TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

Got a program that plays well with SABnzbd? Share it here!
Post Reply
undertow
Newbie
Newbie
Posts: 12
Joined: June 16th, 2008, 8:09 am

TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

Post by undertow »

This tutorial will show you how to secure your SABnzbd+ server behind lighttpd, utilizing htpasswd authentication. The method I've chosen to use will result in all WAN access being require to authenticate, while still allowing LAN connections access without authentication.

This tutorial assumes a few things:

1. You already have lighttpd installed and working.
2. SABnzbd+ is installed on the same machine as lighttpd.
3. You're doing no virtual hosting.
4. You have basic unix skills and understanding of lighttpd configuration files.

Let's get started.

First, we'll need to ensure that the proper modules are loaded, so you'll need to edit your lighttpd.conf file:
(Note: If for some reason you don't have these modules, you'lll need to compile them)

Code: Select all

server.modules += (
            "mod_auth",
            "mod_proxy"
)
Note the order the modules are loaded in. mod_auth MUST be loaded before mod_proxy, else the connection will hang.

Next, let's add the necessary configuration:

Code: Select all

$HTTP["url"] =~ "^/sabnzbd/" {
            auth.debug = 0
            auth.backend = "htpasswd"
            auth.backend.htpasswd.userfile = "/path/to/password_file"
            auth.require = (
                        "" => (
                                    "method"         => "basic",
                                    "realm"          => "Password Protected",
                                    "require"        => "valid-user"
                        )
            )

            proxy.server = (
                        "" => ((
                                    "host"            => "127.0.0.1",
                                    "port"            => 8080
                        ))
            )
}
Now, what you've done here is setup a proxy to pass all requests for http://yoursite.com/sabnzbd/ to http://localhost:8080/sabnzbd/ once authenticated. You can now set SABnzbd+ to bind ONLY to the LAN interface (127.0.0.1) since it will be accessed directly by lighttpd rather than the WAN client. You can now access SABnzbd+ locally as before via http://localhost:8080/sabnzbd/ without need for authentication.

The final step is to create an htpasswd file, located in the path you specified in the configuration above:

Code: Select all

$ htpasswd -c password_file username
Now you can restart your lighttpd server and test your handwork!

Code: Select all

$ /etc/init.d/lighttpd restart
Good luck! If you have problems, I'll try to help the best I can -- but please, keep this topic free of questions such as, "HOW DO I INSTALL LIGHTTPD?", "WHY DOESN'T THIS WORK ON WINDOWS?", etc.
methanoid
Jr. Member
Jr. Member
Posts: 66
Joined: March 7th, 2008, 6:33 am

Re: TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

Post by methanoid »

Superb, almost just what I was looking for (Lighty and SAB) - could you do a version for that? ie Same without authorisation? Or is it just "ignore the Mod_Auth stuff" and thats it?

Anyway, great "How To".. thanks very much!
alienvenom
Newbie
Newbie
Posts: 9
Joined: December 10th, 2008, 4:02 pm

Re: TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

Post by alienvenom »

Yes, that's correct. Just leave out the auth.* stuff if you don't want authentication.

Code: Select all

            auth.debug = 0
            auth.backend = "htpasswd"
            auth.backend.htpasswd.userfile = "/path/to/password_file"
            auth.require = (
                        "" => (
                                    "method"         => "basic",
                                    "realm"          => "Password Protected",
                                    "require"        => "valid-user"
                        )
            )
Last edited by alienvenom on December 11th, 2008, 6:39 pm, edited 1 time in total.
s0rce
Newbie
Newbie
Posts: 8
Joined: June 25th, 2011, 7:51 pm

Re: TUTORIAL: Securing SABnzbd+ behind lighttpd authentication

Post by s0rce »

Sorry to bump a really old thread but I would really like to try and get this working on my server with sab 0.6.5 behind lighttpd 1.4 on Solaris. I followed the instructions and added the proxy to my config but when I connect to it I get this error:

500 Internal Server Error

The server encountered an unexpected condition which prevented it from fulfilling the request.

Traceback (most recent call last):
  File "/opt/SABnzbd-0.6.5/cherrypy/_cprequest.py", line 618, in respond
    cherrypy.response.body = self.handler()
  File "/opt/SABnzbd-0.6.5/cherrypy/_cpdispatch.py", line 25, in __call__
    return self.callable(*self.args, **self.kwargs)
  File "/opt/SABnzbd-0.6.5/sabnzbd/interface.py", line 492, in default
    return template.respond()
  File "_opt_SABnzbd_interfaces_Plush_templates_nzo_tmpl.py", line 386, in respond
NotFound: cannot find 'active_files'

Powered by CherryPy 3.2.0


It seems like something to do with the rewrite of the url is sending sab/cherrypy to look in the wrong place.

Any help would be great. Alternatively I guess I could try Apache but lighttpd seems, well, lighter.
Post Reply