Reverse Proxy not working

[dseguin 0]

Hello all,

I'm trying to configure Emby using a Reverse proxy with no success. I'm using a Synology DS218j on DSM 7. The NAS already has a working Let's Encrypt SSL certificate and I can access my NAS securely through HTTPS. The Emby application is also installed on my NAS. I can successfully remotely access Emby by using port 8096. All requred ports are forwarded from my router to my NAS (80, 443, 8096, 8920).

I have configured the NAS part as followed :

 

The Emby part setup :

 

It is my understanding that when you select the Reverse Proxy connection mode, the Synology NAS takes over the SSL authentication part. I have also tried populating the exterior domain field with my domain name with a valid SSL PKCS #12 certificate with no success. When I try connecting remotely, it never reaches the Emby page. I have tried many many other "working" solutions regarding Reverse Proxy but none work for me.

Anyone out there has this working ? If yes, can you share the exact method used ? Or direct me to a step by step tutorial specifically aimed at Synology - Emby Reverse Proxy ?

Thanks !!! 

[Gaba90 4]

My reverse proxy setup looks almost same, but here the differences:

Synology - Hostname: * (you have your whole address, but i don't think this makes a difference. You can still try just inserting *) 

On emby network settings I deactivated remote access. 

On router settings I set port forwarding for the port specified on the reverse proxy settings (so in your case local port 8920, external port 8920) - > this had me confused during setup and took me a while to realize

[Dreakon13 132]

Mine is working, though I wouldn't be shocked if my setup isn't optimal lol.

I use 443 as the source port on the reverse proxy, and disable remote access altogether in the Emby settings.  If you got the cert from Let's Encrypt through the Synology NAS, I guess make sure you've included the wildcard in the Subject Alternative Name when you set it up, like this...

 

... but the importance of that may depend on whether or not you're using subdomains.  ie. emby.testname.synology.me

Edited January 10, 2022 by Dreakon13

[dseguin 0]

I will try both setups and let you know !

[dseguin 0]

If I uncheck the Emby "Authorize Remote Access" checkbox, a good majority of the Emby network configuration is unavailable and remote access is no longer possible. I am using Emby version 4.7.0.19.

[Dreakon13 132]

29 minutes ago, dseguin said:

If I uncheck the Emby "Authorize Remote Access" checkbox, a good majority of the Emby network configuration is unavailable and remote access is no longer possible. I am using Emby version 4.7.0.19.

Someone can correct me if I'm not getting the technical details right... but the reverse proxy is effectively just re-routing remote traffic through the localhost but with https and certs and whatnot.  So the remote configuration in Emby wouldn't really apply even if you had it turned on.  To use those settings it'd probably involve more of a manual setup and not Synology's automated domains and certs (or at least figure out how to pull that stuff out of your Synology NAS to use externally, which I haven't been able to figure out).

EDIT: Using your "synology.me" URL should work with the remote settings turned off, if set up correctly.  Make sure you're actually typing in the https:// part in your browser and Emby app settings like "https://emby.blahblah.synology.me"

Edited January 10, 2022 by Dreakon13

[Carlo 4330]

Hi, you need to have remote access enabled.  You will use port 8096 (not 80) for Emby if not using a cert directly setup in Emby.
Use port 8920 (not 443) if you have setup Emby Network section with a proper certificate.

Do not run Emby through Synology's proxy service which is why you can't use 80 and 443 as DSM's proxy will answer/forward those ports.
Synology does not give you enough control of proxy settings to use it properly with Emby.

Because you can't run this through Synology proxy you must setup the cert info directly in Emby and can not use the proxy setting.

Start with port 8096 and get that working properly, then if you like work on getting a proper cert setup for use with Emby and then test that.

[dseguin 0]

Hi Cayars,

So if I understand correctly, you are saying that the Reverse Proxy setting in Emby does not work with Synology ? 

[Carlo 4330]

There is no reverse proxy built into Emby.  There is just a setting that tells Emby if you are using a reverse proxy or not.
This changes the way Emby works for certain things such as IP addresses. With the reverse proxy setting Emby know to look into the header for a special header the proxy writes telling us the real IP as this becomes the Proxy's job. It allows Emby to answer on non-secured ports as well because the reverse proxy is going to be responsible for this. Things like that.

The reverse proxy needs to be configured to do these things Emby is going to expect. That's the problem as Synology doesn't give you the needed control for this kind of basic configuration.  You also can't configure port usage or use of web services, etc...

