Wrong username or password - Nginx with path prefix #10

Open
b0nk opened this issue Mar 14, 2022 · 1 comment
b0nk commented Mar 14, 2022

Hi

Following the setup to host Euterpe server with a path prefix, I am unable to log in using the app, either manually or by scanning a QR code.

If I use a browser to access Euterpe on my server there are no issues.

Relevant info:
Hosted at a domain with this format and with HTTP authentication via nginx:
https://subdomain.domain.com/media/

config.json

{
  "listen": "localhost:9996",
  "ssl_certificate": {},
  "authentication": {
    "secret": "REDACTED"
  },
  "libraries": [
    "/home/REDACTED"
  ],
  "library_scan": {
    "initial_wait_duration": "1s",
    "files_per_operation": 1500,
    "sleep_after_operation": "15ms"
  },
  "download_artwork": false
}

nginx.conf

user REDACTED;
# pid /run/nginx.pid;
worker_processes 2;
worker_rlimit_nofile 8192;
load_module "/usr/lib/nginx/modules/ngx_http_fancyindex_module.so";

events {
        multi_accept on;
        worker_connections 1024;
}

http {
        charset utf-8;
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        server_tokens off;
        log_not_found off;
        types_hash_max_size 2048;
        client_max_body_size 16M;

        # MIME
        include mime.types;
        default_type application/octet-stream;

        # logging
        access_log logs/access.log;
        error_log logs/error.log;

        # SSL
        ssl_session_timeout 1d;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites
        ssl_dhparam /etc/nginx/dhparam.pem;

        # Mozilla Intermediate configuration
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RS>

        # OCSP Stapling
        ssl_stapling on;
        ssl_stapling_verify on;

        # load configs
        include /etc/nginx/conf.d/*.conf;

        server {
                listen *:443 ssl;

                server_name REDACTED;
                set $base /home/REDACTED;
                root $base/;

                # SSL
                ssl_certificate REDACTED;
                ssl_certificate_key REDACTED;
                ssl_prefer_server_ciphers on;

                # security headers
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-XSS-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Referrer-Policy "no-referrer-when-downgrade" always;
                add_header Content-Security-Policy "default-src 'self' http: https: data: blob: 'unsafe-inline'" always;
                add_header Strict-Transport-Security "max-age=31536000" always;

                # logging
                access_log logs/REDACTED.access.log;
                error_log logs/error.log;

                large_client_header_buffers 8 32k;

                # reverse proxy music
                location /media/ {
                        proxy_pass http://127.0.0.1:9996/;
                        proxy_redirect / /media/;
                        sub_filter 'href="/' 'href="/media/';
                        sub_filter 'src="/' 'src="/media/';
                        sub_filter 'content="/' 'content="/media/';
                        sub_filter 'case "/":' 'case "/media/":';
                        sub_filter 'case "/login/":' 'case "/media/login/":';
                        sub_filter 'case "/add_device/":' 'case "/media/add_device/":';
                        sub_filter '/v1/' '/media/v1/';
                        sub_filter '/new_qr_token/' '/media/new_qr_token/';
                        sub_filter 'serverAddress = window.location.protocol + "//" + window.location.host' 'serverAddress = window.location.protocol + "//" + window.location.host + "/media/"';
                        sub_filter_types *;
                        sub_filter_once off;
                        sub_filter_last_modified on;
                        proxy_set_header Accept-Encoding "";

                        proxy_set_header X-Real-IP $remote_addr;
                        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                        proxy_set_header X-Forwarded-Proto http;
                        proxy_set_header X-Forwarded-Port 80;
                        proxy_set_header Host $host;
                        auth_basic              "Media";
                        auth_basic_user_file    /etc/nginx/.htpasswd;
                }
        }

        # HTTPS redirect
        server {
                listen *:80;
                server_name REDACTED;
                return 301 https://REDACTED$request_uri;
        }
}

nginx access.log

X.X.X.X - - [14/Mar/2022:22:45:33 +0000] "POST /media/v1/login/token/ HTTP/1.1" 401 574 "-" "okhttp/3.12.12"

This line repeats on each attempt to log in via the app by pressing "Continue", and it always gives me the error of wrong username and password.

I'd like to show what the Android logcat outputs, but as far as I can tell nothing relevant comes up when I press the button on the app.

Anything else you might need (logs / configs) just ask.

b0nk commented Mar 15, 2022

I suspect the issue is I am being asked for a password at the nginx level and not at Euterpe.
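
A log-side check for the suspicion in the comment above, as an added example that is not part of the original thread or of the Euterpe project: in nginx's combined log format the third field is `$remote_user`, so a 401 with `-` there under an `auth_basic` location was produced by nginx before anything was proxied. It assumes the combined format and no `satisfy any` exception on the location; `classify_401` and `summarize` are hypothetical names, and only the first sample line comes from the issue.

```python
import re
from collections import Counter

# nginx "combined" log format (assumed; it matches the line quoted in the issue).
COMBINED = re.compile(
    r'(?P<addr>\S+) \S+ (?P<user>\S+) \[[^\]]+\] '
    r'"(?P<method>\S+) (?P<uri>\S+)[^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<agent>[^"]*)"'
)

def classify_401(line, protected_prefix="/media/"):
    """Name the layer that most plausibly produced a 401 under auth_basic."""
    m = COMBINED.match(line)
    if m is None:
        return "unparsed"
    if m["status"] != "401" or not m["uri"].startswith(protected_prefix):
        return "not-applicable"
    if m["user"] == "-":
        # $remote_user is empty: the request carried no Basic credentials, so
        # auth_basic answered 401 itself and nothing was proxied upstream.
        return "nginx-no-basic-credentials"
    # A Basic user name was sent: wrong password at nginx, or the 401 is
    # the upstream application's own answer.
    return "nginx-bad-password-or-upstream"

def summarize(lines):
    """Count 401 classifications per user agent."""
    counts = Counter()
    for line in lines:
        verdict = classify_401(line)
        if verdict not in ("not-applicable", "unparsed"):
            agent = COMBINED.match(line)["agent"]
            counts[(agent, verdict)] += 1
    return dict(counts)

SAMPLE = [
    # First line is the one from the issue; the others are constructed.
    'X.X.X.X - - [14/Mar/2022:22:45:33 +0000] "POST /media/v1/login/token/ HTTP/1.1" 401 574 "-" "okhttp/3.12.12"',
    'X.X.X.X - alice [14/Mar/2022:22:46:02 +0000] "GET /media/ HTTP/1.1" 200 2310 "-" "Mozilla/5.0"',
    'X.X.X.X - alice [14/Mar/2022:22:46:09 +0000] "POST /media/v1/login/token/ HTTP/1.1" 401 31 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for (agent, verdict), n in summarize(SAMPLE).items():
        print(f"{n:3d}  {agent:<16} {verdict}")
```
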
