SSL connect- iOS and FireTV apps not behaving the same as Android app

[Garbonzo17 26]

Problem: When connecting to emby.my.domain in a web browser from anywhere, it shows the lock and is forced to ssl (by nginx).  However I can use the app on my phone, and use the settings of emby.my.doman and port 80 (which nginx routes to my machine with emby 8096 and "handled by reverse proxy" selected -- and as I said, works in the browser correctly while not specifying a port, so 80.. )  and it works fine... on my Android phone with the Android app... but have the same information typed into my sisters iPhone, and get an unable to connect message (wifi disabled, so using LTE) both connect fine with wifi on... (her firetv device at her home has similar results, and its frustrating.)

Setup:
own "my.domain"
running nginx and nginx proxy manager in docker.
I am not a pro with nginx (why I use the NPM gui) so I am not sure of what logs would be helpful, but this is the gist.. emby.my.domain points to http://192.168.111.104:8096 with these ssl toggles all ENABLED: Force SSL - HTTP/2 Support - HSTS Enabled and HSTS Subdomains... and like I said, its all peachy in a web browser and it pulls an A+ from SSLLabs... it seems like these apps are just not liking the port 80 (but android jdgaf and works)... I am not sure why this is, but my whole point of using nginx was to not have to have any ports but 80/443 open on my router.. .

any insight much appreciated.

tia.

-G

[ebr 14942]

Hi.  Is your certificate from LetsEncrypt and did this start around Sep 29th?

[Carlo 4330]

Hi, I guess I'd have to ask why do you have nginx set to forward port 80 to Emby's 8096?
Why do you even have port 80 forwarded on your router?

If you want to stop any port other than 443 then don't allow it through your router and/or setup nginx to handle this.

@pir8radio has done a fantastic overview of how to setup nginx for use with Emby.

 

[Garbonzo17 26]

5 hours ago, ebr said:

Hi.  Is your certificate from LetsEncrypt and did this start around Sep 29th?

It is lets encrypt, and it was happening before everything that went down on the 29th. 

[Garbonzo17 26]

3 hours ago, cayars said:

Hi, I guess I'd have to ask why do you have nginx set to forward port 80 to Emby's 8096?
Why do you even have port 80 forwarded on your router?

If you want to stop any port other than 443 then don't allow it through your router and/or setup nginx to handle this.

Because port 80 on my openmediavault was already doing things (I'll attach image) and it seemed like the way to do it..  I tried looking through the posts you attached before I even asked for help, it is frankly above my head with the ammount I time I can put in on learning (not using the Nginx Proxy manager gui, that is) But I suppose there were a few posts talking about including additional options in the gui, I will read back through and see if anything clicks.

At this point everything works in all of my uses for Emby, Sonarr, Radarr, Qbittorrent, ombi, etc... just not firetv/ios app. It still gets an A+ from SSLLabs, so I want to believe the certs are fine, but I am hitting the limits of my deduction abilities.  At this point I just opened 8096 on router and let her connect directly (without the emby. sub domain) and that is unencryped do defeats the purpose (I surely an go back to creating a cert/password for emby to use, but I thought thats what nginx was fixing (me having to do that part every 3 months when nginx is doing that automatically for me).

Anyway, I appreciate you guys trying to help me solve this.

-G

[Garbonzo17 26]

On 10/10/2021 at 11:23 AM, cayars said:

@pir8radio has done a fantastic overview of how to setup nginx for use with Emby.

Yeah, I am still not sure what about my setup is the issue, Sonarr/Radarr/Ombi/Organizr and so on are all fine, but then again so is emby in a browser, so it may be the letsencrypt cert being the hangup for some of the emby app implementations... at least using Nginx Proxy Manager... So I was considering using SWAG instead and ZeroSSL, but I may use @pir8radio stuff and give it a go on vanilla nginx (without a manager) but I can't do anymore testing this evening as several people are watching stuff...

Thanks again, and if anyone has ideas that might fix things remaining where i am with NPM I am all ears.

-G 

[Carlo 4330]

If you don't feel like dealing with cert management maybe consider using the free version of Cloudflare.
You can generate a private cloudflare cert on their website that you can use locally either in Emby or nginx (or both).

You won't need to renew the cloudflare cert.  The advantage to this is that Cloudflare can cache all your image files, making your system load faster for remote clients.
@pir8radio uses Cloudflare as well so his configs will worth with this.

[Garbonzo17 26]

12 hours ago, cayars said:

If you don't feel like dealing with cert management maybe consider using the free version of Cloudflare.
You can generate a private cloudflare cert on their website that you can use locally either in Emby or nginx (or both).

You won't need to renew the cloudflare cert.  The advantage to this is that Cloudflare can cache all your image files, making your system load faster for remote clients.
@pir8radio uses Cloudflare as well so his configs will worth with this.

Yeah, I redircted my domains dns to cloudflare today... And I like the tools better.

BUT, I think I resolved everything by just using 443 in the app.

It wasn't clicking for me that I needed to, because nginx forces port 80 to ssl (so I don't have to specify a port in a browser) so I figured 80 would work in the apps.  and it does on my oneplus phone, but not on iphone... quirky. but definitely a thing.