
Can't connect remotely


bigverm23

Host OS: Ubuntu Server 22.10

Docker version: Linuxserver/emby 4.7.9.0

I use traefik to expose ports 80/443 and retrieve ssl certs so all docker containers are reachable via emby.mydomain.net. Works as designed, but I can't for the life of me figure out how to get users connected remotely/via emby connect....can someone point me in the right direction? Also, I need a port open on my firewall, right?

  emby:
    image: lscr.io/linuxserver/emby:latest
    container_name: emby
    ports:
      - 8096:8096
      - 8920:8920
    networks:
      traefik_web:
        ipv4_address: 172.18.0.27
    restart: unless-stopped
    environment:
      - PUID=$PUID
      - PGID=$PGID
      - NVIDIA_VISIBLE_DEVICES=all
    runtime: nvidia      
    volumes:
      - /metadata/embyconfig:/config
      - /metadata/embytranscode:/transcode
      - /data/media/movies:/data/movies
      - /data/media/tvshows:/data/tvshows
      - /data/media/4kmovies:/data/4kmovies            
    labels:
      - "traefik.enable=true"
      ## HTTP Routers
      - "traefik.http.routers.kenemby-rtr.entrypoints=https"
      - "traefik.http.routers.kenemby-rtr.rule=Host(`kenemby.$DOMAINNAME`)"
      ## Middlewares
      - "traefik.http.routers.kenemby-rtr.middlewares=chain-authelia@file"
      ## HTTP Services
      - "traefik.http.routers.kenemby-rtr.service=kenemby-svc"
      - "traefik.http.services.kenemby-svc.loadbalancer.server.port=8096"

[Attached image: image.png]


bigverm23
29 minutes ago, Luke said:

Hi, is the docker container set to bridge or host networking mode?

networks:
  traefik_web:
    external:
      name: traefik_web
  default:
    driver: bridge

 


EODCrafter
11 hours ago, Luke said:

Hi, is the docker container set to bridge or host networking mode?

Bridge. Instead of answering OP posted a Pic.


bigverm23
15 hours ago, bigverm23 said:
networks:
  traefik_web:
    external:
      name: traefik_web
  default:
    driver: bridge

 

Sorry, thought I typed a message here too. It's in bridge mode. I've tried firewall rules for port 8920 and 8096, but still cannot connect remotely. Presumably I need to modify some setting in the Emby server, but I don't know which.


Q-Droid
22 hours ago, bigverm23 said:

Host OS: Ubuntu Server 22.10

Docker version: Linuxserver/emby 4.7.9.0

I use traefik to expose ports 80/443 and retrieve ssl certs so all docker containers are reachable via emby.mydomain.net. Works as designed, but I can't for the life of me figure out how to get users connected remotely/via emby connect....can someone point me in the right direction? Also, I need a port open on my firewall, right?

How are you routing the remote traffic to each of the multiple application containers? Is Emby Connect the only thing failing or all remote connections to Emby?

 


bigverm23
12 minutes ago, Q-Droid said:

How are you routing the remote traffic to each of the multiple application containers? Is Emby Connect the only thing failing or all remote connections to Emby?

 

All traffic is routed via Traefik ports 80/443 to the internal host containers. They all work as expected, including Plex which requires port 32400 to be open on the firewall. Only Emby is failing regarding remote connections.


bigverm23
46 minutes ago, Q-Droid said:

Are you routing by path or subdomain? 

Are all connections to Emby failing, from browser and apps? 

 

Routing by subdomain.....app.mydomain.net. All REMOTE connections to Emby are failing, anything outside of the LAN.


bigverm23
53 minutes ago, Q-Droid said:

I also noticed your public ports setup are the defaults, not 80/443. The external domain field looks empty. 

 

This was part of my question, not sure how to set these fields properly for my use case...


Q-Droid

The basics are to have the public port values match the WAN entry ports and the domain field should match the FQDN used for the service. But this wouldn't prevent access though it helps client apps work better. 

You'll have to check the traefik logs to see if the emby server is responding and how. Also check the emby logs to see if attempts are logged. 

 


bigverm23
Quote

Traefik Reverse Proxy uses ports 80 and 443. The traffic received on these ports from the internet must be forwarded to the internal/local IP address of the docker host running Traefik 2 service.

 

Which port needs to be open for Emby specifically, if any, on the firewall? As a working example, Plex requires port 32400 forwarded to my docker host IP for remote access.

 

Here's what I see in the Traefik logs when I access Emby from the LAN browser via https://kenemby.mydomain.net. I see no logged attempts anywhere when I try to access emby from the internet (remotely).

[13/Nov/2022:13:48:25 +0000] "GET /emby/System/Info?api_key=16f3de87aeab48fdaa97f6decf9cb1f0 HTTP/2.0" 401 35 "-" "-" 439 "kenemby-rtr@docker" "http://dockernetworkIP:8096" 13ms

 

Edited by bigverm23
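
Following the advice above to check the Traefik logs, this added example (not from the thread or from either project) parses Traefik's common access-log format and reports, per router, whether any request from outside the LAN arrived and with what status; it also masks the `api_key` value before a line is pasted publicly. The sample lines, addresses and the `plex-rtr` router name are constructed, and it assumes Traefik logs the real client address in the first field.

```python
import ipaddress
import re
from collections import Counter

# Traefik common log format: client - user [time] "request" status size
# "referrer" "agent" request-count "router" "backend URL" duration.
LINE = re.compile(
    r'^(?P<client>\S+) - \S+ \[[^\]]+\] "\S+ (?P<path>\S+) [^"]+" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*" \d+ '
    r'"(?P<router>[^"]*)" "(?P<backend>[^"]*)" \d+ms$'
)
API_KEY = re.compile(r'(api_key=)[^&\s"]+')
# RFC 1918 and loopback ranges, listed explicitly (assumed LAN definition).
LAN_NETS = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]

def redact(line):
    """Mask the api_key query value before a log line is shared."""
    return API_KEY.sub(r"\1REDACTED", line)

def origin(client):
    """Return 'lan' for private or loopback clients, otherwise 'wan'."""
    ip = ipaddress.ip_address(client)
    return "lan" if any(ip in net for net in LAN_NETS) else "wan"

def triage(lines, router):
    """Count (origin, status) for one router and say where WAN traffic stops."""
    counts = Counter()
    for line in lines:
        m = LINE.match(line.strip())
        if m and m["router"] == router:
            counts[(origin(m["client"]), int(m["status"]))] += 1
    wan = [status for (src, status) in counts if src == "wan"]
    if not wan:
        return counts, "no WAN request reached this router"
    if all(status in (401, 403) for status in wan):
        return counts, "WAN requests arrive but are rejected"
    return counts, "WAN requests arrive and are served"

# Constructed sample lines: addresses, key and plex-rtr are made up.
SAMPLE = [
    '192.168.1.50 - - [13/Nov/2022:13:48:25 +0000] "GET /emby/System/Info?api_key=EXAMPLEKEY HTTP/2.0" 401 35 "-" "-" 439 "kenemby-rtr@docker" "http://172.18.0.27:8096" 13ms',
    '192.168.1.50 - - [13/Nov/2022:13:48:26 +0000] "GET /web/index.html HTTP/2.0" 200 5120 "-" "-" 440 "kenemby-rtr@docker" "http://172.18.0.27:8096" 4ms',
    '203.0.113.7 - - [13/Nov/2022:13:50:02 +0000] "GET / HTTP/2.0" 200 812 "-" "-" 441 "plex-rtr@docker" "http://172.18.0.30:32400" 6ms',
]

if __name__ == "__main__":
    for name in ("kenemby-rtr@docker", "plex-rtr@docker"):
        print(name, *triage(SAMPLE, name))
```

A "no WAN request reached this router" result points at DNS, port forwarding or the firewall rather than at the backend; rejected WAN requests point at the router's middleware or authentication.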

Q-Droid

The default Emby ports are 8096 (http) and 8920 (https) which match your Docker compose and network settings. You can ignore the DLNA port for remote access. Port 8920 is only enabled when there's a valid cert configured in Emby but not needed if using reverse proxy.

It looks like a loopback connection (NAT hairpin) does reach the Emby server but WAN connections don't. 

 

 

 


bigverm23
35 minutes ago, Q-Droid said:

The default Emby ports are 8096 (http) and 8920 (https) which match your Docker compose and network settings. You can ignore the DLNA port for remote access. Port 8920 is only enabled when there's a valid cert configured in Emby but not needed if using reverse proxy.

It looks like a loopback connection (NAT hairpin) does reach the Emby server but WAN connections don't. The displayed remote access address ( http://kenemby.mydomain.net:80) is likely the issue but I've tried all variations of http/https and port and still no luck for remote clients.

 

 

 

Emby is requiring that I enter port 9820 when remote connections is enabled, not sure if that is messing anything up, I presume not.


Q-Droid

No it doesn't unless you have settings that are in conflict with reverse proxy config.

What does your Emby Network settings page look like?

You should have "Allow remote connections" checked.

Public http and https port should match your WAN entry ports (80/443).

External domain should be your FQDN used for Emby.

And "Secure connection mode:" Handled by reverse proxy

What you can also do as a simple temporary test is set up connections direct to Emby using 8096 from your router through to the Emby Docker, bypass Traefik. Just a test, http (no certs) to make sure you can connect remotely.


bigverm23
12 hours ago, Q-Droid said:

No it doesn't unless you have settings that are in conflict with reverse proxy config.

What does your Emby Network settings page look like?

You should have "Allow remote connections" checked.

Public http and https port should match your WAN entry ports (80/443).

External domain should be your FQDN used for Emby.

And "Secure connection mode:" Handled by reverse proxy

What you can also do as a simple temporary test is set up connections direct to Emby using 8096 from your router through to the Emby Docker, bypass Traefik. Just a test, http (no certs) to make sure you can connect remotely.

OK, so now ensured router port forwarding for port 8096 is enabled, in Emby network settings local ports are 8096 and 9820, allow remote connections, public ports are 8096 and 8920, external domain is connected and secure connections are disabled...

Deleted all data/cache on my android app, signed in with Emby connect email and chose my server and it worked.....so it's seemingly a setting somewhere with the Traefik reverse proxy....

 


rbjtech

I'm not familiar with this reverse proxy - but you may be missing what it is actually doing in this configuration.

It should be terminating the TLS connection using the cert for the domain you have chosen - at this point, technically emby is irrelevant. In your RP config - you should then be saying what to do with this subdomain or folder - usually you want to pass through to your emby server over HTTP - port 8096, i.e. the RP initiates a new connection to emby and forwards the traffic.

You do not need to open any ports other than 80/443 on your router/firewall (that is one of the advantages of an RP) - the RP is doing the Port/Network Address translation (amongst other things) for you to use HTTP 8096.

Now you can if you wish, use HTTPS from the RP to Emby - but at this point you are already inside your network - so the majority just use http.   if you did want to use https - then remember it's the RP doing the connection initiation - not the internet, so a locally signed cert is perfectly good here - as long as the RP and Emby trust each other.

So in summary - it looks like this -

TCP 80/443 > RP > TCP 8096 > Emby

Have a look at the nginx pages on this forum - they may give you some clues on the RP setup.

https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/#comment-961068

Edited by rbjtech

bigverm23
35 minutes ago, rbjtech said:

I'm not familiar with this reverse proxy - but you may be missing what it is actually doing in this configuration.

It should be terminating the TLS connection using the cert for the domain you have chosen - at this point, technically emby is irrelevant. In your RP config - you should then be saying what to do with this subdomain or folder - usually you want to pass through to your emby server over HTTP - port 8096, i.e. the RP initiates a new connection to emby and forwards the traffic.

You do not need to open any ports other than 80/443 on your router/firewall (that is one of the advantages of an RP) - the RP is doing the Port/Network Address translation (amongst other things) for you to use HTTP 8096.

Now you can if you wish, use HTTPS from the RP to Emby - but at this point you are already inside your network - so the majority just use http.   if you did want to use https - then remember it's the RP doing the connection initiation - not the internet, so a locally signed cert is perfectly good here - as long as the RP and Emby trust each other.

So in summary - it looks like this -

TCP 80/443 > RP > TCP 8096 > Emby

Have a look at the nginx pages on this forum - they may give you some clues on the RP setup.

https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/#comment-961068

yeah that all makes sense...I believe the issue lies in the way emby handles reverse proxy (at least Traefik).  Traefik works flawlessly for all of my other containers, including Plex, but not so much for Emby.  I'll keep researching.


rbjtech
2 hours ago, bigverm23 said:

yeah that all makes sense...I believe the issue lies in the way emby handles reverse proxy (at least Traefik).  Traefik works flawlessly for all of my other containers, including Plex, but not so much for Emby.  I'll keep researching.

So this is my RP setup in emby on the Networks Page - not much to it as the RP handles it all before it even gets to emby.

Once 'through' the RP via https, the RP passes the emby traffic via http on tcp 8096 to emby. I could remove the TCP 8920 private listener and 8096 public listener if I wanted to, as it's simply not used/configured/allowed on the firewall.

 

[Attached image: image.png]
