Funkie 0 Posted July 15, 2022
Hi @Luke I am running emby server 4.7.5.0 on Ubuntu 20.04.4 LTS. Not sure when this stopped working, as I mainly access my server locally via http, but I set up HTTPS on port 8920 behind HAProxy and it was working fine. I saw an error no backend to emby in HAProxy so investigated, and indeed I cannot access the server at all on https. If I curl from the emby server I get this error:
curl: (7) Failed to connect to localhost port 8920: Connection refused
Funkie 0 Author Posted July 15, 2022 (edited)
embyserver.txt
Sorry @Luke, attached log file and screenshots of config.
Edited July 15, 2022 by Funkie
Luke 38551 Posted July 15, 2022
Ok so this is all handled by your reverse proxy, so that's where you'll need to look into the issue. There's no evidence that the ssl attempt over localhost ever reached your emby server. Maybe don't use localhost for testing this and use an actual remote connection.
Funkie 0 Author Posted July 15, 2022
@Luke the reverse proxy is only handling external traffic; everything internally is going direct to the emby server. Port 8096 works but 8920 does not. A curl from the emby server rules out all other network traffic issues because it's requesting itself.
curl: (7) Failed to connect to 192.168.3.36 port 8920: Connection refused
curl http://192.168.3.36:8096/web/index.html
<!DOCTYPE html>
<html data-appversion="4.7.5.0" data-culture="en-GB" lang="en" class="preload">
<head>
etc
Luke 38551 Posted July 15, 2022
Then you can't do that. You've configured ssl in emby to be handled by the reverse proxy so that's the only way you can use ssl.
Funkie 0 Author Posted July 15, 2022
Yes, ssl is configured at the proxy and like I said it was working, but the emby server is not responding on port 8920 so the proxy cannot reach it. I would expect the service to respond to a curl with an ssl error, not connection refused.
Luke 38551 Posted July 15, 2022
Then I would look at your reverse proxy configuration, but you can't communicate directly with emby server on port 8920, not with the way you've configured it.
Funkie 0 Author Posted July 15, 2022 (edited)
@Luke Hmm, seems to be my understanding of what "handled by reverse proxy" does. The only way I can get this to work again is to add the cert domain and password details back into the network config of emby. I wasn't expecting to have to maintain certs at proxy and server levels but will investigate and test this further. It's working for now with certs in 2 places at least. Can you delete this thread so my ip details, screenys and logs etc are not accessible to every user?
Edited July 15, 2022 by Funkie
Luke 38551 Posted July 15, 2022
I think you probably want to keep it handled by reverse proxy, but then figure out what's going on with your configuration.
Q-Droid 806 Posted July 15, 2022 (edited)
Are you pointing haproxy to 8096? That's how it should work with your current settings. Edited for clarity.
Edited July 15, 2022 by Q-Droid
Funkie 0 Author Posted July 15, 2022
Just now, Q-Droid said: "Are you pointing haproxy to 8096? That's how it should work."
@Q-Droid no, I have the HA backend pointing to the https port 8920. If I change this to 8096 I get the ssl handshake error.
Q-Droid 806 Posted July 15, 2022
Haproxy is handling SSL and where the error is coming from, not Emby. The haproxy backend connection to Emby should be http, not https.
Funkie 0 Author Posted July 15, 2022
@Q-Droid I guess that depends on if you are configured to pass through, terminate or end to end. My current config is end to end, but the downside is ssl in two places. Will investigate if I can automate copying the ssl across during renewal.
Q-Droid 806 Posted July 15, 2022
Exactly. If you want full end to end encryption then you have to install and enable SSL in both places. Passthru with haproxy for Emby is sort of a waste because it has no HA.
Q-Droid 806 Posted July 15, 2022
Or, you could create a long life self signed cert to be used only between haproxy and Emby. Then only the front end would have to be renewed.
Funkie 0 Author Posted July 15, 2022 (edited)
18 minutes ago, Q-Droid said: "Or, you could create a long life self signed cert to be used only between haproxy and Emby. Then only the front end would have to be renewed."
@Q-Droid nice suggestion, will look into that, thanks mate.
Edited July 15, 2022 by Funkie
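
Added example (not written by any poster in this thread, and not Emby or HAProxy code): a small Python probe that tells apart the three cases the thread turns on, namely nothing listening (the "Connection refused" on 8920), a plain-HTTP listener (8096), and a TLS listener, which is what decides whether the HAProxy backend server line needs "ssl". The function names and the HINTS wording are illustrative assumptions.

```python
import socket
import ssl

def probe(host, port, timeout=3.0):
    """Classify the listener on host:port as 'refused', 'unreachable', 'tls', 'http' or 'unknown'."""
    # Step 1: bare TCP connect. "Connection refused" means nothing is bound to
    # the port at all, so no TLS error could ever come back from it.
    try:
        sock = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except OSError:
        return "unreachable"
    # Step 2: attempt a TLS handshake. Verification is off on purpose: this only
    # asks "does the port speak TLS?", it does not decide whether to trust it.
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with ctx.wrap_socket(sock, server_hostname=host):
            return "tls"
    except OSError:  # ssl.SSLError and timeouts are OSError subclasses
        sock.close()
    # Step 3: reconnect and send a plain HTTP request.
    try:
        with socket.create_connection((host, port), timeout=timeout) as plain:
            plain.sendall(b"GET / HTTP/1.0\r\nHost: " + host.encode() + b"\r\n\r\n")
            return "http" if plain.recv(16).startswith(b"HTTP/") else "unknown"
    except OSError:
        return "unknown"

# Hypothetical mapping from probe result to the HAProxy backend "server" line.
HINTS = {
    "refused": "nothing listening: do not point the backend at this port",
    "http": "plain HTTP: backend server line without 'ssl' (TLS ends at the proxy)",
    "tls": "TLS: backend server line needs 'ssl' plus 'verify required ca-file ...'",
}

def backend_hint(host, port):
    """Return (state, hint) for the given backend address."""
    state = probe(host, port)
    return state, HINTS.get(state, "could not classify the listener")

if __name__ == "__main__":
    # Constructed sample targets: the two Emby ports discussed in the thread.
    for p in (8096, 8920):
        print(p, *backend_hint("127.0.0.1", p))
```

For the end-to-end setup discussed above, the "tls" case is where a long-lived self-signed backend certificate would be given to HAProxy as the ca-file so the proxy still verifies the server it connects to.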