bigverm23 2 Posted November 9, 2022 Posted November 9, 2022 Host OS: Ubuntu Server 22.10 Docker version: Linuxserver/emby 4.7.9.0 I use traefik to expose ports 80/443 and retrieve ssl certs so all docker containers are reachable via emby.mydomain.net. Works as designed, but I cant for the life of me figure out who to get users connected remotely/via emby connect....can someone point me in the right direction? also, I need a port open on my firewall, right? emby: image: lscr.io/linuxserver/emby:latest container_name: emby ports: - 8096:8096 - 8920:8920 networks: traefik_web: ipv4_address: 172.18.0.27 restart: unless-stopped environment: - PUID=$PUID - PGID=$PGID - NVIDIA_VISIBLE_DEVICES=all runtime: nvidia volumes: - /metadata/embyconfig:/config - /metadata/embytranscode:/transcode - /data/media/movies:/data/movies - /data/media/tvshows:/data/tvshows - /data/media/4kmovies:/data/4kmovies labels: - "traefik.enable=true" ## HTTP Routers - "traefik.http.routers.kenemby-rtr.entrypoints=https" - "traefik.http.routers.kenemby-rtr.rule=Host(`kenemby.$DOMAINNAME`)" ## Middlewares - "traefik.http.routers.kenemby-rtr.middlewares=chain-authelia@file" ## HTTP Services - "traefik.http.routers.kenemby-rtr.service=kenemby-svc" - "traefik.http.services.kenemby-svc.loadbalancer.server.port=8096"
Luke 39008 Posted November 9, 2022 Posted November 9, 2022 Hi, is the docker container set to bridge or host networking mode?
bigverm23 2 Posted November 10, 2022 Author Posted November 10, 2022 29 minutes ago, Luke said: Hi, is the docker container set to bridge or host networking mode? networks: traefik_web: external: name: traefik_web default: driver: bridge
EODCrafter 181 Posted November 10, 2022 Posted November 10, 2022 11 hours ago, Luke said: Hi, is the docker container set to bridge or host networking mode? Bridge. Instead of answering OP posted a Pic.
bigverm23 2 Posted November 10, 2022 Author Posted November 10, 2022 15 hours ago, bigverm23 said: networks: traefik_web: external: name: traefik_web default: driver: bridge sorry, thought I typed a message here too. It's in bridge mode. Ive tried firewall rules for port 8920 and 8096, but still cannot connect remotely. Presumably I need to modify some setting in the Emby server, but I dont know which.
Q-Droid 840 Posted November 10, 2022 Posted November 10, 2022 22 hours ago, bigverm23 said: Host OS: Ubuntu Server 22.10 Docker version: Linuxserver/emby 4.7.9.0 I use traefik to expose ports 80/443 and retrieve ssl certs so all docker containers are reachable via emby.mydomain.net. Works as designed, but I cant for the life of me figure out who to get users connected remotely/via emby connect....can someone point me in the right direction? also, I need a port open on my firewall, right? How are you routing the remote traffic to each of the multiple application containers? Is Emby Connect the only thing failing or all remote connections to Emby?
bigverm23 2 Posted November 10, 2022 Author Posted November 10, 2022 12 minutes ago, Q-Droid said: How are you routing the remote traffic to each of the multiple application containers? Is Emby Connect the only thing failing or all remote connections to Emby? all traffic is routed via Traefik ports 80/443 to the internal host containers. They all work as expected, including Plex which requires port 32400 to be open on the firewall. Only Emby is failing regarding remote connections.
Q-Droid 840 Posted November 10, 2022 Posted November 10, 2022 Are you routing by path or subdomain? Are all connections to Emby failing, from browser and apps?
Q-Droid 840 Posted November 10, 2022 Posted November 10, 2022 I also noticed your public ports setup are the defaults, not 80/443. The external domain field looks empty.
bigverm23 2 Posted November 10, 2022 Author Posted November 10, 2022 46 minutes ago, Q-Droid said: Are you routing by path or subdomain? Are all connections to Emby failing, from browser and apps? routing by subdomain.....app.mydomain.net. All REMOTE connections to Emby are failing, anything outside of the LAN.
bigverm23 2 Posted November 10, 2022 Author Posted November 10, 2022 53 minutes ago, Q-Droid said: I also noticed your public ports setup are the defaults, not 80/443. The external domain field looks empty. this was part of my question, not sure how to set this fields properly for my use case...
Q-Droid 840 Posted November 10, 2022 Posted November 10, 2022 The basics are to have the public port values match the WAN entry ports and the domain field should match the FQDN used for the service. But this wouldn't prevent access though it helps client apps work better. You'll have to check the traefik logs to see if the emby server is responding and how. Also check the emby logs to see if attempts are logged.
bigverm23 2 Posted November 13, 2022 Author Posted November 13, 2022 (edited) Quote Traefik Reverse Proxy uses ports 80 and 443. The traffic received on these ports from the internet must be forwarded to the internal/local IP address of the docker host running Traefik 2 service. which port needs to be open for Emby specifically, if any, on the firewall. As a working example, Plex requires port 32400 forwarded to my docker host IP for remote access. here's what I see in the Traefik logs when I access Emby from the LAN browser via https://kenemby.mydomain.net. i see no logged attempts anywhere when I try to access emby from the internet (remotely). [13/Nov/2022:13:48:25 +0000] "GET /emby/System/Info?api_key=16f3de87aeab48fdaa97f6decf9cb1f0 HTTP/2.0" 401 35 "-" "-" 439 "kenemby-rtr@docker" "http://dockernetworkIP:8096" 13ms Edited November 13, 2022 by bigverm23
Q-Droid 840 Posted November 13, 2022 Posted November 13, 2022 The default Emby ports are 8096 (http) and 8920 (https) which match your Docker compose and network settings. You can ignore the DLNA port for remote access. Port 8920 is only enabled when there's a valid cert configured in Emby but not needed if using reverse proxy. It looks like a loopback connection (NAT hairpin) does reach the Emby server but WAN connections don't.
