TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

[undertow]

This tutorial will show you how to secure your SABnzbd+ server behind lighttpd, utilizing htpasswd authentication. The method I've chosen to use will result in all WAN access being require to authenticate, while still allowing LAN connections access without authentication.

This tutorial assumes a few things:

1. You already have lighttpd installed and working.
2. SABnzbd+ is installed on the same machine as lighttpd.
3. You're doing no virtual hosting.
4. You have basic unix skills and understanding of lighttpd configuration files.

Let's get started.

First, we'll need to ensure that the proper modules are loaded, so you'll need to edit your lighttpd.conf file:
(Note: If for some reason you don't have these modules, you'lll need to compile them)

Code: Select all

server.modules += (
            "mod_auth",
            "mod_proxy"
)

Note the order the modules are loaded in. mod_auth MUST be loaded before mod_proxy, else the connection will hang.

Next, let's add the necessary configuration:

Code: Select all

$HTTP["url"] =~ "^/sabnzbd/" {
            auth.debug = 0
            auth.backend = "htpasswd"
            auth.backend.htpasswd.userfile = "/path/to/password_file"
            auth.require = (
                        "" => (
                                    "method"         => "basic",
                                    "realm"          => "Password Protected",
                                    "require"        => "valid-user"
                        )
            )

            proxy.server = (
                        "" => ((
                                    "host"            => "127.0.0.1",
                                    "port"            => 8080
                        ))
            )
}

Now, what you've done here is setup a proxy to pass all requests for http://yoursite.com/sabnzbd/ to http://localhost:8080/sabnzbd/ once authenticated. You can now set SABnzbd+ to bind ONLY to the LAN interface (127.0.0.1) since it will be accessed directly by lighttpd rather than the WAN client. You can now access SABnzbd+ locally as before via http://localhost:8080/sabnzbd/ without need for authentication.

The final step is to create an htpasswd file, located in the path you specified in the configuration above:

Code: Select all

$ htpasswd -c password_file username

Now you can restart your lighttpd server and test your handwork!

Code: Select all

$ /etc/init.d/lighttpd restart

Good luck! If you have problems, I'll try to help the best I can -- but please, keep this topic free of questions such as, "HOW DO I INSTALL LIGHTTPD?", "WHY DOESN'T THIS WORK ON WINDOWS?", etc.

[methanoid]

Superb, almost just what I was looking for (Lighty and SAB) - could you do a version for that? ie Same without authorisation? Or is it just "ignore the Mod_Auth stuff" and thats it?

Anyway, great "How To".. thanks very much!

[alienvenom]

Yes, that's correct. Just leave out the auth.* stuff if you don't want authentication.

Code: Select all

            auth.debug = 0
            auth.backend = "htpasswd"
            auth.backend.htpasswd.userfile = "/path/to/password_file"
            auth.require = (
                        "" => (
                                    "method"         => "basic",
                                    "realm"          => "Password Protected",
                                    "require"        => "valid-user"
                        )
            )

[s0rce]

Sorry to bump a really old thread but I would really like to try and get this working on my server with sab 0.6.5 behind lighttpd 1.4 on Solaris. I followed the instructions and added the proxy to my config but when I connect to it I get this error:

500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

Traceback (most recent call last):
  File "/opt/SABnzbd-0.6.5/cherrypy/_cprequest.py", line 618, in respond
    cherrypy.response.body = self.handler()
  File "/opt/SABnzbd-0.6.5/cherrypy/_cpdispatch.py", line 25, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/SABnzbd-0.6.5/sabnzbd/interface.py", line 492, in default
    return template.respond()
  File "_opt_SABnzbd_interfaces_Plush_templates_nzo_tmpl.py", line 386, in respond
NotFound: cannot find 'active_files'

Powered by CherryPy 3.2.0


It seems like something to do with the rewrite of the url is sending sab/cherrypy to look in the wrong place.

Any help would be great. Alternatively I guess I could try Apache but lighttpd seems, well, lighter.