Emby server on DSM 7, DSM built-in rev. proxy, no compatibl stream iOS

[Delor3an91 0]

Hi @cayars,

Sorry for the big delay. I have found where the matter come from !

The problem was the SSL level settings on my NAS. Maximum SSL certificate security make the Emby apps not to be able to run a media file.

When I choose the medium SSL certificate security level, everything works fine.

When I use a web browser it always work. No matter the security level I choose.

The reverse proxy is a kind of xxx.domain.ext and it works great.

So the Emby apps dev must take a look about the SSL level security of their apps (they probably use old root certs and need to be upgrades for a better security).

 

Regards

[Carlo 4330]

There is nothing wrong with Emby.  The problem is (unless you've change this) your setup.
Its been mentioned a couple times already that you can't use the built in proxy on Synology as it doesn't support functionality you require.
Synology doesn't give you any tools to edit the configuration and if you edit the config file manually from the command line your changes get overwritten.

The solution is to install a proper reverse proxy such as HA, NGINX, Traefix, etc and configure that to handle the apps which can also be DMS apps turning off the built in proxy.
The only other alternative is not to use Emby through any proxy and keep it on a unique port you forward from your router straight to Emby.

This would be a default setup using the stock ports of either 8096 or 8920.

We can point you to a few guides on proxy setup if we know which you're using.
This will cover settings needed for the proxy itself as well as changes needed to Emby configuration of networks to work properly with the proxy.
They need to understand each other, be setup so one is handling certs properly, have specific header rewrites done by the proxy so the server knows the user's IP address and doesn't use the proxy IP address, etc...  If using notification or web sockets that needs special setup too.

I'm not sure what you're referring to about the Maximum SSL certificate security setting but it sounds like you might be making changes that have nothing to do with the actual issue. It may mask a problem but isn't fixing the issue.

Browsers and apps are two completely different things.  The apps emulate some browser functionality like get, put, use URLs to access APIs but they are not browsers and can't be expected to function as such.  The Emby Apps can use this technique talking to Emby Servers because both sides understand what's taking place.  The proxy will not have this knowledge which in part is why it needs some configuration to work with the apps getting and putting information by emulating browser functionality.

OSes manage certs so in this case it would be DSM. Synology has been good keeping all utilities up to date that manage certs and the complete cert chain.  I've not seen a problem at all, even last year when a certain cert provider made a giant blunder which required every OS, instance, pod, jail, docker, pod and container to have to reload it's cert chain and replace files. Some IOT devices still can't be used and probably never will from the change.  Synology was quick with a fix that handled it situation automatically.  If you have automatic updates on you probably never knew there was a problem.  Since Emby allows you to use a cert provider of your choice we had many people affected. We also found out that certain OS's virtual instances had no proper means to update the cert chains properly and you couldn't even compile and older version of 2 utils that were needed to update the chain. That was bad and many  commercial firewalls, IPS and IDS systems couldn't function correctly.  But Synology had it fixed up quickly in the host, docker as well as it's virtual machines. So based on how familiar the team is now with all things certs and how each OS handles them I'd not think there is any issue on Synology with expired or strange cert handling.

I'd first look if anything like a proxy was inline and verify it's setup as an incorrect configuration will do what you see as we mentioned previously.