Emby behind a reverse proxy, remote control issue.

[rubenverhoef 11]

Ok that's great.

So please now, try the configuration I posted and edited in my previous post. Pay attention to the /emby location and the protocol configuration of the Proxypass directive since it must be ws:// and not http://

 

Let me know how it goes.

 

EDIT: by the way, which version of Apache and on which distro are you running your proxy?

<VirtualHost _default_:443>
   ServerName www.thuisverhoef.nl
   ProxyRequests   Off

   <Proxy *>
       Order   deny,allow
       Allow   from    all
   </Proxy>
   
<Location />
   ProxyPass                   http://192.168.0.3:8096/
   ProxyPassReverse            http://192.168.0.3:8096/
</Location>

<Location /emby>  
   ProxyPass                   ws://192.168.0.3:8096/emby
   ProxyPassReverse            ws://192.168.0.3:8096/emby
</Location>
   SSLEngine               On
   SSLCertificateFile      "/etc/certificates/www.thuisverhoef.nl_bundle.crt"
   SSLCertificateKeyFile   "/etc/certificates/www.thuisverhoef.nl_bundle.key"

</VirtualHost>

same issue:

 

 

(it is dutch    Firefox could not connect to : )

 

I use FreeNas 9.3 stable

-emby jail (192.168.0.3)

-webserver jail (forwarded to internet (443/80)) apache 2.4

installed with:

cd /usr/ports/www/apache24
make install clean

Edited September 29, 2015 by rubenverhoef

[fc7 123]

Only thing that I can think off right now is playing with the Websocket config. Please try this configuration instead:

<Location /emby>
    ProxyPass        wss://192.168.0.3:8096/emby
    ProxyPassReverse wss://192.168.0.3:8096/emby
</Location>

If that doesn't work, try this one but keep in mind that WSS (secure web socket) may not be supported by your Apache websocket module and you may need to compile it yourself:

<Location /emby>
    ProxyPass        wss://192.168.0.3:8920/emby
    ProxyPassReverse wss://192.168.0.3:8920/emby
</Location>

Also check Apache logs in case there is something interesting there (when switching to wss you may see errors related to SSL handshake between apache and Emby for example)

[fc7 123]

Oh wait. Look at the URL of the error is not trying to reach /emby?apikey, it's just trying to reach root (/?apikey)?

 

Am I correct?

 

If this is the case then the configuration will not work.

 

Give me some time to check out this behavior.

Edited September 29, 2015 by fc7

[rubenverhoef 11]

Oh wait. Look at the URL of the error is not trying to reach /emby?apikey, it's just trying to reach root (/?apikey)?

 

Am I correct?

 

If this is the case then the configuration will not work.

 

Give me some time to check out this behavior.

Yes that is correct, sorry my final setup would like to :https://www.thuisverhoef.nl/emby so i did:

ProxyPass               /emby    http://192.168.0.3:8096/emby
ProxyPassReverse        /emby    http://192.168.0.3:8096/emby

but for testing i changed it to the root like your config.

Sorry for not telling my first post and config was with /emby in stead of the root of the site.

[fc7 123]

Yes that is correct, sorry my final setup would like to :https://www.thuisverhoef.nl/emby so i did:

ProxyPass               /emby    http://192.168.0.3:8096/emby
ProxyPassReverse        /emby    http://192.168.0.3:8096/emby

but for testing i changed it to the root like your config.

Sorry for not telling my first post and config was with /emby in stead of the root of the site.

 

Even in that case, if I'm not mistaken, the configuration should instead be something like this:

ProxyPass        /emby http://192.168.0.3:8096
ProxyPassReverse /emby http://192.168.0.3:8096

Anyway let me check the websocket behavior and post back to this thread once I have something.

[rubenverhoef 11]

Even in that case, if I'm not mistaken, the configuration should instead be something like this:

ProxyPass        /emby http://192.168.0.3:8096
ProxyPassReverse /emby http://192.168.0.3:8096

Anyway let me check the websocket behavior and post back to this thread once I have something.

ProxyPass        /emby http://192.168.0.3:8096
ProxyPassReverse /emby http://192.168.0.3:8096

gives the same result like everyting.

 

Thanks for your help so far!

