Ability to pass custom headers on resource

[v1rusnl]

Since @hhftechnology 's request seems to be fullfilled now (Issue #1446), I'm asking myself how to use it specifically to authenticate the Emby for Android App on my Emby Server.

I've set up Custom Headers for my Emby Ressource in the following format and expected that I don't need to set path rules now since these Headers authenticate my Android device for the Emby ressource in Pangolin and Emby.

X-Emby-Client: Emby for Android
X-Emby-Device-Name: Oppo Find X5 Pro
X-Emby-Device-Id: ID Reported by Emby logs
X-Emby-Client-Version: 3.4.74
X-Emby-Token: ‌Token reported by Emby logs
X-Emby-Language: de

But it does not work. I don't see any loglines in Emby when I try to connect the App and it cannot reach the server. When checking the traefik logs Pangolin simply appends the Headers to the redirect URL.

Am I missing something or do I just don't understand the whole concept of this?

[v1rusnl]

OK, since 1.11.0 I see Header authentication via username:password for ressources.
Will this be expanded at any time in the future to be able to set specific headers like the ones from first post as authentication method? This would eliminate all struggle with apps that do not have a custom header setting for any specific application behind pangolin.

@oschwartz10612 @miloschwartz

[oschwartz10612]

Hi! Not 100% sure why emby would not be authenticating using the headers but it sounds like if they are present it would be related to emby. The resource headers add them to each request to the downstream target so it should work if just having those headers present would allow it to auth using the existing implementation. You could try temporarily pointing your target to the https://hub.docker.com/r/containous/whoami image and report back with the output to make sure the headers are there. Maybe there is a bug going on!

[v1rusnl]

Whoami as a test reports the headers correctly.

Hostname: 0b53580c00e3
IP: 127.0.0.1
IP: ::1
IP: 172.18.0.2
RemoteAddr: 172.18.0.1:35302
GET / HTTP/1.1
Host: [emby.mydomain.com](http://emby.mydomain.com/)
User-Agent: Mozilla/5.0 (Linux; Android 10; K) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/141.0.0.0 Mobile Safari/537.36
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8
Accept-Encoding: gzip, deflate, br, zstd
Accept-Language: de-DE,de;q=0.8
Cookie: REDACTED
Priority: u=0, i
Remote-Email: [REDACTED](mailto:REDACTED)
Remote-User: [REDACTED](mailto:REDACTED)
Sec-Ch-Ua: "Brave";v="141", "Not?A_Brand";v="8", "Chromium";v="141"
Sec-Ch-Ua-Mobile: ?1
Sec-Ch-Ua-Platform: "Android"
Sec-Fetch-Dest: document
Sec-Fetch-Mode: navigate
Sec-Fetch-Site: none
Sec-Gpc: 1
Upgrade-Insecure-Requests: 1
X-Emby-Client: Emby for Android
X-Emby-Client-Version: 3.5.12
X-Emby-Device-Id: REDACTED
X-Emby-Device-Name: OPPO Find X5 Pro
X-Emby-Language: de
X-Emby-Token: REDACTED
X-Forwarded-For: REDACTED
X-Forwarded-Host: [emby.mydomain.com](http://emby.mydomain.com/)
X-Forwarded-Port: 443
X-Forwarded-Proto: https
X-Forwarded-Server: 11e680b20e33
X-Real-Ip: REDACTED

These are the Custom Headers set up in Pangolin Dashboard Ressource Proxy Settings:

X-Emby-Client: Emby for Android
X-Emby-Device-Name: OPPO Find X5 Pro
X-Emby-Device-Id: REDACTED
X-Emby-Client-Version: 3.5.12
X-Emby-Token: REDACTED
X-Emby-Language: de

This is the traefik log for the Emby App when connecting to the Emby Server over Pangolin/Newt:

{"ClientAddr":"CLIENTPUBLICIP:38445","ClientHost":"CLIENTPUBLICIP","DownstreamContentSize":36867,"DownstreamStatus":200,"Duration":132942658,"RequestMethod":"GET","RequestPath":"/auth/resource/7594bf95-ab1c-40f0-a8f5-468413f44b6d?redirect=https%3A%2F%2Femby.mydomain.com%2Femby%2Fsystem%2Finfo%2Fpublic","RequestProtocol":"HTTP/3.0","RetryAttempts":0,"ServiceName":"next-service@file","StartUTC":"2025-10-22T17:49:31.331379247Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Content-Type":"text/html; charset=utf-8","downstream_X-Forwarded-Proto":"https","level":"info","msg":"","origin_Content-Type":"text/html; charset=utf-8","origin_X-Forwarded-Proto":"https","request_User-Agent":"Mozilla/5.0 (Linux; Android 15; CPH2305 Build/AP3A.240617.008; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/141.0.7390.97 Mobile Safari/537.36","request_X-Forwarded-Proto":"https","request_X-Real-Ip":"REDACTED","time":"2025-10-22T17:49:31Z"}

It's the only logline because with /emby/system/info/public Emby App determines the availability of the server before doing any further requests it seems. I also don't see any request reaching emby when examining the Emby logfiles of that time.

As a cross test, I checked via browser on same device:

{"ClientAddr":"REDACTED:46292","ClientHost":"REDACTED","DownstreamContentSize":10,"DownstreamStatus":200,"Duration":200220702,"RequestMethod":"GET","RequestPath":"/auth/resource/7594bf95-ab1c-40f0-a8f5-468413f44b6d?redirect=https%3A%2F%2Femby.mydomain.com%2FSystem%2FPing","RequestProtocol":"HTTP/2.0","RetryAttempts":0,"ServiceName":"next-service@file","StartUTC":"2025-10-22T17:59:06.499422212Z","TLSCipher":"TLS_AES_128_GCM_SHA256","TLSVersion":"1.3","downstream_Content-Type":"text/html; charset=utf-8","downstream_X-Forwarded-Proto":"https","level":"info","msg":"","request_Content-Type":"application/json","request_User-Agent":"okhttp/5.2.1","request_X-Forwarded-Proto":"https","request_X-Real-Ip":"REDACTED","time":"2025-10-22T17:59:06Z"}

In Browser I can proceed since there I am able to use the Pangolin SSO Auth screen, unlike inside the Emby App.

Shouldn't the Custom Headers be in the log? I had hoped that when I set up the Custom Headers, the app could bypass the SSO authentication so I can deactivate the path rules.

[JellyWatchteam]

Hi everyone,

I've implemented support for custom headers in my application.
I defined two custom headers like this:

xxxx: xxxx  
xxxx: xxxx

When I test using mitmproxy, I can clearly see that the headers are being sent correctly.
However, when I test the same request on an external service (like Pangonlin), it doesn’t authenticate me — it looks like the custom headers are ignored or not processed properly.

Even though the headers are there, the response I get is still in JSON format.

Is there something I'm missing, or a specific configuration needed to make custom headers work with external services?

Thanks in advance for your help!

[v1rusnl]

@oschwartz10612

@JellyWatchteam and me were trying to authenticate with the Embywatch app to a service behind Pangolin. The Headers were P-Access-Token-Id and P-Access-Token generated via the shareable links function. But not even that works lately. It did in the past for sure.

Possibly related? #1604