Jump to content

Can't sync via reverse proxy


jon_

Recommended Posts

Hi

 

( @@pir8radio )

 

I'm having some issues getting sync working via reverse proxy - everything else works fine, I can stream content with no issues, but sync results in a 'Download Unsuccessful' error on the client (which is android BTW - 3.0.33, which doesn't appear to generate any log files). 

 

I've tried via apache reverse proxy, and nginx with the same issue. Setup is fairly basic, nginx running in reverse proxy mode with letsencrypt certs. 

 

nginx proxy config (copied from somewhere on here):

##EMBY Server##

    server {
listen [::]:47699 ssl;
listen 47699 ssl;
server_name <servername>;

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/servername/cert.pem ;
    ssl_certificate_key /etc/letsencrypt/live/servername/privkey.pem;
ssl_session_cache shared:SSL:10m;

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors <servername>;";


location / {

proxy_pass http://<server IP>:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }

}

Looking at the emby logs, nothing appears amiss - no 404 errors etc:

019-02-02 11:34:56.114 Info HttpServer: HTTP GET http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:56.116 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby
2019-02-02 11:34:57.414 Info HttpServer: HTTP GET http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:57.423 Debug App: Returning 2 ready sync items for targetId e8eb333805ca3f37
2019-02-02 11:34:57.423 Info HttpServer: HTTP Response 200 to <client IP>. Time: 9ms. http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37
2019-02-02 11:34:58.105 Info HttpServer: HTTP GET http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:58.111 Info HttpServer: HTTP Response 200 to <client IP>. Time: 6ms. http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511
2019-02-02 11:34:58.794 Info HttpServer: HTTP POST http://<servername>:8096/emby/Sync/Data. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:58.804 Info HttpServer: HTTP Response 200 to <client IP>. Time: 10ms. http://<servername>:8096/emby/Sync/Data
2019-02-02 11:35:01.394 Info HttpServer: HTTP GET http://<servername>:8096/emby/system/info/public. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.395 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/system/info/public
2019-02-02 11:35:01.515 Info HttpServer: HTTP GET http://<servername>:8096/emby/web/manifest.json. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.516 Debug HttpResultFactory: Transmit file /opt/emby-server/system/dashboard-ui/manifest.json
2019-02-02 11:35:01.516 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/web/manifest.json
2019-02-02 11:35:01.614 Info HttpServer: HTTP GET http://<servername>:8096/emby/web/strings/en-US.json. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.615 Debug HttpResultFactory: Transmit file /opt/emby-server/system/dashboard-ui/strings/en-US.json
2019-02-02 11:35:01.615 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/web/strings/en-US.json
2019-02-02 11:35:01.854 Info HttpServer: HTTP GET http://<servername>:8096/emby/System/Info. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.856 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/System/Info
2019-02-02 11:35:01.995 Info HttpServer: HTTP GET http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.996 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby
2019-02-02 11:35:02.724 Info HttpServer: HTTP GET http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:02.733 Debug App: Returning 2 ready sync items for targetId e8eb333805ca3f37
2019-02-02 11:35:02.734 Info HttpServer: HTTP Response 200 to <client IP>. Time: 10ms. http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37
2019-02-02 11:35:03.094 Info HttpServer: HTTP GET http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:03.100 Info HttpServer: HTTP Response 200 to <client IP>. Time: 6ms. http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511

The nginx logs don't show anything amiss either. 

 

Any suggestions? :)

Edited by jon_
Link to comment
Share on other sites

Perhaps the proxy is not preserving all response headers, or is configured in some way that is affecting support for range requests?

Link to comment
Share on other sites

Not sure - it seems to be the same setup that everyone else uses, and it does exactly the same via apache or nginx.

 

It's weird that streaming works with no issues, but sync fails immediately... :(

Link to comment
Share on other sites

pir8radio

Not sure - it seems to be the same setup that everyone else uses, and it does exactly the same via apache or nginx.

 

It's weird that streaming works with no issues, but sync fails immediately... :(

What settings do you have set in emby for domain name and ports?

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

Public HTTPS port in emby is set as 47699 (same as nginx external HTTPS port). 

 

External domain is set to the publicly resolvable hostname for the nginx server. 

 

Secure connection mode is set to handled by reverse proxy. 

 

Everything else (streaming, web UI, config etc) works perfectly, apart from syncing  :(

 

HTTP isn't currently proxied - I've tried temporarily enabling it but nothing changes...