[rubenverhoef 11]

Remote control also didn't work i think the websocket error has to do with it

[fc7 123]

Still no news on my side. Sorry.

 

 

Sent from my iPhone using Tapatalk

[rubenverhoef 11]

Still no news on my side. Sorry.

 

 

Sent from my iPhone using Tapatalk

no problem, just an update on my side

[dcrdev 251]

I'm probably going to be doing this once I get emby up and running, I deliver most of my webservices via apache reverse proxy. In case you haven't got this working yet - do you have mod_proxy_wstunnel installed/enabled? Also I imagine you'll want SSLProxyEngine On as well.

[arbraini 1]

I'm also trying to setup an apache reverse proxy for emby.  And I am also having an issue setting up the proxy for the emby web sockets.

 

Could the issue be that the similar location is causing a conflict?

 

in my case my proxy looks like:

<Location /emby>
order deny,allow
deny from all
allow from all
ProxyPass http://192.168.1.201:8096/emby
ProxyPassReverse http://192.168.1.201:8096/emby
ProxyPass ws://192.168.1.201:8096/emby
ProxyPassReverse ws://192.168.1.201:8096/emby
</Location>

but here is we can see the issue.  anything on port 80 with /emby is redirected to http.  proxy does not care about the scheme coming in (http or ws) because web sockets is still over port 80 and part of the http protocol

 

As a solution would it be possible to put the websockets connection on a separate endpoint, for example: /embyws ?

Edited November 17, 2015 by arbraini

[fc7 123]

I'm also trying to setup an apache reverse proxy for emby.  And I am also having an issue setting up the proxy for the emby web sockets.

 

Could the issue be that the similar location is causing a conflict?

 

in my case my proxy looks like:

<Location /emby>
order deny,allow
deny from all
allow from all
ProxyPass http://192.168.1.201:8096/emby
ProxyPassReverse http://192.168.1.201:8096/emby
ProxyPass ws://192.168.1.201:8096/emby
ProxyPassReverse ws://192.168.1.201:8096/emby
</Location>

but here is we can see the issue.  anything on port 80 with /emby is redirected to http.  proxy does not care about the scheme coming in (http or ws) because web sockets is still over port 80 and part of the http protocol

 

I totally agree with you. Even for the sake of clearness the websocket URL should be unique. Something like "ws://emby.mydomain.com:8096/wstunnel" or whatever as far as is different from "/emby".

[Cerothen 89]

{removed}

Edited November 17, 2015 by Cerothen

[arbraini 1]

Thanks Cerothen.

 

Just to clarify mod_proxy_wstunnel is installed on the apache2 instance

Considering dependency proxy for proxy_wstunnel:
Module proxy already enabled
Module proxy_wstunnel already enabled

[Luke 37084]

nything on port 80 with /emby is redirected to http

are you certain the same port will be fine?

[arbraini 1]

I think so but I'm not 100% certain.  The <location> block is used as the first parameter for proxypass.  the first parameter is the relative path on the domain to capture for the proxy.

 

So `proxypass "/emby" http://192.168.1.201:8096/emby` will capture anything trying to access {domain}/emby and proxy it to http://291.168.1.201:8096/emby

 

If websockets was on a separate endpoint we could capture it separately and proxy it to the proper endpoint as well.

If both endpoints were on the same port it should be fine because we are capturing it based on the base relative path `/emby/` and `/embyws/`

 

an example conf would look like:

<Location /emby>
order deny,allow
deny from all
allow from all
ProxyPass http://192.168.1.201:8096/emby
ProxyPassReverse http://192.168.1.201:8096/emby
</Location>

<Location /embyws>
order deny,allow
deny from all
allow from all
ProxyPass ws://192.168.1.201:8096/embyws
ProxyPassReverse ws://192.168.1.201:8096/embyws
</Location>

Edited November 17, 2015 by arbraini

[fc7 123]

Same port will be fine but the URL must be different. I'm already proxing Guacamole that also uses ws and it works fine.

