First, thanks for your work on this great app.

I run the following stack on my server: jackett, transmission, sonarr, radarr, lidarr all on the same docker subnetwork, so they can communicate freely between them. All this services are exposed to the web via traefik, and secured behind an SSO service (authelia). Since I cannot use nzb360 with authelia, I have a special rule setup in traefik to bypass the SSO auth on jackett, sonarr, radarr and lidarr if the request came with the approriate API key. This part is working great.

For transmission, I disabled RPC auth to simplify radarr, sonarr and lidarr configuration, since they can communicate on the docker local network, and added a special route in traefik bypassing SSO auth but requiring an http basic auth, for nzb360 to be able to connect. Then, I specified my transmission url in nzb360 with the https://user:pass@transmission.domain/special-route, and it seemed to work as expected.

However, I recently setup traefik access logging and fail2ban to watch for 401 errors and ban incriminated ip addresses. And then, it started to ban my phone IP. After looking at the traefik debug log, I noticed that I systematically receive a first request from nzb360 coming without Basic Authorization header, which is rejected with a 401 error, followed immediatly by a second request actually containing the needed header for the connection to be authorized.

I tried several things to fix the issue: using the https://user:pass@transmission.domain/special-route format in the app, filling the username and password field used for RPC auth, disabling basic auth on the traefik side and enabling RPC auth in transmission, but it did not change anything regarding the request comming from the app withaut Authorization header and filling my traefik access log with 401 errors.

I attached the relevant docker-compose.yml and traefik config file.
docker-compose.yml and traefik config file
(2.82 KiB) Downloaded 6 times