General Information
HTTP basic access authentication allows you to secure your Invidious or Piped instance from unauthorized access. Only users with login credentials (not to be confused with the user account) are allowed to use your instance.
Configuration
To make sure Yattee works with your secured instance, first determine which of the following two cases applies to your setup:
- Your HTTP basic access authentication login credentials (username and password) are the same as your account credentials.
- Your HTTP basic access authentication login credentials (username and password) are different from your account credentials.
Yattee Configuration
- Add your instance to the locations, using the following scheme:
http(s)://username:password@domain.org
- Add your account to the location.
- If your credentials are the same, you're good to go. Otherwise, you need to configure your web server appropriately.
Web server configuration
If your account and HTTP basic access authentication credentials are different, you need to make sure that the web server excludes the authentication endpoints, e.g., api/v1/auth/ for Invidious, from HTTP basic access authentication. These endpoints are still secured because the account's credentials are required to access them.
Invidious (nginx)
server {
    listen 80;
    listen [::]:80;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name domain.org;

    access_log off;
    error_log /var/log/nginx/error.log crit;

    ssl_certificate /etc/letsencrypt/live/domain.org/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/domain.org/privkey.pem;

    # Enable basic authentication globally
    auth_basic "Restricted Content";
    auth_basic_user_file /etc/nginx/.htpasswd;

    # Exclude the /api/v1/auth/* endpoints from basic authentication
    location ~ ^/api/v1/auth/ {
        # Disable basic authentication for these endpoints
        auth_basic off;
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header Authorization $http_authorization; # Allow the API auth header to pass through
    }

    # All other locations require basic authentication
    location / {
        proxy_pass http://127.0.0.1:3000;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
    }

    if ($https = '') { return 301 https://$host$request_uri; }
}
Invidious (Apache)
<VirtualHost *:80>
    ServerName domain.org

    # Redirect all HTTP traffic to HTTPS
    RewriteEngine On
    RewriteCond %{HTTPS} off
    RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI} [L,R=301]
</VirtualHost>

<VirtualHost *:443>
    ServerName domain.org

    # SSL configuration
    SSLEngine on
    SSLCertificateFile /etc/letsencrypt/live/domain.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/domain.org/privkey.pem

    # Log configuration
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel crit
    CustomLog /dev/null combined

    # Enable basic authentication globally
    <Location />
        AuthType Basic
        AuthName "Restricted Content"
        AuthUserFile /etc/apache2/.htpasswd
        Require valid-user
    </Location>

    # Exclude the /api/v1/auth/* endpoints from basic authentication
    # (Apache 2.4 syntax only; the 2.2-era Satisfy/Allow directives depend on
    # mod_access_compat and should not be mixed with Require)
    <Location /api/v1/auth/>
        AuthType None
        Require all granted
    </Location>

    # Proxy settings
    ProxyPreserveHost On
    ProxyRequests Off
    ProxyPass / http://127.0.0.1:3000/
    ProxyPassReverse / http://127.0.0.1:3000/
    ProxyPassMatch ^/api/v1/auth/ http://127.0.0.1:3000/

    # Allow headers to pass through to backend
    SetEnvIf Authorization "(.*)" HTTP_AUTHORIZATION=$1
</VirtualHost>
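After reloading nginx or Apache, it is worth confirming that only /api/v1/auth/ is exempt and everything else still answers with a Basic challenge. The following is an added example, not part of the Yattee documentation: it probes paths without credentials and separates the proxy's Basic challenge from a rejection by the application itself. The names `OPENER`, `basic_auth_required`, `audit`, `MockProxy` and `demo`, the mock's 403 response, and the probed paths other than /api/v1/auth/ are assumptions constructed for the demonstration.

```python
import http.server
import threading
import urllib.error
import urllib.request

# Probe the server directly, ignoring any *_proxy environment variables.
OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))

def basic_auth_required(url, timeout=5):
    """True if an unauthenticated GET is answered with a Basic challenge."""
    try:
        OPENER.open(url, timeout=timeout).close()
        return False
    except urllib.error.HTTPError as err:
        scheme = err.headers.get("WWW-Authenticate", "").split(" ")[0]
        return err.code == 401 and scheme.lower() == "basic"

def audit(base_url, protected, excluded):
    """Return (path, problem) pairs; an empty list means the policy holds."""
    missing = [(p, "reachable without basic auth") for p in protected
               if not basic_auth_required(base_url + p)]
    blocked = [(p, "still behind basic auth") for p in excluded
               if basic_auth_required(base_url + p)]
    return missing + blocked

class MockProxy(http.server.BaseHTTPRequestHandler):
    """Constructed stand-in for the proxy policy shown on this page."""
    def do_GET(self):
        if self.path.startswith("/api/v1/auth/"):
            self.send_response(403)  # assumed app-level rejection, no challenge
        else:
            self.send_response(401)
            self.send_header("WWW-Authenticate", 'Basic realm="Restricted Content"')
        self.send_header("Content-Length", "0")
        self.end_headers()
    def log_message(self, *args):  # keep the demo output quiet
        pass

def demo():  # intended policy first, then the same policy inverted
    with http.server.HTTPServer(("127.0.0.1", 0), MockProxy) as server:
        threading.Thread(target=server.serve_forever, daemon=True).start()
        base = "http://127.0.0.1:%d" % server.server_port
        try:
            return (audit(base, ["/", "/api/v1/auth"], ["/api/v1/auth/"]),
                    audit(base, ["/api/v1/auth/"], ["/"]))
        finally:
            server.shutdown()

if __name__ == "__main__":
    print(demo())
```

Against a real instance, call `audit("https://domain.org", ["/"], ["/api/v1/auth/"])` and expect an empty list.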
Piped (nginx)
HTTP basic access authentication for Piped has not been implemented in Yattee — yet.
Piped (Apache)
HTTP basic access authentication for Piped has not been implemented in Yattee — yet.