bigverm23 2 Posted November 13, 2022 Author Posted November 13, 2022 35 minutes ago, Q-Droid said: The default Emby ports are 8096 (http) and 8920 (https) which match your Docker compose and network settings. You can ignore the DLNA port for remote access. Port 8920 is only enabled when there's a valid cert configured in Emby but not needed if using reverse proxy. It looks like a loopback connection (NAT hairpin) does reach the Emby server but WAN connections don't. The displayed remote access address ( http://kenemby.mydomain.net:80) is likely the issue but I've tried all variations of http/https and port and still no luck for remote clients. Emby is requiring that I enter port 9820 when remote connections is enabled, not sure if that is messing anything up, I presume not.
Q-Droid 840 Posted November 13, 2022 Posted November 13, 2022 No it doesn't unless you have settings that are in conflict with reverse proxy config. What does your Emby Network settings page look like? You should have "Allow remote connections" checked. Public http and https port should match your WAN entry ports (80/443). External domain should be your FQDN used for Emby. And "Secure connection mode:" Handled by reverse proxy What you can also do as a simple temporary test is setup connections direct to Emby using 8096 from your router through to the Emby Docker, bypass Traefik. Just a test, http (no certs) to make sure you can connect remotely.
bigverm23 2 Posted November 14, 2022 Author Posted November 14, 2022 12 hours ago, Q-Droid said: No it doesn't unless you have settings that are in conflict with reverse proxy config. What does your Emby Network settings page look like? You should have "Allow remote connections" checked. Public http and https port should match your WAN entry ports (80/443). External domain should be your FQDN used for Emby. And "Secure connection mode:" Handled by reverse proxy What you can also do as a simple temporary test is setup connections direct to Emby using 8096 from your router through to the Emby Docker, bypass Traefik. Just a test, http (no certs) to make sure you can connect remotely. ok so now ensured router port forwarding for port 8096 is enabled, in Emby network settings localports are 8096 and 9820, allow remote connections, public ports are 8096 and 8920, external domain is connected and secure connections are disabled... deleted all data/cache on my android app, signed in with Emby connect email and chose my server and it worked.....so it's seemingly a setting somewhere with the Traefik reverse proxy....
Q-Droid 840 Posted November 14, 2022 Posted November 14, 2022 So now you know that Emby is good, including firewall. I agree that your issue is in traefik.
rbjtech 4838 Posted November 14, 2022 Posted November 14, 2022 (edited) I'm not familiar with this reverse proxy - but you may be missing what it is actually doing in this configuration. It should be terminating the TLS connection using the cert for the domain you have chosen - at this point, technically emby is irrelevant. In your RP config - you should then be saying what to do with this subdomain or folder - usually you want to passthough to your emby server over HTTP - port 8096. ie the RP initiates a new connection to emby and forwards the traffic. You do not need to open any ports other than 80/443 on your router/firewall (that is one of the advantages of an RP) - the RP is doing the Port/Network Address translation (amongst other things) for you to use HTTP 8096. Now you can if you wish, use HTTPS from the RP to Emby - but at this point you are already inside your network - so the majority just use http. if you did want to use https - then remember it's the RP doing the connection initiation - not the internet, so a locally signed cert is perfectly good here - as long as the RP and Emby trust each other. So in summary - it looks like this - TCP 80/443 > RP > TCP 8096 > Emby Have a look at the nginx pages on this forum - they may give you some clues on the RP setup. https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/#comment-961068 Edited November 14, 2022 by rbjtech
bigverm23 2 Posted November 14, 2022 Author Posted November 14, 2022 35 minutes ago, rbjtech said: I'm not familiar with this reverse proxy - but you may be missing what it is actually doing in this configuration. It should be terminating the TLS connection using the cert for the domain you have chosen - at this point, technically emby is irrelevant. In your RP config - you should then be saying what to do with this subdomain or folder - usually you want to passthough to your emby server over HTTP - port 8096. ie the RP initiates a new connection to emby and forwards the traffic. You do not need to open any ports other than 80/443 on your router/firewall (that is one of the advantages of an RP) - the RP is doing the Port/Network Address translation (amongst other things) for you to use HTTP 8096. Now you can if you wish, use HTTPS from the RP to Emby - but at this point you are already inside your network - so the majority just use http. if you did want to use https - then remember it's the RP doing the connection initiation - not the internet, so a locally signed cert is perfectly good here - as long as the RP and Emby trust each other. So in summary - it looks like this - TCP 80/443 > RP > TCP 8096 > Emby Have a look at the nginx pages on this forum - they may give you some clues on the RP setup. https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/#comment-961068 yeah that all makes sense...I believe the issue lies in the way emby handles reverse proxy (at least Traefik). Traefik works flawlessly for all of my other containers, including Plex, but not so much for Emby. I'll keep researching.
rbjtech 4838 Posted November 14, 2022 Posted November 14, 2022 2 hours ago, bigverm23 said: yeah that all makes sense...I believe the issue lies in the way emby handles reverse proxy (at least Traefik). Traefik works flawlessly for all of my other containers, including Plex, but not so much for Emby. I'll keep researching. So this is my RP setup in emby on the Networks Page - not much too it as the RP handles it all before it even gets to emby. Once 'though' the RP via https, the RP passes the emby traffic via http on tcp 8096 to emby. I could remove the TCP 8920 private listener and 8096 public listener if I wanted to, as it's simply not used/configured/allowed on the firewall.
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now