Re4mstr 5 Posted June 4, 2025 Posted June 4, 2025 Greetings. I come to you today because I am having issues connecting to my instance through the Android application. My proxy is currently Pangolin, which offers authentication before being able to access the URL. As with many other mobile applications, the use of api's requires me to whitelist certain URL-paths, as they do not support authenticating in the proxy first. This leads me to the following: What are the least amount of whitelistings needed, to be able to authenticate and use the app on mobile? You can read the Pangolin documentation on other applications here having guides: https://docs.fossorial.io/Pangolin/bypass-rules Thank you in advance.
Abobader 3464 Posted June 4, 2025 Posted June 4, 2025 Hello Re4mstr, ** This is an auto reply ** Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as it explain in this thread: Thank you. Emby Team
Luke 42077 Posted June 4, 2025 Posted June 4, 2025 Hi, I would think /emby and everything underneath as well as /embywebsocket
Re4mstr 5 Posted June 5, 2025 Author Posted June 5, 2025 9 hours ago, Luke said: Hi, I would think /emby and everything underneath as well as /embywebsocket Hi, Thanks for the answer, and I landed on this solution yesterday after some more testing. The issue I have with this, is that in the browser, if I just append /emby to my base url, I bypass the auth. I hoped there were a less "wildcard" approach. 1
sh0rty 714 Posted August 3, 2025 Posted August 3, 2025 (edited) On 6/5/2025 at 10:20 AM, Re4mstr said: Hi, Thanks for the answer, and I landed on this solution yesterday after some more testing. The issue I have with this, is that in the browser, if I just append /emby to my base url, I bypass the auth. I hoped there were a less "wildcard" approach. Late to the Party. But at least these are the ones I needed to whitelist for having everything in the app functional and having Pangolin 2FA/Passkey login in the Web Browser. Perhaps Luke can elaborate if something is not necessary. Edited August 3, 2025 by sh0rty
Luke 42077 Posted August 4, 2025 Posted August 4, 2025 Yikes, that looks like it's going to be painful. I would just whitelist /emby/*
sh0rty 714 Posted August 4, 2025 Posted August 4, 2025 (edited) 5 hours ago, Luke said: Yikes, that looks like it's going to be painful. I would just whitelist /emby/* When whitelisting /emby/*, also the web login bypasses Pangolin Login page. But it could be easier mate : Edited August 4, 2025 by sh0rty
Re4mstr 5 Posted January 4 Author Posted January 4 On 8/3/2025 at 10:20 PM, sh0rty said: Late to the Party. But at least these are the ones I needed to whitelist for having everything in the app functional and having Pangolin 2FA/Passkey login in the Web Browser. Perhaps Luke can elaborate if something is not necessary. This is great, I am now only missing the top right "user menu" button (profile pic) from the app on mobile... Thanks for this, though, guess I'll look through the API docs to figure out what more needs whitelisted to get the menu up. 1
Solution sh0rty 714 Posted January 4 Solution Posted January 4 (edited) 1 hour ago, Re4mstr said: This is great, I am now only missing the top right "user menu" button (profile pic) from the app on mobile... Thanks for this, though, guess I'll look through the API docs to figure out what more needs whitelisted to get the menu up. Meanwhile things changed on the server it seems. This is working for me now: Edited January 4 by sh0rty 1
Re4mstr 5 Posted January 4 Author Posted January 4 Appreciate it, Sh0rty. Everything works as far as I can tell. I'll make sure to submit this to the Pangolin Docs as soon as possible. Marking this as solved for now. 1 1
sh0rty 714 Posted January 4 Posted January 4 (edited) 3 hours ago, Re4mstr said: Appreciate it, Sh0rty. Everything works as far as I can tell. I'll make sure to submit this to the Pangolin Docs as soon as possible. Marking this as solved for now. This whole clingy opening paths thing would not be necessary if Emby apps would support custom proxy headers. But this dream will never come true I guess. Feel free to give the proposal an upvote: Edited January 4 by sh0rty 1
sh0rty 714 Posted January 14 Posted January 14 These are the current rulesets needed for path based auth bypass. Feel free leave a reaction in the linked thread two posts above, if you also feel the need of header auth to finally ditch the following path exclusions. 1
Babatom 6 Posted yesterday at 01:02 AM Posted yesterday at 01:02 AM @sh0rty If it opens up so many paths, does it even make sense anymore?
sh0rty 714 Posted yesterday at 10:58 AM Posted yesterday at 10:58 AM 9 hours ago, Babatom said: @sh0rty If it opens up so many paths, does it even make sense anymore? Just for the feeling that the WebUI access is protected. An attacker would need to know that he need to use the Android App. But that's it. That's why I created the Feature Request for custom headers which would make the bypass rules obsolete. 2
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now