Open
Description
Hi,
I'm using Pangolin to secure my Immich installation but I'm having trouble with the rules that appear not to match as they should.
Setup information
- Pangolin v.1.8.0 on public vm with activated geoblock
- Self-hosted Immich on local server, connected to Pangolin VM via WireGuard (connection not facilitated by Gerbil/Newt as the VM itself is creating a tunnel to my local router)
- Two resources created:
- one for immich mobile app access, secured via shareable link/access tokens (this resource works fine)
- one exclusively for immich "share link" functionality to share albums and pictures with friends and have them upload pictures. No immich user login is required nor allowed. <-- this is the one that I have trouble with
- Share URLs look like `https://mydomain/share/L66jTe8ejIrl9XFcPHo0EzccmLh4H8Lggng477usD0Uie-r2g7_Wq8S8xTwD4zuBNK4`
- Using Chrome's developer tools I found all the calls Immich makes to the webserver and whitelisted them in the rules tab. Additionally, I blacklisted the `admin` and `auth` directories (see below)
- On tab "Authentication" all authentication methods are disabled

Problem description
(all attempts made using chrome incognito sessions)
- Opening a shared gallery link works fine the first time, however reloading the tab results in a 401 HTTP status with `Unauthorized` in the body.
- Any further page reloads continue to give 401 Unauthorized.
- The shared gallery link works again once I close the incognito window and open a new one. The next reload is then blocked again.
- It appears that there is some sort of statefulness between requests: if I disable the final `Always deny *` rule, refreshing the page does not result in a 401 Unauthorized!
Any ideas what this could be and how to prevent it? I'd be happy to share pangolin logs but don't know which logs would be relevant and how I would access them.
Many thanks in advance!