GET requests to /api for unauthenticated users #439
liability4400
started this conversation in
General
Replies: 2 comments
-
You should follow the fail2ban steps for Jellyseerr in docs.overseerr.dev. As in, the regex should only be looking for the sign-in attempts. If you want to block API access externally you can turn on CSRF, but do read up on it. The setting is in Settings > General.
-
Same here, but with bunkerity (software firewall). How can I stop Jellyseerr making those useless requests from users without admin rights and external users?
-
Hello everyone,
I'm just gonna start off by saying that I absolutely love this project and how complete it feels for my own media server.
I am running Jellyseerr 1.5.0 behind Nginx Proxy Manager. I have a couple of other apps publicly accessible through NPM as well. For this reason I installed fail2ban on the host, and the filter I set up is for 401, 403, 404 and 405 error codes on all of my proxy hosts. I like it this way because on Gotify, for example, an incorrect password would result in a 403 response, triggering my filter and eventually resulting in a ban. This way (I think) I have a system-wide anti-bot system for my homelab.
The problem is that Jellyseerr apparently makes requests to the /api/v1/settings/radarr and /api/v1/settings/sonarr endpoints immediately after a user logs in or when they click on a movie or show poster. This wouldn't be a problem if I were the only user with admin rights or when accessing from within my home network (as my LAN subnet is whitelisted from the filter), but when any of my other users sign in, after about 3 page loads they get banned.

NPM access logs (sanitized - 1.2.3.4 is me testing on mobile data, authenticated as a non-admin user):

My fail2ban filter regex looks like this:
While the .local jail file is this:
I'm not knowledgeable at all with web apps and web requests so I have no insight to offer on this at all unfortunately. I'm not sure why unauthenticated users make API requests to the backend but I ended up "solving" the issue by adding this code block to my NPM Jellyseerr proxy host in the Advanced tab:
This fixes the unintentional banning of normal users and, as far as I can tell, it still does not expose the API through the reverse proxy. I tried other redirect codes but those resulted in loops and ultimately breaking the app. This seems to be working so far although I am still waiting for it to break something. I would love to see any better solution to this.
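The first reply points at the docs' fail2ban guide, which keys on the application's own sign-in log; the original post filters the proxy access log on status codes alone. The script below is an added example, not code from the thread, Jellyseerr or fail2ban: it replays constructed access-log lines (written in the style of Nginx Proxy Manager's proxy-host log format, which is assumed here) through two fail2ban-style failregexes and a minimal model of fail2ban's maxretry/ignoreip logic, to show why the broad filter bans a legitimate non-admin user after three 403s on /api/v1/settings/radarr and /api/v1/settings/sonarr, while a filter keyed on rejected POSTs to the sign-in endpoints does not. The /api/v1/auth/<provider> paths and the 401/403 status of a failed sign-in are assumptions about Jellyseerr; the IPs, hostnames and timestamps are made up.

```python
"""Why a status-code-only fail2ban filter bans legitimate Jellyseerr users.

Added example (not from the original thread). It replays constructed NPM-style
access-log lines through two failregexes and a minimal maxretry/ignoreip model.
"""
import ipaddress
import re
from collections import Counter

# Constructed log lines in the style of NPM's proxy-host log format
# (assumed format; hostnames, IPs and timestamps are made up).
# 1.2.3.4   : a signed-in non-admin user whose browser hits the settings endpoints
# 203.0.113.9: repeated rejected sign-in attempts
# 10.0.0.23 : a LAN user, covered by ignoreip
SAMPLE_LOG = """\
[10/Jan/2024:10:00:01 +0000] - 200 200 - GET https jellyseerr.example.com "/" [Client 1.2.3.4] [Length 2048] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:00:02 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/radarr" [Client 1.2.3.4] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:00:02 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/sonarr" [Client 1.2.3.4] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:00:09 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/radarr" [Client 1.2.3.4] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:01:00 +0000] - 403 403 - POST https jellyseerr.example.com "/api/v1/auth/local" [Client 203.0.113.9] [Length 45] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:01:01 +0000] - 403 403 - POST https jellyseerr.example.com "/api/v1/auth/local" [Client 203.0.113.9] [Length 45] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:01:02 +0000] - 403 403 - POST https jellyseerr.example.com "/api/v1/auth/jellyfin" [Client 203.0.113.9] [Length 45] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:02:00 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/radarr" [Client 10.0.0.23] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:02:01 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/sonarr" [Client 10.0.0.23] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
[10/Jan/2024:10:02:02 +0000] - 403 403 - GET https jellyseerr.example.com "/api/v1/settings/radarr" [Client 10.0.0.23] [Length 60] [Gzip -] [Sent-to 10.0.0.5] "Mozilla/5.0" "-"
"""

# Broad filter in the spirit of the original poster's: any 401/403/404/405,
# regardless of which path produced it.
BROAD_FAILREGEX = (
    r'^\[[^\]]+\] \S+ \S+ (?:401|403|404|405) - '
    r'(?:GET|POST|PUT|PATCH|DELETE|HEAD|OPTIONS) https? \S+ "[^"]*" '
    r'\[Client <HOST>\]'
)

# Narrow filter: only rejected POSTs to the sign-in endpoints.
# The /api/v1/auth/<provider> paths and the 401/403 status of a failed
# sign-in are assumptions about Jellyseerr, not taken from the thread.
NARROW_FAILREGEX = (
    r'^\[[^\]]+\] \S+ \S+ (?:401|403) - POST https? \S+ '
    r'"/api/v1/auth/[^"]*" \[Client <HOST>\]'
)


def compile_failregex(failregex: str) -> re.Pattern:
    """fail2ban expands <HOST> to its own IP-matching group; this stand-in is
    simpler but keeps the same named group 'host'."""
    return re.compile(failregex.replace("<HOST>", r"(?P<host>[\w\-.:]+)"))


def count_matches(failregex: str, log_text: str) -> Counter:
    """Matching lines per client IP, i.e. what fail2ban would count as failures."""
    pattern = compile_failregex(failregex)
    hits = Counter()
    for line in log_text.splitlines():
        m = pattern.search(line)
        if m:
            hits[m.group("host")] += 1
    return hits


def banned_hosts(failregex: str, log_text: str, maxretry: int = 3,
                 ignoreip=("10.0.0.0/8",)) -> set:
    """IPs fail2ban would ban: at least maxretry failures and not in ignoreip.
    findtime is ignored: every line is treated as falling inside one window."""
    networks = [ipaddress.ip_network(n) for n in ignoreip]
    banned = set()
    for host, failures in count_matches(failregex, log_text).items():
        addr = ipaddress.ip_address(host)
        if any(addr in net for net in networks):
            continue  # whitelisted LAN subnet, like the poster's setup
        if failures >= maxretry:
            banned.add(host)
    return banned


if __name__ == "__main__":
    for name, rx in (("broad", BROAD_FAILREGEX), ("narrow", NARROW_FAILREGEX)):
        print(f"{name}: failures={dict(count_matches(rx, SAMPLE_LOG))} "
              f"banned={sorted(banned_hosts(rx, SAMPLE_LOG))}")
```

With the broad filter the signed-in user 1.2.3.4 reaches maxretry from the settings-endpoint 403s alone and is banned alongside 203.0.113.9; the LAN client 10.0.0.23 produces the same 403s but is saved only by ignoreip. With the narrow filter only the repeated rejected sign-ins are counted. The same narrowing applies whichever log you point fail2ban at: the filter should describe a failed authentication, not any 4xx.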