiobooks.mydomain.com/ping (method unknown) is not authorized to user , responding with status code 401" method=GET path=/api/verify remote_ip=X.X.X.X

advplyr · 2022-07-24T21:17:13Z

advplyr
Jul 24, 2022
Maintainer

Unfortunately not, I'm not sure how to implement this.

0 replies

NorthhtroN · 2022-08-03T14:14:11Z

NorthhtroN
Aug 3, 2022

This is not something that individual apps can implement, you need to ass the appropriate bypass rule in authelia to allow the mobile apps though without challanging for auth (typically the api paths)

0 replies

Kerbster715 · 2022-08-03T14:39:34Z

Kerbster715
Aug 3, 2022
Author

@NorthhtroN How would I find the api path that the audiobookshelf mobile app uses?

0 replies

philhagger · 2022-09-05T19:52:24Z

philhagger
Sep 5, 2022

I’ve got the same setup here. Using the iOS app won’t allow me to login using the reverse link as authelia catches it and there is no user.

0 replies

Kerbster715 · 2022-09-06T03:50:43Z

Kerbster715
Sep 6, 2022
Author

I found a temporary solution. If you watch the authelia log when trying to access via the mobile app, you can figure out what to "bypass" and then create another rule to still catch the main webpage for login behind authelia. See my authelia code below. Make sure to put the bypass rule before the restrictive rule. - domain: "audiobooks.domain.com" resources: - '^/ping/*$' - '^/api/.*$' - '^/socket.io([/?].*)?$' - '/s/.*$' - '/hls/.*$' policy: bypass - domain: "audiobooks.domain.com" subject: - "group:admins" policy: two_factor

…

On Mon, Sep 5, 2022, 2:52 PM Phil ***@***.***> wrote: I’ve got the same setup here. Using the iOS app won’t allow me to login using the reverse link as authelia catches it and there is no user. — Reply to this email directly, view it on GitHub <#809 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZ532AWTDVAWS27LOSH73YLV4ZFQHANCNFSM52X5SH7A> . You are receiving this because you are subscribed to this thread.Message ID: ***@***.*** com>

4 replies

esmoyer Jun 30, 2023

I just tried this but still get "Failed to ping server" in the app and Authelia log shows "Access to https://audiobook.mydomain.com/ping (method GET) is not authroized to user , responding with status code 401" method=GET path-/api/verify remote_ip=xx.xx.xxx.xx

Any other thoughts, I have setup bypasses for other apps like Tautulli and such but can't seem to get this one to work.

This is my Authelia entry, and the only items above it are other bypasses...

# bypass api for audiobookshelf app
  - domain:
    - "audiobook.mydomain.com"
    resources:
      - "^/ping/*$"
      - "^/api/.*$"
      - "^/socket.io([/?].*)?$"
      - "/s/.*$"
      - "/hls/.*$"
    policy: bypass

Kerbster715 Jul 1, 2023
Author

bypass api for audiobookshelf app

domain:
- "audiobook.mydomain.com"
  resources:
  - "^/ping/*"
  - "^/api/.*$"
  - "^/socket.io([/?].*)?$"
  - "/s/.*$"
  - "/hls/.*$"
    policy: bypass

This is what I had when I was still using authelia. There is no "$" after /ping. You will also want to make sure that any authelia stopping rule for ABS is below this bypass rule in your code.

I have since switched to cloudflare tunneling so I don't have to open ports 443 and 80 on my firewall

esmoyer Jul 1, 2023

I appreciate it. Embarrassingly, I'm a complete idiot and discovered this morning I was not putting the edits in my PROD config file. Once I made the edits to the PROD file (rather than my backup) it works great. Thanks again!

xyourmomx Nov 8, 2023

@Kerbster715 - not to resurrect this. But how'd you get it to accept the domain on Audiobookshelf mobile app after setting up CF Tunnels? I can access from web browser fine but when trying to add the server on mobile app, after hitting submit it jsut bounces back to the domain

I do have CF Access on if that matters. But I turned it off and still had the issue.

Kerbster715 · 2022-10-11T08:37:24Z

Kerbster715
Oct 11, 2022
Author

Note: I am on android, so this may vary slightly for apple users

…

On Mon, Sep 5, 2022 at 10:50 PM Kyle Kerby ***@***.***> wrote: I found a temporary solution. If you watch the authelia log when trying to access via the mobile app, you can figure out what to "bypass" and then create another rule to still catch the main webpage for login behind authelia. See my authelia code below. Make sure to put the bypass rule before the restrictive rule. - domain: "audiobooks.domain.com" resources: - '^/ping/*$' - '^/api/.*$' - '^/socket.io([/?].*)?$' - '/s/.*$' - '/hls/.*$' policy: bypass - domain: "audiobooks.domain.com" subject: - "group:admins" policy: two_factor On Mon, Sep 5, 2022, 2:52 PM Phil ***@***.***> wrote: > I’ve got the same setup here. Using the iOS app won’t allow me to login > using the reverse link as authelia catches it and there is no user. > > — > Reply to this email directly, view it on GitHub > <#809 (comment)>, > or unsubscribe > <https://github.com/notifications/unsubscribe-auth/AZ532AWTDVAWS27LOSH73YLV4ZFQHANCNFSM52X5SH7A> > . > You are receiving this because you are subscribed to this thread.Message > ID: ***@***.*** > com> >

-- Thanks, * Kyle Kerby*

0 replies

Kerbster715 · 2023-11-08T19:21:10Z

Kerbster715
Nov 8, 2023
Author

You have to create similar bypass rules to bypass the API's through CF Tunnels. Another thing that I have found is you have to have /login open on the first initial connection, and then it can be proxied after it has been setup on the mobile app. [image: image.png]

…

On Tue, Nov 7, 2023 at 9:46 PM xyourmomx ***@***.***> wrote: @Kerbster715 <https://github.com/Kerbster715> - not to resurrect this. But how'd you get it to accept the domain on Audiobookshelf mobile app after setting up CF Tunnels? I can access from web browser fine but when trying to add the server on mobile app, after hitting submit it jsut bounces back to the domain I do have CF Access on if that matters. But I turned it off and still had the issue. — Reply to this email directly, view it on GitHub <#809 (reply in thread)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AZ532AUP4DWXVQYMBO7MBNTYDL6DHAVCNFSM52X5SH7KU5DIOJSWCZC7NNSXTOKENFZWG5LTONUW63SDN5WW2ZLOOQ5TONJQGU3TIOA> . You are receiving this because you were mentioned.Message ID: ***@***.***>

-- Thanks, * Kyle Kerby*

3 replies

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Unraid/Authelia - Audiobookshelf bypass #809

{{title}}

Replies: 7 comments 7 replies

{{title}}

{{title}}

{{editor}}'s edit

{{editor}}'s edit

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

{{title}}

Select a reply

Unraid/Authelia - Audiobookshelf bypass #809

Replies: 7 comments · 7 replies

advplyr Jul 24, 2022 Maintainer

Kerbster715 Aug 3, 2022 Author

Kerbster715 Sep 6, 2022 Author

Kerbster715 Jul 1, 2023 Author

bypass api for audiobookshelf app

Kerbster715 Oct 11, 2022 Author

Kerbster715 Nov 8, 2023 Author

Replies: 7 comments 7 replies

advplyr
Jul 24, 2022
Maintainer

Kerbster715
Aug 3, 2022
Author

Kerbster715
Sep 6, 2022
Author

Kerbster715 Jul 1, 2023
Author

Kerbster715
Oct 11, 2022
Author

Kerbster715
Nov 8, 2023
Author