Showing results for tags 'haproxy'.

Found 3 results

  1. I am running Emby on a TrueNAS server behind a haproxy reverse proxy that is configured to use Let's Encrypt certificates so the cert configuration doesn't have to be done in Emby. My domain provider is Google Domains and I have a synthetic record configured to point to my subdomain. When users attempt to log in to my Emby server through any of the Emby apps using my subdomain URL, they can access the server and see their profile, but when they attempt to log in they get the following error:

        Invalid username or password. Please try again.

    The Emby logs show:

        2020-11-28 20:05:49.428 Info HttpServer: HTTP GET http://emby.domain.io:8096/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=SAMSUNG_DEVICE&X-Emby-Device-Id=180dd06ae38b4c18&X-Emby-Client-Version=3.1.64. Host=emby.domain.io, accept=application/json, User-Agent=Mozilla/5.0 (Linux; Android 10; SM-G975U1 Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.198 Mobile Safari/537.36, X-Requested-With=com.mb.android, Sec-Fetch-Site=cross-site, Sec-Fetch-Mode=cors, Sec-Fetch-Dest=empty, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9
        2020-11-28 20:05:49.429 Error HttpServer: Access token is invalid or expired.
        2020-11-28 20:05:49.429 Info HttpServer: HTTP Response 401 to 192.168.50.10. Time: 1ms. http://emby.domain.io:8096/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=SAMSUNG_DEVICE&X-Emby-Device-Id=180dd06ae38b4c18&X-Emby-Client-Version=3.1.64. ConnectionId: null

    My haproxy configuration is as follows:

        global
            log /dev/log local0
            log /dev/log local1 notice
            chroot /var/lib/haproxy
            stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
            stats timeout 30s
            user haproxy
            group haproxy
            daemon

            # Default SSL material locations
            ca-base /etc/ssl/certs
            crt-base /etc/ssl/private

            # Default ciphers to use on SSL-enabled listening sockets.
            # For more information, see ciphers(1SSL). This list is from:
            # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
            # An alternative list with additional directives can be obtained from
            # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
            ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
            ssl-default-bind-options no-sslv3

        defaults
            log global
            mode http
            option httplog
            option dontlognull
            timeout connect 5000
            timeout client 50000
            timeout server 50000
            errorfile 400 /etc/haproxy/errors/400.http
            errorfile 403 /etc/haproxy/errors/403.http
            errorfile 408 /etc/haproxy/errors/408.http
            errorfile 500 /etc/haproxy/errors/500.http
            errorfile 502 /etc/haproxy/errors/502.http
            errorfile 503 /etc/haproxy/errors/503.http
            errorfile 504 /etc/haproxy/errors/504.http

        frontend www-http
            bind *:80
            bind *:443 ssl crt /etc/ssl/domain.io/domain.pem
            redirect scheme https code 301 if !{ ssl_fc }
            acl letsencrypt-acl path_beg /.well-known/acme-challenge/
            use_backend letsencrypt-backend if letsencrypt-acl
            use_backend gitlab-backend if { hdr_dom(host) -i gitlab.domain.io }
            use_backend gitlab-backend if { hdr_dom(host) -i pages.domain.io }
            use_backend nextcloud-backend if { hdr_dom(host) -i nextcloud.domain.io }
            use_backend emby-backend if { hdr_dom(host) -i emby.domain.io }
            default_backend gitlab-backend

        backend gitlab-backend
            server gitlab 192.168.50.9:80

        backend pages-backend
            server pages 192.168.50.9:8090

        backend nextcloud-backend
            server nextcloud 192.168.50.12:80

        backend emby-backend
            server emby 192.168.50.13:8096

        backend letsencrypt-backend
            server letsencrypt 127.0.0.1:8888

    If users navigate to my Emby subdomain in a browser and log in, they have no issue. Only when using the app do they have trouble.

