sh0rty 714 Posted January 4 Posted January 4 (edited) My proposal is a setting in the Emby client apps to set custom proxy headers like e.g. in Immich, Conduit or Embywatch. Currently you need to open a ton of paths like /emby/web/* or /emby/Items/* to be able to use an Emby app from the outside of LAN via Reverse Proxy with an authentication layer in front of Emby. Pangolin/Traefik Reverse Proxy is used in this example: You would set up the custom proxy header "P-Access-Token: xxx" and "P-Access-Token-Id: yyy" inside the Emby app and it can connect successfully to your Emby Server behind the Reverse Proxy with all the bells and whistles like 2FA, Passkeys etc since the Request Headers tell the Proxy: "Hey, I'm a trusted app because of your set up Headers for the resource requested but not able to use your Pangolin Login Prompt like a Browser". Edited January 4 by sh0rty 1 4
Luke 42077 Posted January 4 Posted January 4 HI, the challenge is that I assume you would need these included on every single request? On most data requests this would be simple, but it's hard to guarantee that this would be possible for things like images, audio/video playback, etc. In the web app for example it's not possible to apply custom headers to image elements. Therefore we'd have to design our own way to fetch and render images, and while this might be doable, there is no way it would perform as well as the browser's native methods.
sh0rty 714 Posted January 4 Author Posted January 4 (edited) Yes, the headers would need to be appended on every request. But somehow Immich was able to implement it and the app is mainly about images and videos, isn't it? These are the commits: https://github.com/immich-app/immich/commit/c2313f7a99ff0d311d616cd5c0af3d3a39896f0e https://github.com/immich-app/immich/commit/13d43e193e9fdb69428d8eece3c31d2cd6f2ca5f https://github.com/immich-app/immich/commit/fe554c3a5bb0139d874ccd34cc947c7628543e5b Regarding the web app, for this part custom headers are not needed imo since there you can login via Reverse proxy Web login form. This proposal is just for the mobile apps where using the Web Login form is not possible. Edited January 4 by sh0rty 1
Luke 42077 Posted January 5 Posted January 5 Right I didn’t say it was not possible but it’s definitely not optimal for images in the web app. 1
Re4mstr 5 Posted January 5 Posted January 5 (edited) I want this very much. Edited January 5 by Re4mstr
Skyobliwind 7 Posted yesterday at 05:50 PM Posted yesterday at 05:50 PM From a security perspective this would be great. Locking down emby behind a vpn is uncomfortable, opening it directly to the internet is rather risky, but Pangolin and custom proxy headers would be a nice compromise between comfort and security. 1 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now