• Enable Basic Auth for 6.8


    demonspork
    • Annoyance

    I am trying 6.8rc7 at the moment and I need to disable the new login form. Is this possible? I need my basic HTTP Auth back.

     

    I am using a reverse proxy with http-authorization header to sign into unraid. The reverse proxy uses an oauth2 flow to authorize me then passes the http-authorization headers with the base64 encoded user:password to unraid so I don't have to also type in those details.





    You can comment out the auth_request directive in /etc/nginx/*.conf, but that doesn't reenable basic auth. I can look at the version from 6.7 to see how basic auth was implemented.

     

    This change has broken the way I use unraid, so definitely a bug, or at the very least a feature only half implemented.

    Link to comment

    It is a change in the /etc/nginx/conf.d/emhttp-servers.conf

     

    They did write a login form (auth_request.php) but they use nginx to implement it by adding:

     

    deny all;
    auth_request /auth_request.php;

     

    Then in certain locations like /login they have an allow all; so that you don't have to be authed through the auth_request directive to access it.

     

    I don't have a copy of the nginx config from 6.7 at the moment. If someone could show me the authentication section that would be great or I can revert back to find it. Also do the nginx conf files revert on reboot or will I need to handle my modifications in the go file? Not super familiar with modifying unraid yet.

     

    My current plan is to work through setting up basic auth directly in the nginx config on unraid and just use a copy of it running on an alternate port, because nginx.conf includes /etc/nginx/conf.d/*.conf so any .conf file I put in the conf.d folder should be loaded. This way I can keep the normal login form and my reverse proxy at the same time, just running on different ports.

     

    Still rooting for a toggle in the unraid settings that turns on and off the basic auth. The ultimate solution would be for auth_request.php to handle the proxy_set_header Authorization "Basic dn7jaDczpA9yeyM9NYT="; that my reverse proxy is sending for previous versions to authorize the user. (Password has been scrambled randomly.)

     

     

    Link to comment
    1 hour ago, demonspork said:

    Also do the nginx conf files revert on reboot or will I need to handle my modifications in the go file?

    This would be required.

    Link to comment

    Ok. I implemented it fully. Here's how:

     

    I created a version of the primary nginx server statement that uses my oauth2 authentication and runs on an alternate port. It sets auth_request /validate; which has the code and redirects to auth (and replaces the http global auth_request set in the emhttp-servers.conf for requests to the alternative port).

     

    Then in my go file I added

     

    cp /boot/config/oauth-emhttp.conf /etc/nginx/conf.d/oauth-emhttp.conf
    nginx -s reload

     

    My reverse proxy points to the alternate port specified in my alternative nginx conf so I can load https://unraid.example.com and it uses oauth2 then lets me in.

    I can still load http://10.0.0.200:8080 and it takes me to the new fancy login form. This is important because part of the login flow runs in a docker container. Eventually that login flow and the entire nginx reverse proxy will move to a raspberry pi to remove the complications encountered by the inability for docker containers on br0 to talk to the host unraid server.

     

    That being said, all of this work is replaced by a single line in the reverse proxy if I can just natively enable basic auth in the unraid management page to restore the way it has behaved for years and years.

    Edited by demonspork
    • Thanks 1
    Link to comment

    This is a bad decision. There is no reason to be stopping support for basic auth; you can easily do both. I literally run form auth and, if it fails, fall back to basic auth, just like applications like sonarr, radarr, lidarr, etc. can. This breaks a lot of external access to plugin files. I imagine this might break the controlr plugin, and it also breaks my JSON API plugin. It also stops me adding my stats from the Corsair power supply plugin to my home assistant installations. If you are going to implement form authentication you really need to have a method to programmatically access unraid, such as an API key or something.

    Link to comment

    So I looked at the nginx conf for unraid 6.7
     

    deny all;
    auth_basic            "unRAID";
    auth_basic_user_file  /etc/nginx/htpasswd;


    The 6.8 config is this:

    deny all;
    auth_request /auth_request.php;

    There is no reason at all that I can think of why you can't have it fall back to BASIC auth if the php auth_request fails.

     

    I do similar to the following for services like sonarr, radarr, lidarr, ombi, etc. by using the organizr auth_request, and if organizr fails to verify I'm valid then it falls back to auth_basic for use by things like NZB360, an Android app for sonarr/radarr/lidarr/nzbget etc.

     

    auth_request /auth_request.php;   
    satisfy any;
    auth_basic "Unraid";
    auth_basic_user_file  /etc/nginx/htpasswd;   

    EDIT: Here are the dumped config, auth and login files from 6.7 / 6.8 (htpasswd is obviously just an htpasswd file)

    https://gist.github.com/Fma965/0d79beeece0a52969ec22093b9e70990

     

    I see there are mentions of a node REST API, so that looks promising, but I still think it's wrong to disable the only programmatic access to unraid before an API is implemented.

    Edited by Fma965
    Link to comment

    Upon further inspection of the code I can see there is already work-in-progress code for an API in 6.8 via a plugin called unraid.net, so this may solve my issue; it doesn't solve the OP's issue though.

     

    In the /boot/config/plugins/dynamix/dynamix.cfg file you have this:

    [remote]
    apikey="bbff6d7320a3cfa74964c58b5c5d3b0XXXXXXXXXXXXXXXXXXXXXXe2bc79518f2e4f0c4"
    wanaccess="no"
    wanport="0"

     

    Edited by Fma965
    • Like 1
    Link to comment

    Well as it's unlikely that this is going to be added any time soon @demonspork

     

    Here are some on the fly sed commands to patch the nginx conf file

     

    Create an htpasswd file in /boot/config with a valid basic authentication

    cp /boot/config/htpasswd /etc/nginx/basic
    sed -i 's%return 302 \$scheme:\/\/\$http_host\/login;%# return 302 \$scheme:\/\/\$http_host\/login;%' /etc/nginx/conf.d/emhttp-servers.conf
    sed -i '/^auth_request\ \/auth_request.php;/a auth_basic "Unraid";\nauth_basic_user_file  /etc/nginx/basic;' /etc/nginx/conf.d/emhttp-servers.conf
    nginx -s reload

    This will break the auto redirect to /login but also makes it possible to use basic auth

     

    Using the CA User Scripts Plugin


     

    Then in the /boot/config/plugins/user.scripts/scripts/Fix Basic Auth/script file

    #!/bin/bash
    while [ ! -f /var/run/nginx.pid ]
    do
      sleep 2 # or less like 0.2
    done
    cp /boot/config/htpasswd /etc/nginx/basic
    sed -i 's%return 302 \$scheme:\/\/\$http_host\/login;%# return 302 \$scheme:\/\/\$http_host\/login;%' /etc/nginx/conf.d/emhttp-servers.conf
    sed -i '/^auth_request\ \/auth_request.php;/a auth_basic "Unraid";\nauth_basic_user_file  /etc/nginx/basic;' /etc/nginx/conf.d/emhttp-servers.conf
    nginx -s reload

     

    UPDATE: I have made it work with the /boot/config/go file
     

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &
    
    # Wait for Nginx to be running before patching Basic Auth
    while [ ! -f /var/run/nginx.pid ]
    do
      sleep 2 # or less like 0.2
    done
    
    # Patch Basic Auth back in to Unraid 6.8+ (Make sure /boot/config/htpasswd exists and is valid)
    cp /boot/config/htpasswd /etc/nginx/basic
    sed -i 's%return 302 \$scheme:\/\/\$http_host\/login;%# return 302 \$scheme:\/\/\$http_host\/login;%' /etc/nginx/conf.d/emhttp-servers.conf
    sed -i '/^auth_request\ \/auth_request.php;/a auth_basic "Unraid";\nauth_basic_user_file  /etc/nginx/basic;' /etc/nginx/conf.d/emhttp-servers.conf
    nginx -s reload
    # End Nginx Basic Auth Patch

     

    Edited by Fma965
    Link to comment
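
    An idempotent variant of the patch in the post above, as an added example that is not part of the original thread: the sed "a" command appends the auth_basic lines again on every run, and the script reloads nginx without testing the edited file. The function names, the .orig backup and the constructed sample config are assumptions of this example.

```shell
#!/bin/bash
# Added example, not from the thread. Paths are parameters so the edit can be
# tried on a copy before it touches /etc/nginx.

# patch_basic_auth CONF HTPASSWD: apply the thread's two edits exactly once.
# Returns 0 when patched or already patched, 1 when HTPASSWD is missing or
# empty, 2 when CONF has no auth_request line to anchor on.
patch_basic_auth() {
  local conf="$1" htpasswd="$2"
  [ -s "$htpasswd" ] || { echo "htpasswd missing or empty: $htpasswd" >&2; return 1; }
  grep -q 'auth_basic_user_file' "$conf" && return 0
  grep -Eq '^[[:space:]]*auth_request[[:space:]]+/auth_request\.php;' "$conf" || return 2
  # Backup ends in .orig, so the conf.d/*.conf include does not load it.
  cp -p "$conf" "$conf.orig" || return 1
  awk -v f="$htpasswd" '
    /return 302 \$scheme:\/\/\$http_host\/login;/ { sub(/return 302/, "# return 302") }
    { print }
    /^[ \t]*auth_request[ \t]+\/auth_request\.php;/ {
      print "auth_basic \"Unraid\";"
      print "auth_basic_user_file " f ";"
    }' "$conf.orig" > "$conf"
}

# apply_patch: live use with the paths from the thread. Tests the edited
# config and restores the backup rather than reloading a broken file.
apply_patch() {
  local conf=/etc/nginx/conf.d/emhttp-servers.conf
  cp /boot/config/htpasswd /etc/nginx/basic || return 1
  patch_basic_auth "$conf" /etc/nginx/basic || return $?
  if nginx -t; then
    nginx -s reload
  else
    cp -p "$conf.orig" "$conf"
    return 3
  fi
}

# Constructed sample built from the lines quoted in the thread; the layout of
# the real emhttp-servers.conf is an assumption.
sample_conf() {
  printf '%s\n' 'server {' 'deny all;' 'auth_request /auth_request.php;' \
    'return 302 $scheme://$http_host/login;' '}' > "$1"
}
```

    Calling apply_patch from the go file after the wait-for-nginx.pid loop takes the place of the cp, sed and reload lines.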

    6.10-rc1 breaks the above code workaround. Are there any plans to enable basic auth or a "Bearer Token"?

     

    For now I have worked around it with this:

    #!/bin/bash
    # Start the Management Utility
    /usr/local/sbin/emhttp &
    
    # Add Un-Authenticated access to Unraid 6.10-RC1+ for SystemTemp.php and Status.php (Corsair Plugin)
    while [ ! -f /var/run/nginx.pid ]
    do
      sleep 2 # or less like 0.2
    done
    
    echo -e "# Fma965 Un-Authenticated Access\nlocation ~ /plugins\/corsairpsu\/status.php {\nallow all;\ninclude fastcgi_params;\n}\n\nlocation ~ /plugins\/dynamix.system.temp\/include\/SystemTemp.php {\nallow all;\ninclude fastcgi_params;\n}\n# End Fma965 Un-Authenticated Access\n\n$(cat /etc/nginx/conf.d/locations.conf)" > /etc/nginx/conf.d/locations.conf;
    nginx -s reload
    # End Un-Authenticated Access Patch

     

    Edited by Fma965
    Link to comment

