This repository has been archived by the owner on Mar 9, 2021. It is now read-only.

Forgot Password "try again within your home network" #12

Closed
DER31K opened this issue Apr 24, 2020 · 13 comments

@DER31K

DER31K commented Apr 24, 2020

This bug is not the fault of the jf-accounts tool, since the "bug" is actually a result of Jellyfin's feature/design, but how are others getting around Jellyfin's reluctance to reset passwords when connecting via a reverse proxy?

Have you just convinced Jellyfin that all traffic coming via your proxy is local traffic?
Is there a hidden setting somewhere in Jellyfin that enables password reset even on remote connections?

image

@hrfee
Owner

hrfee commented Apr 24, 2020

This doesn't appear for me personally, and it appears my reverse proxy (nginx) is set up correctly, as Jellyfin reports granting access from my phone's IP when testing on mobile data. What does your networking tab look like in jellyfin? Here's mine:
networking

@hrfee
Owner

hrfee commented Apr 24, 2020

Do you have anything in the LAN networks box? I think by leaving it blank, it treats all connections as local.

@DER31K
Author

DER31K commented Apr 24, 2020 via email

@hrfee
Owner

hrfee commented Jun 8, 2020

Did you ever figure this out? If so, I'd like to add it to the wiki.

@hrfee
Owner

hrfee commented Jun 8, 2020

It also just occurred to me that putting 0.0.0.0/32 in the LAN networks setting would probably make Jellyfin treat all connections as local, although I still don't understand why I don't have the same issue.

@DER31K
Author

DER31K commented Jun 8, 2020

No, sorry, I did not figure this out.
I ended up just removing the forgot password button via custom CSS.

Not a real solution... as it'd be great for remote users to still be able to reset their password; but I think the only way to get around this is to convince Jellyfin into believing that all remote connections are local, as you suggested - but doing that has some implications for other aspects of how Jellyfin operates (i.e. bandwidth limits for remote connections).

As for why you aren't seeing the same issue, it's likely in your reverse proxy setup.
If Jellyfin is seeing the local IP of your reverse proxy host, Jellyfin would assume the connection is local as opposed to the actual remote origin.

@ElevonsJKeloids

I had the same issue. I was able to get Jellyfin to consider all networks as local by setting the LAN networks to 0.0.0.0/0.

@hrfee
Owner

hrfee commented Sep 2, 2020

Ah ok, a zero for the CIDR at the end makes more sense. I'll add this to the wiki.

@hrfee hrfee closed this as completed Sep 2, 2020
@kuantek

kuantek commented Nov 29, 2020

The problem with this approach is that remote connections won't be rate limited. All connections will appear local and will bypass all remote connection limitations.

Ideally, there should be a way to allow forgot password to be accessed from remote connections.

@hrfee
Owner

hrfee commented Nov 29, 2020 via email

@kuantek

kuantek commented Nov 29, 2020

That doesn't seem to work for me. I have nginx running on the same server and passing traffic to the localhost from the localhost. I have the proxy headers set and tcpdump is showing that they are working correctly, but Jellyfin is seeing everything as coming from local.

Capture

@hrfee
Owner

hrfee commented Dec 2, 2020

@kuantek This setup seems to work for me, remote bandwidth limits and everything. It seems even if the reverse proxy IP is included in the 'known proxies' setting, access from it is treated as local unless X-Forwarded-For/X-Real-IP is set.

nginx.conf

...
    location /Users/ForgotPassword {
        proxy_pass http://<jf-ip>:8096/Users/ForgotPassword;
        proxy_set_header Host $host;
    }

    location /Users/ForgotPassword/Pin {
        proxy_pass http://<jf-ip>:8096/Users/ForgotPassword/Pin;
        proxy_set_header Host $host;
    }
...

networking settings

@kuantek

kuantek commented Dec 2, 2020

Yeah, I think my issue is that I don't have that known proxies option in the settings on my Jellyfin server. This is how I have the traffic set up now: I have the proxy SSL offloading on the localhost to keep traffic encrypted, and the X-Real-IP and X-Forwarded-For are both appearing correctly, but the traffic is still not being denied. Because I don't have an exception for the password portion, I shouldn't be able to reset passwords externally with this setup, but I can.

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_pass_header  Set-Cookie;

        proxy_set_header  Host  $host;
        proxy_set_header  X-Real-IP       $http_x_forwarded_for;
    }

This pcap was captured on localhost after ssl offloading:
image
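
Added example, not part of the thread and not Jellyfin's code: a simplified model of the local/remote decision discussed above, showing why `0.0.0.0/32` matches no real client while `0.0.0.0/0` marks every client as local. It assumes the server uses the forwarded address only when the TCP peer is a known proxy and otherwise uses the peer address; the function names and sample addresses are constructed.

```python
import ipaddress

def effective_client(peer, headers, known_proxies):
    """Address the request is attributed to in this simplified model."""
    peer_ip = ipaddress.ip_address(peer)
    forwarded = headers.get("X-Forwarded-For") or headers.get("X-Real-IP")
    if forwarded and any(peer_ip == ipaddress.ip_address(p) for p in known_proxies):
        try:
            # Assumption: trust the right-most entry, the one the proxy appended.
            return ipaddress.ip_address(forwarded.split(",")[-1].strip())
        except ValueError:
            pass  # malformed header: fall back to the TCP peer
    return peer_ip

def is_local(peer, headers, lan_networks, known_proxies=()):
    """True when the attributed client address falls in a configured LAN network."""
    client = effective_client(peer, headers, known_proxies)
    return any(client in ipaddress.ip_network(n) for n in lan_networks)

# Constructed sample values, not taken from the thread.
PROXY = "192.168.1.10"            # reverse proxy on the LAN
REMOTE = "203.0.113.7"            # remote client (documentation range)
LAN = ["192.168.1.0/24"]
FWD = {"X-Forwarded-For": REMOTE}

def scenarios():
    return {
        # Proxy sends no forwarding header: the request looks like the proxy itself.
        "no_forward_header": is_local(PROXY, {}, LAN, [PROXY]),
        # Header set and proxy is known: the remote client is seen as remote.
        "forwarded_known_proxy": is_local(PROXY, FWD, LAN, [PROXY]),
        # Header set but proxy not listed: header ignored, peer is on the LAN.
        "forwarded_unknown_proxy": is_local(PROXY, FWD, LAN, []),
        # /32 covers only the single address 0.0.0.0, so nothing real matches.
        "lan_slash_32": is_local(PROXY, FWD, ["0.0.0.0/32"], [PROXY]),
        # /0 covers every IPv4 address, so remote-only limits never apply.
        "lan_slash_0": is_local(PROXY, FWD, ["0.0.0.0/0"], [PROXY]),
    }

if __name__ == "__main__":
    for name, local in scenarios().items():
        print(f"{name:26} local={local}")
```
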