So knowing these limitations and issues it's best to avoid use Synology's proxy by using ports it won't touch. You could also setup a 2nd proxy to run on Synology that you have manual control over and use that with Emby but you still won't be able to use any ports the built in proxy listens to. It's really difficult to impossible to use the 2nd proxy for automatic cert renewal as the built in proxy hijacks this process. Because of all these issues if you aren't experienced with Linux and know how to work around the issues it's best to KISS and keep it simple excluding the proxy completely using different ports and setting up the cert as normal directly in Emby.

Hope that makes sense.

[dseguin 0]

Yep, got it ! I'll be avoiding the reverse proxy for now and make it work a different way.

Thank you all for replying to my question !

[Dreakon13 132]

2 hours ago, cayars said:

Hi, you need to have remote access enabled.  You will use port 8096 (not 80) for Emby if not using a cert directly setup in Emby.
Use port 8920 (not 443) if you have setup Emby Network section with a proper certificate.

Do not run Emby through Synology's proxy service which is why you can't use 80 and 443 as DSM's proxy will answer/forward those ports.
Synology does not give you enough control of proxy settings to use it properly with Emby.

Because you can't run this through Synology proxy you must setup the cert info directly in Emby and can not use the proxy setting.

Start with port 8096 and get that working properly, then if you like work on getting a proper cert setup for use with Emby and then test that.

Not to derail, but is it really this unadvisable to use Synology's reverse proxy functionality?  I genuinely haven't had a single issue with it (that I wouldn't have had regardless).

This makes it sound totally unusable.

Edited January 10, 2022 by Dreakon13

[Carlo 4330]

6 hours ago, Dreakon13 said:

Someone can correct me if I'm not getting the technical details right... but the reverse proxy is effectively just re-routing remote traffic through the localhost but with https and certs and whatnot. 

 

3 hours ago, Dreakon13 said:

Not to derail, but is it really this unadvisable to use Synology's reverse proxy functionality?  I genuinely haven't had a single issue with it (that I wouldn't have had regardless).

This makes it sound totally unusable.

It doesn't route per say be copies or relays things back and forth at a simple level.  That's not the problem. It the way it does it and lack of control. How do you get web sockets to work through it? How long does it hold open ports? Does it share open ports? Does it keep keep data separate for connections outside or "proxy" them? How does it handle the IPs?  Inside emby are you only seeing the IP of the proxy or do you see the IP of the original address?

Those are the kinds of things that can cause issues. That doesn't mean a system is broke if running behind it.  It's just that what Emby receives and thinks is accurate may not be. For simpler setup it may not be a problem but when trying to use other functionality it won't work.  If for example you try and setup your domain behind Cloudflare it's a mess as the version of nginx that Synology uses is old. It also doesn't allow you to makes changes that are required otherwise streams playing back remotely do goofy things, pause, stop playing from miscommunication between your local nginx and Cloudflare.

@pir8radio has a whole guide here on the proper way to setup nginx to work with Emby. If you read the first post you'll likely understand a bit better why it's not a good idea.

With that said.  If you already have it setup and haven't noticed anything strange just leave it.  You may be lucky or happen to not be using any features that would cause you a problem. Just keep it in mind for the future if something seems strange as it could be related.

But if it's not setup already, I would avoid it and the problems it can bring.

Hope that makes better sense.

[xyliavandyck 0]

Did you manage to solve that? I'm using a similar setup to the one used by Dreakon13, and everything seems to be working perfectly.

[xyliavandyck 0]

On 4/20/2022 at 11:48 PM, xyliavandyck said:

Did you manage to solve that? I'm using a similar setup to the one used by Dreakon13, and everything seems to be working perfectly.

Moreover, I'm also using 443 as the source port on the reverse proxy, disabling the remote access altogether in the Emby settings, and everything is working incredibly well. Did you try to use his setup? I think it has to be one of the best setups. Or, you could just try to use the basic setup provided by the datacenter proxy and their server, as I tried to use that and everything is looking fine.

[Q-Droid 642]

I'm curious. If it works when remote access is disabled in Emby this would also mean that your server is treating all connections as if they were local? So features meant to differentiate between external and internal connections are not in play?

All users are connected locally: do you list them on the main page? 

Local connections may not need password or PIN: do you make sure you enforce this?

Remote/internet streaming limits not in effect. There are likely quite a few other things I'm not thinking of.