Accessing mealie with Android Firefox leads to 401 on nearly all pages and therefore to an ip ban (fail2ban) #4173

Open
5 of 6 tasks
cyberiuz opened this issue Sep 7, 2024 · 5 comments
Labels
bug: confirmed bug Something isn't working

cyberiuz commented Sep 7, 2024

First Check

  • This is not a feature request.
  • I added a very descriptive title to this issue (title field is above this).
  • I used the GitHub search to find a similar issue and didn't find it.
  • I searched the Mealie documentation, with the integrated search.
  • I already read the docs and didn't find an answer.
  • This issue can be replicated on the demo site (https://demo.mealie.io/).

What is the issue you are experiencing?

I have set up mealie with docker on my webserver.
I use nginx-reverse-proxy with SWAG. It includes fail2ban.
fail2ban has an nginx-unauthorized.conf jail. It is defined by this:

# A fail2ban filter for unauthorized log messages
[Definition]
failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$

This means it looks for 401. The 401 error is an HTTP status code indicating the request sent to the website's server lacks valid authentication credentials.

When I access mealie with Android Firefox (without being logged into mealie), I can browse it without problems. I can access recipes, see images.

But the nginx/access.log file shows that nearly every page access returns a 401 error code:

<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /sw.js HTTP/2.0" 304 0 "-" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/app/about HTTP/2.0" 200 226 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/organizers/home/categories?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/2.0" 200 943 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/recipes/home?page=1&perPage=64&orderBy=created_at&orderDirection=desc&paginationSeed=1725745689610&searchSeed=1725745689610&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/2.0" 200 7062 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/organizers/home/tags?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/2.0" 200 88 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/cookbooks/home?page=1&perPage=-1&orderBy=position&orderDirection=asc HTTP/2.0" 200 88 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/organizers/home/tools?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/2.0" 200 372 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:07 +0200] "GET /api/explore/foods/home?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/2.0" 200 12905 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:09 +0200] "GET /api/users/self/ratings HTTP/2.0" 401 43 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:09 +0200] "GET /api/explore/recipes/home?page=3&perPage=32&orderBy=created_at&orderDirection=desc&paginationSeed=1725745689610&searchSeed=1725745689610&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/2.0" 200 4012 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:17 +0200] "GET /api/explore/recipes/home/apfelkuchen-mit-vanillepudding HTTP/2.0" 200 3798 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-vanillepudding" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:18 +0200] "GET /api/users/self/ratings HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-vanillepudding" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:18 +0200] "GET /api/groups/self HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-vanillepudding" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:18 +0200] "GET /api/groups/recipe-actions?page=1&perPage=-1&orderBy=title&orderDirection=asc HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-vanillepudding" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:22 +0200] "GET /api/explore/organizers/home/tags?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/2.0" 200 88 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:22 +0200] "GET /api/explore/recipes/home?page=1&perPage=64&orderBy=created_at&orderDirection=desc&paginationSeed=1725745705006&searchSeed=1725745705006&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/2.0" 200 7062 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:23 +0200] "GET /api/users/self/ratings HTTP/2.0" 401 43 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:23 +0200] "GET /api/explore/recipes/home?page=3&perPage=32&orderBy=created_at&orderDirection=desc&paginationSeed=1725745705006&searchSeed=1725745705006&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/2.0" 200 4013 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:24 +0200] "GET /api/media/recipes/55aa3037-da50-4c64-b2f6-9d5538bfdf1d/images/min-original.webp?rnd=1&version=46 HTTP/2.0" 499 0 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:24 +0200] "GET /api/media/recipes/2c866582-4982-4804-b51f-efda38150b88/images/min-original.webp?rnd=1&version= HTTP/2.0" 499 0 "https://<my-subdomain>/g/home" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:27 +0200] "GET /api/explore/recipes/home/apfelkuchen-mit-streuseln HTTP/2.0" 200 2885 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-streuseln" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:27 +0200] "GET /api/groups/self HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-streuseln" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:27 +0200] "GET /api/users/self/ratings HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-streuseln" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
<my-ip> - - [07/Sep/2024:23:48:27 +0200] "GET /api/groups/recipe-actions?page=1&perPage=-1&orderBy=title&orderDirection=asc HTTP/2.0" 401 43 "https://<my-subdomain>/g/home/r/apfelkuchen-mit-streuseln" "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"

This log contains ten 401 error codes. After those ten 401 errors my IP gets banned by fail2ban.

This is the log that mealie produces:

INFO     2024-09-07T23:48:07 - [<my-ip>] 304 Not Modified "GET /sw.js HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/app/about HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/organizers/home/categories?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/recipes/home?page=1&perPage=64&orderBy=created_at&orderDirection=desc&paginationSeed=1725745689610&searchSeed=1725745689610&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/organizers/home/tags?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/cookbooks/home?page=1&perPage=-1&orderBy=position&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/organizers/home/tools?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:07 - [<my-ip>] 200 OK "GET /api/explore/foods/home?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:09 - [<my-ip>] 401 Unauthorized "GET /api/users/self/ratings HTTP/1.1"
INFO     2024-09-07T23:48:09 - [<my-ip>] 200 OK "GET /api/explore/recipes/home?page=3&perPage=32&orderBy=created_at&orderDirection=desc&paginationSeed=1725745689610&searchSeed=1725745689610&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/1.1"
INFO     2024-09-07T23:48:11 - [127.0.0.1:33208] 200 OK "GET /api/app/about HTTP/1.1"
INFO     2024-09-07T23:48:17 - [<my-ip>] 200 OK "GET /api/explore/recipes/home/apfelkuchen-mit-vanillepudding HTTP/1.1"
INFO     2024-09-07T23:48:18 - [<my-ip>] 401 Unauthorized "GET /api/users/self/ratings HTTP/1.1"
INFO     2024-09-07T23:48:18 - [<my-ip>] 401 Unauthorized "GET /api/groups/self HTTP/1.1"
INFO     2024-09-07T23:48:18 - [<my-ip>] 401 Unauthorized "GET /api/groups/recipe-actions?page=1&perPage=-1&orderBy=title&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:22 - [<my-ip>] 200 OK "GET /api/explore/organizers/home/tags?page=1&perPage=-1&orderBy=name&orderDirection=asc HTTP/1.1"
INFO     2024-09-07T23:48:22 - [<my-ip>] 200 OK "GET /api/explore/recipes/home?page=1&perPage=64&orderBy=created_at&orderDirection=desc&paginationSeed=1725745705006&searchSeed=1725745705006&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/1.1"
INFO     2024-09-07T23:48:23 - [<my-ip>] 401 Unauthorized "GET /api/users/self/ratings HTTP/1.1"
INFO     2024-09-07T23:48:23 - [<my-ip>] 200 OK "GET /api/explore/recipes/home?page=3&perPage=32&orderBy=created_at&orderDirection=desc&paginationSeed=1725745705006&searchSeed=1725745705006&search=&requireAllCategories=false&requireAllTags=false&requireAllTools=false&requireAllFoods=false HTTP/1.1"
INFO     2024-09-07T23:48:27 - [<my-ip>] 200 OK "GET /api/explore/recipes/home/apfelkuchen-mit-streuseln HTTP/1.1"
INFO     2024-09-07T23:48:27 - [<my-ip>] 401 Unauthorized "GET /api/groups/self HTTP/1.1"
INFO     2024-09-07T23:48:27 - [<my-ip>] 401 Unauthorized "GET /api/users/self/ratings HTTP/1.1"
INFO     2024-09-07T23:48:27 - [<my-ip>] 401 Unauthorized "GET /api/groups/recipe-actions?page=1&perPage=-1&orderBy=title&orderDirection=asc HTTP/1.1"

There we also see those "401 Unauthorized" messages.

If I log in to mealie first, then I don't get any 401 errors in the log file.

Also this does not happen with my PC browser (also Firefox).

So the bug is that mealie should not create 401 error codes while browsing with Android Firefox and not being logged in.

Steps to Reproduce

see above

Please provide relevant logs

see above

Mealie Version

Version
v1.12.0

Build
0d06494

Deployment

Docker (Linux)

Additional Deployment Details

No response

@cyberiuz cyberiuz added bug Something isn't working triage labels Sep 7, 2024
@cyberiuz cyberiuz changed the title from "Accessing mealie with Android Firefox leads to 401 on all pages and there for to ip ban (fail2ban)" to "Accessing mealie with Android Firefox leads to 401 on nearly all pages and therefore to an ip ban (fail2ban)" Sep 7, 2024
Contributor

github-actions bot commented Oct 8, 2024

This issue has been automatically marked as stale because it has not had recent activity. It will be closed if no further activity occurs. Thank you for your contributions.

@github-actions github-actions bot added the stale label Oct 8, 2024
@github-actions github-actions bot closed this as not planned Won't fix, can't repro, duplicate, stale Oct 13, 2024
@aarontraynor

I have this same issue across various browsers & devices. @cyberiuz did you find a solution?

@michael-genson
Collaborator

There are a few auth-only routes in Mealie that don't check if you're logged in before attempting them. We should only do that if we're logged in.

@aarontraynor

aarontraynor commented Nov 4, 2024

As a workaround for now, you can manually disable the nginx-unauthorized jail in your swag container to prevent IPs being banned. You can do this with this command (you may need to replace the container name depending on your docker-compose.yml):

docker exec -it swag fail2ban-client stop nginx-unauthorized

@cyberiuz
Author

cyberiuz commented Nov 4, 2024

I have this same issue across various browsers & devices. @cyberiuz did you find a solution?

Well, I created an exception rule for fail2ban for my mealie subdomain, "mobile" and 401 error messages:

vim fail2ban/filter.d/nginx-unauthorized.local

# A fail2ban filter for unauthorized log messages

[Definition]

failregex = ^<HOST>.*"(GET|POST|HEAD).*" (401) .*$

# Ignore lines that contain both the subdomain "mealie.<mydomain>.de" and "Mobile"
ignoreregex = ^.*https?:\/\/mealie\.<mydomain>\.de.*Mobile.*$

Since then I did not have this problem anymore. But of course, this is just a workaround.
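
Added example, not part of the original thread and not code from Mealie, SWAG or fail2ban: a Python replay of the jail's failregex over constructed access-log lines, comparing the referer-and-"Mobile" ignoreregex above with a hypothetical ignoreregex scoped to the three endpoints that returned 401 in the issue's log. Assumptions: `<HOST>` is approximated by `\S+`, `mealie.example.org` stands in for the redacted domain, and `IGNORE_PATHS`, the sample addresses and the `/api/constructed/other` path are made up for illustration.

```python
import re
from collections import Counter

# Simplification: fail2ban expands <HOST> to its own address pattern; \S+ stands in.
FAILREGEX = r'^<HOST>.*"(GET|POST|HEAD).*" (401) .*$'.replace("<HOST>", r"(?P<host>\S+)")

# Workaround from the thread; mealie.example.org is a constructed stand-in domain.
IGNORE_REFERER_UA = r"^.*https?:\/\/mealie\.example\.org.*Mobile.*$"

# Hypothetical alternative: ignore only the three endpoints that answer 401 to
# anonymous visitors in the issue's log, matched on the request line itself.
IGNORE_PATHS = (r'^\S+ .*"GET /api/(users/self/ratings|groups/self|'
                r'groups/recipe-actions)[? ][^"]*" 401 ')

UA_MOBILE = "Mozilla/5.0 (Android 14; Mobile; rv:127.0) Gecko/127.0 Firefox/127.0"
UA_DESKTOP = "Mozilla/5.0 (X11; Linux x86_64; rv:127.0) Gecko/20100101 Firefox/127.0"
REF = "https://mealie.example.org/g/home"

def line(ip, path, status, ua, referer=REF):
    """Build one constructed nginx access-log line in the format shown in the issue."""
    return (f'{ip} - - [07/Sep/2024:23:48:09 +0200] "GET {path} HTTP/2.0" '
            f'{status} 43 "{referer}" "{ua}"')

# Constructed sample log (documentation addresses, not taken from the issue).
SAMPLE = [
    line("203.0.113.7", "/api/explore/recipes/home?page=1", 200, UA_MOBILE),
    line("203.0.113.7", "/api/users/self/ratings", 401, UA_MOBILE),
    line("203.0.113.7", "/api/groups/self", 401, UA_MOBILE),
    line("203.0.113.7", "/api/groups/recipe-actions?page=1&perPage=-1", 401, UA_MOBILE),
    line("203.0.113.8", "/api/users/self/ratings", 401, UA_DESKTOP),  # desktop visitor
    line("203.0.113.9", "/api/constructed/other", 401, UA_MOBILE),    # unrelated path
]

def failures(lines, ignoreregex=None):
    """Count failregex hits per host, skipping lines the ignoreregex matches."""
    hits = Counter()
    for entry in lines:
        if ignoreregex and re.search(ignoreregex, entry):
            continue
        m = re.search(FAILREGEX, entry)
        if m:
            hits[m.group("host")] += 1
    return dict(hits)

if __name__ == "__main__":
    for name, rx in [("no ignoreregex", None), ("referer + Mobile", IGNORE_REFERER_UA),
                     ("path-scoped", IGNORE_PATHS)]:
        print(f"{name:18} {failures(SAMPLE, rx)}")
```

The referer-and-"Mobile" rule matches on the Referer and User-Agent fields, which the client supplies, so it still counts the desktop visitor and skips the 401 on the unrelated path. The path-scoped rule matches only the request line, so 401s on any other route keep counting toward the ban.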
