Old 11-22-2017, 02:01 PM   #5
haertig
I've done some more testing. All of my above reports were accessing the Content Server via an NGINX reverse proxy (running on 10.192.0.26). The actual Content Server is running on 10.192.0.2.

If I access the Content Server directly, not via the NGINX proxy, then the strange behavior does NOT happen. It works just fine. So is NGINX possibly caching something that is causing me this problem? I have set "proxy_buffering off", so I wouldn't expect that, but I am still learning NGINX and could be missing something. I'll have to investigate more.

FWIW, here are my Content Server reverse proxy settings. You can see that eventually I plan to require a client cert to access the Content Server, but that is commented out now since I haven't gotten to that step yet.

Code:
#               ssl_verify_client optional;
                location /calibre {
#                       if ($ssl_client_verify != SUCCESS) {
#                               return 403;
#                       }
                        proxy_buffering off;
                        proxy_set_header X-Forwarded-For $remote_addr;
                        proxy_pass http://10.192.0.2:8080$request_uri;
                }

The entire reason I am using NGINX is because I want to use HTTPS with the Content Server, and also require client cert authentication. I realize that the Content Server allows for login/password authentication. My preference is for a higher level of security than that, hence the client certs. While I don't really desire the Content Server's login/password authentication, this is required when setting up "users", which also provides me with the ability to restrict access to only one virtual library (this is desirable, but not absolutely essential). The reason why ssl_verify_client is "optional" is because there are other "locations" that NGINX reverse proxies (unrelated to Calibre), and these other locations do not require client cert authentication. By doing things this way, I only have one set of SSL directives up at the "server" block level, and then I can choose to require/omit client cert authentication at the "location" level with the "if" statement. At least that's the plan - I haven't tested it yet.

I believe what I will finally end up doing is removing the user configuration from the Content Server. This should get rid of the authentication problems I am addressing in this thread. Getting rid of Content Server user configs will also get rid of my ability to lock users into only one virtual library. But that can be overcome by setting a bookmark that points to the library. With such a bookmark, but no user configuration, the user would be able to "escape" from the initial virtual library that the bookmark points them to, and view other vl's. That's not a terribly big deal. If they want to go to that effort, they deserve to confuse themselves. The confusion might come because I have a separate vl named "Wanted". These are books that I don't have, but want to obtain. I use that in conjunction with the excellent "Overdrive" Calibre plugin to search for wanted books in various public libraries (traditional physical buildings). If the user escapes from my "Novels" virtual library into my entire Calibre library, then my Novels (which I own) will be intermixed with my Wanted books (which are empty placeholders), possibly causing confusion.
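
Added example, not part of haertig's post and not his tested configuration: a complete server block for the plan described above, with the SSL and client-CA directives set once at "server" level and the certificate check enforced only in the /calibre location. The certificate paths, server_name, and the /other location with its upstream are placeholders; the /calibre proxy lines and the upstream address are taken from the post.

```nginx
# Added example. Paths, server_name and /other are placeholders (assumptions).
server {
    listen 443 ssl;
    server_name example.invalid;                          # placeholder

    ssl_certificate         /etc/nginx/tls/server.crt;    # placeholder path
    ssl_certificate_key     /etc/nginx/tls/server.key;    # placeholder path

    # CA that issued the client certificates. "optional" requests a client
    # certificate during the handshake but still lets clients without one
    # connect, so each location decides whether to require it.
    ssl_client_certificate  /etc/nginx/tls/client-ca.crt; # placeholder path
    ssl_verify_client       optional;

    location /calibre {
        # $ssl_client_verify is SUCCESS, NONE (no certificate sent) or
        # FAILED:<reason>; anything other than SUCCESS is refused here.
        if ($ssl_client_verify != SUCCESS) {
            return 403;
        }
        proxy_buffering off;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_pass http://10.192.0.2:8080$request_uri;
    }

    # Hypothetical unrelated location that stays reachable without a
    # client certificate.
    location /other {
        proxy_pass http://127.0.0.1:9000;                 # placeholder upstream
    }
}
```

The 403 check only covers requests that arrive through the proxy. The Content Server on 10.192.0.2:8080 still answers direct connections, as in the direct-access test described in the post, so it has to be restricted to the proxy's address separately for the client-cert requirement to hold.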