Security¶
Admin mode¶
Due to this exploit Tunarr supports "admin mode". By default, admin mode is disabled. Some settings, like FFmpeg executable paths, can only be edited in the Tunarr UI when Tunarr is running in admin mode. NOTE: This shouldn't be confused with Windows "run as administrator"!
There are several ways to update sensitive settings that require admin mode.
Running in admin mode¶
Standalone script¶
Pass the --admin flag when running the script, e.g.:
or on Windows:
You can also use an environment variable:
and again on Windows (Powershell):
or Command Prompt:
Docker¶
Start Tunarr server with the admin argument
Note
chrisbenincasa/tunarr#900 tracks simplifying running commands against Tunarr within a container.
or with the environment variable
Updating sensitive values directly¶
Tunarr supports other run modes other than server. One is updating settings.json values directly. This can be done against a running Tunarr server without admin mode enabled.
./tunarr.sh settings update --settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" --settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"
This also works with Docker
docker run --rm \
...
chrisbenincasa/tunarr -- /tunarr/bundle.js \
settings update \
settings.ffmpeg.ffmpegExecutablePath="FFMEPG_PATH" \
settings.ffmpeg.ffprobeExecutablePath="FFPROBE_PATH"
Trust proxy¶
When running Tunarr behind a reverse proxy server for HTTPS support, you will need to enable "trust proxy" for the generated XMLTV and M3U files to contain the correct protocol (e.g., http or https) and host. Without "trust proxy" enabled, Tunarr will not honor the X-Forwarded-Proto and X-Forwarded-Host headers forwarded from the reverse proxy.
There are several ways to enable "trust proxy".
Standalone script¶
Pass the --trustProxy flag when running the script, e.g.:
or on Windows:
You can also use an environment variable:
and again on Windows (Powershell):
or Command Prompt:
Docker¶
Start Tunarr server with the trustProxy argument
or with the environment variable