Can't sync via reverse proxy

[jon_ 23]

Hi

 

( @@pir8radio )

 

I'm having some issues getting sync working via reverse proxy - everything else works fine, I can stream content with no issues, but sync results in a 'Download Unsuccessful' error on the client (which is android BTW - 3.0.33, which doesn't appear to generate any log files). 

 

I've tried via apache reverse proxy, and nginx with the same issue. Setup is fairly basic, nginx running in reverse proxy mode with letsencrypt certs. 

 

nginx proxy config (copied from somewhere on here):

##EMBY Server##

    server {
listen [::]:47699 ssl;
listen 47699 ssl;
server_name <servername>;

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/servername/cert.pem ;
    ssl_certificate_key /etc/letsencrypt/live/servername/privkey.pem;
ssl_session_cache shared:SSL:10m;

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors <servername>;";


location / {

proxy_pass http://<server IP>:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }

}

Looking at the emby logs, nothing appears amiss - no 404 errors etc:

019-02-02 11:34:56.114 Info HttpServer: HTTP GET http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:56.116 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby
2019-02-02 11:34:57.414 Info HttpServer: HTTP GET http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:57.423 Debug App: Returning 2 ready sync items for targetId e8eb333805ca3f37
2019-02-02 11:34:57.423 Info HttpServer: HTTP Response 200 to <client IP>. Time: 9ms. http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37
2019-02-02 11:34:58.105 Info HttpServer: HTTP GET http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:58.111 Info HttpServer: HTTP Response 200 to <client IP>. Time: 6ms. http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511
2019-02-02 11:34:58.794 Info HttpServer: HTTP POST http://<servername>:8096/emby/Sync/Data. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:34:58.804 Info HttpServer: HTTP Response 200 to <client IP>. Time: 10ms. http://<servername>:8096/emby/Sync/Data
2019-02-02 11:35:01.394 Info HttpServer: HTTP GET http://<servername>:8096/emby/system/info/public. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.395 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/system/info/public
2019-02-02 11:35:01.515 Info HttpServer: HTTP GET http://<servername>:8096/emby/web/manifest.json. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.516 Debug HttpResultFactory: Transmit file /opt/emby-server/system/dashboard-ui/manifest.json
2019-02-02 11:35:01.516 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/web/manifest.json
2019-02-02 11:35:01.614 Info HttpServer: HTTP GET http://<servername>:8096/emby/web/strings/en-US.json. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.615 Debug HttpResultFactory: Transmit file /opt/emby-server/system/dashboard-ui/strings/en-US.json
2019-02-02 11:35:01.615 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/web/strings/en-US.json
2019-02-02 11:35:01.854 Info HttpServer: HTTP GET http://<servername>:8096/emby/System/Info. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.856 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/System/Info
2019-02-02 11:35:01.995 Info HttpServer: HTTP GET http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:01.996 Info HttpServer: HTTP Response 200 to <client IP>. Time: 1ms. http://<servername>:8096/emby/DisplayPreferences/usersettings?userId=17499719474942f4b1b6f1afd058edea&client=emby
2019-02-02 11:35:02.724 Info HttpServer: HTTP GET http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:02.733 Debug App: Returning 2 ready sync items for targetId e8eb333805ca3f37
2019-02-02 11:35:02.734 Info HttpServer: HTTP Response 200 to <client IP>. Time: 10ms. http://<servername>:8096/emby/Sync/Items/Ready?TargetId=e8eb333805ca3f37
2019-02-02 11:35:03.094 Info HttpServer: HTTP GET http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511. UserAgent: Mozilla/5.0 (Linux; Android 8.0.0; SM-G930F Build/R16NW; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/72.0.3626.76 Mobile Safari/537.36
2019-02-02 11:35:03.100 Info HttpServer: HTTP Response 200 to <client IP>. Time: 6ms. http://<servername>:8096/emby/Users/17499719474942f4b1b6f1afd058edea/Items/304511

The nginx logs don't show anything amiss either. 

 

Any suggestions?

Edited February 2, 2019 by jon_

[Luke 37487]

Perhaps the proxy is not preserving all response headers, or is configured in some way that is affecting support for range requests?

[jon_ 23]

Not sure - it seems to be the same setup that everyone else uses, and it does exactly the same via apache or nginx.

 

It's weird that streaming works with no issues, but sync fails immediately...

[pir8radio 1294]

Not sure - it seems to be the same setup that everyone else uses, and it does exactly the same via apache or nginx.

 

It's weird that streaming works with no issues, but sync fails immediately...

What settings do you have set in emby for domain name and ports?

 

 

Sent from my iPhone using Tapatalk

[jon_ 23]

Public HTTPS port in emby is set as 47699 (same as nginx external HTTPS port). 