    I should also note that if a user has an Emby Connect account and I have set their account email in their profile then they can use the Connect account to log in from the apps. While this is a workaround, not all my users want Connect accounts so I would like to avoid this if possible.
  2. Mr.Berzerk

    Emby behind reverse haproxy on pfSense

    Hey everyone. I've been running Emby for a while, and now I want to get remote access working, but Emby is one of 6 servers, so it is a must to be behind a reverse proxy. I got http working, but I can't get Emby to work on https/ssl. I have a certificate set up, but I get this error in my browser when going https: R_END_OF_FILE_ERROR. From searching the web, it is common for proxies to give this error, but I can't figure out what I need to change in haproxy to correct it. Emby is using a letsencrypt certificate, and is running remote access through 443. Any help would be appreciated.
  3. Hey guys, first of all: Emby for Kodi is the reason why I came to Emby. Great app, much appreciated. @Angelblue05 @sualfred

    I'm still testing a lot of stuff but I found some errors in my kodi.log. Every five seconds it gives me a never-ending loop of these:

        NOTICE: EMBY.entrypoint.service -> [ onNotification/plugin.video.emby/WebSocketRestarting ]
        NOTICE: Emby.emby.core.ws_client -> ERROR:: Handshake Status 503

    Debug logging within Emby for Kodi will add these two lines:

        NOTICE: EMBY.helper.utils -> DEBUG:: ---[ event: plugin.video.emby/WebSocketRestarting ] "[{}]"
        NOTICE: EMBY.entrypoint.service -> DEBUG:: [ plugin.video.emby: WebSocketRestarting ] {}

    The http error code 503 comes from my haproxy, which does SNI and SSL-offloading (e.g. by emby.domain.com) on port 443 and will return a 503 if you use none or a non-existent hostname in your request. Making emby server and emby.domain.com the default (fallback), the websocket will work with haproxy. For obvious reasons I don't want to use my emby server as 'default backend' on any request on port 443.

    Haproxy logs show that the request is:

        "GET /embywebsocket?api_key=<removed>&device_id=<removed> HTTP/1.1"

    (See update at the end.) Unfortunately I could not figure out a way to make haproxy or Emby for Kodi show me the whole request with the hostname, so one can only guess that it might not be the hostname but maybe only the IP address?

    While searching about this, I only found this locked topic, from which I didn't get any helpful hints. I understand there was a fix in the websockets request in 2017 which added a slash before the 'embywebsocket': https://emby.media/community/index.php?/topic/50062-web-sockets-and-reverse-proxy/ Since I can see the GET request with the leading slash, I figure this can't be the reason for the 503. Of course I'd like to rule out a configuration error on the haproxy side.

    Since streaming and database updates seem to work as long with the workaround using emby server as default backend for SNI, in my opinion this has to be a websocket-request-specific problem. So my first question would be: Does anybody have this working with reverse proxy and SNI (without emby as default backend)?

    On the other hand I'm not sure what the websocket is used for. I figured it might be the 'send message' feature from server to client or the 'inform about new content' over 'server is restarting' and so on. Which features depend on a websocket to the emby server? Is it 'required'?

    I'd also like to look further into this, but I can't seem to find the full websocket request in any log. Is there a way to see the whole request somewhere in Emby for Kodi?

    I'm running:
    - emby for kodi 4.1.19
    - Libreelec 9.2.2 with Kodi 18.6
    - Emby server 4.4.2.0

    Thanks for your help or hints in advance.

    Steve

    UPDATE: I figured out how to make haproxy capture the sent host headers from the http request and log them. The problem seems to be that an additional colon from the appended port remains inside the host header (e.g. emby.domain.com: ). This seems to be the reason why haproxy can't find the hostname. Is this a bug inside Kodi for Emby? I use 'manual server' with 'https://emby.domain.com:443'. This still only happens with the websockets request. Can someone tell how this request handles the host header differently from the other requests?

    SOLUTION: Emby for Kodi does SNI correctly. It turned out I had my haproxy configuration wrong. It was redirecting to emby server based on the host header within the http request, but it should have redirected by the SNI within the tcp request. I set it to sni and now it works perfectly. Thanks for pointing me back to the haproxy logs and sorry for wasting your time @Luke.