Login Failure when using reverse proxy


Jibest

Hi, I'd recently noticed that I was unable to connect via HTTPS from my Mi Box & Firesticks, which after a bit of reading here I realised was a certificate issue with Linux, Emby & Let's Encrypt etc. (still not sure exactly where the fault lies there, but anyway).

My Emby server runs on my QNAP.

This then led me to other solutions such as using a reverse proxy.

After seeing recommendations for Nginx, I found a Docker container that runs Nginx with a GUI, and with a little bit of trial & error I got it working.

Today, however, I've noticed that when on an external network I'm unable to log into the Android mobile Emby app. It says the credentials are incorrect; however, there is no issue when using a mobile web browser such as Edge.

This led to more articles suggesting the headers were being changed etc., and some example configs were suggested to correct the problem.

It's here I've come unstuck, in part likely because of the GUI nature of the Nginx version I'm using. Rather than being able to use a full config file, I've tried to cherry-pick the sections I thought most relevant and add them to the configuration, with no success.

I'm hoping someone can help me with what I'm guessing is a small tweak to get this working...

The Docker image is here:

https://hub.docker.com/r/jlesage/nginx-proxy-manager

Below is what I added in "additional configuration":


I've kept trying to resolve this and have found the location Nginx is using for the config file. (Note my DDNS is replaced with "server.domain" throughout this info.)

Here is the config it was using:

# ------------------------------------------------------------
# server.domain
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "192.168.0.90";
  set $port           8096;

  listen 8080;
  listen [::]:8080;

  listen 4443 ssl http2;
  listen [::]:4443 ssl http2;

  server_name server.domain;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /config/log/proxy-host-3_access.log proxy;
  error_log /config/log/proxy-host-3_error.log warn;

  location / {
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

 

I tried replacing this with the config from "HOW TO: emby with NGINX - With Windows Specific Tips and CSP options" (General/Windows, Emby Community).

 

But Nginx was then unable to boot. So I went through the config removing the entries that were being reported as an issue, which were mainly log locations etc., and there was another issue with the cert breaking, so I kept the original cert and SSL settings & ended up with this config:

# ------------------------------------------------------------
# server.domain
# ------------------------------------------------------------
# worker_processes auto;   ## main-context directive; not valid in this per-host file, so left commented out

    ## Start of actual server blocks
server {
    listen 8080;
    listen [::]:8080;

    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;

    server_name server.domain;    ## enter your service name and domain name here, example emby.domainname.com

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        proxy_pass http://192.168.0.90:8096;  ## Enter the IP and port of the backend emby server here.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

        ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

 

 

I still, however, get sign-in errors when trying to log in externally. Here is what I find in the Emby log:

 

2022-02-25 12:51:03.724 Info Server: http/1.1 GET http://server.domain/emby/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=Jon's Galaxy S10e&X-Emby-Device-Id=6a1b34a9c458a6da&X-Emby-Client-Version=3.2.32. Accept=application/json, Accept-Encoding=gzip, deflate, Accept-Language=en-GB,en-US;q=0.9,en;q=0.8, Host=server.domain, User-Agent=Mozilla/5.0 (Linux; Android 12; SM-G970F Build/SP1A.210812.016; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/98.0.4758.101 Mobile Safari/537.36, X-Real-IP=85.255.236.148, X-Forwarded-For=85.255.236.148, x-requested-with=com.mb.android, sec-fetch-site=cross-site, sec-fetch-mode=cors, sec-fetch-dest=empty
2022-02-25 12:51:03.725 Error Server: Access token is invalid or expired.
2022-02-25 12:51:03.725 Info Server: http/1.1 Response 401 to 85.255.236.148. Time: 2ms. http://server.domain/emby/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=Jon's Galaxy S10e&X-Emby-Device-Id=6a1b34a9c458a6da&X-Emby-Client-Version=3.2.32
2022-02-25 12:51:07.761 Info Server: http/1.1 GET http://server.domain/emby/System/Logs/embyserver.txt. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/98.0.4758.102 Safari/537.36 Edg/98.0.1108.56

 

Any help would be greatly appreciated.


Hi, first thing I would do is check Emby server network settings to see if you've applied any restrictions on connections. Then if you have, remove those and see if it helps.

Next I would suggest comparing your nginx configuration to that of @pir8radio.

Please see if that helps. Thanks.


23 minutes ago, Luke said:

Hi, first thing I would do is check Emby server network settings to see if you've applied any restrictions on connections. Then if you have, remove those and see if it helps.

Next I would suggest comparing your nginx configuration to that of @pir8radio.

Please see if that helps. Thanks.

Hi Luke, thanks for replying.

I don't have anything configured to restrict access (screenshot of the Emby network settings was attached).

I was already using @pir8radio's config to try to get this working, but not having much joy. I was hoping that by posting the config someone might spot the issue?

 

Thanks, Jon


Think I've got it now.

Went back through to try to get my config as close to his as possible, and changed my SSL settings from:

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

    # Force SSL
    include conf.d/include/force-ssl.conf;

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

to:

    # Let's Encrypt SSL
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;  ## Location of your public PEM file.
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;  ## Location of your private PEM file.

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

 

I'll keep my eye on this but at the moment it is working \o/


17 minutes ago, pir8radio said:

Looks like I came in just in time... you already solved the problem! 😆

Thanks pir8radio!

Out of interest, it seems to me that the issue was likely resolved by:

ssl_session_timeout 30m;

Is that correct?

While you're here can you take a quick look at the current config to sanity check it please?

# ------------------------------------------------------------
# server.domain
# ------------------------------------------------------------
# worker_processes auto;   ## main-context directive; not valid in this per-host file, so left commented out

    ## Start of actual server blocks
server {
    listen 8080;
    listen [::]:8080;

    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;
    proxy_buffering off;        ## Sends data as fast as it can, not buffering large chunks.

    server_name server.domain;    ## enter your service name and domain name here, example emby.domainname.com

    # Let's Encrypt SSL
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;  ## Location of your public PEM file.
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;  ## Location of your private PEM file.

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        # Send traffic to the backend
        proxy_pass http://192.168.0.90:8096;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;   ## was $remote_addr, which put the client IP where the backend expects http/https
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;

        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 


pir8radio
8 minutes ago, Jibest said:

Thanks pir8radio!

Out of interest, it seems to me that the issue was likely resolved by:

ssl_session_timeout 30m;

Is that correct?

While you're here can you take a quick look at the current config to sanity check it please?


Yeah, that looks like chunks of my config, at least the # notes sound like me.. lol. That is a basic config... should work.. You might see issues with mp4 files; I would add the below bit. I'm sure you have heard this before, and I'm not redirecting 🙂 it's just nice to visually compare to others.. but if you click my avatar here and then the "About Me" tab, I share my config there for people to kind of compare against. I try to keep it up to date if things change. So to be clear, you said you thought the issue was related to ssl_session_timeout 30m; does that mean that line was not in your original config? Or you had a different time set? I think if you don't have that line it will default to 5 mins... FYI

    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.

Hi, thanks for the tips. I've added the lines you've suggested and it's all still working fine. Glad I did, as virtually all my media is mp4!

I just found it odd that changing a few lines for the SSL settings suddenly got it working, and was speculating it was that line that had resolved the issue when:

    # Let's Encrypt SSL
    include conf.d/include/letsencrypt-acme-challenge.conf;
    include conf.d/include/ssl-ciphers.conf;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;

changed to

    # Let's Encrypt SSL
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;  ## Location of your public PEM file.
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;  ## Location of your private PEM file.

Although, looking again, perhaps it was the removal of the include lines that had more to do with it.

At this point I'm just relieved it's working!

I'll take a look at the config in your info, thanks again for the advice :)


Jibest

Looks like I spoke too soon.

I've noticed that when using a web browser to access the Emby site it does not always redirect to HTTPS. So far I can't seem to fathom why this is intermittent; however, using private browsing seems to consistently show an HTTP connection.

If I include the lines below then HTTPS is forced for the connection:

if ($scheme = "http") {
    return 301 https://$host$request_uri;
}

 

Unfortunately, this is when I get the issue of not being able to log in remotely (incorrect password) from the Android app. If I remove the lines I can log in remotely, but then get the intermittent HTTPS behaviour again?

I also noticed that removing the "listen 8080" lines from the config appears to produce the same effect?

Feels so close, can you please cast your eye over the config again?

# ------------------------------------------------------------
# ServerDomain
# ------------------------------------------------------------

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
server {
    listen 80 default_server;
    server_name _;

    return 301 https://$host$request_uri;
}

    ## Start of actual server blocks
server {
    listen 8080;
    listen [::]:8080;

    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;
    proxy_buffering off;        ## Sends data as fast as it can, not buffering large chunks.

    server_name serverdomain;    ## enter your service name and domain name here, example emby.domainname.com

    # Let's Encrypt SSL
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/npm-1/fullchain.pem;  ## Location of your public PEM file.
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;  ## Location of your private PEM file.

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        # Send traffic to the backend
        proxy_pass http://192.168.0.90:8096;
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;   ## was $remote_addr, which put the client IP where the backend expects http/https
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;

        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}


Jibest

Still not resolved the above issue. However, I've noticed that if I connect the Emby Android app using HTTPS (as below):

https://servername

port - empty

instead of

servername

port - 80

The app then works correctly.

Was this simply me not understanding that this is what the setup should have been to begin with on the app? Or should the config above work even when the app connects over HTTP?


Are you sure port 80 is correct? Omitting the port for https is normally equivalent to 443.


Jibest
44 minutes ago, Luke said:

Are you sure port 80 is correct? Omitting the port for https is normally equivalent to 443.

Sorry, I probably didn't explain that clearly.

I've found that the external logon issue only happens if I configure the app to connect over port 80 (non-HTTPS). I'd assumed that this is the way the app should be configured and that the reverse proxy redirect would sort the rest.

As long as I configure the app to use HTTPS (so yes, blank or put in 443) then the external logons work fine.
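A hardened version of the per-host server block discussed in this thread, added here as an example and not a config from this thread or from pir8radio's About Me page. It assumes the jlesage container's 8080 (plain) and 4443 (TLS) listeners are what host ports 80 and 443 map to, and that the Android app is configured with https:// as found above; it keeps the redirect in its own server block so the ACME challenge still works, drops TLSv1/1.1, adds HSTS, and sets X-Forwarded-Proto to $scheme.

```nginx
# Added example config (not from this thread). Assumes host ports 80/443 map to
# the container's 8080/4443 listeners and that the app is set to https://.
# Plain-HTTP vhost: only the ACME challenge and a redirect live here. A client
# still pointed at http:// gets a 301 on its login POST (re-sent as GET, which is
# the GET + 401 seen in the Emby log earlier), so the app must use https://.
server {
    listen 8080 default_server;
    listen [::]:8080 default_server;
    server_name _;

    include conf.d/include/letsencrypt-acme-challenge.conf;   ## ^~ /.well-known/acme-challenge/ stays on HTTP

    location / {
        return 301 https://$host$request_uri;
    }
}

# TLS vhost: no plain listener here, so no if ($scheme) test is needed.
server {
    listen 4443 ssl http2;
    listen [::]:4443 ssl http2;
    server_name server.domain;                ## your DDNS name

    ssl_certificate     /etc/letsencrypt/live/npm-1/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-1/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;            ## TLSv1 and TLSv1.1 from the thread's config dropped
    ssl_session_timeout 30m;

    # Returning browsers stay on HTTPS (the intermittent plain-HTTP symptom); raise max-age once confirmed.
    add_header Strict-Transport-Security "max-age=300" always;

    location ^~ /swagger {                    ## keep the API explorer off the internet
        return 404;
    }

    location / {
        proxy_pass http://192.168.0.90:8096;
        proxy_buffering off;
        proxy_hide_header X-Powered-By;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;   ## not $remote_addr
        proxy_set_header Range             $http_range;
        proxy_set_header If-Range          $http_if_range;

        # WebSocket upgrade for Emby's real-time session channel
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Check it with `nginx -t` inside the container before reloading; if the host maps different ports, change the two listen values accordingly.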
