Continuing with this topic, I want to share my current working Apache reverse proxy setup.

Before Nginx users kill me, let me say that I prefer Apache because I'm used to it (I know Nginx is better in reverse proxy scenarios), I find it simpler, I have a Nextcloud server running on the same machine and here they recommend using Apache instead of Nginx, even if I'm not using it for an enterprise deployment.

At the moment, I'm having 0 issues with any App (Web, TV, Android, iOS, etc.), the Chrome console is clean without any error when connecting through the Web App. My Apache is redirecting all traffic including the websocket traffic. I use my server with a CNAME of my domain, so that's why I don't locate it in "/emby" location, I do it in "/".

This is my Apache .conf file for Emby reverse proxy (located at /etc/apache2/sites-available):

    <IfModule mod_ssl.c>
    <VirtualHost *:80>
        ServerName cname.domain.com
        ServerAdmin youremail@address.com

        # Redirect every plain-HTTP request to HTTPS
        RewriteEngine on
        RewriteCond %{SERVER_NAME} =cname.domain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName cname.domain.com
        ServerAdmin youremail@address.com

        # Apache 2.2 access syntax (needs mod_access_compat on Apache 2.4)
        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        # Reverse proxy only: forward proxying stays disabled
        ProxyRequests Off
        ProxyPreserveHost On

        # The WebSocket mapping is listed before the catch-all "/" mapping
        ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
        ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

        ProxyPass "/" "http://127.0.0.1:8096/"
        ProxyPassReverse "/" "http://127.0.0.1:8096/"

        # Let's Encrypt certificate and its TLS options file
        SSLCertificateFile /etc/letsencrypt/live/cname.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cname.domain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

As you can see I'm using Let's Encrypt certificates. As @curtisghanson said here, I also have an "A" in Qualys SSL Labs:

Well I was scared of the performance but it's true that the maximum concurrent users I have are around 5-20, it's little.

This is the server usage when 7 users are connected playing content at the same time (all my content is Direct Played):

And that's all, hope you liked it and find it useful! Any improvement to the Apache conf file is welcome.

Edit: Forgot to say thanks to @fc7 who was the man that made all this possible.
-
I have had a few people ask me to explain how I set up my Apache server to forward to my Emby server. Here is a breakdown of how mine is set up should anyone else wish to try this. This is just my way of doing this (yeah, I know, Nginx exists but I have always been an Apache user).

Note that I use RPM based distributions, and my frontend Apache server is running on Fedora Server Edition (so that I can have the http/2 goodness). My instructions will emphasize this type of Linux distribution, so you will need to read up on how your particular flavor of Linux handles Apache installations.

First off, here is an overview of my network. Everyone's network is different, but this is what I have set up:

    edge firewall -> wireless ap/firewall -> apache server -> media server (where the media files are actually stored)

On my firewalls, I only have ports 80 and 443 tcp opened up, and they forward to my Apache server. No other ports are exposed to the Internet.

My Emby server is not configured with SSL. All SSL is terminated at my Apache server. This way, I can use one SSL certificate to encrypt any web services that I run on my network, without trying to get a certificate for each individual server installation. Anything that comes in on port 80 automatically gets forced over to port 443 (this is done by my Apache server itself). I am also using HTTP/2 which has helped with the various web services that my Apache frontend is exposing to the web.

Also, all of my internal servers are running host-based firewalls. There is nothing wrong with security in depth here, and I have personally not heard a valid reason to not run a host-based firewall for your networking services.

I use https://letsencrypt.org/ for my SSL certificate. It's free, and their tools are awesome. If you use their services, please donate to them as they are providing a valuable service to practically every community.

I also have my own domain name set up and registered, with a dynamic IP from my ISP.
There are a plethora of services that will let you register your dynamic IP for a domain name, so search around for the one that suits you best. Personally, I am using Google Domains for mine. My firewall assists in keeping my latest IP registered for my domain. This is extremely handy for mobile devices and family members who wish to use my Emby server remotely.

Here are the general steps I would recommend to someone setting this up for themselves:

- Use an edge firewall. The extra protection is worth it.
- Use your edge firewall to keep track of your public IP, and use whatever agent that your dynamic DNS provider provides to keep your latest IP registered for your domain. I do not recommend doing this from your Apache server, as your Apache server should be further into your network and protected by your other firewall(s).
- Set up an SSL certificate for your domain. Again, LetsEncrypt is pretty awesome.
- Install Apache on a server that can handle a fair amount of network traffic. If you are using LetsEncrypt, set up the agent to keep up with your SSL certificate on this server.

      dnf groupinstall "Web Server"
      dnf install mod_http2

- Configure your Apache server. On a Fedora, CentOS, RHEL system create a file called /etc/httpd/conf.d/00_yourdomain.conf (the two zeroes are there to make sure that your domain file is loaded first).
Here are snippets of my configuration (cleaned up a bit for, you know, security):

    <VirtualHost *:80>
        Protocols h2c http/1.1

        # Send everything over to https instead, best practice over mod_rewrite
        ServerName example.com
        Redirect / https://example.com/
    </VirtualHost>

    <VirtualHost _default_:443>
        # Enable http/2
        Protocols h2 http/1.1
        <IfModule http2_module>
            LogLevel http2:info
        </IfModule>

        # TLS protocol and cipher selection
        SSLEngine on
        SSLProtocol all -SSLv2 -SSLv3
        SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4
        SSLHonorCipherOrder On
        SSLCompression off

        # HSTS and other response headers (mod_headers)
        Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains"
        Header always set X-Frame-Options SAMEORIGIN
        Header always set X-Content-Type-Options nosniff

        SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem
        SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem

        <Files ~ "\.(cgi|shtml|phtml|php3?)$">
            SSLOptions +StdEnvVars
        </Files>
        <Directory "/var/www/cgi-bin">
            SSLOptions +StdEnvVars
        </Directory>

        BrowserMatch "MSIE [2-5]" \
            nokeepalive ssl-unclean-shutdown \
            downgrade-1.0 force-response-1.0

        ServerName example.com
        ServerAlias example.com
        ErrorLog logs/example-error_log

        # Forward /emby and /embywebsocket to the Emby server on port 8096
        RewriteEngine on
        RewriteRule ^/emby(.*) http://127.0.0.1:8096/emby$1 [proxy]
        RewriteRule ^/emby http://127.0.0.1:8096 [proxy]
        RewriteRule ^/embywebsocket(.*) http://127.0.0.1:8096/embywebsocket$1 [proxy]
        RewriteRule ^/embywebsocket http://127.0.0.1:8096 [proxy]

        <location /emby>
            ProxyPass http://127.0.0.1:8096/
            ProxyPassReverse http://127.0.0.1:8096/
        </location>
        <location /embywebsocket>
            ProxyPass http://127.0.0.1:8096/
            ProxyPassReverse http://127.0.0.1:8096/
        </location>
    </VirtualHost>

So what this does for me is let Apache handle all incoming port 80 requests, and turn them into encrypted traffic. All connections to and from the server (that can support it) are encapsulated in HTTP/2 packets. All of my SSL encrypted web traffic is handled by one certificate, so I can have multiple URL paths served by the same domain name, with only the https port used, and it just plain looks cleaner. For example, you can have:

    https://example.com/emby
    https://example.com/nextcloud
    https://example.com/hello_kitty_island_adventure

Or whatever suits your needs. My Emby server doesn't have to worry about any proxy configurations or SSL, as Apache takes care of all of that. My example is using the localhost IP address to direct all incoming and outgoing Emby requests, but if you are using a separate host that runs Emby, just make sure to use the IP of that system instead and that you have port 8096 open and available.

I hope that others may find this helpful.
-
Last night I updated both Emby and mono to versions 3.1.0 and 4.6.2.7. Since then I'm not able to access Emby from the internet, through an Apache reverse proxy, anymore. I can access the webclient without any issues within the LAN but if I try the same from the internet via the proxy I get this:

    0 0 HTTP/1.1 200 OK
    X-UA-Compatible: IE=Edge
    Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
    Access-Control-Allow-Origin: *
    Vary: Accept-Encoding
    ETag: "4a131dd81c597e10d17c1a65ab8851f4"
    Cache-Control: public
    Content-Encoding: deflate
    Expires: -1
    Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 20 Dec 2016 17:41:38 GMT
    Content-Length: 789

    [raw binary response body omitted]

And that's all. Trying to refresh the page, it will keep loading forever.

Before the upgrade I took a VM snapshot so I went ahead and rolled back and everything went back to normal. I will provide the server log as soon as possible. Thanks.
-
Hello guys,

Yes, another Apache reverse proxy tutorial, but I'm a bit stuck! I found a vhost config that works in my case:

    <VirtualHost *:80>
        ServerName my.website
        Redirect permanent /emby https://my.website/emby
    </VirtualHost>

    <VirtualHost *:443>
        ServerName my.website

        ErrorLog ${APACHE_LOG_DIR}/emby-error_log
        LogFormat "%t \"%r\" %>s" common
        CustomLog ${APACHE_LOG_DIR}/emby-access_log common

        RewriteEngine on
        RewriteRule ^/emby$ /emby/ [R]

        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        ProxyRequests Off
        ProxyPreserveHost On

        <Location /emby>
            ProxyPass http://localhost:8096
            ProxyPassReverse http://localhost:8096
        </Location>
        <Location /emby/emby>
            ProxyPass ws://localhost:8096/emby
            ProxyPassReverse ws://localhost:8096/emby
        </Location>
    </VirtualHost>

If I only enable this vhost it's working. But! I also have transmission running with the following configuration:

    <VirtualHost *:443>
        ServerName my.website
        ServerAlias www.my.website
        Redirect permanent /transmission https://my.website/transmission

        RewriteEngine on
        RewriteRule /transmission[/]?$ /transmission/web/ [R=permanent]

        # ProxyRequests On turns on forward proxying; ProxyPass below does not need it
        ProxyRequests On
        ProxyPreserveHost Off
        <Proxy *>
            Order allow,deny
            Allow from all
        </Proxy>

        ProxyPass /transmission http://127.0.0.1:9091/transmission
        ProxyPassReverse /transmission http://127.0.0.1:9091/transmission
    </VirtualHost>

    <VirtualHost *:80>
        ServerName my.website
        ServerAlias www.my.website
        Redirect permanent /transmission https://my.website/transmission
    </VirtualHost>

If I enable emby first (by renaming the file 01-emby and 03-transmission): emby is working but transmission is not.

If I enable transmission first (01-transmission and 03-emby): transmission is working and emby is not, with the following error message:

    You don't have permission to access /emby on this server.

So I guess there is some issue with the rewrite rule. In emby dashboard I selected the "Secure connection mode" parameter to "Handled by reverse proxy".

For info https://my.website:8920/emby is working. I'm not really familiar with Apache so I may have missed something obvious. Thanks for your help guys!
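
An added example, not part of any post on this page: a small Python check for three things visible in the configurations above, namely two `<VirtualHost *:443>` blocks with the same ServerName (Apache selects only the first one loaded, which is consistent with the load-order symptom in the post directly above), `ProxyRequests On` (forward proxying, which `ProxyPass` does not need), and an `SSLProtocol` line such as `all -SSLv2 -SSLv3` from the earlier Fedora post, which leaves TLS 1.0 and 1.1 enabled. The sample config is constructed, and `audit`, `enabled_protocols` and the finding labels are illustrative names.

```python
import re

# Constructed sample, not from any post; function names and finding labels are illustrative.
SAMPLE = """\
<VirtualHost *:443>
    ServerName my.website
    ProxyPass /emby http://localhost:8096
</VirtualHost>
<VirtualHost *:443>
    ServerName my.website
    SSLProtocol all -SSLv2 -SSLv3
    ProxyRequests On
    ProxyPass /transmission http://127.0.0.1:9091/transmission
</VirtualHost>
"""

LEGACY = {"tlsv1", "tlsv1.1"}
ALL = LEGACY | {"tlsv1.2", "tlsv1.3"}

def enabled_protocols(tokens):
    """Simplified SSLProtocol model: '+' adds, '-' removes, a bare name replaces."""
    on = set()
    for tok in tokens:
        name = tok.lstrip("+-").lower()
        sel = set(ALL) if name == "all" else {name}
        if tok.startswith("-"):
            on -= sel
        else:
            on = on | sel if tok.startswith("+") else sel
    return on

def audit(conf):
    """Return (line_no, finding) pairs for a concatenated Apache config."""
    findings, seen, vhost = [], set(), None
    for no, raw in enumerate(conf.splitlines(), 1):
        words = raw.split() or [""]
        key, arg = words[0].lower(), " ".join(words[1:]).lower()
        m = re.match(r"<(/?)VirtualHost\b\s*([^>]*)>", raw.strip(), re.I)
        if m:  # track which address:port block we are inside
            vhost = None if m.group(1) else m.group(2).strip()
        elif key == "servername" and vhost and arg:
            if (vhost, arg) in seen:  # Apache serves the name from the first block only
                findings.append((no, "shadowed-vhost"))
            seen.add((vhost, arg))
        elif key == "proxyrequests" and arg == "on":
            findings.append((no, "forward-proxy-enabled"))
        elif key == "sslprotocol" and enabled_protocols(words[1:]) & LEGACY:
            findings.append((no, "legacy-tls-enabled"))
    return findings
```

The check does not follow Include directives or compare ServerAlias values; `apachectl -S` shows the virtual host order Apache actually loaded.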
-
Hi. I'm new to Emby and I have everything up and going except for one thing; I would like to integrate it into my own domain as a sub-domain using Webmin/Virtualmin.

I am running Ubuntu 16.04 LTS server with the latest version of Webmin/Virtualmin and a main plus 7 sub domains (including Emby). However, if I create a site using Webmin/Virtualmin it creates an Apache site and as a result is not functional with Emby. The site must be HTTPS and I have now configured the Emby server's SSL (using Let's Encrypt) but if I enter the sub-domain using HTTPS it defaults to my parent / holding domain which is simply that, a holding domain with no functionality except a simple "Offline" page. I can tell you the domain and sub-domain here but before that I want to make sure that it's OK to post private domain names in the forums.

Is there a way to "move" the default installation into a pre-created structure which I use for my sites without messing things up or are there configuration files I need to change in order to accomplish this? I keep reading about nginx on here and also reverse proxies but I'm not sure if that's what I need to do or whether a simple move / reconfiguration would be adequate.

Sorry if this sounds simple to some but to me in my current state and wisdom (currently on long term sick which unfortunately affects my mind and how I can or can't explain things) I'm finding it hard to comprehend how I can go about doing this. 10 years or so ago this would have been a doddle but these days I'm afraid not so well; please be gentle with me.

Thanks for taking the time to read and I hope someone can hold my hand and lead me up the correct path.

Chris
-
I am running a Kodi instance with Emby plugin remotely. The access is proxied via Apache to provide secure SSL. This works perfectly in almost all regards. I can stream FullHD video and all (200/25 connection). The only thing that does not work is the automatic library update. I have to make a manual update each time anything changes.

I know the server is ok:

- There are local instances that are not proxied, which pick up the changes fine.
- Also the remote machine does pick up the changes when I connect to the server via the site-to-site VPN, but that is too slow for actual streaming.

So I am pretty sure the problem is in the Apache proxy system. What do I have to make available to allow instantaneous library updates? This is quite a bummer for me right now, because the update already takes a few minutes, and I haven't even integrated the Music library.
-
After updating to the latest Emby stable version 3.0.5781.8, I can no longer log in to the server while connecting from the Internet through an Apache SSL reverse-proxy, as I was before the update. The login screen doesn't finish loading and any attempt to manually log in will result in an "Invalid username or password" error.

My setup is very specific so I would like to detail it in case it helps to narrow down the actual issue:

    Webclient ==> Internet (SSL) ==> Apache Reverse-Proxy (SSL Termination) ==> LAN (no SSL) ==> Emby Server

On top of it I'm also authenticating clients using basic auth against the proxy. This means that before anything gets to Emby, the proxy will request a username and password from the client.

Until the last update this worked flawlessly. The client will connect, the proxy will request a username and password and once provided the connection will go on as normal. After yesterday's upgrade, this is not the case anymore. The client will connect, the proxy will request a username and password and once provided the connection will go on and parts of the web will load as normal but other parts will fail with a 401 response from the proxy server (unauthorized request).

My default browser is Firefox (v43) but I also tried with a different browser, Midori, based on WebKit. With Midori I'm able to connect and log in as usual.

I'm a little bit lost. I don't know if the problem is the browser, the new version of Emby and the changes in the webclient or something else. As I said before, this setup was working flawlessly until I upgraded Emby.