[Support] Organzir Organizr



42 minutes ago, Roxedus said:

I have no idea how to do that on NPM, you might have some luck with adding some headers with the advanced settings for the location. We have an article on this problem in our docs.

 

This is what you should add:


proxy_buffer_size          128k;
proxy_buffers              4 256k;
proxy_busy_buffers_size    256k;

 

ok thanks

Link to comment
  • 4 weeks later...
  • 4 weeks later...

I'm trying to set up my Unraid dashboard in Organizr V2. I only plan to use this locally with no access from the outside internet. When I try to log into either of my Unraid servers, I can never progress past the logon screen. I can see in the Unraid server logs where the authentication is successful, but the page never proceeds on to the standard Unraid dashboard. Any suggestions?

Link to comment
  • 3 months later...

Just want to thank the developers for Organizr; it's made management of services so much easier.

I would like to share a procedure for new peeps to secure their systems when using a reverse proxy, in this case NGINX Proxy Manager.

 

 

The following I think is a typical new proxy setup:

https://domain.com

Then the docker apps are setup either as subdomains https://sub.domain.com or sub-folders https://domain.com/subfolder

In both these instances the docker is exposed to the internet for hacking (we are dismissing firewalls in this example)

You can use Organizr to collaborate them together but it's still the same.

https://organizr.com might be the location to access all the apps but https://sub.domain.com or sub-folders https://domain.com/subfolder is still there providing the address is used directly.

This is where we can use Organizr API to lock down the access to the sub domains and sub-folders.

 

When I access https://sub.domain.com or sub-folders https://domain.com/subfolder I get this:

tautulli.thumb.png.62ca48328c224249db286bf01d883af2.png

 

This is because in this session I'm not logged into Organizr and so there is no authentication session to authorise me. If I did this in a browser I was logged into Organizr it would take me directly to the app but I could always go through Organizr too; thus I can do both but the public cannot.

Add this with SSO and even MFA for Organizr and we now have a secure login wall.

 

The following procedure explains how to do this for the easier NGINX app NGINX Proxy Manager (GUI based):

First you will need to have configured your NGINX PM docker, this is outside the scope of this guide so please review relevant procedures on their support forum; you will also need a configured Organizr using sub domains or sub-folders.

 

Sub-folder setup:

This setup is easier to configure and reduces complexity on domains/wildcards and SSL

 

1. In NGINX PM, edit the host relating to your Organizr which should have Organizr set on the "Details" screen and not a sub-folder; this ensures Organizr works effectively.

 

2. You have two options to configure the access:

Enter the following (with your own edit using examples below) auth_request /auth-4; into the "Advanced" tab if you want a global group block for all sub-folders.

OR

Enter the following (with your own edit using examples below) auth_request /auth-4; into the custom configuration field (cog icon) for each sub-folder you want to restrict. This method allows for granularity.

**Remember the restriction you place also applies to the user accessing the resources from within Organizr.

 

Replace the 4 with the match group level required to access the resource:

0=Admin
1=Co-Admin
2=Super User
3=Power User
4=User

Logged In Users=998
Guests=999

 

3. Create a new location which will contain the API call to Organizr for this to work:

Location: ~ /auth-(.*)

Scheme: http

Forward Hostname: 0.0.0.0/api/v2/auth?group=$1

Forward Port: 8040

 

**Replace the IP address values to your docker running Organizr and if you changed your default port also adjust that.

 

In the custom configuration field (cog icon) for that same location enter the following without edits:

 

internal;
proxy_set_header Content-Length "";

 

I have found this no longer works for newer NGINX versions breaking everything!

It seems the underlying config code has changed, which causes the 500 error.
I cannot verify what version the issue started, but if you are on version v2.9.11 you need to do this:

 

Edit the proxy host, select the far right "Advanced" tab and enter the following:

 

  location ~ /auth-(.*) {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_pass       http://0.0.0.0:8999/api/v2/auth?group=$1;
    internal;
    proxy_set_header Content-Length "";
  }

 

**Replace the IP address values to your docker running Organizr and if you changed your default port also adjust that.

 

4. [Optional] if you have your Organizr connected to dockers using API (homepage items) via the proxy (don't know why you would, instead of local IP) then you will need to exclude the API call from needing authentication. For each location pointing to a docker using API in this configuration enter the following in the custom config (cog icon):

 

Example:

 

location /tautulli/api {
        auth_request off;
        proxy_pass http://0.0.0.0:8181/tautulli/api;
}

 

**You might also have the auth_request /auth-4 text in there too which is fine. Replace the IP and port to your docker, replacing also the app names.

 

5. If you save it here you will block all users from accessing Organizr. This is because you need to be logged into Organizr to access Organizr, catch 22.

We fix this with one final location:

 

Location: /

Scheme: http

Forward Hostname / IP: 0.0.0.0

Forward Port: 8040

 

**Replace the IP address values to your docker running Organizr and if you changed your default port also adjust that.

 

In the custom configuration field (cog icon) for that same location enter the following without edits:

 

auth_request off;

 

This means when we go to https://domain.com it will automatically append a "/" to the end and the location bypasses the need to authenticate so we can login.

 

6. Setup complete :)

 

 

Sub-domain setup:

This is similar but with more repeating steps.

 

1. In NGINX PM, edit the host relating to your sub domain you want to restrict.

 

2. Enter the following (with your own edit using examples below) auth_request /auth-4; into the "Advanced" tab.
 

**Remember the restriction you place also applies to the user accessing the resources from within Organizr.

 

Replace the 4 with the match group level required to access the resource:

0=Admin
1=Co-Admin
2=Super User
3=Power User
4=User

Logged In Users=998
Guests=999

 

3. Create a new location which will contain the API call to Organizr for this to work:

Location: ~ /auth-(.*)

Scheme: http

 

Forward Hostname: 0.0.0.0/api/v2/auth?group=$1

Forward Port: 8040

 

**Replace the IP address values to your docker.

 

In the custom configuration field (cog icon) for that same location enter the following without edits:

 

proxy_pass_request_body off;

proxy_set_header Content-Length "";

 

I have found this no longer works for newer NGINX versions breaking everything!

It seems the underlying config code has changed, which causes the 500 error.
I cannot verify what version the issue started, but if you are on version v2.9.11 you need to do this:

 

Edit the proxy host, select the far right "Advanced" tab and enter the following:

 

  location ~ /auth-(.*) {
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Scheme $scheme;
    proxy_set_header X-Forwarded-Proto  $scheme;
    proxy_set_header X-Forwarded-For    $remote_addr;
    proxy_pass       http://0.0.0.0:8999/api/v2/auth?group=$1;
    internal;
    proxy_set_header Content-Length "";
  }

 

**Replace the IP address values to your docker running Organizr and if you changed your default port also adjust that.

 

4. [Optional] if you have your Organizr connected to dockers using API (homepage items) via the proxy (don't know why you would, instead of local IP) then you will need to exclude the API call from needing authentication. Click the "Advanced" settings tab and enter the following:

 

Example:

 

location /tautulli/api {
        auth_request off;
        proxy_pass http://0.0.0.0:8181/tautulli/api;
}

 

**Replace the IP and port to your docker, replacing also the app names.

 

5. Repeat steps 1-4 for each sub domain.

 

6. Setup complete :)

 

 

Additions:

For those wanting to get deluge working in a subfolder environment configure the following:

 

  1. Remove your Deluge location, it needs to be added manually.
     
  2. In the "Advanced" tab for the proxy host site add the following:

      location /deluge {
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Scheme $scheme;
        proxy_set_header X-Forwarded-Proto  $scheme;
        proxy_set_header X-Forwarded-For    $remote_addr;
        proxy_pass       http://0.0.0.0:8112/;
        proxy_set_header X-Deluge-Base "/deluge/";
        include /nginxv/proxy-control.conf;
        add_header X-Frame-Options SAMEORIGIN;
        auth_request /auth-1;
      }


    **Replace the IP address values to your docker running Deluge and if you changed your default port also adjust that. It's OK if you already have code in the box, add a few lines and add the new code.
     
  3. Download the proxy-control.conf attached to the guide and put in the main NGINX folder. You can change the location but you will need to change the include /nginxv/proxy-control.conf; to the correct location.
     
  4. Restart the NGINX container as it needs to load the additional config and Deluge will now work.
Edited by ados
Errors and adding new information
  • Like 2
Link to comment
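
An added example, not part of the post above and not code from Organizr or NGINX Proxy Manager: a small Python audit of the location layout the guide builds, reporting which locations end up behind which Organizr group and which are exempted with `auth_request off`. The config text, the 192.0.2.10 address and the function names are constructed for illustration, and the parser only handles flat (un-nested) location blocks.

```python
import re

# Organizr group levels, as listed in the guide above.
GROUPS = {0: "Admin", 1: "Co-Admin", 2: "Super User", 3: "Power User",
          4: "User", 998: "Logged In Users", 999: "Guests"}

# Constructed sample mirroring the sub-folder layout (addresses are placeholders).
SAMPLE_CONF = """
auth_request /auth-4;            # "Advanced" tab: global default
location ~ /auth-(.*) {
    internal;
    proxy_pass http://192.0.2.10:8040/api/v2/auth?group=$1;
}
location /tautulli {
    proxy_pass http://192.0.2.10:8181;
}
location /tautulli/api {
    auth_request off;
    proxy_pass http://192.0.2.10:8181/tautulli/api;
}
location /deluge {
    auth_request /auth-1;
    proxy_pass http://192.0.2.10:8112/;
}
location / {
    auth_request off;
    proxy_pass http://192.0.2.10:8040;
}
"""

LOCATION = re.compile(r"\blocation\s+([^{]+?)\s*\{([^{}]*)\}")
AUTH = re.compile(r"\bauth_request\s+(\S+?)\s*;")

def policy(value):
    """Turn an auth_request argument (or None) into a readable policy."""
    if value is None or value == "off":
        return "OPEN"
    match = re.fullmatch(r"/auth-(\d+)", value)
    if not match:
        return f"custom ({value})"
    level = int(match.group(1))
    return f"group {level} ({GROUPS.get(level, 'unknown level')})"

def audit(conf):
    """Return (location, policy) pairs; handles flat location blocks only."""
    conf = re.sub(r"#.*", "", conf)                # drop comments
    outer = AUTH.search(LOCATION.sub("", conf))    # directive outside any block
    inherited = outer.group(1) if outer else None
    report = []
    for path, body in LOCATION.findall(conf):
        if re.search(r"\binternal\s*;", body):     # the auth sub-request endpoint
            report.append((path, "internal"))
            continue
        own = AUTH.search(body)                    # a block's own setting wins
        report.append((path, policy(own.group(1) if own else inherited)))
    return report

def open_locations(conf):
    return [path for path, pol in audit(conf) if pol == "OPEN"]

if __name__ == "__main__":
    for path, pol in audit(SAMPLE_CONF):
        print(f"{path:<16} {pol}")
```

Because `location /` is a prefix match, any path without its own location block falls through to it and is served without the auth check, so the OPEN list is worth re-reading after every change to the proxy host.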
  • 2 weeks later...

@ados intro in the write-up above convinced me to try Organizr and it's now running. It looks beautiful and is so flexible. Heimdall is deleted forever and you are now on my beer supply list.
My last step resulted in a problem though and I question my understanding.

 

I run Organizer in a docker on Unraid 6.9.2. My services are reverse proxied (swag) with subdomain setup. My problem started when I started with authentication via Organizer. Worked brilliant as I wanted with different groups, level, on/off LAN access. Everything as I wanted until I came to Ombi.

Now, Ombi access works fine in browser, but not the mobile app and I guess that is because it can't authenticate through Organizer and it's here that I question my understanding when I configure nginx.

 

Following https://docs.organizr.app/books/setup-features/page/serverauth#bkmrk-swag%2Fletsencrypt-doc I have:

  • added and edited the /config/nginx/proxy-confs/organizr-auth.subfolder.conf file
  • edited all /config/nginx/proxy-confs/*.subdomain.conf files by adding this in the first location block:
    include /config/nginx/proxy-confs/organizr-auth.subfolder.conf;
    auth_request /auth-4;

    I have only added the above in the first location block even if the config file have more location blocks and it seems to work, but is this correct?

The next section (Subdomain and How to include the authorization block in a reverse proxy) in the instruction I don't understand. I thought I was using subdomains and reverse proxy, but it seems to work anyway?

 

What am I missing and is there a way to get the Ombi app to work or should I just exclude that from authentication?

Link to comment

Having problems with getting organizr to communicate with deluge docker (using binhex-delugevpn). I have followed the instructions and downloaded the egg file WebAPI-0.4.0-py3.7.egg. Renamed it WebAPI-0.4.0-py3.9.egg and installed it. I can however not tick the box for enable and getting API Error (no. 2) when testing the connection.
All the other configured arrs and media apps works great. Looks beautiful 🤘
I also can not find out how to remove the plugin to start over again 😐

Link to comment
On 5/2/2021 at 2:03 AM, tetrapod said:

@ados intro in the write-up above convinced me to try Organizr and it's now running. It looks beautiful and is so flexible. Heimdall is deleted forever and you are now on my beer supply list.
My last step resulted in a problem though and I question my understanding.

 

I run Organizer in a docker on Unraid 6.9.2. My services are reverse proxied (swag) with subdomain setup. My problem started when I started with authentication via Organizer. Worked brilliant as I wanted with different groups, level, on/off LAN access. Everything as I wanted until I came to Ombi.

Now, Ombi access works fine in browser, but not the mobile app and I guess that is because it can't authenticate through Organizer and it's here that I question my understanding when I configure nginx.

 

Following https://docs.organizr.app/books/setup-features/page/serverauth#bkmrk-swag%2Fletsencrypt-doc I have:

  • added and edited the /config/nginx/proxy-confs/organizr-auth.subfolder.conf file
  • edited all /config/nginx/proxy-confs/*.subdomain.conf files by adding this in the first location block:
    
    
    
    include /config/nginx/proxy-confs/organizr-auth.subfolder.conf;
    auth_request /auth-4;

    I have only added the above in the first location block even if the config file have more location blocks and it seems to work, but is this correct?

The next section (Subdomain and How to include the authorization block in a reverse proxy) in the instruction I don't understand. I thought I was using subdomains and reverse proxy, but it seems to work anyway?

 

What am I missing and is there a way to get the Ombi app to work or should I just exclude that from authentication?

Ha ha let me know when virtual beers are a thing.

Sorry for the delay, work has been keeping me busy.

 

Good to hear you're liking Organizr, it does incorporate all your instances into one place for easy management.

Since you're using Swag and I don't have too much knowledge on that other than it's also NGINX I might not be able to provide much direction.

The "include" shouldn't be needed, as for the "auth_request" part you can either have this specified for each sub domain or in the main function of the config file.

The reason you would divide it would be to allow greater control over which sub domains are authorisation controlled.

However, you can just specify in the sub domain "auth_request off;" to omit it from authentication.

 

As for Ombi, I didn't have that issue as I stopped using it in favor of another platform and I never liked the mobile app. All my interaction was from the web interface which I found better and can be pinned as such to the mobile home screen it more or less functions as an app.

Since the Ombi app would have its own http/s requests to the docker instance it would have its own cookies and authentication, this causes an issue as it never contains the authentication cookie for Organiser which is passed in any web browser.

I don't think there will be an easy way around this without using a firewall.

Edited by ados
Errors
Link to comment
On 5/3/2021 at 9:39 PM, tetrapod said:

Having problems with getting organizr to communicate with deluge docker (using binhex-delugevpn). I have followed the instructions and downloaded the egg file WebAPI-0.4.0-py3.7.egg. Renamed it WebAPI-0.4.0-py3.9.egg and installed it. I can however not tick the box for enable and getting API Error (no. 2) when testing the connection.
All the other configured arrs and media apps works great. Looks beautiful 🤘
I also can not find out how to remove the plugin to start over again 😐

The main issue with that application is support which has decreased over time.

You need to stay on older versions if you wish to have plugin support.

Keeping it short as this belongs over on the Deluge forum, you need to be on a 2.0.X version. 2.0.4 is a good one. 😉

Link to comment
9 minutes ago, ados said:

Ha ha let me know when virtual beers are a thing.

Sorry for the delay, work has been keeping me busy.

 

Good to hear you're liking Organizr, it does incorporate all your instances into one place for easy management.

Since you're using Swag and I don't have too much knowledge on that other than it's also NGINX I might not be able to provide much direction.

The "include" shouldn't be needed, as for the "auth_request" part you can either have this specified for each sub domain or in the main function of the config file.

The reason you would divide it would be to allow greater control over which sub domains are authorisation controlled.

However, you can just specify in the sub domain "auth_request off;" to omit it from authentication.

 

As for Ombi, I didn't have that issue as I stopped using it in favor of another platform and two I never used the mobile app. All my interaction was from the web interface which I found better and can be pinned as such to the mobile home screen it more or less functions as an app.

Since the Ombi app would have its own http/s requests to the docker instance it would have its own cookies and authentication, this causes an issue as it never contains the authentication cookie for Organiser which is passed in any web browser.

I don't think there will be an easy way around this without using a firewall.

No problem with time buddy. I'm just glad to get answers and still trying to figure out where to best ask the questions. I think my knowledge profile is an outlier in this home server arena and a lot of the time the answers I get are just over my head, or my questions are not understood at all and are ignored. But, I'm starting to understand enough to help other people - that feels good.

 

I think I need the "include". How would nginx know where to go for authentication otherwise?

 

Yeah I have included the auth_request in all the subdomain config files. Need the granularity for different authentication levels.

Link to comment
  • 2 months later...

I need help to run this behind a proxy. I'm using Swag.

I have a few other dockers running fine behind Swag but I can't seem to get this to run. 😕
I'm using Swag in combination with Cloudflare.

Could someone help me with this? (It seems like Swag does not see the config being renamed from sample to .conf)

image.png.2f5f325b81aeb306eaf211ffa3f5c909.png

 

I don't know what I'm doing wrong.

Is there someone who could help me with that matter?

Link to comment
5 hours ago, stFfn said:

 

no it says site not reachable

Docker Name: image.thumb.png.d72afc49186fef3a1a52dd5b4648843b.png

 

Organizr Config: image.png.3a3cb8a984a63f10d677cc05d04e8ad8.png

 

Cloudflare entry: image.png.1f1a3e42ff97b58a95436d420402be7d.png

 

and when I try to reach it external:

500 Internal Server Error

 

image.png.2f1c2a86ebb83ff2ec4f2870e86f5d81.png

 

 

and Internal as well:

500 Internal Server Error
image.png.2a78d510b7526927e4bb0f8d909f7b76.png

 


Edited by stFfn
Link to comment
49 minutes ago, stFfn said:

Hello? Didn't you see my other messages?

Yes, we did, but you didn't answer the question. Are you LITERALLY browsing to organizr.domain.com or are you replacing domain.com with your ACTUAL domain?

 

Also, those error pages show Nginx version 1.18. Both the SWAG and Organizr containers are running Nginx version 1.20 so you're either VERY out of date or you're running something else that is using Nginx.

Edited by tronyx
Nginx versions
Link to comment
25 minutes ago, tronyx said:

Yes, we did, but you didn't answer the question. Are you LITERALLY browsing to organizr.domain.com or are you replacing domain.com with your ACTUAL domain?

 

Also, those error pages show Nginx version 1.18. Both the SWAG and Organizr containers are running Nginx version 1.20 so you're either VERY out of date or you're running something else that is using Nginx.

Why would I use organizr.domain.com?

Of course I'm using my own domain.. where did you see that I use organizr.domain.com?

 

The Swag and Organizr dockers are up to date.

 

I don't know how anything else with nginx could interfere? Port 443 is redirected to Swag. How could anything else be taking over only this docker but not the others that I'm running?

Link to comment
