None of this is required or necessary. We recommend NOT exposing your
Notifiarr client to the Internet at all. In other words, don't do any of this. But you can if you want to access your local Notifiarr Client from the internet
While you can certainly poke a hole your firewall and send the traffic directly to this app, it is recommended that you put it behind a reverse proxy if you're going to expose it. It's pretty easy.
upstreams and urlbase client settings for your environment
192.168.3.45 then set upstreams in the Profile page of the local Notifiarr Client to 192.168.3.45/32.urlbase on the local Notifiarr Client configuration page can be left at /, but change it if you serve this app from a subfolder like /notifiarr.Cloudflare Firewall / ZeroTrust users - See this wiki entry to ensure Notifiarr is allowed through Cloudflare
/notifiarr and it's running on 127.0.0.1.# Notifiarr Client
location /notifiarr/api {
deny all; # remove this line if you really want to expose the API.
proxy_set_header X-Forwarded-For $remote_addr;
set $notifiarr http://127.0.0.1:5454;
proxy_pass $notifiarr$request_uri;
auth_request off;
}
location /notifiarr {
# <put proxy auth directives here> Optional:
# proxy_set_header X-WebAuth-User $auth_user;
proxy_set_header X-Forwarded-For $remote_addr;
set $notifiarr http://127.0.0.1:5454;
proxy_pass $notifiarr$request_uri;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection $http_connection;
proxy_set_header Host $host;
}
Make sure the Nginx location path matches the URL base Notifiarr setting.
That's all there is to it.
If using Authelia or Organizr ensure they are passing the username header
There is working a SWAG example (with authelia, organizr, ldap) at the bottom of this page.
For example in NGINX: if auth_user is the variable your authentication app is passing (and it probably isn't) then your would need:
proxy_set_header X-WebAuth-User $auth_user;
webauthheader which maps Authelia's Remote-User header to Notifiarr's expected X-WebAuth-User header. You must then attach the webauthheader middleware to the Notifiarr client in Traefik./api and /plex endpoints to bypass authentication.http:
middlewares:
webauthheader:
plugin:
htransformation:
Rules:
- Name: 'Auth header rename'
Header: 'Remote-User'
Value: 'X-WebAuth-User'
Type: 'Rename'
includes as applicable## Version 2023/02/09
## TRaSH drop in for LSIO SWAG
## Originally from https://gist.github.com/TRaSH-/037235b0440b38c8964a2cbb64179cf3
## LSIO SWAG https://github.com/linuxserver/docker-swag
server {
listen 443 ssl;
listen [::]:443 ssl;
server_name notifiarr.*;
include /config/nginx/ssl.conf;
include /config/nginx/proxy.conf;
include /config/nginx/resolver.conf;
client_max_body_size 0;
# enable for ldap auth, fill in ldap details in ldap.conf
#include /config/nginx/ldap.conf;
# enable for Authelia
#include /config/nginx/authelia-server.conf;
set $upstream_app notifiarr;
set $upstream_port 5454;
set $upstream_proto http;
location / {
# enable the next two lines for http auth
#auth_basic "Restricted";
#auth_basic_user_file /config/nginx/.htpasswd;
# enable the next two lines for organizr auth
#include /config/nginx/orgauth.conf;
#auth_request /organizr-auth/0;
# enable the next two lines for ldap auth
#auth_request /auth;
#error_page 401 =200 /ldaplogin;
# enable for Authelia
#include /config/nginx/authelia-location.conf;
proxy_set_header X-Forwarded-For $remote_addr;
proxy_set_header X-WebAuth-User $auth_user;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
# API path must not be protected by auth, authelia, ldap, etc.
location ~ (/notifiarr)?/api {
deny all; # remove this line if you really want to expose the API.
proxy_set_header X-Forwarded-For $remote_addr;
proxy_pass $upstream_proto://$upstream_app:$upstream_port;
}
}
http192.168.1.25454Block common exploitsForce SSL and HTTP/2 SupportYou will need to use Notifiarr Login/Password setup, not the webauth method with the above NPM configuration. See Client UI for details