Strange 401 and 404 errors

[gardiol]

Describe the bug

Selfhosted, protected behind reverse-proxy (nginx).

Here is nginx setup:

server {
        server_name podcast.mydomain.org;
        listen 443 ssl;
        listen 80;
        auth_pam "MyAuth";
        auth_pam_service_name "nginx";
        access_log /var/log/nginx/podcast.mydomain.org_access_log main;
        error_log /var/log/nginx/podcast.mydomain.org_error_log info;
        location / {
                proxy_pass http://127.0.0.1:8000;
                proxy_set_header Connection $http_connection;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Host $host;
                proxy_set_header X-WEBAUTH-USER $remote_user;
                proxy_set_header Authorization "";
        }
        include org.mydomain/certbot.conf;
}

I am on bare metal and start the service as user podfetch with the following script:

#!/bin/bash
export SERVER_URL=https://podcast.mydomain.org/
export DATABASE_URL=sqlite:///data/daemons/podfetch/db/podcast.db
export REVERSE_PROXY=true
export REVERSE_PROXY_HEADER=X-WEBAUTH-USER
export REVERSE_PROXY_AUTO_SIGN_UP=true
export TELEGRAM_BOT_TOKEN= - omissis - 
export TELEGRAM_BOT_CHAT_ID= - omissis -
export TELEGRAM_API_ENABLED=true
export GPODDER_INTEGRATION_ENABLED=true
cd /data/daemons/podfetch/
./podfetch_amd64 &> /data/daemons/podfetch/podfetch.log

(the log file is basically empty, nothing of significance)

The web GUI seems to work fine, but i noticed that some images where missing so i did some analysis with firefox console and found out that the following URLs gives 401 errors:

https://podcast.mydomain.org/ui/assets/Homepage-H4t7scZk.js 
https://podcast.mydomain.org/ui/assets/EpisodeCard-PTpUujvz.js
https://podcast.mydomain.org/ui/assets/PlayHandler-bLilh9sX.js
https://podcast.mydomain.org/ui/assets/PodcastEpisodeAlreadyPlayed-_EHwxj9w.js

The response seems pretty similar for them all:

HTTP/1.1 401 Unauthorized
Server: nginx/1.25.3
Date: Tue, 13 Feb 2024 10:55:39 GMT
Content-Type: text/html
Content-Length: 179
Connection: keep-alive
WWW-Authenticate: Basic realm="MyAuth"

Also i have the following 404 errors:

https://podcast.mydomain.org/podcasts/%27Chiedilo%20a%20Barbero%20-%20Intesa%20Sanpaolo%20On%20Air%27/%27Episodio%2038%20-%20%20Il%20contado%27/image.jpg
https://podcast.mydomain.org/podcasts/%27Alessandro%20Barbero%20Podcast%20-%20La%20Storia%27/%27L%27identita%20Etnica%20-%20Alessandro%20Barbero%20%28Trento%2C%202009%29%27/image.png
https://podcast.mydomain.org/podcasts/%27Il%20Mondo%27/%27Ci%20sono%20troppi%20casi%20di%20morbillo.%20Un%20biglietto%20per%20entrare%20a%20Venezia%2C%20come%20in%20un%20museo.%27/image.jpg

The response seems pretty similar for them all:

HTTP/1.1 404 Not Found
Server: nginx/1.25.3
Date: Tue, 13 Feb 2024 10:55:41 GMT
Content-Length: 0
Connection: keep-alive

In the NGINX error log i have nothing, while in the access logs i see the same errors:

127.0.0.1 - - [13/Feb/2024:11:55:39 +0100] "GET /ui/assets/Homepage-H4t7scZk.js HTTP/1.1" 401 375 "https://podcast.mydomain.org/ui/home/view" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "-"

127.0.0.1 - myuser [13/Feb/2024:11:55:41 +0100] "GET /podcasts/%27Geopop%20-%20Le%20Scienze%20nella%20vita%20di%20tutti%20i%20giorni%27/%2785%20-%20La%20sostanza%20piu%20amara%20del%20mondo%20e%20il%20Bitrex%20ed%20e%20contenuta%20nell%27alcol%20denaturato%27/image.png HTTP/1.1" 404 128 "https://podcast.mydomain.org/ui/home/view" "Mozilla/5.0 (X11; Linux x86_64; rv:102.0) Gecko/20100101 Firefox/102.0" "-"

In general i double checked my folders permissions and they seems correct (o+r for files or o+rx for folders) all the way to the assets folder.

Any hint on what is going on would be appreciated!

Reproduction

Anytime i access my server

System Info

Gentoo Linux with NGINX reverse proxy, everything exported on the internet with Let's Encrypt certificates over HTTPS. I am using reverse proxy authentication.

Used Package Manager

n/a

Validations

• Follow our Code of Conduct
• Read the Contributing Guide.
• Check that there isn't already an issue that reports the same bug to avoid creating a duplicate.
• Check that this is a concrete bug. For Q&A, please open a GitHub Discussion instead.
• The provided reproduction is a minimal reproducible of the bug.

[gardiol]

Hi, anything on this?

[SamTV12345]

I'll check this now.

[SamTV12345]

For the 404 part. There must be something wrong in your nginx setup. There is nothing that checks for the ui route which is used to serve the static html pages.

[SamTV12345]

I found an issue where a 403 is returned. That is fixed. 401 seems strange. I added some more logging if you want to check that.

[gardiol]

I don't see any new releases on GitHub, should i wait more or the fix for the 403 is somewhere else? i would also try the new logging for the 401 issues

[gardiol]

I am noticing that all podcasts names and episodes names on disk are "wrapped" into additional "'" characters. For example the podcast "My Podcast" episode "The First Episode" is instead called, on disk:
/my/podcast/storage/path/'My Podcast'/'The First Episode'/
with all the added "'" around them, which is wrong as that messes up the actual folder and filenames. It is also totally un-necessary and make thing more difficult to manage at least via shell on Linux. That looks more like a unwanted typo.

Anyway i solved my 404 errors, not a nginx misconfiguration but my "podcasts" symlink got deleted during last update and reverted to an empty folder. Now fixed. I still get the 401 errors....

for my future reference: double check your podcasts folder still exist and it's correctly linked after an update! :)

[SamTV12345]

I am noticing that all podcasts names and episodes names on disk are "wrapped" into additional "'" characters. For example the podcast "My Podcast" episode "The First Episode" is instead called, on disk: /my/podcast/storage/path/'My Podcast'/'The First Episode'/ with all the added "'" around them, which is wrong as that messes up the actual folder and filenames. It is also totally un-necessary and make thing more difficult to manage at least via shell on Linux. That looks more like a unwanted typo.

Anyway i solved my 404 errors, not a nginx misconfiguration but my "podcasts" symlink got deleted during last update and reverted to an empty folder. Now fixed. I still get the 401 errors....

for my future reference: double check your podcasts folder still exist and it's correctly linked after an update! :)

That is normal. It prevents globbing. Otherwise you can create malicious podcasts like ../../../etc/passwd and then override paths. The ' around the path segments prevents that.

[gardiol]

Never encountered any apps doing it that way. Also it breaks shell scripts, for example when trying to apply ffmpeg-normalize to episodes and such.

I think it should be done by filtering input and rebasing relative paths to absolute ones and so on, instead of like this.

It's just my two cents, but really feel weird.