Emby behind a reverse proxy, remote control issue.


Azor
Go to solution Solved by Karbowiak,

embyuser22

Hello,

I tried both of these settings, but they don't work.

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /embywebsocket ws://192.168.0.3:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://192.168.0.3:8096/embywebsocket

    # Notice!!! Put me after ws!!!
    ProxyPass        /emby http://192.168.0.3:8096/emby
    ProxyPassReverse /emby http://192.168.0.3:8096/emby

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /socket ws://localhost:8096/socket
    ProxyPassReverse /socket ws://localhost:8096/socket

    # Notice!!! Put me after ws!!!
    ProxyPass        / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

I can call the website and play movies but I get the Error:

WebSocket connection to 'ws://emby/embywebsocket?api_key=90bac03e217b47a9b4dc5863faf6803d&deviceId=88edef1b16cfe3bb50972ceeaf6c0d88157f0cac' failed: Error during WebSocket handshake: Unexpected response code: 404

I use Apache 2.4.7 and I have tried some browsers.

Does anyone have the same problem or a solution?

 

btw: for the tests I'm using HTTP


Hi there, please provide the server log:

 

http://emby.media/community/index.php?/topic/739-how-to-report-a-problem/

 

Thanks.


rubenverhoef

Please provide also your apache config

 

I use 

ProxyPass /embywebsocket ws://192.168.0.3:8096/embywebsocket
ProxyPassReverse /embywebsocket ws://192.168.0.3:8096/embywebsocket


ProxyPass /emby http://192.168.0.3:8096/emby
ProxyPassReverse /emby http://192.168.0.3:8096/emby

Because I want to have emby at https://www.example.com/emby and I noticed that the websocket was at /embywebsocket instead of /socket.
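
Why the "Put me before http" comments in these configs matter, as an added example that is not part of any post in this thread: Apache checks ProxyPass rules in configuration order and the first match wins, so a catch-all `/` rule placed first takes the WebSocket path. The matcher is a simplified model (assumed: prefix match on whole path segments), and the `HTTP_FIRST` config is constructed for illustration.

```python
"""Model of Apache's first-match ProxyPass resolution (illustrative, simplified)."""
import re
from typing import List, NamedTuple, Optional, Tuple


class Rule(NamedTuple):
    line: int    # 1-based line number in the config text
    path: str    # local URL prefix (first ProxyPass argument)
    target: str  # backend URL (second ProxyPass argument)


# "ProxyPass <path> <url>"; ProxyPassReverse and commented lines do not match.
_PROXYPASS = re.compile(r"^\s*ProxyPass\s+(\S+)\s+(\S+)", re.IGNORECASE)


def parse_rules(config: str) -> List[Rule]:
    """Collect ProxyPass rules in the order they appear in the config."""
    rules = []
    for number, text in enumerate(config.splitlines(), 1):
        found = _PROXYPASS.match(text)
        if found:
            rules.append(Rule(number, found.group(1), found.group(2)))
    return rules


def matches(prefix: str, path: str) -> bool:
    """Assumed model: a prefix matches on whole path segments only."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")


def resolve(rules: List[Rule], path: str) -> Optional[Rule]:
    """Return the rule that handles `path`: the first one that matches."""
    for rule in rules:
        if matches(rule.path, path):
            return rule
    return None


def shadowed(rules: List[Rule]) -> List[Tuple[Rule, Rule]]:
    """Return (later, earlier) pairs where `earlier` catches everything
    `later` could match, so `later` is never reached."""
    pairs = []
    for index, later in enumerate(rules):
        for earlier in rules[:index]:
            if matches(earlier.path, later.path):
                pairs.append((later, earlier))
                break
    return pairs


# Order used in the thread: WebSocket rule first, catch-all second.
WS_FIRST = """\
ProxyPass        /embywebsocket ws://192.168.0.102:8096/embywebsocket
ProxyPassReverse /embywebsocket ws://192.168.0.102:8096/embywebsocket
ProxyPass        / http://192.168.0.102:8096/
ProxyPassReverse / http://192.168.0.102:8096/
"""

# Constructed for illustration: the same rules with the catch-all first.
HTTP_FIRST = """\
ProxyPass        / http://192.168.0.102:8096/
ProxyPassReverse / http://192.168.0.102:8096/
ProxyPass        /embywebsocket ws://192.168.0.102:8096/embywebsocket
ProxyPassReverse /embywebsocket ws://192.168.0.102:8096/embywebsocket
"""

# From the first post: the tunnel is on /socket, the client asks for /embywebsocket.
SOCKET_PATH = """\
ProxyPass        /socket ws://localhost:8096/socket
ProxyPassReverse /socket ws://localhost:8096/socket
ProxyPass        / http://localhost:8096/
ProxyPassReverse / http://localhost:8096/
"""


def report(name: str, config: str, path: str = "/embywebsocket") -> str:
    """Describe where `path` is sent and which rules can never fire."""
    rules = parse_rules(config)
    hit = resolve(rules, path)
    lines = [f"{name}: {path} -> {hit.target if hit else 'not proxied'}"]
    for later, earlier in shadowed(rules):
        lines.append(
            f"  line {later.line} ({later.path}) is unreachable: "
            f"line {earlier.line} ({earlier.path}) matches first"
        )
    return "\n".join(lines)


if __name__ == "__main__":
    for name, config in [("ws first", WS_FIRST), ("http first", HTTP_FIRST),
                         ("socket path", SOCKET_PATH)]:
        print(report(name, config))
```
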


dcrdev

I think everyone is overcomplicating it - this works even when accessing the websocket from root /:

<If "%{HTTP_HOST} = 'media.domain.com'">
  RewriteEngine On
  RewriteCond %{HTTPS} off
  RewriteRule ^ https://%{HTTP_HOST}%{REQUEST_URI}
</If>

<VirtualHost *:443>
    ServerName media.domain.com
    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule /(.*) ws://127.0.0.1:8096/$1 [P,L]

    SSLProxyEngine On
    RequestHeader set Front-End-Https "On"
    ProxyPreserveHost On
    ProxyRequests off

    <Location />
        ProxyPass http://127.0.0.1:8096/
        ProxyPassReverse /
    </Location>

    SSLEngine on
    SSLCertificateFile      /etc/httpd/ssl/server.pem
    SSLCertificateChainFile /etc/pki/CA/cacert.pem
    SSLCertificateKeyFile   /etc/httpd/ssl/server.key

    SSLProtocol             all -SSLv2 -SSLv3 -TLSv1
    SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA3$
    SSLHonorCipherOrder     on

    # HSTS (mod_headers is required) (15768000 seconds = 6 months)
    Header always set Strict-Transport-Security "max-age=15768000"
</VirtualHost>

embyuser22

Here is my config:

<virtualhost *:443>
  ServerName emby.domain.com
  UseCanonicalName On

<proxy *>
<RequireAny>
  <RequireAll>
    Require ip 192.168.100.4
  </RequireAll>
  <RequireAll>
    AuthType Basic
    AuthName "Put in user and password!"
    AuthUserFile /etc/apache2/htpasswd
    Require valid-user
  </RequireAll>
</RequireAny>
</proxy>

#ssl browser
  SSLEngine On
  SSLProtocol ALL -SSLv2 -SSLv3
  SSLProtocol TLSv1 TLSv1.1 TLSv1.2
  SSLCertificateFile /etc/apache2/ssl/org.crt
  SSLCertificateKeyFile /etc/apache2/org.key

#ssl proxy
  SSLProxyEngine On
  SSLProxyVerify none
  SSLProxyCheckPeerCN off
  SSLProxyCheckPeerName off
  SSLProxyCheckPeerExpire off

  ProxyRequests Off
  ProxyPreserveHost On

#  Header        set        Connection "Upgrade"
#  RequestHeader setifempty Connection "Upgrade"
#  Header        set        Upgrade "websocket"
#  RequestHeader setifempty Upgrade "websocket"

# Notice!!! Put me before http!!!
    ProxyPass        /embywebsocket ws://192.168.0.102:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://192.168.0.102:8096/embywebsocket

# Notice!!! Put me after ws!!!
    ProxyPass        / http://192.168.0.102:8096/
    ProxyPassReverse / http://192.168.0.102:8096/

</virtualhost>

and the Error:

WebSocket connection to 'wss://emby.domain.com/embywebsocket?api_key=65377b03457942beb9db9fd1ab103959&deviceId=3b822b35fef7d66d449deace28d99304795c6978' failed: Error during WebSocket handshake: Unexpected response code: 500
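
The browser error quoted above means the reply to the upgrade request was not a valid handshake response. An added example (not from any post; the sample responses are constructed, and the key is the sample from RFC 6455) of the checks a client applies: status 101, the Upgrade and Connection headers, and a Sec-WebSocket-Accept value derived from the client's key, which is why attaching Upgrade headers to an ordinary response does not complete a handshake.

```python
"""Validate a WebSocket opening-handshake response (RFC 6455, section 4)."""
import base64
import hashlib
from typing import Dict, List, Tuple

# Fixed GUID from RFC 6455 that the server appends to the client's key.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(key: str) -> str:
    """Sec-WebSocket-Accept the server must return for this Sec-WebSocket-Key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def parse_response(raw: str) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into status code and lower-cased headers."""
    head = raw.split("\r\n\r\n", 1)[0]
    status_line, *header_lines = head.split("\r\n")
    status = int(status_line.split(" ", 2)[1])
    headers = {}
    for line in header_lines:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers


def handshake_problems(key: str, raw: str) -> List[str]:
    """Return every reason the response fails the handshake (empty list = OK)."""
    status, headers = parse_response(raw)
    problems = []
    if status != 101:
        problems.append(f"status {status}, expected 101")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("missing 'Upgrade: websocket'")
    tokens = [t.strip().lower() for t in headers.get("connection", "").split(",")]
    if "upgrade" not in tokens:
        problems.append("missing 'Connection: Upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(key):
        problems.append("Sec-WebSocket-Accept missing or wrong")
    return problems


KEY = "dGhlIHNhbXBsZSBub25jZQ=="  # sample key from RFC 6455

# Constructed: what a backend that speaks WebSocket answers through a working tunnel.
SWITCHING = "\r\n".join([
    "HTTP/1.1 101 Switching Protocols",
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=",
    "", "",
])

# Constructed: the 404 case reported in the first post.
NOT_FOUND = "\r\n".join(["HTTP/1.1 404 Not Found", "Content-Length: 0", "", ""])

# Constructed: an ordinary 200 that merely carries Upgrade/Connection headers.
FORCED_HEADERS = "\r\n".join([
    "HTTP/1.1 200 OK",
    "Upgrade: websocket",
    "Connection: Upgrade",
    "Content-Type: text/html",
    "", "<html></html>",
])

if __name__ == "__main__":
    for name, raw in [("101", SWITCHING), ("404", NOT_FOUND),
                      ("200 + headers", FORCED_HEADERS)]:
        print(name, "->", handshake_problems(KEY, raw) or "handshake OK")
```
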

  • 4 months later...
sea3pea0

Thanks, this apache reverse proxy works for me to access emby from web browsers:

Header set Connection "Upgrade"
RequestHeader setifempty Connection "Upgrade"
Header set Upgrade "websocket"
RequestHeader setifempty Upgrade "websocket"

# Notice!!! Put me before http!!!
ProxyPass /embywebsocket ws://192.168.0.3:8096/embywebsocket
ProxyPassReverse /embywebsocket ws://192.168.0.3:8096/embywebsocket

# Notice!!! Put me after ws!!!
ProxyPass /emby http://192.168.0.3:8096/emby
ProxyPassReverse /emby http://192.168.0.3:8096/emby

It would be nice to have the ability to access emby from "https://mysite.com/emby" from the various emby apps. I don't have the ability to assign a subdomain to emby since I am running it on a server that is already assigned to a subdomain.


  • 2 months later...
Guest plexman

The config from curtisghanson was not working for me because emby was connecting its websocket to /embywebsocket. So I made this config for apache with some code from curtisghanson.

Now you can go to www.domain.com/emby without an error in chrome about websockets.

Maybe this works for others as well.

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /embywebsocket ws://192.168.0.3:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://192.168.0.3:8096/embywebsocket

    # Notice!!! Put me after ws!!!
    ProxyPass        /emby http://192.168.0.3:8096/emby
    ProxyPassReverse /emby http://192.168.0.3:8096/emby

Other question: is it possible to use emby connect with reverse proxy so I can close the 8096 port and all the apps are connecting over HTTPS? In the emby server settings I cannot set my outgoing address to https://www.domain.com/emby, I have to specify a port. But https://www.domain.com/emby:443 doesn't work.

Does anyone know if this is possible?

 

This config worked perfectly on my server!! Thanks!


I am using IIS on my Windows 8.1 machine to reverse proxy to Emby. I just came across this post and it prompted me to check the Chrome console. Sure enough, I was seeing a websockets error. It turned out that all I had to do was turn on the WebSocket Protocol under the IIS features. I don't have an error in Chrome anymore and remote control works.
 


  • 2 months later...

Do you have the mod "mod_proxy_wstunnel" enabled?


  • 1 month later...

Hello,

 

I tried setting up reverse proxy for my Emby today with @curtisghanson config and web interface is working. Websockets also seem to work, as does iPhone app. At the moment, only AndroidTV app doesn't work. I can see the libraries, but playing doesn't work. All I get is a black screen with rotating circle. It does work when accessing Emby directly, so I think it must be the reverse proxy that is causing the problems.

 

I think the problem is in those lines. For some reason, there is a problem with streaming data, where Emby returns an error of 500 (last line in bottom log).

2017-02-19 13:33:28.7540 Warn App: PlaybackStart reported with null media info.
2017-02-19 13:33:28.7540 Info HttpServer: HTTP Response 204 to 184.192.1.9. Time: 2ms. http://domain.example.org:8096/emby/Sessions/Playing
2017-02-19 13:33:29.5416 Info HttpServer: HTTP GET http://domain.example.org:8096/emby/Videos/5b7f1905703fb9d12134f5e9721a10cc/stream.mkv?DeviceId=a6f8d4e7503b1cce&Static=true&Tag=c009565c69b0eba17f8c70550670b3ab&MediaSourceId=5b7f1905703fb9d12134f5e9721a10cc. UserAgent: Emby/1.3.20g (Linux;Android 5.1.1) ExoPlayerLib/2.0.4
2017-02-19 13:33:29.6597 Error HttpResultFactory: Error streaming data
    *** Error Report ***
    Version: 3.2.1.0
    Command line: /usr/lib/emby-server/bin/MediaBrowser.Server.Mono.exe -programdata /media/apps/data/emby/ -restartpath /usr/lib/emby-server/restart.sh
    Operating system: Unix 3.10.0.514
    64-Bit OS: True
    64-Bit Process: True
    Mono: 4.6.2 (Stable 4.6.2.16/ac9e222 Tue Jan  3 11:51:14 UTC 2017)
    Processor count: 2
    Program data path: /media/apps/data/emby/
    Application directory: /usr/lib/emby-server/bin
    System.IO.IOException: Unable to write data to the transport connection: Connection reset by peer. ---> System.Net.Sockets.SocketException: Connection reset by peer
      at System.Net.Sockets.Socket.EndSend (System.IAsyncResult result) [0x00033] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.Net.Sockets.NetworkStream.EndWrite (System.IAsyncResult asyncResult) [0x0005f] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
       --- End of inner exception stack trace ---
      at System.Net.Sockets.NetworkStream.EndWrite (System.IAsyncResult asyncResult) [0x000af] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.IO.Stream.<BeginEndWriteAsync>m__8 (System.IO.Stream stream, System.IAsyncResult asyncResult) [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at (wrapper delegate-invoke) System.Func`3[System.IO.Stream,System.IAsyncResult,System.Threading.Tasks.VoidTaskResult]:invoke_TResult_T1_T2 (System.IO.Stream,System.IAsyncResult)
      at System.Threading.Tasks.TaskFactory`1+FromAsyncTrimPromise`1[TResult,TInstance].Complete (TInstance thisRef, System.Func`3[T1,T2,TResult] endMethod, System.IAsyncResult asyncResult, System.Boolean requiresSynchronization) [0x00002] in <8f2c484307284b51944a1a13a14c0266>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at SocketHttpListener.Net.ResponseStream+<WriteAsync>c__async0.MoveNext () [0x0020c] in <8c1f4f2ba8e148669f131698c4f504eb>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.IO.Stream+<CopyToAsyncInternal>c__async0.MoveNext () [0x0009b] in <8f2c484307284b51944a1a13a14c0266>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at Emby.Server.Implementations.HttpServer.StreamWriter+<WriteToAsync>c__async0.MoveNext () [0x00139] in <60da0dda661040f0bc947d7e94c669aa>:0
    System.IO.IOException
      at System.Net.Sockets.NetworkStream.EndWrite (System.IAsyncResult asyncResult) [0x000af] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.IO.Stream.<BeginEndWriteAsync>m__8 (System.IO.Stream stream, System.IAsyncResult asyncResult) [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at (wrapper delegate-invoke) System.Func`3[System.IO.Stream,System.IAsyncResult,System.Threading.Tasks.VoidTaskResult]:invoke_TResult_T1_T2 (System.IO.Stream,System.IAsyncResult)
      at System.Threading.Tasks.TaskFactory`1+FromAsyncTrimPromise`1[TResult,TInstance].Complete (TInstance thisRef, System.Func`3[T1,T2,TResult] endMethod, System.IAsyncResult asyncResult, System.Boolean requiresSynchronization) [0x00002] in <8f2c484307284b51944a1a13a14c0266>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at SocketHttpListener.Net.ResponseStream+<WriteAsync>c__async0.MoveNext () [0x0020c] in <8c1f4f2ba8e148669f131698c4f504eb>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.IO.Stream+<CopyToAsyncInternal>c__async0.MoveNext () [0x0009b] in <8f2c484307284b51944a1a13a14c0266>:0
    --- End of stack trace from previous location where exception was thrown ---
      at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x0000c] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x0004e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x0002e] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x0000b] in <8f2c484307284b51944a1a13a14c0266>:0
      at System.Runtime.CompilerServices.ConfiguredTaskAwaitable+ConfiguredTaskAwaiter.GetResult () [0x00000] in <8f2c484307284b51944a1a13a14c0266>:0
      at Emby.Server.Implementations.HttpServer.StreamWriter+<WriteToAsync>c__async0.MoveNext () [0x00139] in <60da0dda661040f0bc947d7e94c669aa>:0
    InnerException: System.Net.Sockets.SocketException
    System.Net.Sockets.SocketException (0x80004005): Connection reset by peer
      at System.Net.Sockets.Socket.EndSend (System.IAsyncResult result) [0x00033] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.Net.Sockets.NetworkStream.EndWrite (System.IAsyncResult asyncResult) [0x0005f] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.Net.Sockets.Socket.EndSend (System.IAsyncResult result) [0x00033] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
      at System.Net.Sockets.NetworkStream.EndWrite (System.IAsyncResult asyncResult) [0x0005f] in <5071a6e4a4564e19a2eda0f53e42f9bd>:0
 

 

 

Apache configuration

Listen 3030 https

<VirtualHost _default_:3030>
    ServerName       host.domain.com
    UseCanonicalName On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine               On
    SSLProxyEngine          On
    SSLProtocol             ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder     On
    SSLProxyVerify          None
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyCheckPeerExpire Off
    SSLCertificateFile      /etc/letsencrypt/live/host.domain.com/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/host.domain.com/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/host.domain.com/fullchain.pem
    SSLCipherSuite          ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!MD5:!DSS

    ProxyRequests     Off
    ProxyPreserveHost On

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /embywebsocket ws://localhost:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://localhost:8096/embywebsocket

    # Notice!!! Put me after ws!!!
    ProxyPass        / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

    ErrorLog  /var/log/httpd/emby-ssl-error.log
    CustomLog /var/log/httpd/emby-ssl-access.log combined
</VirtualHost>

Server log when starting stream is attached.

 

Anyone with the same troubles who managed to solve them?

 


What do you mean by default?

 

I have a fresh apache installation with the upper configuration added to my vhost for emby and disabled unused modules. I will try and enable all disabled modules, just in case I accidentally disabled too many:)

 

More info about my system:

* CentOS 7

* apache 2.4.25

* emby 3.2.1

* mono 4.6.2.16

 

I will also try with nginx, just to see if that works. That way, it will be easier to search for problems:)


I tried enabling all modules on apache, but it still wasn't working. After a few hours I gave up and switched to nginx config from @Karbowiak. I changed some parts to get better result on ssllabs.com (A+).

    server {
            server_name server.domain.org;
            listen 442 ssl;

            ssl_certificate                 /etc/letsencrypt/live/server.domain.org/fullchain.pem;
            ssl_certificate_key             /etc/letsencrypt/live/server.domain.org/privkey.pem;
            ssl_dhparam                     /etc/ssl/certs/dhparam.pem;

            ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
            ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:ECDHE-ECDSA-DES-CBC3-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:DES-CBC3-SHA:!DSS';
            #ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
            ssl_prefer_server_ciphers on;

            ssl_session_timeout 1d;
            ssl_session_cache shared:SSL:50m;
            ssl_session_tickets off;

            ssl_stapling on;
            ssl_stapling_verify on;

            resolver                        8.8.8.8 8.8.4.4 valid=300s;
            resolver_timeout                5s;
            keepalive_timeout               180;

            add_header Strict-Transport-Security max-age=15768000;

            client_max_body_size 1024M;

            location / {
                    # Send traffic to the backend
                    proxy_pass http://127.0.0.1:8096;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
                    proxy_set_header Host $host;
                    # X-Forwarded-Proto carries the client-facing scheme (http or https)
                    proxy_set_header X-Forwarded-Proto $scheme;
                    proxy_set_header X-Forwarded-Protocol $scheme;
                    proxy_redirect off;

                    # Send websocket data to the backend aswell
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
            }
    }

Current ciphers support the following browsers: Firefox 1, Chrome 1, IE 7, Opera 5, Safari 1, Windows XP IE8, Android 2.3, Java 7

If you comment that one and uncomment the bottom one, you get more secure ciphers and TLS1.2 only. In that case only the following browsers are supported: Firefox 27, Chrome 30, IE 11 on Windows 7, Edge, Opera 17, Safari 9, Android 5.0, and Java 8


Also, be aware that my config has HTTP Strict Transport Security enabled, so after visiting the emby vhost, all connections to this host will be forced via https. So if you have other services running on the host, browser will always visit the URL via https.


  • 5 months later...
tigrao

I don't know if this is the appropriate place to post this or not.  This post seems like one of the best resources for correct configuration of reverse proxies though.

 

Back in October I posted that I successfully configured IIS as a reverse proxy with full support for remote control. Well, I recently added a music library to my Emby server. Music seemed to play okay on a computer web browser, but it wouldn't play on my iOS Emby app when I was out of my home network. I troubleshot this for a long time and finally decided that it might be IIS not playing nice as a reverse proxy. I switched to using nginx on an Ubuntu VM and now music plays on my iOS apps just fine. I used the configuration posted by @Karbowiak and it is working flawlessly for me.

 

Long story short:  Don't use IIS as a reverse proxy.  Use one of the tried and true open source solutions.

 


Karbowiak

Just to do a tiny update to this - I have since the original post switched to Caddy, and my god, the config files of Caddy are short..

A full Caddyfile to run Emby through it, with automatic ssl cert management, websocket etc. amounts to a total of 7 lines..

yourdomain.tld {
        gzip
        timeouts none
        proxy / 127.0.0.1:8096 {
                transparent
                websocket
        }
}

If you want to use Caddy for this (and other websites on your server) I'm willing to post a setup guide to getting it to run via SystemD and whatnots.
Coincidentally, the above config, also works with Plex - just change the ports and voila :)


Tur0k

I purchased a domain from google and created a DDNS/A+ record that is updated from the dynamic DNS client on my PFsense firewall. I have a few CNAME records that point back to the DDNS records.

 

I use let's encrypt certificates that I manage from an acme client package also installed on my PFsense firewall. The acme client automatically restarts the services tied to different services I have running when it renews a certificate.

 

I hosted an HAProxy reverse proxy package on my PFsense firewall pretty easily. I ACL requests to my internal resources by the hostname request. And dynamically provision the appropriate SSL certificate based on the request.

 

I have tied in a handful of other internal resources including a service that allows my home automation app on my phone to access my home automation server.

 

From my firewall I limited the open ports on the wan to 443. HAproxy only listens on 443 and is configured on secured connections. I have configured the supported ciphers to only modern types, and forced TLS 1.2 or higher as the supported protocol.

 

I'm working on

1. setting up proper auditing and logging and the.

2. automating brute force attacks for any request instead of by application.

3. configuring client certificate authentication enforcement.

 

 


  • 4 years later...
18 hours ago, africano said:

anyone, please, 

How to setup reverse proxy with apache on wampserver? Step by step.
