For a while, I’ve wanted to set up some kind of public music player, to allow people to stream and download music I’ve recorded for free, without having to make an account.
First I tried using Bandcamp but I found the user interface on the free tier to be awkward, and it took too long to upload new releases and required re-entry of the metadata.
Then I tried using Navidrome which is a great self-hosted music server but requires a login. People can’t just sign up, either – the admin has to make them an account. I dived into the documentation and found that it’s possible to use an external auth proxy – and I wondered if it would be possible to create a fake auth proxy that just lets you in. Turns out, it is.
First you have to set up a Navidrome instance and create your usual admin user. Now use your admin user to create a second, non-admin user. I called my user
music, but it doesn’t matter because nobody will see it.
You configure Navidrome using environment variables, and there are a few you need to set. Firstly you need to tell Navidrome it should check the HTTP request headers. Secondly you need to disable all features that don’t make sense in an environment where all users are effectively signing in with the same account (so you don’t want them to change the password or set favourites that won’t make sense to other people).
# Enable auto login for the "music" user ND_REVERSEPROXYUSERHEADER: "Remote-User" ND_REVERSEPROXYWHITELIST: "0.0.0.0/0" # Disable any user-specific features ND_LASTFM_ENABLED: false ND_LISTENBRAINZ_ENABLED: false ND_ENABLEUSEREDITING: false ND_ENABLEFAVOURITES: false ND_ENABLESTARRATING: false ND_ENABLEEXTERNALSERVICES: false
The other piece of the puzzle is to do with the auth proxy. I’m hosting Navidrome in Kubernetes (using the k8s@home Navidrome Helm chart) so it makes sense to use an Ingress resource. My cluster is already running NGINX Ingress. It was simple to add a config snippet to the Ingress to statically set the
Remote-User header to the
music username created above.
--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: annotations: nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header Remote-User music; name: navidrome namespace: navidrome spec: ingressClassName: public rules: - host: music.example.com http: paths: - backend: service: name: navidrome port: number: 4533 path: / pathType: Prefix
And that’s it! Now, visiting
music.example.com automagically signs you in as the
music user without you ever seeing a login screen. The public can now browse, stream and download music freely.
The only user-specific features I couldn’t disable are playlists and themes. So anyone visiting your Navidrome instance can create, edit and delete playlists, and change the theme at will.