 

External domain is set to the publicly resolvable hostname for the nginx server. 

 

Secure connection mode is set to handled by reverse proxy. 

 

Everything else (streaming, web UI, config etc) works perfectly, apart from syncing 

 

HTTP isn't currently proxied - I've tried temporarily enabling it but nothing changes...

 

If I bypass nginx and port forward to the HTTPS port on emby direct then sync jumps into life... 

Edited February 4, 2019 by jon_

[Luke 37487]

What kind of SSL cert?

[jon_ 23]

Letsencrypt. The browser (either on laptop or android) doesn't prompt me to accept anything when I browse to the web console, so the cert chain should be good. 

 

The emby android app prompted me on the first connection (?) to verify that the cert was as expected, but doesn't prompt since. Other android apps connect to other services secured with the same certificate so I think it's trusted by the underlying OS. 

 

When connecting to emby on https directly (ie. not a proxied connection) it's using the same cert but converted to .pfx with openssl and sync then works... 

Edited February 4, 2019 by jon_

[Luke 37487]

Great glad you got it working !

[pir8radio 1294]

Letsencrypt. The browser (either on laptop or android) doesn't prompt me to accept anything when I browse to the web console, so the cert chain should be good. 

 

The emby android app prompted me on the first connection (?) to verify that the cert was as expected, but doesn't prompt since. Other android apps connect to other services secured with the same certificate so I think it's trusted by the underlying OS. 

 

When connecting to emby on https directly (ie. not a proxied connection) it's using the same cert but converted to .pfx with openssl and sync then works... 

 

 

Great glad you got it working !

 

 

So.... Did you get it working?  Sounds like no, unless you bypass the proxy?

[Luke 37487]

Sorry, my mistake. I misread.

[jon_ 23]

Nope - still not working via the proxy. 

 

Has anyone else got sync working via apache / nginx? There was another problem reported a while back where streaming worked but sync didn't, but it doesn't look like it was ever resolved...

[pir8radio 1294]

Nope - still not working via the proxy. 

 

Has anyone else got sync working via apache / nginx? There was another problem reported a while back where streaming worked but sync didn't, but it doesn't look like it was ever resolved...

 

works for me..  any specifics i can test?   

[jon_ 23]

Which clients are you using? There's nothing massively different between my config and anyone elses, I'm wondering if it's an android issue..

[pir8radio 1294]

 apple devices...  you are more than welcome to test it on my guest account.. let me know when you are done, so I can turn off sync/download..

 

<removed>

Edited February 6, 2019 by pir8radio

[pir8radio 1294]

So for others, he tested and it worked on my server...      @@jon_ for your reference here is what my config looks like:  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670

 

Guessing its either the timeouts, or tcp nodelay in the  http {}  section

Edited February 6, 2019 by pir8radio

[jon_ 23]

I've basically duplicated your config (although I'm running on linux, so it's slightly different as theres 2 config files)..

 

and.....

 

It's still not working - downloads immediately fail

Edited February 6, 2019 by jon_

[pir8radio 1294]

I've basically duplicated your config (although I'm running on linux, so it's slightly different as theres 2 config files)..

 

and.....

 

It's still not working - downloads immediately fail

 

can you create a temp account and pm me the info?

[jon_ 23]

PM'd. 

 

Have also tried syncing against a windows server not linux, just to see if anything changed. It didn't Also updated nginx to mainline from stable...

[Luke 37487]

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

[pir8radio 1294]

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

That’s a good point I have a legit cert on my server. Widely accepted.

 

 

Sent from my iPhone using Tapatalk

[Luke 37487]

I'm guessing he's going to answer yes, and this is the problem. I think there are network requests made by the sync process that don't incorporate that override. So as a result, the server certificate ends up getting rejected.

[jon_ 23]

When you initially installed the android app, did you have to confirm a dialog box to accept your SSL cert?

 

In the app, yes, on the first connection. Chrome / other android apps accept the cert without prompting though.. It's a valid letsencrypt cert so should be widely trusted... 

[jon_ 23]

I'm guessing he's going to answer yes, and this is the problem. I think there are network requests made by the sync process that don't incorporate that override. So as a result, the server certificate ends up getting rejected.

 

I did wonder if that was the case, but if so why if I convert the cert to a .pfx and import to emby, connect directly does sync work?

[Luke 37487]

But it's not trusted by your device out of the box, otherwise you would have never seen that prompt.

[Luke 37487]

I did wonder if that was the case, but if so why if I convert the cert to a .pfx and import to emby, connect directly does sync work?

 

I'm not sure I can answer that for you as with the proxy, SSL is not handled by Emby. But clearly something is causing it to be presented differently.