 

If I bypass nginx and port forward to the HTTPS port on emby direct then sync jumps into life... 

Edited by jon_
Link to comment
Share on other sites

Letsencrypt. The browser (either on laptop or android) doesn't prompt me to accept anything when I browse to the web console, so the cert chain should be good. 

 

The emby android app prompted me on the first connection (?) to verify that the cert was as expected, but doesn't prompt since. Other android apps connect to other services secured with the same certificate so I think it's trusted by the underlying OS. 

 

When connecting to emby on https directly (ie. not a proxied connection) it's using the same cert but converted to .pfx with openssl and sync then works... 

Edited by jon_
Link to comment
Share on other sites

pir8radio

Letsencrypt. The browser (either on laptop or android) doesn't prompt me to accept anything when I browse to the web console, so the cert chain should be good. 

 

The emby android app prompted me on the first connection (?) to verify that the cert was as expected, but doesn't prompt since. Other android apps connect to other services secured with the same certificate so I think it's trusted by the underlying OS. 

 

When connecting to emby on https directly (ie. not a proxied connection) it's using the same cert but converted to .pfx with openssl and sync then works... 

 

 

Great glad you got it working !

 

 

So.... Did you get it working?  Sounds like no, unless you bypass the proxy?

Link to comment
Share on other sites

Nope - still not working via the proxy. 

 

Has anyone else got sync working via apache / nginx? There was another problem reported a while back where streaming worked but sync didn't, but it doesn't look like it was ever resolved...

Link to comment
Share on other sites

pir8radio

Nope - still not working via the proxy. 

 

Has anyone else got sync working via apache / nginx? There was another problem reported a while back where streaming worked but sync didn't, but it doesn't look like it was ever resolved...

 

works for me..  any specifics i can test?   

Link to comment
Share on other sites

Which clients are you using? There's nothing massively different between my config and anyone elses, I'm wondering if it's an android issue..

Link to comment
Share on other sites

pir8radio

 apple devices...  you are more than welcome to test it on my guest account.. let me know when you are done, so I can turn off sync/download..

 

<removed>

Edited by pir8radio
Link to comment
Share on other sites

pir8radio

So for others, he tested and it worked on my server...      @@jon_ for your reference here is what my config looks like:  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670

 

Guessing its either the timeouts, or tcp nodelay in the  http {}  section

Edited by pir8radio
Link to comment
Share on other sites

I've basically duplicated your config (although I'm running on linux, so it's slightly different as theres 2 config files)..

 

and.....

 

It's still not working - downloads immediately fail :(

Edited by jon_
Link to comment
Share on other sites

pir8radio

I've basically duplicated your config (although I'm running on linux, so it's slightly different as theres 2 config files)..

 

and.....

 

It's still not working - downloads immediately fail :(

 

can you create a temp account and pm me the info?

Link to comment
Share on other sites

PM'd. 

 

Have also tried syncing against a windows server not linux, just to see if anything changed. It didn't :( Also updated nginx to mainline from stable... :(

Link to comment
Share on other sites

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

Link to comment
Share on other sites

pir8radio

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

That’s a good point I have a legit cert on my server. Widely accepted.

 

 

Sent from my iPhone using Tapatalk

Link to comment
Share on other sites

I'm guessing he's going to answer yes, and this is the problem. I think there are network requests made by the sync process that don't incorporate that override. So as a result, the server certificate ends up getting rejected.

Link to comment
Share on other sites

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

 

In the app, yes, on the first connection. Chrome / other android apps accept the cert without prompting though.. It's a valid letsencrypt cert so should be widely trusted... 

Link to comment
Share on other sites

I'm guessing he's going to answer yes, and this is the problem. I think there are network requests made by the sync process that don't incorporate that override. So as a result, the server certificate ends up getting rejected.

 

I did wonder if that was the case, but if so why if I convert the cert to a .pfx and import to emby, connect directly does sync work?

Link to comment
Share on other sites

But it's not trusted by your device out of the box, otherwise you would have never seen that prompt.

Link to comment
Share on other sites

I did wonder if that was the case, but if so why if I convert the cert to a .pfx and import to emby, connect directly does sync work?

 

I'm not sure I can answer that for you as with the proxy, SSL is not handled by Emby. But clearly something is causing it to be presented differently.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...