Traefik Reverse Proxy Security Headers
  • Hi Ben,

    I would just like to see if you already know the answer to this before I dig into the documentation to figure out what the issue is please.

    I use Traefik as a reverse proxy to externally access resources within my home network. This excellent guide is what I've used to set this up: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/

    All my Docker containers and non-docker apps such as SecuritySpy have security headers set up as described here: https://www.smarthomebeginner.com/traefik-2-docker-tutorial/#Security_Headers_as_Labels

    I don't really know what these do or the benefits they bring to the reverse proxy side of things, but I found that if I used them for SecuritySpy, the iOS app doesn't work, yet the web interface is fine. If I remove the security headers option, both the app and web work (it's still using https via Let's Encrypt).

    I could continue to run without the secure headers, but I wonder if the connection to SecuritySpy is less secure as a result.

    Can you see anything obvious from the above linked security headers that would prevent the iOS app from working by any chance please?

    On a related but different issue, what I would really like is the ability to hide SecuritySpy behind either OAuth or Authelia (both in the same guide). The web interface will easily manage behind them, but the app just fails because it can't handle a redirect to OAuth or Authelia. I realise this is well beyond the scope of the app though, because your own implementation of Let's Encrypt works fine for the majority of users, but I thought I'd mention it in case you have any ideas.

    Thanks,
    Paul.
  • The good news is I've narrowed it down to the following header that prevents it from working via the iOS app:

    [http.middlewares.middlewares-secure-headers.headers.customResponseHeaders]
    X-Robots-Tag = "none,noarchive,nosnippet,notranslate,noimageindex,"
    server = ""

    Specifically, 'server = ""'

    If I remove that line it works, so I consider this issue closed. :)

    I would still be interested in your thoughts about redirecting the request for OAuth or Authelia please (my last paragraph).

    Thanks.
  • Good to hear you found the solution to your first issue. I'm sorry but I'm not sure I can help with the OAuth/Authelia question - I don't think a solution exists whereby you can use our iOS app behind these mechanisms. Our iOS app requires a direct (or functionally direct) connection to your SecuritySpy server in order to function.
  • Thanks Ben, no worries with the OAuth/Authelia side of things. From what I've read, Plex needs a direct connection as well when using their clients.
  • Just in case it helps anyone coming across this post in the future, I've figured out how to enable OAuth/Authelia when accessing via the web interface but bypass that when using the iOS app!

    What I realised when looking at the reverse proxy Traefik logs was that the headers from the iOS app contained the following:

    \"User-Agent\":[\"SecuritySpyViewer/123\"],

    As a result, I can look for this specific header and send the request to a different middleware. e.g.

    rule: "Host(`example.com`) && (HeadersRegexp(`User-Agent`, `SecuritySpyViewer`))"

    A full example can be found here:
    https://pastebin.com/Bb3Kpzz4
  • Turns out recorded video playback didn't work, so to fix it I used the following line instead:

    rule: "Host(`example.com`) && (HeadersRegexp(`User-Agent`, `SecuritySpyViewer`) || HeadersRegexp(`User-Agent`, `AppleCoreMedia`))"
  • @Ben 1. Do you think it's possible to remove the SecuritySpy Mobile app requirement that the Server header have BVSS? Even if it was a checkbox somewhere. I have reverse proxied SecuritySpy through nginx, and even Cloudflare, but Cloudflare changes the Server header, and I have no way whatsoever to control that at that layer. I'd really like to get the mobile app working through a CDN.

    2. Also curious if the port bug was fixed. Re: mobile app always goes back to port 8000 or 8001 (I forget now..) no matter what is typed in. When I'm on my home network I just use 8001, but externally I have no easy solution except to pass port 8001 directly through.

    3. Last request, and sorry to change the thread a bit, but it's related to reverse proxying. Do you think you can add a subfolder option? I realize this is asking a lot, but it would be epic if SecuritySpy could serve from https://0.0.0.0:8001/cameras/ (or a folder/path of one's choosing). Most of the apps I run are all in their own subfolder on one domain, so I don't need a bunch of host names for each "thing" I run. My reverse proxy config for SecuritySpy is ugly, and its success changes with every release: https://github.com/Go-Lift-TV/organizr-nginx/blob/master/golift/securityspy.conf#L11

    @paul2000 It is not possible to use an external auth provider with the SecuritySpy mobile app. It currently only supports basic HTTP auth. Great job getting the rest of it to work out the way you did. That's good stuff!

    Thank you! <3
    -captain

    PS. Recordings are going very well. Thanks for the support recently!
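Putting the two findings from this thread together (keep the secure-headers middleware but drop the `server = ""` override, and route the iOS app by User-Agent past the forward-auth redirect it cannot follow), here is an added Traefik v2 dynamic configuration as a worked example. It is not from any post above or from the linked pastebin; the hostnames, the Authelia address and the SecuritySpy backend URL are placeholders. Traefik already prefers the longer rule when two routers match the same host, but the explicit priorities make the ordering deliberate; note that User-Agent is chosen by the client, so the app router is a routing convenience, not an access control, and SecuritySpy's own basic auth still guards it.

```yaml
# Added example (not from the thread or the linked pastebin). Placeholders:
# ss.example.com, auth.example.com, the authelia container name and the backend URL.
http:
  routers:
    securityspy-app:
      # iOS app and its media player identify themselves by User-Agent (see the
      # thread); their requests skip the Authelia redirect the app cannot handle.
      rule: "Host(`ss.example.com`) && (HeadersRegexp(`User-Agent`, `SecuritySpyViewer`) || HeadersRegexp(`User-Agent`, `AppleCoreMedia`))"
      priority: 20                  # explicit: must win over the browser router below
      entryPoints: ["https"]
      tls:
        certResolver: letsencrypt
      middlewares: ["secure-headers"]   # SecuritySpy's own basic auth still applies
      service: securityspy
    securityspy-web:
      # Everything else (browsers) goes through Authelia first.
      rule: "Host(`ss.example.com`)"
      priority: 10
      entryPoints: ["https"]
      tls:
        certResolver: letsencrypt
      middlewares: ["authelia", "secure-headers"]
      service: securityspy

  middlewares:
    authelia:
      forwardAuth:
        # rd= is where Authelia sends unauthenticated browsers to log in.
        address: "http://authelia:9091/api/verify?rd=https://auth.example.com"
        trustForwardHeader: true
        authResponseHeaders: ["Remote-User", "Remote-Groups", "Remote-Name", "Remote-Email"]
    secure-headers:
      headers:
        customResponseHeaders:
          X-Robots-Tag: "none,noarchive,nosnippet,notranslate,noimageindex"
          # Deliberately no `server: ""` here: clearing the Server header is what
          # broke the iOS app in this thread, which expects SecuritySpy's own value.

  services:
    securityspy:
      loadBalancer:
        servers:
          - url: "http://192.168.1.50:8000"   # placeholder backend
```

The two `HeadersRegexp` matchers are the ones quoted above, with the second covering recorded-video playback; add further User-Agent patterns the same way if another client of the app shows up in the Traefik access log.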
