Created
April 11, 2026 01:52
-
-
Save Hashbrown777/3e7a5ab965b5e3fdc98ad1918d20cc04 to your computer and use it in GitHub Desktop.
Basic Auth for Jellyfin
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #reverse proxy | |
| server { | |
| include inter.ssl; | |
| listen unix:/tmp/jellyfin.sock ssl; | |
| # server_name jellyfin; | |
| client_max_body_size 0; | |
| # location = Authorization { | |
| # auth_basic 'Bear Crew'; | |
| # auth_basic_user_file ../htpasswd; | |
| # | |
| # try_files null @authorized; | |
| # } | |
| # location @authorized { | |
| # return 200; | |
| # } | |
| location = / { | |
| # auth_request Proxy-Authorization; | |
| auth_basic 'Bear Crew'; | |
| auth_basic_user_file ../htpasswd; | |
| try_files null @accept; | |
| } | |
| location @accept { | |
| add_header Set-Cookie "Proxy-Authorization=\"$http_authorization\";Domain=$host;secure;HttpOnly;SameSite=Strict"; | |
| return 307 https://$http_host/web/; | |
| } | |
| location / { | |
| auth_request Proxy-Authorization; | |
| error_page 401 @deny; | |
| if ($http_cookie ~ '^\s*((?:[^;=\s]+\s*(?:=\s*(?:"[^"]*"|[^";\s](?:[^";]*[^";\s]|))\s*|);\s*)*)Proxy-Authorization\s*=\s*("[^"]*"|[^";\s](?:[^";]*[^";\s]|))((?:\s*;\s*[^;=\s]+\s*(?:=\s*(?:"[^"]*"|[^";\s](?:[^";]*[^";\s]|))\s*|))*);?\s*$') { | |
| set $cookie $1$3; | |
| } | |
| proxy_set_header Cookie $cookie; | |
| proxy_set_header X-Forwarded-Host $http_host; | |
| proxy_set_header X-Forwarded-Proto $scheme; | |
| proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; | |
| proxy_pass http://unix:/etc/jellyfin/socket; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "upgrade"; | |
| } | |
| location @deny { | |
| return 307 https://$http_host/; | |
| } | |
| location = Proxy-Authorization { | |
| # set $authorization $http_authorization; | |
| if ($http_cookie ~ '^\s*((?:[^;=\s]+\s*(?:=\s*(?:"[^"]*"|[^";\s](?:[^";]*[^";\s]|))\s*|);\s*)*)Proxy-Authorization\s*=\s*("[^"]*"|[^";\s](?:[^";]*[^";\s]|))((?:\s*;\s*[^;=\s]+\s*(?:=\s*(?:"[^"]*"|[^";\s](?:[^";]*[^";\s]|))\s*|))*);?\s*$') { | |
| set $authorization $2; | |
| } | |
| # rewrite '^.*$' 'Authorization'; | |
| # proxy_pass https://$server_addr; | |
| # | |
| # proxy_pass_request_body off; | |
| # proxy_set_header Content-Length ''; | |
| # proxy_set_header Authorization $authorization; | |
| include /etc/nginx/fastcgi_params; | |
| fastcgi_pass unix:/var/run/fcgiwrap.socket; | |
| fastcgi_param SCRIPT_FILENAME /home/lounge/test.sh; | |
| fastcgi_param authorization $authorization; | |
| #fastcgi_catch_stderr 401; | |
| fastcgi_param http_host $http_host; | |
| error_page 502 @unauthorized; | |
| } | |
| location @unauthorized { | |
| return 401; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #intranet connexions | |
| #not necessary for inter.conf to work | |
| #but for when jellyfin finally fixes its issues with disabling port hosting | |
| server { | |
| listen localhost:80; | |
| server_name jellyfin; | |
| return 307 https://$server_name$request_uri; | |
| } | |
| server { | |
| include intra.ssl; | |
| listen localhost:443 ssl; | |
| server_name jellyfin; | |
| location / { | |
| proxy_pass http://unix:/etc/jellyfin/socket; | |
| proxy_http_version 1.1; | |
| proxy_set_header Upgrade $http_upgrade; | |
| proxy_set_header Connection "upgrade"; | |
| } | |
| } |
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| #!/bin/bash | |
| #necessary for inter.conf to work | |
| #because I couldn't figure out how to get nginx to do the rewrite and internal proxy_pass for auth :( | |
| authorization=$(echo "$authorization" | sed 's/^"\|"$//g') | |
| server=$(echo "$SERVER_ADDR" | sed "s#^unix:\(.*\)\$#--unix-socket \\1 $REQUEST_SCHEME://tmp/#") | |
| response=$(curl -k -H "Authorization: $authorization" -s -o /dev/null -w "%{http_code}" $server) | |
| if [[ $response == '307' ]] | |
| then | |
| printf 'Content-type: text/plain; charset=utf-8\r\n\r\nOkay!' | |
| else | |
| echo $response >&2 | |
| fi | |
| printf '%s\n' "$SERVER_ADDR" "$http_host" >'/home/lounge/test.txt' |
Author
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
jellyfin/jellyfin-android#123 (comment)
sudo -u jellyfin -g jellyfin -D /var/lib/jellyfin \ JELLYFIN_kestrel__socket=true \ JELLYFIN_kestrel__socketPath=/etc/jellyfin/socket \ JELLYFIN_kestrel__socketPermissions=0777 \ LD_PRELOAD=/usr/lib/jellyfin/libjemalloc.so \ MALLOC_TRIM_THRESHOLD_=131072 \ COMPlus_gcServer=1 \ /usr/bin/jellyfin \ --webdir '/usr/share/jellyfin/web' \ --ffmpeg '/usr/lib/jellyfin-ffmpeg/ffmpeg' \ --datadir '/var/lib/jellyfin' \ --configdir '/etc/jellyfin' \ --logdir '/var/log/jellyfin' \ --cachedir '/var/cache/jellyfin' # --nowebclient