bybrooklyn/tunarr
1
0
Fork 0
mirror of https://github.com/chrisbenincasa/tunarr.git synced 2026-04-18 09:03:35 -04:00
Code Issues Packages Projects Releases Wiki Activity
Files
080994213c449edd019c2661c919a01c3601031a
tunarr/docs/configure/system/security.md
Christian Benincasa 4a5c1e2666 docs: rework security docs to use correct binary paths
2025-05-10 08:08:49 -04:00

3.0 KiB
Raw Blame History

Security

Admin mode

Due to this exploit Tunarr supports "admin mode". By default, admin mode is disabled. Some settings, like FFmpeg executable paths, can only be edited in the Tunarr UI when Tunarr is running in admin mode. NOTE: This shouldn't be confused with Windows "run as administrator"!

There are several ways to update sensitive settings that require admin mode.

Running in admin mode

Standalone binary

Pass the --admin flag when running the executable, e.g.:

 ./tunarr --admin

or on Windows:

.\tunarr.exe --admin

You can also use an environment variable:

TUNARR_SERVER_ADMIN_MODE=true ./tunarr

and again on Windows (Powershell):

$Env:TUNARR_SERVER_ADMIN_MODE='true'
.\tunarr.exe

or Command Prompt:

set TUNARR_SERVER_ADMIN_MODE=true
.\tunarr.exe

Docker

Start Tunarr server with the admin argument

docker run ... chrisbenincasa/tunarr:latest -- /tunarr/tunarr --admin

!!! note

<a href="https://github.com/chrisbenincasa/tunarr/issues/900" target="_blank">chrisbenincasa/tunarr#900</a> tracks simplifying running commands against Tunarr within a container.

or with the environment variable

docker run -e 'TUNARR_SERVER_ADMIN_MODE=true' ... chrisbenincasa/tunarr

Updating sensitive values directly

Tunarr supports other run modes other than server. One is updating settings.json values directly. This can be done against a running Tunarr server without admin mode enabled.

./tunarr.sh settings update --settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" --settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"

This also works with Docker

docker run --rm \
  ...
  chrisbenincasa/tunarr -- /tunarr/tunarr \
  settings update \
  settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" \
  settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"

Trust proxy

When running Tunarr behind a reverse proxy server for HTTPS support, you will need to enable "trust proxy" for the generated XMLTV and M3U files to contain the correct protocol (e.g., http or https) and host. Without "trust proxy" enabled, Tunarr will not honor the X-Forwarded-Proto and X-Forwarded-Host headers forwarded from the reverse proxy.

There are several ways to enable "trust proxy".

Standalone script

Pass the --trustProxy flag when running the script, e.g.:

 ./tunarr --trustProxy

or on Windows:

.\tunarr.exe --trustProxy

You can also use an environment variable:

TUNARR_SERVER_TRUST_PROXY=true ./tunarr

and again on Windows (Powershell):

$Env:TUNARR_SERVER_TRUST_PROXY='true'
.\tunarr.exe

or Command Prompt:

set TUNARR_SERVER_TRUST_PROXY=true
.\tunarr.exe

Docker

Start Tunarr server with the trustProxy argument

docker run ... chrisbenincasa/tunarr:latest -- /tunarr/tunarr --trustProxy

or with the environment variable

docker run -e 'TUNARR_SERVER_TRUST_PROXY=true' ... chrisbenincasa/tunarr