emby behind a traefik2 proxy - can't login in IOS

[davidpenn2001 0]

Hi, 

I can't login my emby server from LAN in IOS app. My server name/port is like: https://emby.example.com:8443. My traefik2 container will forward it to emby docker at port 8096. 

Quote

  emby:
    image: emby/embyserver
    restart: unless-stopped
    container_name: emby
    environment:
      - TZ=Asia/Shanghai
      - UID=1000
      - GID=984
    volumes:
      - ./emby:/config
      - /ndisk1/media/:/data
    ports:
      - 8096:8096
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.emby-rtr.entrypoints=https"
      - "traefik.http.routers.emby-rtr.rule=Host(`emby.$DOMAINNAME`)"
      - "traefik.http.routers.emby-rtr.tls=true"
      ## Middlewares
      - "traefik.http.routers.emby-rtr.middlewares=chain-no-auth@file" # No Authentication
      ## HTTP Services
      - "traefik.http.routers.emby-rtr.service=emby-svc"
      - "traefik.http.services.emby-svc.loadbalancer.server.port=8096"
    networks:
      - t2_proxy

If I use local port and ip address (192.168.1.3:8096) in emby app, I can login.

If I use domain name and https port (https://emby.example.com:8443) in safari, I can login.

But if I use domain name and https port in emby app, I can't login.

Any suggestion? Thanks in advance,

David

[Q-Droid 670]

Does the Emby dashboard show https://emby.example.com:8443 as the Remote (WAN) access URL?

[GWTPqZp6b 41]

I have this issue too! I think its something CORS related, I just haven't had time to debug yet.

The same Traefik config works fine on Mac OSX both web and app, but not iOS web or app. Its on my list to look at. 

EDIT: Actually your issue may be different to mine, I have a stricter CORS policy applied where yours is pretty bare bones. 

Edited October 1, 2021 by GWTPqZp6b
hmm

[davidpenn2001 0]

14 hours ago, Q-Droid said:

Does the Emby dashboard show https://emby.example.com:8443 as the Remote (WAN) access URL?

No. The emby dashboard show ip address. http://<my wan ip>:8096. 

[davidpenn2001 0]

13 hours ago, GWTPqZp6b said:

I have this issue too! I think its something CORS related, I just haven't had time to debug yet.

The same Traefik config works fine on Mac OSX both web and app, but not iOS web or app. Its on my list to look at. 

EDIT: Actually your issue may be different to mine, I have a stricter CORS policy applied where yours is pretty bare bones. 

Mine seems different. iOS web works but app fails.

[davidpenn2001 0]

Previously I am using Traefik 1.7 and no problem at all. It seems header forwarding issue for ios app. Do I need any special setting for Traefik 2 or emby?

[Q-Droid 670]

Apps and browsers interact differently with Emby.

In your Emby network setup and even behind a proxy you want to enable remote access, fill in the external details and set Secure Connection Mode to handled by reverse proxy.

 

[GWTPqZp6b 41]

These headers work on OSX web & application, and iOS Web & app, BUT uncommenting the four lines breaks the applications on both platforms. Will spend some time debugging. 
@pir8radio for vis as they are the header-pro round these parts I think. 

 

    semi-secure-headers-emby:
      headers:
        frameDeny: true
        stsIncludeSubdomains: true
        stsPreload: true
        stsSeconds: 15552000
        contentTypeNosniff: true
#        addVaryheader: true
#        accessControlAllowMethods: ["GET", "OPTIONS", "POST"]
#        accessControlAllowHeaders: ["Origin", "Accept", "Authorization", "Accept-Encoding", "Accept-Language", "Content-Type", "Content-Length", "Cache-Control"]
#        accessControlMaxAge: 100
        customFrameOptionsValue: "SAMEORIGIN"
        browserXssFilter: true
        referrerPolicy: origin-when-cross-origin
        contentSecurityPolicy: "default-src 'none';
                                font-src 'self';
                                connect-src 'self' wss: ws: https://mb3admin.com;
                                media-src 'self' blob: data:;
                                manifest-src 'self';
                                base-uri 'none';
                                form-action 'self';
                                frame-ancestors 'self';
                                object-src 'none';
                                worker-src 'self' blob:;
                                script-src 'self' https://www.gstatic.com;
                                img-src data: https: http: ;
                                style-src 'unsafe-inline' 'self'"

 

[Luke 37214]

The server already sets some of those headers, so if you're overwriting that with your own values, then yes it's going to break things.

[GWTPqZp6b 41]

Thanks Luke. Is there any docs or references that might help me understand which & how the headers Im setting are causing issues with app but not web? Im keen to learn more and understand why theres a delta between web and app. 

 

[Luke 37214]

Having not tried Traefik myself, I can't really be sure why you're getting lucky with the web app.

Best guess though is that none of them are being used in the web app because the browser is not sending any cors preflight requests.