Skip to content

Notifiarr Client Reverse Proxy

Danger

None of this is required or necessary. We recommend NOT exposing your Notifiarr client to the Internet at all. In other words, don't do any of this. But you can if you want to access your local Notifiarr Client from the Internet.

While you can certainly poke a hole your firewall and send the traffic directly to this app, it is recommended that you put it behind a reverse proxy if you're going to expose it. It's pretty easy.

  • You'll want to tune the upstreams and urlbase client settings for your environment.
  • If your reverse proxy IP is 192.168.3.45 then set upstreams in the Trust Profile page of the local Notifiarr Client to 192.168.3.45/32
  • The urlbase on the local Notifiarr client configuration page can be left at /, but change it if you serve this app from a subfolder like /notifiarr.

Cloudflare Users

If you use Cloudflare Firewall or ZeroTrust see the CloudFlare Proxy page to ensure Notifiarr is allowed through Cloudflare.

NGINX Subfolder Example

  • We'll assume you want to serve the client from /notifiarr and it's running on 127.0.0.1.
  • Here's a sample nginx config to do that:
# Notifiarr Client
location /notifiarr/api {
    proxy_set_header X-Forwarded-For $remote_addr;
    set $notifiarr http://127.0.0.1:5454;
    proxy_pass $notifiarr$request_uri;
    auth_request off;
}

location /notifiarr {
    # <put proxy auth directives here> Optional:
    # proxy_set_header X-WebAuth-User $auth_user;
    proxy_set_header X-Forwarded-For $remote_addr;
    set $notifiarr http://127.0.0.1:5454;
    proxy_pass $notifiarr$request_uri;
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_set_header Host $host;
}

Make sure the Nginx location path matches the URL Base Notifiarr setting. That's all there is to it.

Reverse Proxy Authentication

Info

If using Authelia or Organizr ensure they are passing the username header.

There is working a SWAG example (with authelia, organizr, ldap) at the bottom of this page.

For example in NGINX: if auth_user is the variable your authentication app is passing (and it probably isn't) then your would need:

proxy_set_header X-WebAuth-User $auth_user;

Traefik

Make sure to select the correct Remote-User header on the Trust Profile page in the client's Web UI.

NGINX Subdomain Example

  • We'll assume you're running LSIO's SWAG docker container
  • Non-SWAG users will need to update the file - including the includes as applicable
## Version 2023/02/09
## TRaSH drop in for LSIO SWAG
## Originally from https://gist.github.com/TRaSH-/037235b0440b38c8964a2cbb64179cf3
## LSIO SWAG https://github.com/linuxserver/docker-swag

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    server_name notifiarr.*;

    include /config/nginx/ssl.conf;
    include /config/nginx/proxy.conf;
    include /config/nginx/resolver.conf;

    client_max_body_size 0;

    # enable for ldap auth, fill in ldap details in ldap.conf
    #include /config/nginx/ldap.conf;

    # enable for Authelia
    #include /config/nginx/authelia-server.conf;

    set $upstream_app notifiarr;
    set $upstream_port 5454;
    set $upstream_proto http;

    location / {
        # enable the next two lines for http auth
        #auth_basic "Restricted";
        #auth_basic_user_file /config/nginx/.htpasswd;

        # enable the next two lines for organizr auth
        #include /config/nginx/orgauth.conf;
        #auth_request /organizr-auth/0;

        # enable the next two lines for ldap auth
        #auth_request /auth;
        #error_page 401 =200 /ldaplogin;

        # enable for Authelia
        #include /config/nginx/authelia-location.conf;

        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-WebAuth-User $auth_user;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

    # API path must not be protected by auth, authelia, ldap, etc.
    location ~ (/notifiarr)?/api {
        deny all; # remove this line if you really want to expose the API.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }
}

Nginx Proxy Manager

  • You will need a registered domain name with ddns services.
  • Add a subdomain thru aliases on your domain/ddns provider and point it to your external ip.
  • Add a proxy host in NPM.

Details Tab

  1. Domain names: subdomain you just created
  2. Scheme: http
  3. Forwarded Hostname/IP: Your Internal LAN IP hosting Notifiarr E.g. 192.168.1.2
  4. Forward Port : The port Notifiarr is running on, default: 5454
  5. Check Block common exploits

SSL Tab

  1. Choose a certificate ( or make a fresh one pointing to your freshly made subdomain )
  2. Check Force SSL and HTTP/2 Support
  3. Save

You will need to use Notifiarr Login/Password setup, not the webauth method with the above NPM configuration. See client Web UI for more details