Showing results for tags 'Reverse Proxy'.


  1. This guide will explain how to set up a Windows Server instance of Emby Server with IIS as a full transparent reverse proxy with SSL offload and auto-renewing certificates via Let's Encrypt.

     First, what is IIS? IIS, or Internet Information Services, is the web server service provided with Windows and Windows Server installations. It is industry standard technology and is widely supported and regularly maintained by Microsoft.

     Second, what is a reverse proxy? A reverse proxy will take requests coming into your server (in this case HTTPS on port 443) and route them to a backend application (in this case Emby Server on port 8096 on the same box or another). Reverse proxies are very useful if you only have 1 public IP and multiple services you would like to run on a single port (443, for example, is standard secure web traffic) or multiple servers that need to appear as one.

     Third, why do I want a certificate for my site from Let's Encrypt? Well, most sites nowadays are secure (read: they encrypt your traffic to prevent people from seeing your data), and browsers these days flag sites that are not using properly signed certificate chains or run on insecure ports. If you use a self-signed certificate in Emby, you may have difficulty getting things like the iOS app or Roku app to work properly outside your home. (Not sure about the rest of you, but Emby on the kid's iPad is a life saver for long car rides.) Let's Encrypt provides free SSL certificates that are signed by certificate authorities that will be recognized on all devices and platforms.

     I will be using Windows Server 2019 with IIS 10 and AAR 3. All of this should work with Windows Server 2012R2 and Windows Server 2016 as well as Windows 10, however there may be some differences. You can use either the stable or beta version of Emby Server, however in this guide we will use the stable version. At the time of writing, this guide will get you a full A+ rating from the SSLlabs.com security test. (For comparison purposes, Facebook's rating is a B.)

     In this guide we will:
     • Install Emby Server
     • Move Emby Server Installation to a non-user-locked location
     • Set up a service user to run Emby Server as
     • Configure Emby Server to run as a service
     • Configure Windows Firewall
     • Install IIS
     • Install AAR
     • Install IIS Rewrite module
     • Configure AAR
     • Configure IIS as a reverse proxy for Emby
     • Configure SSL cipher suites for the server
     • Install the Certify the Web client
     • Configure Certify the Web for auto-renewing SSL certificate for your domain

     Note: To be externally accessible, you will need to configure your router/modem to port forward 80 and 443 to your server.

     Pre-reqs/Assumptions:
     • A physical server or VM running Windows Server
     • An Internet connection
     • A DynDNS/No-IP URL (or similar routable DNS name pointed at your router's public IP)
     • You have port forwarded ports 80 and 443 through your router to the machine you will use as a reverse proxy (in this guide we will use the same box for the reverse proxy and Emby server, but these can be run on different hosts).
     • You have installed Notepad++ on the machine you will be setting up.

     Install Emby Server
     • Download Emby Server
     • Run the Installer
     • Click Run when prompted
     • If prompted by smart screen, click run anyway
     • If prompted to install Visual C++ runtime, click install
     • It will install to the default location of %APPDATA%\Emby-Server.

     Move Emby Server to Non-User Locked Location
     • Ensure that Emby Server is not running (right click icon in system tray if present and click Exit)
     • Navigate to default location of %APPDATA% (%userprofile%\appdata\roaming)
     • Right click the folder and click "cut"
     • Navigate to C:\ (or root of the drive you wish to have Emby run from)
     • Right click in the whitespace and paste (if prompted to provide administrator permission, approve).

     Create a Service Account to run Emby as
     Note: Instructions show how to do this using local users and computers; you can also do this with Active Directory Users and Computers if your server is running that role.
     • Right click on the start button (Windows flag) on the left side of the task bar
     • Click Computer Management
     • Expand Local Users and Groups on the left side
     • Click Users
     • Right click the whitespace and click new user
     • Complete the new user dialog as shown (make sure you save whatever password you use as you will need it later. ProTip: don't re-use passwords)
     • Click create
     • Click close
     • Close the computer management window

     Setup NSSM
     NSSM (Non-Sucking Service Manager) is needed to run Emby Server as a service, as Emby Server does not include the necessary components to run as a Windows service by default.
     • Download here: https://nssm.cc/download
     • Double click downloaded zip to open it in Windows Explorer
     • Navigate to /win64 folder inside zip
     • Copy/extract 64 bit version of the file to C:\Emby-Server

     Setup Folder Permissions
     • Navigate to C:\
     • Right click the Emby-Server folder
     • Click Properties
     • Click Security tab
     • Click Advanced
     • Click Disable Inheritance
     • Click Convert to Explicit
     • Select CREATOR OWNER
     • Click Remove
     • Select Users (special)
     • Click Remove
     • Click Add
     • Enter SvcEmby in the dialog
     • Click OK
     • Click Full Control
     • Click OK
     • Click Change next to owner at the top of the box
     • Type SvcEmby in the dialog
     • Click OK
     • Check the Replace owner check box
     • Check the Replace permissions checkbox
     • Verify the dialog window looks similar to this (computer name will be different)
     • Click OK
     • When prompted if you want to replace permissions click Yes
     • Verify security tab looks like this
     • Click OK

     Setup Emby as a Service using NSSM
     • Right click the start button on the left side of the task bar
     • Click Windows PowerShell (Admin)
     • Type: "cd C:\Emby-Server" and press enter
     • Type ".\nssm.exe install Emby" and press enter
     • The install service dialog will launch, fill out as follows:
       • Application Tab
       • Details Tab
       • Logon Tab (note, if you are using Active Directory it should be: YOURDOMAIN\SvcEmby)
       • Exit Actions Tab
     • Click Install Service
     • Click OK

     Configure Windows Firewall
     • Click Start
     • Click Control Panel
     • Click Windows Defender Firewall
     • Click Advanced Settings on the left hand side
     • Click Inbound Rules
     • Click New Rule on the right hand side
     • Click Port
     • Click Next
     • Type 80, 443 in the ports box
     • Click Next
     • Click Next
     • Click Next
     • Name it Web Server Ports
     • Click Finish

     Install IIS (Internet Information Services)
     • Click Start
     • Click Server Manager
     • Click Add Roles and Features
     • Click next on the Before you Begin page
     • Click Role Based install
     • Click Next
     • Verify you are installing on your local server
     • Click Next
     • Check the box for "Web Server (IIS)"
     • When prompted to install management tools, click Add Features
     • Click Next
     • Under Features, click Next
     • Click Next again to get to role services
     • Check the boxes for all of the following role services
     • Make sure you check the box for web sockets under Application Development; this is needed for various features of Emby to work right.
     • Click Next
     • Click Install
     • Once installation completes, click close

     Install Web Platform Installer add-on
     • Download from: https://www.microsoft.com/web/downloads/platform.aspx
     • Run the Web Platform Installer add-on installer
     • Click Install
     • Click Finish

     Install AAR (Advanced Application Routing)
     • Download from: https://www.microsoft.com/en-us/download/details.aspx?id=47333
     • Run the Request Router installer
     • Click Install

     Install IIS Re-Write Module
     • Click Start
     • Click Administrative Tools
     • Open Internet Information Services (IIS) Manager
     • Click the name of your server on the left
     • Double Click on the Web Platform Installer
     • In the search box type "url rewrite"
     • Click Add
     • Click Install
     • Click I Agree
     • Click Finish

     Configure AAR
     • Click Start
     • Click Administrative Tools
     • Open Internet Information Services (IIS) Manager
     • Click the name of your server on the left
     • Right Click Server Farms
     • Click Create Server Farm
     • Name your Server Farm
     • Click Next
     • Enter the IP address of the server or "localhost"
     • Click Add
     • Click Finish
     • Click No in the dialog that pops up
     • Expand your newly created Server Farm
     • Click Proxy
     • Configure settings as shown
     • Click Apply
     • Click your Server
     • Click Application Request Routing
     • Click Server Proxy Settings
     • Configure settings as shown
     • Click Apply
     • Click Your Server

     Configure IIS Server Variables
     • Click Url Re-Write
     • Click View Server Variables
     • Click Add
     • Type "HTTP_ACCEPT_ENCODING"
     • Click OK
     • Click Add
     • Type "HTTP_X_ORIGINAL_ACCEPT_ENCODING"
     • Click OK
     • Click Add
     • Type "HTTP_X_FORWARDED_FOR"
     • Click OK
     • Click Add
     • Type "HTTP_X_REAL_IP"
     • Click OK
     • Click Your Server

     Create Emby Site
     • Expand Sites on the left hand side
     • Right Click "Default Web Site"
     • Highlight "Manage Website"
     • Click Stop
     • Right Click the white space in the Sites list
     • Click Add Website
     • Click the "..." button to the right of Physical Path
     • Browse to C:\inetpub\wwwroot
     • Click it
     • Click Make New Folder
     • Call it Emby
     • Click OK
     • Under Binding, fill in with your public host name (see dynamic DNS mentioned in pre-reqs)
     • Click OK

     Configure Logging
     • Click your server
     • Click Logging
     • Click Select Fields
     • Click Add Field
     • Configure as shown
     • Click OK
     • Click OK
     • Click Apply

     Install and Configure Certify The Web client
     • Download from: https://certifytheweb.com
     • Run the Certify the Web installer
     • Click Next
     • Click Next
     • Click Next
     • Click Install
     • Click Finish
     • Click New Certificate
     • Click on Contact Prompt
     • Fill in your contact email
     • Click Register Contact
     • Click New Certificate again
     • Select Emby from the sites list
     • Name and domain will populate automatically.
     • Click Deployment
     • Configure as shown
     • Complete certificate verification process
     • Click your site in IIS manager
     • Click Bindings
     • Verify there is an HTTPS binding and that it looks similar to this (with your domain information)

     Edit Web.Config for Emby Site
     • Click HTTP Response Headers
     • Click Add
     • Configure as shown (we are just creating a header to get the web.config to exist, we will paste in a pre-made one below, so these values don't really matter)
     • Click OK
     • Open an Explorer window and browse to C:\inetpub\wwwroot\Emby
     • Right click web.config and Edit with Notepad++
     • Replace existing content with web.config below

         <?xml version="1.0" encoding="UTF-8"?>
         <configuration>
           <system.webServer>
             <rewrite>
               <rules>
                 <clear></clear>
                 <!-- Send plain-HTTP requests to the HTTPS version of the same URL -->
                 <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                   <match url="*" negate="false" />
                   <conditions logicalGrouping="MatchAny">
                     <add input="{HTTPS}" pattern="off" />
                   </conditions>
                   <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
                 </rule>
                 <!-- Forward everything except .well-known (certificate validation) to Emby -->
                 <rule name="Proxy to Emby" stopProcessing="false">
                   <match url="(.*)" />
                   <serverVariables>
                     <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                     <set name="HTTP_ACCEPT_ENCODING" value="" />
                     <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
                   </serverVariables>
                   <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
                   <conditions>
                     <add input="/{R:1}" pattern=".well-known" negate="true" />
                   </conditions>
                 </rule>
               </rules>
               <outboundRules>
                 <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                   <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                   <conditions>
                     <add input="{HTTPS}" pattern="on" />
                   </conditions>
                   <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                 </rule>
                 <!-- Rewrite absolute links to the backend origin so they point at the public host name -->
                 <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
                   <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://localhost:8096/(.*)" />
                   <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" />
                 </rule>
                 <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                   <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                   <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                 </rule>
                 <preConditions>
                   <preCondition name="ResponseIsHtml1">
                     <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
                   </preCondition>
                   <preCondition name="NeedsRestoringAcceptEncoding">
                     <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                   </preCondition>
                 </preConditions>
               </outboundRules>
             </rewrite>
             <caching enabled="false" enableKernelCache="false" />
             <httpProtocol>
               <customHeaders>
                 <add name="X-Frame-Options" value="SAMEORIGIN" />
                 <add name="X-Xss-Protection" value="1; mode=block" />
                 <add name="X-Content-Type-Options" value="nosniff" />
                 <add name="Referrer-Policy" value="same-origin" />
                 <add name="Feature-Policy" value="sync-xhr 'self'" />
                 <add name="Cache-Control" value="no-cache" />
               </customHeaders>
             </httpProtocol>
           </system.webServer>
         </configuration>

     • Save changes (if prompted to restart Notepad++ in admin mode, allow it and then try saving again)

     IIS will now be properly configured as a reverse proxy for Emby. Under IIS Manager > Rewrite you should now see the following rules:

     Configure Server Ciphers
     • Download here: https://www.nartac.com/Products/IISCrypto/Download (GUI version)
     • Run the IISCrypto tool
     • Click Templates
     • In the template drop down box, select PCI 3.2. This will disable IIS from being able to serve via SSL 2.0, 3.0; TLS 1.0 and TLS 1.1. This will leave just the industry standard TLS 1.2.
     • Click Apply
     • Click OK.
     • Reboot your server.

     Emby Internal Settings
     • Navigate to your server via the localhost:8096 address
     • Click the gear in the top right corner
     • Click Network from the list of tabs on the right
     • Configure as shown (use your hostname in the external domain box)

     Conclusion
     Upon rebooting, your computer will start IIS services and Emby Server as a service. Traffic coming in on port 80 (if someone just types your URL without HTTPS in their browser's address bar) will be automatically redirected to port 443 and the HTTPS:// version of your host name. Your certificate will auto-renew every so often and re-bind to the site in IIS without any interaction on your part. This allows for a server that you can for the most part set up and forget about, and just manage your Emby installation via its web UI.

     There are a lot of ways to set up Emby Server depending on your environment and other factors. For my environment this made the most sense, and since large portions of this took quite a bit of digging and research to get working just right, I figured I'd make someone else's life a little easier if they were trying to do something similar. These instructions can be adapted for Windows Server 2012 R2, Windows Server 2016, Windows 8 and Windows 10. In the end, browsing to your domain should look like this in the browser.

     Additional Information for Updating
     When updating your Emby installation, simply stop the service for Emby, install like you normally would, then just cut the system folder inside the %appdata%\emby-server folder and paste it into the C:\Emby-Server folder. When prompted, replace all files, then start the service again once the copy completes.

     Additional Information about Connecting with Emby Apps
     When connecting to your Emby installation remotely with Emby apps, remember to prefix your domain name with https:// and use 443 for the port number.

     <Edit>
     Additional Information about changing Emby Server Title:
     For those users who wish to change their page title in the browser (as discussed here), here is additional Web.Config information that will let you do just that! Using IIS Re-Write rules to change the page title means you don't have to edit files to reset it every time you upgrade your Emby Server! Add these 3 rules at the bottom of the rules list, and replace the whole <preConditions> block too.
     NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar.

         <rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
           <match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
           <action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
         </rule>
         <rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
           <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
           <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
         </rule>
         <rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
           <match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
           <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
         </rule>
         <preConditions>
           <preCondition name="ResponseIsHtml1">
             <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
           </preCondition>
           <preCondition name="ResponseIsJS">
             <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
           </preCondition>
           <preCondition name="NeedsRestoringAcceptEncoding">
             <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
           </preCondition>
         </preConditions>

     </Edit>
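Added example, not part of the original guide: a Python check that a web.config of the shape above still does what the guide relies on (HTTP is redirected to HTTPS, `.well-known` is kept away from the backend so certificate validation works, HSTS is only sent over HTTPS, and the outbound link-rewrite pattern can actually match the backend URL used by the proxy rule). The sample config is constructed and carries an outbound pattern with a doubled scheme, an easy mistake when pasting the backend URL into the template; `audit_web_config` and the finding names are this example's own.

```python
import re
import xml.etree.ElementTree as ET

# Constructed sample, trimmed to the rules that matter. The outbound
# "Proxy to Emby" pattern carries a doubled scheme on purpose.
SAMPLE_WEB_CONFIG = """\
<configuration><system.webServer><rewrite>
  <rules>
    <rule name="Redirect to https" enabled="true" stopProcessing="true">
      <match url="*" />
      <conditions><add input="{HTTPS}" pattern="off" /></conditions>
      <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
    </rule>
    <rule name="Proxy to Emby" stopProcessing="false">
      <match url="(.*)" />
      <action type="Rewrite" url="http://localhost:8096/{R:1}" />
      <conditions><add input="/{R:1}" pattern=".well-known" negate="true" /></conditions>
    </rule>
  </rules>
  <outboundRules>
    <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
      <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
      <conditions><add input="{HTTPS}" pattern="on" /></conditions>
      <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
    </rule>
    <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
      <match filterByTags="A, Form, Img" pattern="^http(s)?://http://localhost:8096/(.*)" />
      <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" />
    </rule>
  </outboundRules>
</rewrite></system.webServer></configuration>
"""


def _enabled(rule):
    return rule.get("enabled", "true").lower() == "true"


def _conditions(rule):
    """(input, pattern, negate) for every <add> under the rule's <conditions>."""
    return [(c.get("input"), c.get("pattern") or "", c.get("negate", "false").lower())
            for c in rule.findall("conditions/add")]


def audit_web_config(xml_text):
    """Return a sorted list of finding codes for an IIS URL Rewrite web.config."""
    findings = set()
    rewrite = ET.fromstring(xml_text).find("system.webServer/rewrite")
    backend, has_redirect = None, False

    for rule in filter(_enabled, rewrite.findall("rules/rule")):
        action = rule.find("action")
        kind, url = action.get("type"), action.get("url", "")
        conds = _conditions(rule)
        if kind == "Redirect" and url.startswith("https://"):
            # Only counts if it fires when the request arrived without TLS
            has_redirect = has_redirect or any(
                i == "{HTTPS}" and p == "off" for i, p, _ in conds)
        elif kind == "Rewrite" and re.match(r"https?://", url):
            backend = re.match(r"https?://[^/]+", url).group(0) + "/"
            # Without this exclusion, validation requests go to the backend
            if not any(".well-known" in p and n == "true" for _, p, n in conds):
                findings.add("acme-challenge-proxied")
    if not has_redirect:
        findings.add("no-https-redirect")

    hsts_seen = False
    for rule in filter(_enabled, rewrite.findall("outboundRules/rule")):
        match, action = rule.find("match"), rule.find("action")
        if match.get("serverVariable", "").lower() == "response_strict_transport_security":
            hsts_seen = True
            if not re.search(r"max-age=\d+", action.get("value", "")):
                findings.add("hsts-no-max-age")
            if not any(i == "{HTTPS}" and p == "on" for i, p, _ in _conditions(rule)):
                findings.add("hsts-sent-over-http")
        elif match.get("filterByTags", "None") != "None" and backend:
            # Link-rewrite rule: the pattern has to match absolute backend URLs
            try:
                hit = re.search(match.get("pattern", ""), backend + "web/index.html")
            except re.error:
                hit = None
            if hit is None:
                findings.add("outbound-pattern-never-matches-backend")
    if not hsts_seen:
        findings.add("no-hsts-rule")
    return sorted(findings)


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```

The patterns are evaluated with Python's `re` module as an approximation of the rewrite module's regular expressions, which holds for simple patterns like the ones in this file.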
  2. I have spent a lot of time trying to make Emby secure with https and I have now hit a brick wall. My knowledge on this topic is zero, so I'm hoping with some guidance I can get this working.

     OS: Windows
     Port Forward: 443
     Domain: YES
     SSL: Let's Encrypt via Win-Acme (No passphrase)
     Reverse Proxy: NGINX

     Most of the information is taken from https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/#comment-419091

     Where I have hit a brick wall is when I try and start NGINX. It fails to start and nothing shows in the logs. Below is my nginx.conf. Thanks in advance.

         worker_processes 2;

         events {
             worker_connections 8192;
         }

         http {
             include mime.types;
             default_type application/octet-stream;
             server_tokens off;
             gzip on;
             gzip_disable "msie6";
             gzip_comp_level 6;
             gzip_min_length 1100;
             gzip_buffers 16 8k;
             gzip_proxied any;
             gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
             tcp_nodelay on;
             sendfile off;
             server_names_hash_bucket_size 128;
             map_hash_bucket_size 64;

             ## Start: Timeouts ##
             client_body_timeout 10;
             client_header_timeout 10;
             keepalive_timeout 30;
             send_timeout 10;
             keepalive_requests 10;
             ## End: Timeouts ##

             ## Default Listening ##
             server {
                 listen 80 default_server;
                 listen [::]:80 default_server;
                 server_name _;
                 return 301 https://$host$request_uri;
             }

             ##EMBY Server##
             server {
                 listen [::]:80;
                 listen 80;
                 listen [::]:443 ssl;
                 listen 443 ssl;
                 server_name emby.mydomain.com;
                 ssl_session_timeout 30m;
                 ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                 ssl_certificate C:\\nginx-1.26.2\conf\SSL\mydomain.com-crt.pem;
                 ssl_certificate_key C:\\nginx-1.26.2\conf\SSL\mydomain.com-key.pem;
                 ssl_session_cache shared:SSL:10m;
                 ssl_prefer_server_ciphers on;
                 ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
                 proxy_hide_header X-Powered-By;
                 add_header X-Xss-Protection "1; mode=block" always;
                 add_header X-Content-Type-Options "nosniff" always;
                 add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                 add_header X-Frame-Options "SAMEORIGIN" always;
                 add_header 'Referrer-Policy' 'no-referrer';
                 add_header Content-Security-Policy "frame-ancestors mydomain.com; emby.mydomain.com;

                 location / {
                     proxy_pass http://192.167.178.21:8096;
                     proxy_hide_header X-Powered-By;
                     proxy_set_header Range $http_range;
                     proxy_set_header If-Range $http_if_range;
                     proxy_set_header X-Real-IP $remote_addr;
                     proxy_set_header Host $host;
                     proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                     #Next three lines allow websockets
                     proxy_http_version 1.1;
                     proxy_set_header Upgrade $http_upgrade;
                     proxy_set_header Connection "upgrade";
                 }
             }
         }
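Added example, not part of the post above: a small pre-flight lint in Python for an nginx.conf of this shape, useful when nginx exits at start-up without a helpful log entry. It walks the file the way a config tokenizer would and reports quoted strings that run past their line or never close, brace imbalance, backslashes in path directives (the nginx for Windows documentation asks for forward slashes), and legacy protocol versions in `ssl_protocols`. The sample is constructed; `lint_nginx_conf`, `check_directive` and the finding names are this example's own, and the multi-line-quote check is a heuristic, since nginx itself accepts quoted strings that contain newlines.

```python
# Constructed excerpt in the shape of a TLS-terminating server block.
SAMPLE_NGINX_CONF = r'''
server {
    listen 443 ssl;
    server_name emby.example.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate C:\nginx\conf\SSL\example.com-crt.pem;
    ssl_certificate_key C:/nginx/conf/SSL/example.com-key.pem;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors example.com; emby.example.com;
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Connection "upgrade";
    }
}
'''.lstrip("\n")

PATH_DIRECTIVES = {"ssl_certificate", "ssl_certificate_key", "include", "root",
                   "access_log", "error_log"}
LEGACY_TLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def check_directive(args):
    """Per-directive checks; args is [name, value, ...]."""
    if not args:
        return []
    name, values, codes = args[0], args[1:], []
    if name in PATH_DIRECTIVES and any("\\" in v for v in values):
        codes.append("backslash-in-path")
    if name == "ssl_protocols" and LEGACY_TLS & set(values):
        codes.append("legacy-tls-protocol")
    return codes


def lint_nginx_conf(text):
    """Return sorted (line, code) findings for an nginx configuration string."""
    findings, args, word = [], [], ""
    quote, quote_line, depth, line, i = None, 0, 0, 1, 0

    def end_directive():
        nonlocal word
        if word:
            args.append(word)
            word = ""
        findings.extend((line, code) for code in check_directive(args))
        args.clear()

    while i < len(text):
        ch = text[i]
        if ch == "\n":
            line += 1
        if quote:
            if ch == "\\" and i + 1 < len(text):
                word += text[i + 1]            # escaped character, taken literally
                line += text[i + 1] == "\n"
                i += 1
            elif ch == quote:
                if line != quote_line:         # string swallowed later directives
                    findings.append((quote_line, "quote-spans-lines"))
                args.append(word)
                word, quote = "", None
            else:
                word += ch
        elif ch in "\"'" and not word:
            quote, quote_line = ch, line
        elif ch == "#" and not word:           # comment runs to end of line
            while i + 1 < len(text) and text[i + 1] != "\n":
                i += 1
        elif ch.isspace():
            if word:
                args.append(word)
                word = ""
        elif ch == ";":
            end_directive()
        elif ch in "{}":
            end_directive()
            depth += 1 if ch == "{" else -1
            if depth < 0:
                findings.append((line, "unexpected-closing-brace"))
                depth = 0
        else:
            word += ch
        i += 1

    if quote:
        findings.append((quote_line, "unterminated-quote"))
    if depth > 0:
        findings.append((line, "missing-closing-brace"))
    return sorted(findings)


if __name__ == "__main__":
    for lineno, code in lint_nginx_conf(SAMPLE_NGINX_CONF):
        print(f"line {lineno}: {code}")
```

Once the lint is clean, `nginx -t` remains the authoritative syntax test.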
  3. Hey all, I used a Caddy guide and Caddy combined with a domain from noip to try to set up my Emby server through a reverse proxy. Everything seems to be working correctly when I go to my domain name remotely in a web browser or by manually entering my domain name and port in the apps, but for whatever reason, EmbyConnect is not saving the proper connection or is not connecting properly. Every time I try to log in with EmbyConnect, it says it can't connect.

     Here's what Caddy shows me when it runs:

         2024/09/02 21:55:55.834 INFO using adjacent Caddyfile
         2024/09/02 21:55:55.835 INFO adapted config to JSON {"adapter": "caddyfile"}
         2024/09/02 21:55:55.835 WARN Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies {"adapter": "caddyfile", "file": "Caddyfile", "line": 2}
         2024/09/02 21:55:55.842 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
         2024/09/02 21:55:55.842 INFO tls.cache.maintenance started background certificate maintenance {"cache": "0xc000430e80"}
         2024/09/02 21:55:55.842 INFO http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
         2024/09/02 21:55:55.842 INFO http.auto_https enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
         2024/09/02 21:55:55.844 INFO http.log server running {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
         2024/09/02 21:55:55.844 INFO http enabling HTTP/3 listener {"addr": ":443"}
         2024/09/02 21:55:55.844 INFO http.log server running {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
         2024/09/02 21:55:55.844 INFO http enabling automatic TLS certificate management {"domains": ["my doman"]}
         2024/09/02 21:55:55.845 INFO autosaved config (load with --resume flag) {"file": "C:\\Users\\Andy\\AppData\\Roaming\\Caddy\\autosave.json"}
         2024/09/02 21:55:55.845 INFO serving initial configuration
         2024/09/02 21:55:55.848 INFO tls storage cleaning happened too recently; skipping for now {"storage": "FileStorage:C:\\Users\\Andy\\AppData\\Roaming\\Caddy", "instance": "f9be30e8-14fd-4b07-9fdd-7dd8f1b965ad", "try_again": "2024/09/03 21:55:55.848", "try_again_in": 86400}
         2024/09/02 21:55:55.848 INFO tls finished cleaning storage units

     I'm pretty sure I set port forwarding up correctly, but I have a question about that as well. When I go to forward ports 80 and 443, do I forward the external ports 80 & 443 to internal ports 80 & 443, or do I forward them to the internal Emby local ports 8096 and 8290?

     If anyone has any ideas as to why I can connect to the server in a web browser using the domain name and why I can connect to it using manual entry in the Emby apps, but not with Emby Connect, I would be greatly appreciative of any assistance you might be able to offer. I'm kind of a newbie when it comes to some of this stuff, so if you need more information from me that I didn't think to provide in order to accurately assess or help me troubleshoot my issue, please let me know! Thanks!
  4. It took me a while to get Caddy v2 set up and working by itself. Then there were some struggles with getting it to work with Cloudflare. I thought I would share a guide to assist those who want to go that route.

     Prerequisites:
     • Have your own domain
     • Have the DNS of your domain set up with Cloudflare
     • Have your Cloudflare API key/token ("For this check out my other article on setting up DNS updates via API")
     • Have your Emby server set with a static internal IP

     Step 1: Download Caddy
     Visit https://caddyserver.com/download to download your binary. You will need to add a couple of plugins for this to work. You will want to select 'caddy-dns/cloudflare' and 'kirsch33/realip'. Review at the top that it shows 'Extra features = 2' and select 'Download'.

     Step 2: Download NSSM from https://nssm.cc/download
     "We will use this to run Caddy as a service"

     Step 3: Create folders for NSSM and Caddy on the root of the C:\ drive

     Step 4: Rename the caddy binary to just caddy.exe and put it in C:\Caddy\. Extract NSSM so you just have the nssm.exe and put that in your NSSM folder.

     Step 5: Create your caddyfile
     The caddyfile has no extension. You can open this with your favorite text editor. I use Notepad++. Below is a sample caddyfile.
     • The first email is the email address that you want to use to receive notifications if there are issues with the cert
     • Adjust your domain to what you are using for Emby. Either 'domain.com', 'login.domain.com' or 'emby.domain.com' etc.
     • The second email address is your email address for your Cloudflare account
     • This also sets up logging for the reverse proxy, which is really handy
     • I choose to use the actual IP address of the server instead of localhost. Either will work.

         {
             email email@gmail.com
         }

         yourdomain.com {
             tls email@gmail.com {
                 dns cloudflare 'Your Cloudflare API Key No Quotes'
             }
             log {
                 output file C:\caddy\logs\emby_access.log {
                     roll true            # Rotate logs, enabled by default
                     roll_size_mb 10      # Set max size X MB
                     roll_gzip true       # Whether to compress rolled files
                     roll_local_time true # Use localhost time
                     roll_keep 3          # Keep at most X log files
                     roll_keep_days 7     # Keep log files for X days
                 }
             }
             encode gzip
             reverse_proxy http://10.0.0.5:8096 {
                 header_up X-Real-IP {remote_host}
             }
         }

     If you wanted to run any of the arr's as subsites to your main reverse proxy, you can add the following to your caddyfile.
     • If you are running it on the same box, instead of using the full domain name you would just use http://yourip:port
     • You need to log in to each of the arr applications and set up the base URL
     • Log in, go to settings/general/base url
     • Add the correct subsite. So for Radarr you would add /movies, save and restart.

         {
             email email@gmail.com
         }

         yourdomain.com {
             tls email@gmail.com {
                 dns cloudflare 'Your Cloudflare API Key No Quotes'
             }
             log {
                 output file C:\caddy\logs\emby_access.log {
                     roll true            # Rotate logs, enabled by default
                     roll_size_mb 10      # Set max size X MB
                     roll_gzip true       # Whether to compress rolled files
                     roll_local_time true # Use localhost time
                     roll_keep 3          # Keep at most X log files
                     roll_keep_days 7     # Keep log files for X days
                 }
             }
             encode gzip
             reverse_proxy http://10.0.0.5:8096 {
                 header_up X-Real-IP {remote_host}
             }
             reverse_proxy /movies/* https://radarr.domain.com {
                 header_up Host {upstream_hostport}
                 header_up X-Forwarded-Host {host}
             }
             redir /movies /movies/
             reverse_proxy /tv/* https://sonarr.domain.com {
                 header_up Host {upstream_hostport}
                 header_up X-Forwarded-Host {host}
             }
             redir /tv /tv/
             reverse_proxy /music/* https://lidarr.domain.com {
                 header_up Host {upstream_hostport}
                 header_up X-Forwarded-Host {host}
             }
             redir /music /music/
             reverse_proxy /audiobooks/* https://readarr.domain.com {
                 header_up Host {upstream_hostport}
                 header_up X-Forwarded-Host {host}
             }
             redir /audiobooks /audiobooks/
         }

     Step 6: Create a user for caddy to run as and set a password. You will need this password later when we set up the service. I'm going to use srvcaddy.

     Step 7: Allow srvcaddy user to run as service
     You want to open up Local Security Policy. Go to 'Local Policies/User Rights Assignment/Log on as a service' and add our new user srvcaddy.

     Step 8: Add your domain under Emby network settings
     Log in, go to settings/network/external domain and add your domain name.

     Step 9: Launch cmd prompt as administrator

     Step 10: Install Caddy as a service
     We will need to type cd "C:\NSSM" in cmd prompt. Then you will need to type nssm install Caddy. We will want to edit Log on to our service account, then select 'Install service'. Now you can open up services and start caddy. The first time this runs it will take a few minutes to generate your certificate on the computer.

     Step 11: Adjust firewall rules
     You now only want the local computer to talk on Emby's port 8096. All other devices you will want to have connect via ports 80,443.
     • Open up Windows firewall
     • Make sure all of Emby's rules are disabled
     • Create a new rule

     Step 12: Create a port forward in your router/firewall from external port 443 to your server port 443.
     Due to the differences in every router/firewall you will need to refer to the manual or Google on this step. For even more security you can lock down only Cloudflare's IP addresses to be able to route to your server. Since we are updating the cert via API you only need port 443 open to Cloudflare. No need for port 80 to be open externally.

     Step 13: Create a DNS entry in your router/firewall for your server.
     Again, due to too many differences you will need to consult your device's manual or Google on how to accomplish this. You will want to create an internal record that takes your domain name for your Emby server and points it to the local IP. This way you can take advantage of local login with pin.

     Step 14: Set Cloudflare's SSL/TLS Encryption
     Log in to Cloudflare, select your domain, and go to SSL/TLS. You want to set this to Full/Strict.

     That's it... you should now have a fully encrypted connection to your Emby server, internal and external. You will now be connecting to your server via port 443 instead of 8096. Hope this helps anyone struggling with setting this up.
  5. As the subject says, because I'd like to disable TLSv1.2 in my reverse proxy for security reasons. I remember reading a post quite a while back that there were some clients that don't, but I can't find that post at the moment. If not, is there a list of clients that don't yet support 1.3? As all main browsers have done so for a while now. TLS1.3 caniuse.com
  6. cp41

    NGINX Setup for Emby on Mac

    I have been running Emby off my Mac mini M1 for a while now without issue. I set up SSL certification for remote access and everything has been working great. Right now, though, I have to renew my certificates every 90 days and then restart the Server for the new Certs to take effect. I have been using CertBot and OpenSSL for my certificate creation.

    I was trying to explore the use of NGINX Reverse Proxy as a way to automate the SSL Certificate process. Specifically, I could have a PowerShell script run to generate my certificates using CertBot and then I wouldn't have to worry about restarting the Emby Server as part of the process.

    I went through the recommended HOW TO: NGINX for Windows Topic that is recommended. And that was very useful for generating my Config file. However, I have not yet been able to get the Reverse Proxy to work. Here is my Config File (this is taken directly from the other HOW TO post):

        worker_processes 2;

        events {
            worker_connections 8192;
        }

        http {
            include mime.types;
            default_type application/octet-stream;
            server_tokens off;
            gzip on;
            gzip_disable "msie6";
            gzip_comp_level 6;
            gzip_min_length 1100;
            gzip_buffers 16 8k;
            gzip_proxied any;
            gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
            tcp_nodelay on;
            sendfile off;
            server_names_hash_bucket_size 128;
            map_hash_bucket_size 64;

            ## Start: Timeouts ##
            client_body_timeout 10;
            client_header_timeout 10;
            keepalive_timeout 30;
            send_timeout 10;
            keepalive_requests 10;
            ## End: Timeouts ##

            ## Default Listening ##
            server {
                listen 80 default_server;
                listen [::]:80 default_server;
                server_name _;
                return 301 https://$host$request_uri;
            }

            ##EMBY Server##
            server {
                listen [::]:80;
                listen 80;
                listen [::]:443 ssl;
                listen 443 ssl;
                server_name mydomain.com; # ssl_session_timeout 30m;
                ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                ssl_certificate /private/etc/letsencrypt/live/mydomain.com/cert.pem;
                ssl_certificate_key /private/etc/letsencrypt/live/mydomain.com/privkey.pem;
                ssl_session_cache shared:SSL:10m;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
                proxy_hide_header X-Powered-By;
                add_header X-Xss-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header 'Referrer-Policy' 'no-referrer';
                add_header Content-Security-Policy "frame-ancestors mydomain.com;"; #add your domainname and all subdomains listed on your cert

                location / {
                    proxy_pass http://192.168.86.21:8096; # This is my local emby ip and non SSL port
                    proxy_hide_header X-Powered-By;
                    proxy_set_header Range $http_range;
                    proxy_set_header If-Range $http_if_range;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header Host $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    #Next three lines allow websockets
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                }
            }
        }

    I know the syntax works because I ran the command sudo nginx -t and the test was successful. So I guess where I am struggling is the Emby Network Settings and/or the Port Forwarding. As I mentioned, I have Remote Access with mydomain.com working already, so I am at least familiar with these areas (in so much that I know the router works if the ports are set up correctly). But I am not 100% sure that I have these set up the way they are supposed to be configured.

    I have local http/https as 8096/8920. I have public http/https as 80/443. I forwarded the 80 and 443 ports on my router to the computer that is running NGINX (which is the same computer where Emby runs).

    Does anyone see where I may have gone wrong, or where I might be missing a step?
  7. Mr.Berzerk

    Emby behind reverse haproxy on pfSense

    Hey everyone. I've been running emby for a while, and now I want to get remote access working, but Emby is one of 6 servers, so it is a must to be behind a reverse-proxy. I got http working, but I can't get Emby to work on https/ssl. I have a certificate set up, but I get this error in my browser when going https: R_END_OF_FILE_ERROR. From searching the web, it is common for proxies to give this error, but I can't figure out what I need to change in haproxy to correct it. Emby is using a Let's Encrypt certificate, and is running remote access through 443. Any help would be appreciated.
  8. Hi All, I have forwarded my synology https port and I am making use of the same to reverse proxy to Emby. I am able to access my Emby server remotely via https via browsers on phone or laptop. However, I am not able to connect to the same link via Apple TV. Could someone throw some light here?
     1. Tried the link with and without port number.
     2. Tried reinstalling the app and restarted the server.
     3. Tried with and without the automatic port mapping setting on Emby server.
     The certificate I am using is from synology: the default certificate that is used for quick connect. I have forwarded the https synology port to local http port on LAN and enabled reverse proxy. Thanks in advance
  9. Hey, Hoping someone can help me with this. I use IIS/AAR to reverse proxy Emby to be publicly accessible and handle SSL offload. I have had everything working beautifully for quite some time with one small exception. The client IPs in the Admin Dashboard all show ::1 regardless of where the user signs in from (tested using cellular and my little brother's computer in another state). I have verified that X-Forwarded-For and the client's IP are showing correctly in the logs for IIS, however they do not display in the dashboard.

     My stack is:
       Windows Server 2019
       IIS 10
       AAR 3

     Flow is: Internet -> IIS -> Emby

     My Web.Config looks like:

         <?xml version="1.0" encoding="UTF-8"?>
         <configuration>
           <system.webServer>
             <rewrite>
               <rules>
                 <clear></clear>
                 <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                   <match url="*" negate="false" />
                   <conditions logicalGrouping="MatchAny">
                     <add input="{HTTPS}" pattern="off" />
                   </conditions>
                   <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
                 </rule>
                 <rule name="Proxy to Emby" stopProcessing="true">
                   <match url="(.*)" />
                   <serverVariables>
                     <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                     <set name="HTTP_ACCEPT_ENCODING" value="" />
                   </serverVariables>
                   <action type="Rewrite" url="http://localhost:8096/{R:1}" />
                 </rule>
               </rules>
               <outboundRules>
                 <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                   <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                   <conditions>
                     <add input="{HTTPS}" pattern="on" />
                   </conditions>
                   <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                 </rule>
                 <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
                   <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://http://localhost:8096/(.*)" />
                   <action type="Rewrite" value="http{R:1}://publicurl.mydomain.com/{R:2}" />
                 </rule>
                 <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                   <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                   <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                 </rule>
                 <preConditions>
                   <preCondition name="ResponseIsHtml1">
                     <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
                   </preCondition>
                   <preCondition name="NeedsRestoringAcceptEncoding">
                     <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                   </preCondition>
                 </preConditions>
               </outboundRules>
             </rewrite>
             <caching enabled="false" enableKernelCache="false" />
             <httpProtocol>
               <customHeaders>
                 <add name="X-Frame-Options" value="SAMEORIGIN" />
                 <add name="X-Xss-Protection" value="1; mode=block" />
                 <add name="X-Content-Type-Options" value="nosniff" />
                 <add name="Referrer-Policy" value="same-origin" />
                 <add name="Feature-Policy" value="sync-xhr 'self'" />
                 <add name="Cache-Control" value="no-cache" />
               </customHeaders>
             </httpProtocol>
           </system.webServer>
         </configuration>

     As I said, feature-wise everything works fantastic. It does appear that the bit-rate limiting for external streams does not apply due to this either. Thanks in advance!
  10. Hi, I have been having what seems to be a common issue, which is the video player going to the start when attempting to skip. From what I could tell this has something to do with my Nginx reverse-proxy setup. Found out about this from this comment. I went to their post and tried to use their Nginx reverse-proxy configuration. Post can be found here: https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/ But I am getting an error every time I run it. I am unsure if this configuration is supposed to work on ubuntu as it is posted under general/windows and my server is on Ubuntu 20.04.4 LTS x86_64. The error is as follows: This is the configuration used to achieve this error: https://pastebin.com/Vyfhkrb6 . I am also using cloud flare so take that into account when reviewing the configuration.
  11. Hello all, If you want to simplify the SSL connection and no longer care about renewing your SSL certificate for emby every 3 months, you can use a reverse proxy like this (I already tried to generate it automatically via crontab but I never succeeded in making it work correctly).
      Prerequisites:
      1 - create the reverse proxy locally on your nas and not remotely
      2 - be on adm 4.0; I already tried to make it work with 3.5.2 but it is not working
      Go to the reverse proxy menu and click on add, and fill it in like this: fill in your own domain name and choose the port that you want. You can use ez connect or declare your redirection directly on your router, then click "next". Fill it in like below and click on "test connexion". Now you have your Emby reverse proxy active and working. Under emby network options you can choose this option: "managed by a reverse proxy". That's all.
  12. sagefallon

    Missing image from Continue Watching

    This was working, however all of a sudden the image is blank on the Continued Watching tile for any movie I watch. Any ideas on why this may have started happening? Is this a setting or a configurable item? My setup is emby in docker on synology using let's encrypt, reverse proxy and https.
  13. Continuing with this topic, I want to share my current working Apache reverse proxy setup. Before Nginx users kill me, let me say that I prefer Apache because I'm used to it (I know Nginx is better in reverse proxy scenarios), I find it simpler, I have a Nextcloud server running in the same machine and here they recommend using Apache instead of Nginx, even if I'm not using it for an enterprise deployment.

      At the moment, I'm having 0 issues with any App (Web, TV, Android, iOS, etc.), the chrome console is clean without any error when connecting through the Web App. My apache is redirecting all traffic including the websocket traffic. I use my server with a CNAME of my domain, so that's why I don't locate it in "/emby" location, I do it in "/".

      This is my apache .conf file for Emby reverse proxy (located at /etc/apache2/sites-available):

          <IfModule mod_ssl.c>
          <VirtualHost *:80>
              ServerName cname.domain.com
              ServerAdmin youremail@address.com

              RewriteEngine on
              RewriteCond %{SERVER_NAME} =cname.domain.com
              RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
          </VirtualHost>

          <VirtualHost *:443>
              ServerName cname.domain.com
              ServerAdmin youremail@address.com

              <proxy *>
                  AddDefaultCharset off
                  Order Allow,Deny
                  Allow from all
              </proxy>

              ProxyRequests Off
              ProxyPreserveHost On

              ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
              ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

              ProxyPass "/" "http://127.0.0.1:8096/"
              ProxyPassReverse "/" "http://127.0.0.1:8096/"

              SSLCertificateFile /etc/letsencrypt/live/cname.domain.com/fullchain.pem
              SSLCertificateKeyFile /etc/letsencrypt/live/cname.domain.com/privkey.pem
              Include /etc/letsencrypt/options-ssl-apache.conf
          </VirtualHost>
          </IfModule>

      As you can see I'm using Let's Encrypt certificates. As @curtisghanson said here, I also have an "A" in Qualys SSL Labs:

      Well, I was scared of the performance but it's true that the maximum concurrent users I have are around 5-20, it's little. This is the server usage when 7 users are connected playing content at the same time (all my content is Direct Played):

      And that's all, hope you liked it and find it useful! Any improvement to the Apache conf file is welcome.

      Edit: Forgot to say thanks to @fc7 who was the man that made all this possible.
  14. Preface
      All of the media I'm testing have previously worked flawlessly in the current environment. Meaning my network topography/speed has not changed. I cannot say for sure when this problem began as I rarely need to use a browser to access my Emby personally, however I had a user report issues a few weeks ago. I gave it very little thought until I had reason to use a browser recently and I ran into problems.

      Problem
      Recently (within the last few weeks), Emby playback within my web-browser has begun giving me the following error:

      Testing
      I have tested with various browsers on various machines with results as such:
        Ubuntu - Chrome: FAIL
        Windows - Chrome: FAIL
        Ubuntu - Firefox: FAIL
        Windows - Firefox: FAIL
        Windows - Edge: SUCCESS
      I have deduced that this happens for all Matroska contained media as far as I can tell. Container WebM w/ VP9/Opus codecs works correctly. I'd have to really go fishing for other types of media to test as my libraries are 99.99% Matroska or WebM.

      Logs
      NOTE: Firefox actually attempted transcoding, though still resulted in the same error. I zipped the result transcode logs for each occurrence, though I know they will not be helpful for debugging this.
20180926-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-1.log 20180926-Emby.Server.DEBUG.Windows.Chrome.v68.0.3440.100-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1.zip 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2-1.log 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2.zip 20180926-Emby.Server.DEBUG.Windows.Edge.log UPDATE -- 20180927 -- Official Embyserver Docker Container results -- 20180927-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-3-1.log UPDATE It appears I may have opened a duplicate post from someone else with a similar problem (though to be fair, when I searched I did not find it as their topic is very misleading) https://emby.media/community/index.php?/topic/63309-docker/?p=627055 Also at a glance at their log, their ffmpeg doesn't even start, whereas this is not my issue.
  15. How to secure Emby using LetsEncrypt and Nginx Reverse Proxy by modifying Docker containers in Openmediavault. https://youtu.be/jYoDyoH2C0A
  16. Inspired by this article on how to host a website using cloudflare and nginx, I intend to do the same for my emby server. Like swynol, I have nginx server and emby server running on the very same machine which I station on my local home network. My OS however is ubuntu instead of windows.

      I've tried both swynol's and lukecarrier's github codes, to no avail, it won't redirect to the emby server no matter what. My nginx server was indeed running as both ports 80 and 443 are opened as tested by canyouseeme.org. It just won't redirect whenever I go to https://emby.mydomainname.com

      I don't even know where I should put the code. Of the guides online, some say /etc/nginx/conf.d/mydomain.com, some say /etc/nginx/sites-available/mydomain.com with /etc/nginx/sites-enabled linked to the earlier. I highly suspect that the code is the culprit. sudo nginx -t shows no error, systemctl status nginx operational. Shed some light anyone? Appreciate it.

      Update 16/12/2020
      Here's my nginx code which I put under sites-available and then linked to sites-enabled via ln -s

          server {
              listen [::]:80; ## Listens on port 80 IPv6
              listen 80; ## Listens on port 80 IPv4
              listen [::]:443 ssl http2; ## Listens on port 443 IPv6 with http2 and ssl enabled
              listen 443 ssl http2; ## Listens on port 443 IPv4 with http2 and ssl enabled
              proxy_buffering off; ## Sends data as fast as it can not buffering large chunks.
              server_name emby.mydomainname.com; ## enter your service name and domain name here
              access_log /var/log/nginx/embyaccess.log; ## Creates a log file with this name and the log info above.

              ## SSL SETTINGS ##
              ssl_session_timeout 30m;
              ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
              ssl_certificate /etc/ssl/mydomainname/cert.pem; ## Location of your public
              ssl_certificate_key /etc/ssl/mydomainname/key.pem; ## Location of your private PEM file.
              ssl_client_certificate /etc/ssl/mydomainname/cloudflare.crt; ##Authenticated Origin Pulls
              ssl_verify_client on; ##Authenticated Origin Pulls
              ssl_session_cache shared:SSL:10m;

              location ^~ /swagger { ## Disables access to swagger interface
                  return 404;
              }

              location / {
                  proxy_pass http://localhost:8096; ## Enter the IP here
                  proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys.
                  proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested.
                  proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested.
                  #proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
                  proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line.
                  proxy_set_header Host $host; ## Passes the requested domain name to the backend server.
                  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

                  ## ADDITIONAL SECURITY SETTINGS ##
                  ## Optional settings to improve security ##
                  ## add these after you have completed your testing and ssl setup ##
                  ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
                  ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
                  add_header 'Referrer-Policy' 'origin-when-cross-origin';
                  add_header Strict-Transport-Security "max-age=15552000; preload" always;
                  add_header X-Frame-Options "SAMEORIGIN" always;
                  add_header X-Content-Type-Options "nosniff" always;
                  add_header X-XSS-Protection "1; mode=block" always;

                  ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection $http_connection;
              }
          }

      Big thanks to @pir8radio for the configuration, my configuration is based on his. Setting up authenticated origin pulls is optional, here's where I download the cert. https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls#section6
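Two of the nginx configurations quoted in the posts above enable `ssl_protocols TLSv1.2 TLSv1.1 TLSv1`, and one also lists `DH+3DES` in `ssl_ciphers`. The following linter for those two directives is an added example, not code from any of the posts; the function names and the sample config (assembled from directives in those posts, plus one constructed commented-out line) are assumptions made for illustration.

```python
"""Flag deprecated TLS settings in an nginx config (added example)."""

# TLS 1.0 and 1.1 were formally deprecated by RFC 8996; SSLv2/SSLv3 earlier.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# Substrings of OpenSSL cipher-list tokens that select weak algorithms.
WEAK_CIPHER_MARKERS = ("DES", "RC4", "NULL", "EXPORT", "MD5")


def statements(text):
    """Yield (line_no, tokens) per directive; honours quotes and # comments."""
    tokens, cur, quote, line, start = [], "", None, 1, None
    i = 0
    while i < len(text):
        ch = text[i]
        if quote:                        # inside quotes: keep ';' and spaces
            if ch == quote:
                quote = None
            else:
                cur += ch
        elif ch in "\"'":
            quote = ch
            start = start or line
        elif ch == "#" and not cur:      # comment runs to the end of the line
            while i < len(text) and text[i] != "\n":
                i += 1
            continue
        elif ch.isspace() or ch in ";{}":
            if cur:
                tokens.append(cur)
                cur = ""
            if ch in ";{}":              # end of a directive or block header
                if tokens:
                    yield start, tokens
                tokens, start = [], None
        else:
            start = start or line
            cur += ch
        if ch == "\n":
            line += 1
        i += 1


def audit(text):
    """Return [(line_no, directive, [weak values])] for weak TLS settings."""
    findings = []
    for line_no, (name, *args) in statements(text):
        if name == "ssl_protocols":
            weak = [a for a in args if a in WEAK_PROTOCOLS]
        elif name == "ssl_ciphers" and args:
            weak = [t for t in args[0].split(":")
                    if t[:1] not in ("!", "-")   # exclusions remove ciphers
                    and any(m in t.upper() for m in WEAK_CIPHER_MARKERS)]
        else:
            continue
        if weak:
            findings.append((line_no, name, weak))
    return findings


# Constructed sample: directives taken from the configs quoted in the posts;
# the commented-out SSLv3 line is added to show that comments are ignored.
SAMPLE = """\
server {
    listen 443 ssl;
    server_name mydomain.com;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header Content-Security-Policy "frame-ancestors mydomain.com;"; #add your domainname
    #ssl_protocols SSLv3;
}
"""

# Same server block with the legacy protocols and the 3DES entry removed.
HARDENED = (SAMPLE
            .replace("TLSv1.2 TLSv1.1 TLSv1;", "TLSv1.2 TLSv1.3;")
            .replace(":DH+3DES", ""))

if __name__ == "__main__":
    for line_no, name, weak in audit(SAMPLE):
        print(f"line {line_no}: {name} allows {', '.join(weak)}")
```

The tokenizer is quote-aware because header values such as the HSTS and CSP strings contain `;`, which a plain split on semicolons would cut in the wrong place.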
  17. Ok this is going to be a long post. In this thread I will show you 2 different ways in which I set up a HTTPS connection to my emby server. Both ways require a certificate, which again I will show you how I got mine using Lets Encrypt on Windows. I will break the posts up into Sections.
      Part.1 - Setting up a DDNS (Dynamic DNS host). Only required if your ISP IP is dynamic, i.e. changes.
      Part.1.A - Setting Up DDNS using your own Domain Name
      Part.2 - Getting a Domain Name (Optional but looks fancier)
      Part.3 - Getting a SSL Cert from Lets Encrypt the easy way.
      Part 3a - Using LE.exe to get Certificates (recommended)
      Part.4 - Setting up HTTPS by changing default port to 443
      Part.5 - Setting up HTTPS using reverse proxy
  18. Hi. In the past I used emby in Windows behind a Traefik Container. Now I had to change everything because I don't want to use Windows anymore. I decided to switch to UnRAID. Now I've created a Docker Compose File to create my new emby container.

          version: '3.7'

          networks:
            emby-net:
              driver: bridge
            traefik_traefik-net:
              external: true

          services:
            emby:
              container_name: Emby
              image: emby/embyserver:latest
              ports:
                - "8096:8096"
                - "8920:8920"
                - "1900:1900/udp"
              restart: unless-stopped
              devices:
                - /dev/dri:/dev/dri
              environment:
                - UID=18
                - GID=18
                - GIDLIST=18
              volumes:
                - emby-config:/config
                - type: bind
                  source: /mnt/user/Downloads
                  target: /mnt/Downloads
                - type: bind
                  source: /mnt/user/Aufzeichnungen
                  target: /mnt/Aufzeichnungen
                - type: bind
                  source: /mnt/user/Sicherungen/Musik
                  target: /mnt/Musik
                - type: bind
                  source: /mnt/user/Sicherungen/Bilder & Videos
                  target: /mnt/Bilder & Videos
                - type: bind
                  source: /mnt/user/Docker/Zertifikate
                  target: /mnt/Zertifikate
                - type: bind
                  source: /mnt/user/Backups/Docker/Emby
                  target: /mnt/Backup
              networks:
                - emby-net
                - traefik_traefik-net
              labels:
                - "traefik.docker.network=traefik_traefik-net"
                - "traefik.enable=true"
                - "traefik.http.routers.emby.entrypoints=http"
                - "traefik.http.routers.emby.rule=Host(`emby.mydomain.de`)"
                - "traefik.http.routers.emby.middlewares=https-redirect"
                - "traefik.http.routers.emby-s.entrypoints=https"
                - "traefik.http.routers.emby-s.rule=Host(`emby.mydomain.de`)"
                - "traefik.http.routers.emby-s.tls=true"
                - "traefik.http.routers.emby-s.tls.certresolver=letsencrypt"
                - "traefik.http.routers.emby-s.tls.domains[0].main=mydomain.de"
                - "traefik.http.routers.emby-s.tls.domains[0].sans=cloud.mydomain.de,emby.mydomain.de,blog.mydomain.de"
                - "traefik.http.middlewares.https-redirect.redirectscheme.scheme=https"
                - "traefik.http.services.emby-s.loadbalancer.server.port=8920"

          volumes:
            emby-config:

      Now I've got the problem that emby isn't reachable if I use my domain name. It's just reachable when I use the local IP.
      I use the emby standard ports for http (8096) and https (8920). These are the logs from emby:

          2020-09-21 17:37:26.559 Error HttpServer: Error in ProcessAccept
              *** Error Report ***
              Version: 4.4.3.0
              Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
              Operating system: Unix 5.7.8.0
              64-Bit OS: True
              64-Bit Process: True
              User Interactive: True
              Runtime: file:///system/System.Private.CoreLib.dll
              System.Environment.Version: 3.1.2
              Processor count: 4
              Program data path: /config
              Application directory: /system
              System.IO.IOException: System.IO.IOException: The handshake failed due to an unexpected packet format.
                 at System.Net.Security.SslStream.StartReadFrame(Byte[] buffer, Int32 readBytes, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslStream.StartReceiveBlob(Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslStream.ForceAuthentication(Boolean receiveFirst, Byte[] buffer, AsyncProtocolRequest asyncRequest)
                 at System.Net.Security.SslStream.ProcessAuthentication(LazyAsyncResult lazyResult, CancellationToken cancellationToken)
                 at System.Net.Security.SslStream.BeginAuthenticateAsServer(SslServerAuthenticationOptions sslServerAuthenticationOptions, CancellationToken cancellationToken, AsyncCallback asyncCallback, Object asyncState)
                 at System.Net.Security.SslStream.BeginAuthenticateAsServer(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation, AsyncCallback asyncCallback, Object asyncState)
                 at System.Net.Security.SslStream.<>c.<AuthenticateAsServerAsync>b__68_1(X509Certificate arg1, Boolean arg2, SslProtocols arg3, AsyncCallback callback, Object state)
                 at System.Threading.Tasks.TaskFactory`1.FromAsyncImpl[TArg1,TArg2,TArg3](Func`6 beginMethod, Func`2 endFunction, Action`1 endAction, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
                 at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state, TaskCreationOptions creationOptions)
                 at System.Threading.Tasks.TaskFactory.FromAsync[TArg1,TArg2,TArg3](Func`6 beginMethod, Action`1 endMethod, TArg1 arg1, TArg2 arg2, TArg3 arg3, Object state)
                 at System.Net.Security.SslStream.AuthenticateAsServerAsync(X509Certificate serverCertificate, Boolean clientCertificateRequired, SslProtocols enabledSslProtocols, Boolean checkCertificateRevocation)
                 at SocketHttpListener.Net.HttpConnection.Init()
                 at SocketHttpListener.Net.HttpEndPointListener.ProcessAccept(SocketAsyncEventArgs args)
              Source: System.Net.Security
              TargetSite: Void StartReadFrame(Byte[], Int32, System.Net.AsyncProtocolRequest)

      and from Traefik:

          [21/Sep/2020:17:37:26 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 10952 "emby-s@docker" "http://172.21.0.3:8920" 4ms
          [21/Sep/2020:17:37:26 +0000] "GET /favicon.ico HTTP/2.0" 499 21 "-" "-" 10953 "emby-s@docker" "http://172.21.0.3:8920" 1ms
          [21/Sep/2020:17:37:31 +0000] "GET / HTTP/2.0" 502 11 "-" "-" 10955 "emby-s@docker" "http://172.21.0.3:8920" 10ms
          [21/Sep/2020:17:37:31 +0000] "GET /favicon.ico HTTP/2.0" 502 11 "-" "-" 10956 "emby-s@docker" "http://172.21.0.3:8920" 3ms

      The IP 172.21.0.3 is used by emby in the traefik_traefik-net. Any ideas what the problem could be? I use the same configuration for nextcloud and a wordpress blog without any problems. Thanks in advance!
  19. johntankard

    Reverse Proxy - unknown ip

    Hi guys, Need a little help please. I've set up a cloudflare reverse proxy pointing to my emby server; in addition I've secured the incoming port to only allow ip ranges that belong to cloudflare. For a while all was fine but today I couldn't access the emby server. While examining the firewall logs I noticed the cloudflare ip was allowed through, but also noticed a single ip address that tried to access at the same time, that belonged to Google, namely (35.214.82.167), was being blocked. Once I allowed this ip through, the emby android app connected fine. Does emby rely on some additional Google-owned ip addresses? It doesn't make sense. Thanks John.
  20. What I have done so far, I have a domain name purchased from namecheap i'll call it <mydomain> I used namecheap's DDNS on my emby server which creates an A record on the domain. for whatever reason, I had to use www.<mydomain>.com I don't know why but i had to add the www's to get it to work, I had also tried @<mydomain>.com but it would never update I have let this run for a week so everything should be updated and ready to go On my router I forwarded ports 80 and 443 to the emby server with my particular router I can't figure out a way to permit it through the firewall but my test has the firewall turned off so I dont think it is causing the issue. Emby's setting local http 8096 https 8920 public http 80 https 443 allow remote is checked caddy v2 I downloaded the zip, unzipped it on the root directory. Created the extension-less "caddyfile" its contents are, { email <mygmail>@gmail.com } www.<mydomain>.com { reverse_proxy http://192.168.0.18:80 } I know I can use localhost instead of the IP, this should work though because I know it's internal IP and I have it set to not change as I use it to connect using RDP. 
    Running everything

    I use command prompt and navigate to the Caddy directory. With router firewall on and the server's firewall off, I run

    # caddy run

        C:\Caddy>caddy run
        2020/06/21 14:46:17.402 INFO using adjacent Caddyfile
        2020/06/21 14:46:17.413 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
        2020/06/21 08:46:17 [INFO][cache:0xc0005ff7c0] Started certificate maintenance routine
        2020/06/21 14:46:17.415 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
        2020/06/21 14:46:17.415 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
        2020/06/21 14:46:17.418 INFO tls cleaned up storage units
        2020/06/21 14:46:17.418 INFO http enabling automatic TLS certificate management {"domains": ["www.<mydomain>.com"]}
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
        2020/06/21 14:46:17.425 INFO autosaved config {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
        2020/06/21 14:46:17.428 INFO serving initial configuration
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Waiting on rate limiter...
        2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Done waiting
        2020/06/21 08:46:17 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: use http-01 solver
        2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
        2020/06/21 08:46:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:25 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
        2020/06/21 08:46:25 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/P-jvWvwSBjkK_9PQepBe5puAo_TLpsdonnZVunocu-I: Connection reset by peer, url: (challenge=http-01 remaining=[tls-alpn-01])
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
        2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
        2020/06/21 08:46:28 http: TLS handshake error from 127.0.0.1:61875: EOF
        2020/06/21 08:46:28 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:28 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
        2020/06/21 08:46:28 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: (challenge=tls-alpn-01 remaining=[])
        2020/06/21 08:46:30 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: - retrying in 1m0s (13.0492981s/720h0m0s elapsed)...
        2020/06/21 14:46:34.960 INFO shutting down {"signal": "SIGINT"}
        2020/06/21 08:46:34 [INFO][cache:0xc0005ff7c0] Stopped certificate maintenance routine
        2020/06/21 08:46:34 [INFO][www.<mydomain>.com] Obtain: Releasing lock
        2020/06/21 14:46:34.963 INFO shutdown done {"signal": "SIGINT"}

    With both router and caddy server's firewalls off I run caddy and it does this:

        C:\Caddy>caddy run
        2020/06/21 14:47:55.788 INFO using adjacent Caddyfile
        2020/06/21 14:47:55.794 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
        2020/06/21 14:47:55.795 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
        2020/06/21 14:47:55.795 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
        2020/06/21 08:47:55 [INFO][cache:0xc0002e3b80] Started certificate maintenance routine
        2020/06/21 14:47:55.796 INFO http enabling automatic TLS certificate management {"domains": ["www.<mydomain>.com"]}
        2020/06/21 14:47:55.797 INFO tls cleaned up storage units
        2020/06/21 14:47:55.798 INFO autosaved config {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
        2020/06/21 14:47:55.799 INFO serving initial configuration
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Waiting on rate limiter...
        2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Done waiting
        2020/06/21 08:47:55 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: use http-01 solver
        2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
        2020/06/21 08:48:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:48:03 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
        2020/06/21 08:48:03 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/fZqo0DmEmVjo9sElqDlmfJv6r_y50shAJ87QeOgb_rE: Connection reset by peer, url: (challenge=http-01 remaining=[tls-alpn-01])
        2020/06/21 08:48:05 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
        2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
        2020/06/21 08:48:06 http: TLS handshake error from 127.0.0.1:62306: EOF
        2020/06/21 08:48:11 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:11 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
        2020/06/21 08:48:11 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: (challenge=tls-alpn-01 remaining=[])
        2020/06/21 08:48:13 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: - retrying in 1m0s (17.8656781s/720h0m0s elapsed)...
        2020/06/21 14:48:24.865 INFO shutting down {"signal": "SIGINT"}
        2020/06/21 08:48:24 [INFO][cache:0xc0002e3b80] Stopped certificate maintenance routine
        2020/06/21 08:48:24 [INFO][www.<mydomain>.com] Obtain: Releasing lock
        2020/06/21 14:48:24.867 INFO shutdown done {"signal": "SIGINT"}

    The emby server is running Windows Server 2019; like a lot of servers it doesn't have any additional antivirus or firewall beyond Windows Defender. This is what I am referring to when I say in the test that the firewall is turned off. Both Private and Public network settings are set to 'Turn off Windows Defender Firewall'. Any help with why this isn't working would be appreciated. If I left out anything that is important please let me know. I am unfamiliar with all of this, so if I didn't mention it I almost certainly didn't do it.
  21. Hello Emby community! So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day). I have one question though, for which I couldn't seem to find precise info.

    I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily. The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan

    So far, so good, as I only access these services from my home LAN, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall).

    But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed. Many thanks in advance!
  22. plaidstallion

    Recommended HTTP headers?

    I was hoping someone could take a look at the HTTP headers I have my reverse proxy (Traefik v2) apply to Emby (and other apps) and let me know what might be causing issues with the app?

        customFrameOptionsValue: SAMEORIGIN
        browserXssFilter: true
        stsSeconds: 155520011
        referrerPolicy: no-referrer
        contentTypeNosniff: true
        sslRedirect: true
        forceSTSHeader: true
        stsIncludeSubdomains: true
        stsPreload: true
        featurePolicy: true
        sslForceHost: true
        contentSecurityPolicy: "default-src ‘self’; script-src ‘self’ ‘unsafe-eval’; style-src ‘self’ ‘unsafe-inline’; frame-src *; img-src * data: blob:; font-src ‘self’ data:; media-src *;"
        accessControlAllowOriginList: [“<origin>”]
        featurePolicy: "geolocation 'none'; camera 'none'; microphone 'none'"

    The web interface is accessible but sometimes it doesn't load all the assets (cover art, etc) and movies will randomly not play. If I take all the headers off, everything works fine as if I am connecting inside the LAN, but then I lose that nice A+ security rating for headers scan. I suppose I can start taking them off one by one and see what might be the issue, but thought the devs or forum mods may just be able to look at my list and spot what is wrong. I looked for documentation of recommended headers but didn't see any articles through Google searches. Seems like a good wiki item.
  23. Hey guys, first of all: Emby for Kodi is the reason why I came to Emby. Great app, much appreciated. @Angelblue05 @sualfred

    I'm still testing a lot of stuff but I found some errors in my kodi.log. Every five seconds it gives me a never ending loop of these:

        NOTICE: EMBY.entrypoint.service -> [ onNotification/plugin.video.emby/WebSocketRestarting ]
        NOTICE: Emby.emby.core.ws_client -> ERROR:: Handshake Status 503

    Debug logging within Emby for Kodi will add these two lines:

        NOTICE: EMBY.helper.utils -> DEBUG:: ---[ event: plugin.video.emby/WebSocketRestarting ] "[{}]"
        NOTICE: EMBY.entrypoint.service -> DEBUG:: [ plugin.video.emby: WebSocketRestarting ] {}

    The HTTP error code 503 comes from my haproxy, which does SNI and SSL-offloading (e.g. by emby.domain.com) on port 443 and will return a 503 if you use none or a non-existent hostname in your request. Making emby server and emby.domain.com the default (fallback), the websocket will work with haproxy. For obvious reasons I don't want to use my emby server as 'default backend' on any request on port 443.

    Haproxy logs show that the request is: "GET /embywebsocket?api_key=<removed>&device_id=<removed> HTTP/1.1" (See update at the end)

    Unfortunately I could not figure out a way to make haproxy or Emby for Kodi show me the whole request with the hostname, so one can only guess that it might not be the hostname but maybe only the IP address?

    While searching about this, I only found this locked topic, from which I didn't get any helpful hints. I understand there was a fix in the websockets request in 2017 which added a slash before the 'embywebsocket': https://emby.media/community/index.php?/topic/50062-web-sockets-and-reverse-proxy/ Since I can see the GET request with the leading slash, I figure this can't be the reason for the 503. Of course I'd like to rule out a configuration error on the haproxy side.

    Since streaming and database updates seem to work as long with the workaround using emby server as default backend for SNI, in my opinion this has to be a websocket request specific problem. So my first question would be: Does anybody have this working with reverse proxy and SNI (without emby as default backend)?

    On the other hand I'm not sure what the websocket is used for. I figured it might be the 'send message' feature from server to client or the 'inform about new content' over 'server is restarting' and so on. Which features depend on a websocket to the emby server? Is it 'required'? I'd also like to look further into this, but I can't seem to find the full websocket request in any log. Is there a way to see the whole request somewhere in Emby for Kodi?

    I'm running:
    - emby for kodi 4.1.19
    - Libreelec 9.2.2 with Kodi 18.6
    - Emby server 4.4.2.0

    Thanks for your help or hints in advance. Steve

    UPDATE: I figured out how to make haproxy capture the sent host headers from the HTTP request and log them. The problem seems to be that an additional colon from the appending port remains inside the host header (e.g. emby.domain.com: ). This seems to be the reason why haproxy can't find the hostname. Is this a bug inside Kodi for Emby? I use 'manual server' with 'https://emby.domain.com:443'. This still only happens with the websockets request. Can someone tell how this request handles the host header differently from the other requests?

    SOLUTION: Emby for Kodi does SNI correctly. It turned out I had my haproxy configuration wrong. It was redirecting to emby server based on the host header within the HTTP request, but it should have redirected by the SNI within the TCP request. I set it to SNI and now it works perfectly. Thanks for pointing me back to the haproxy logs and sorry for wasting your time @Luke.
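    The Host-header-versus-SNI routing difference from post 23, as an added Python example that is not part of the post and is not HAProxy's own matching logic: it shows why an exact match on the Host header misses when the header carries a port or a dangling colon, while the TLS server name never carries a port. The routing table, the backend name `emby_backend` and all function names are hypothetical.

```python
from typing import Optional

# Constructed routing table: the hostname is the placeholder used in the post,
# the backend name is hypothetical.
BACKENDS = {"emby.domain.com": "emby_backend"}


def normalize_host(host_header: str) -> str:
    """Return the bare, lower-case host from a Host header value.

    Accepts "name", "name:443", "name:" (empty port, as logged in the post),
    a trailing root dot, and bracketed IPv6 literals such as "[::1]:8920".
    """
    value = host_header.strip()
    if value.startswith("["):
        end = value.find("]")
        if end == -1:
            raise ValueError(f"unterminated IPv6 literal: {host_header!r}")
        host, rest = value[: end + 1], value[end + 1:]
    else:
        host, sep, port = value.partition(":")
        rest = sep + port
    # Whatever follows the host must be empty, ":" or ":<digits>".
    if rest and not (rest[0] == ":" and (rest[1:] == "" or rest[1:].isdigit())):
        raise ValueError(f"malformed Host header: {host_header!r}")
    if not host:
        raise ValueError("empty host in Host header")
    return host.rstrip(".").lower()


def route_by_host_exact(host_header: str) -> Optional[str]:
    """Naive rule: the raw header must equal a configured name exactly."""
    return BACKENDS.get(host_header)


def route_by_host(host_header: str) -> Optional[str]:
    """Same rule after stripping port, case and trailing dot."""
    return BACKENDS.get(normalize_host(host_header))


def route_by_sni(server_name: str) -> Optional[str]:
    """The TLS server_name extension holds a hostname only, never a port."""
    return BACKENDS.get(server_name.rstrip(".").lower())


def sni_host_mismatch(server_name: str, host_header: str) -> bool:
    """True when the TLS name and the HTTP Host name disagree (worth logging)."""
    return server_name.rstrip(".").lower() != normalize_host(host_header)


if __name__ == "__main__":
    # None stands for "no backend matched", i.e. the 503 seen in the post.
    for header in ("emby.domain.com", "emby.domain.com:443", "emby.domain.com:"):
        print(repr(header), route_by_host_exact(header), route_by_host(header))
```

    Logging `sni_host_mismatch` results at the proxy is a cheap way to spot clients whose Host header and TLS server name diverge.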
  24. I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80. I host a website under the www subdomain at the root path on port 80, so that's not an option. I'm fine with any of these solutions:

    1. Use a different port (http://www.mydomain.com:8096/)
    2. Use a different subdomain (http://emby.mydomain.com/)
    3. Use a different path (http://www.mydomain.com/emby/)

    My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on. I think I'd prefer solution #1 or #2, but I'm not picky. I'd also like to set up SSL, but I need to get this working before I can worry about encryption. That said, the SSL configuration for my website might be responsible for my current problem. All requests to port 80 are redirected to 443, which has SSL enabled. The server just directs everything on the /emby path to localhost:8096, which Emby binds to. I'm able to load the index page, but it fails to load the JavaScript used to render any actual content. It looks like the server isn't able to serve the JavaScript file over HTTPS. I have very limited experience with NGINX and Emby and I have no idea how to fix it.
    Here's my NGINX server configuration:

        server {
            listen 443 ssl default_server;
            listen [::]:443 ssl default_server;
            root /█████/website;
            server_name █████;
            ssl on;
            ssl_certificate /█████/cert.pem;
            ssl_certificate_key /█████/privkey.pem;
            ssl_stapling on;
            ssl_stapling_verify on;
            resolver 8.8.4.4 8.8.8.8;
            location /static {
                alias /█████/website/static;
            }
            location / {
                try_files $uri @wsgi;
            }
            location @wsgi {
                proxy_pass http://unix:/tmp/gunicorn.sock;
                include proxy_params;
            }
            location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
                access_log off;
                log_not_found off;
                expires max;
            }
            location /emby {
                proxy_pass http://127.0.0.1:8096;
            }
        }
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name █████;
            return 301 https://$host$request_uri;
        }
  25. I'm a newbie - recently started using emby on an unraid server, accessible through reverse proxy using personal subdomain. All working well, but I'm having trouble setting up on Samsung smart TV. Works OK to sign on to server via web browser on the TV, but not ideal. However unable to sign on using the Samsung emby app. Fails to connect, despite the same url as working on the web browser. Any help would be welcome.