A request is not passing Basic Auth and being blocked

Issue description:

I am using a self-hosted Navidrome instance and I access it using Cloudflare Tunnels, which act as a reverse proxy. To prevent anyone from even connecting to my instance, I’m blocking on Cloudflare any request which does not have the correct Basic Auth header.

I noticed that there is this specific request (screenshot below) which is being blocked because it doesn’t pass the Basic Auth header. The app works fine with no issues; I’m not sure which feature it may be blocking, but I couldn’t notice one.

Logs:

Upload description: d643176b-8cbc-4c21-869c-ac19ffa85de1

Additional information:

From the logs, it seems that the blocked request causes an exception to be thrown:

Error/TranscoderManager: FFProbe: No media information extracted (https://REDACTED:REDACTED@HOST_REDACTED:443/rest/stream.view?id=022c9882dd8bba1042d8d2e9220be3d4&u=REDACTED&t=REDACTED&s=REDACTED&v=1.13.0&c=Symfonium&f=json&format=raw) - {
https://REDACTED:REDACTED@HOST_REDACTED:443/rest/stream.view?id=022c9882dd8bba1042d8d2e9220be3d4&u=REDACTED&t=REDACTED&s=REDACTED&v=1.13.0&c=Symfonium&f=json&format=raw: Server returned 403 Forbidden (access denied)

}

Error/TranscoderManager: FFProbe: Failure
java.io.IOException: empty/http-403
	at l8.r.e(Unknown Source:460)
	at l8.m.t(Unknown Source:12)
	at eu.a.p(Unknown Source:5)
	at bv.i0.run(Unknown Source:109)
	at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1145)
	at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:644)
	at java.lang.Thread.run(Thread.java:1012)

 

Reproduction steps:

Media provider:

Subsonic

Screenshots:

Well, it is correct basic auth; this is as valid as the header.

Next release will support custom headers that will always be headers so you will be able to control this better.

Custom headers for every request would be awesome to have. In this way it will be possible to use Service Accounts with Client-Id and Secret-Id headers.

@9b2c8d00-84e1-41ae-8
Could you explain how you got it working please?
I have Jellyfin accessible behind a CF tunnel, with Google & Pin auth, and can access it via web browser.
I tried creating a CF Service Token, and putting those two into Symfonium media provider headers, but Symfonium still fails to connect when outside of home LAN.

When you access it from the browser, it is an interactive session and the CF’s bot controls pass. But when you try to access it from the API, it is not an interactive session and CF blocks the requests.
You have to remove some of the security checks in CF for Jellyfin. You can do that in the CF Dashboard by adding a WAF rule to skip some of the security checks.

Thx. CF WAF rules are paid functionality, unfortunately. I was hoping for settings within Zero Trust config for headers.

WAF offers 5 free rules to use.

@9b2c8d00-84e1-41ae-8 care to supply a link to instructions, or provide some steps? I’m using WAF with skip ‘All remaining custom rules’ on header name/value pairs, supplying those header name/value pairs within Symfonium, but Symfonium is still not connecting. CF WAF events are showing the skip being matched for connection attempts, but Symfonium is still offline.