 

 

Sent from my iPad using Tapatalk

[alucryd 216]

Has anyone been running emby behind an nginx proxy recently? I have about the same config as the best answer, but music playback always stops after a few seconds with the following error, tried firefox and chrome:

net::ERR_INCOMPLETE_CHUNKED_ENCODING
Media element error code: 2

It works fine when I forward a port and access emby directly so the issue definitely comes from the reverse proxy. FWIW I already have a working nginx setup serving several other things so I'm not really keen to switch to apache

 

Edit: Disabling proxy buffering in nginx appears to work, fingers crossed.

Edited December 28, 2015 by alucryd

[rubenverhoef 11]

any updates about the websocket for apache?

[curtisghanson 5]

For those who are using apache, I have websockets working.  Here is my config file:

<VirtualHost *:80>
    ServerName       emby.domain.com
    UseCanonicalName On
    Redirect         permanent / https://emby.domain.com/
</VirtualHost>

<VirtualHost _default_:443>
    ServerName       emby.domain.com
    UseCanonicalName On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine               On
    SSLProxyEngine          On
    SSLProtocol             ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder     On
    SSLProxyVerify          None
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyCheckPeerExpire Off
    SSLCertificateFile      /etc/letsencrypt/live/emby.domain.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/emby.domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/emby.domain.com/chain.pem
    SSLCipherSuite          ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    ProxyRequests     Off
    ProxyPreserveHost On

#    # Notice!!! Put me before http!!!
#    <Location /socket>
#        ProxyPass         ws://localhost:8096/socket
#        ProxyPassReverse  ws://localhost:8096/socket
#    </Location>

#    # Notice!!! Put me after ws!!!
#    <Location />
#        ProxyPass         http://localhost:8096/
#        ProxyPassReverse  http://localhost:8096/
#    </Location>

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /socket ws://localhost:8096/socket
    ProxyPassReverse /socket ws://localhost:8096/socket

    # Notice!!! Put me after ws!!!
    ProxyPass        / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

    ErrorLog  ${APACHE_LOG_DIR}/emby-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/emby-ssl-access.log combined
</VirtualHost>

Notes:

• I read in a few places that the websocket (ws) directives have to go before your http directives. I tried it and so far it's a true statement. I reversed them and websocket requests failed.
• I also noticed that my version of Emby sends ws requests to /socket. I don't know if that's new because I don't remember that path being used in the past. Regardless, this is how I configured it.
• In addition, I have the same ProxyRequests in the Location directives commented out. Either way works, using the Location directives or not. Just swap or remove the commented sections as needed.
• Note that port 8096 is used for both ws and http. Ws does not use 8945 like I originally worked with.
• Lastly, it is quite possible many of my directives in my config file are not necessary. I just got tired of experimenting trying to get sockets to work.
• Bonus. I provided my SSL directives. My server currently get's an "A" on Qualy's SSL Labs Test. So this configuration seems to be working well for me now.

Edited for spelling.

 

Edited February 5, 2016 by curtisghanson

[Luke 37084]

Well done

[zserrbo 0]

curtisghanson: It works for me, If I am not wrong. You save my day!!! Very appreciate!

[rubenverhoef 11]

The config from curtisghanson was not working for me because emby was connecting its websocket to /embywebsocket. So i made this config for apache with some code from curtisghanson.

Now you can go to www.domain.com/emby without a error in chrome about websockets.

Maybe this works for others as well.

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /embywebsocket ws://192.168.0.3:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://192.168.0.3:8096/embywebsocket

    # Notice!!! Put me after ws!!!
    ProxyPass        /emby http://192.168.0.3:8096/emby
    ProxyPassReverse /emby http://192.168.0.3:8096/emby

Other question, is it possible to use emby connect with reverse proxy so i can close the 8096 port and all the apps are connecting over HTTPS?  In the emby server settings i cannot set my outgoing address to https://www.domain.com/emby, i have to specify a port. But https://www.domain.com/emby:443 doesn't work. 

Does anyone know if this is possible?

[dcrdev 251]

You can't currently work around that limitation. I have Emby set up as a sub domain via an Apache virtual host, this works wonderfully as in Emby it translates to https://media.domain.com:443.

[rubenverhoef 11]

You can't currently work around that limitation. I have Emby set up as a sub domain via an Apache virtual host, this works wonderfully as in Emby it translates to https://media.domain.com:443.

  that's sadly, i have no ssl certificate to emby.domain.com

 

​is this feature coming to emby?