docs: override X-Forwarded-Host in poster-cache nginx configuration #553

Merged
cedya77 merged 1 commit into cedya77:dev from rohilshah95:fix-poster-cache-forwarded-host
Jun 24, 2026

@rohilshah95 rohilshah95 commented Jun 20, 2026

Contributor

summary

This PR fixes the optional poster-cache configuration documented in the README.md which got blocked by authentication proxies (like Authelia or Authentik) on cache misses.

When a request to poster-cache resulted in a cache MISS, Nginx forwarded the client's X-Forwarded-Host: poster-cache.yourdomain.com to the main aiometadata service. Because poster-cache is not (and should not be) in the whitelist of stremio-addon hostnames, Authelia blocked the request and returned a 302 redirect to the login page, causing the poster to fail to load in native streaming apps (like Stremio or Fusion).

By explicitly overriding X-Forwarded-Host to $proxy_host, Authelia correctly evaluates the whitelist of the destination domain (aiometadata) instead, allowing the request to bypass auth successfully.

linked issue

None

type of change

  • Bug fix (non-breaking change which fixes an issue)
  • Documentation update (no code change, only README documentation modified)

why this approach

Overriding the X-Forwarded-Host header in the Nginx proxy is the standard and most secure way to handle reverse proxy requests to a downstream service when running behind a forward authentication proxy. It aligns the forwarded host header with the target host header, ensuring correct rule matching in Authelia/Authentik without exposing administrative endpoints on the poster-cache domain (such as /stats or /purge) to public bypass rules.

testing

  • Tested by setting up the modified Nginx configuration behind Traefik + Authelia.
  • Verified that unauthenticated client requests for uncached posters now successfully return 200 OK and load the WebP/JPEG images directly instead of getting blocked with 302 redirects to the login portal.

documentation

  • Modified the Nginx configuration template directly in the README.md so that future setups include the fix out of the box.

author checklist

  • My code follows the style guidelines of this project
  • I have performed a self-review of my own code
  • I have commented my code, particularly in hard-to-understand areas
  • I have made corresponding changes to the documentation

ai usage disclosure

  • I used AI tools (Gemini) to help diagnose this header mismatch issue and write the PR description.
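
The header override described in this PR, shown as an added example (it is not the project's README template, which does not appear on this page): an nginx cache `server` block with the pass-through behaviour noted in comments next to the override. The upstream hostname `aiometadata.yourdomain.com`, the cache zone `poster_cache`, the cache path and the cache lifetimes are assumptions.

```nginx
# Added example; hostnames, zone name, paths and lifetimes are assumptions.
proxy_cache_path /var/cache/nginx/posters levels=1:2 keys_zone=poster_cache:10m
                 max_size=1g inactive=7d use_temp_path=off;

server {
    listen 80;
    server_name poster-cache.yourdomain.com;

    location / {
        proxy_cache       poster_cache;
        proxy_cache_valid 200 7d;
        # Expose HIT/MISS so the cache-miss path can be checked from a client.
        add_header        X-Cache-Status $upstream_cache_status always;

        # On a MISS the request is re-proxied to the addon domain.
        proxy_pass            https://aiometadata.yourdomain.com;
        proxy_ssl_server_name on;   # send SNI for the upstream name

        # Host header as seen by the router in front of the addon.
        proxy_set_header Host $proxy_host;

        # Before: with no override, nginx passes the inbound header through, so
        # the forward-auth proxy in front of the addon receives
        #   X-Forwarded-Host: poster-cache.yourdomain.com
        # and evaluates the rules for that hostname (302 to the login portal).
        #
        # After: report the destination host, so the addon domain's own rules
        # are evaluated and no bypass rule is needed for poster-cache itself.
        proxy_set_header X-Forwarded-Host $proxy_host;
    }
}
```

`$proxy_host` is taken from `proxy_pass`, so it includes the port when a non-default one is given there. nginx inherits `proxy_set_header` lines from an outer level only when the current block defines none of its own, so the override has to sit in the same block as any other `proxy_set_header` lines for this location.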

github-actions Bot commented Jun 20, 2026

Contributor

PR Guard

  • All automated intake checks passed.

Maintainers may still close PRs that do not match project direction or review capacity.

@cedya77 cedya77 merged commit 55b34bf into cedya77:dev Jun 24, 2026
1 of 2 checks passed
cedya77 pushed a commit that referenced this pull request Jun 24, 2026
Mirror PR #553 into the built-in cache config so cache-miss reproxies to an
Authelia/Authentik-protected addon domain match the destination host's rules
instead of the poster-cache hostname. No-op for direct image upstreams.