Using Reverse proxy - login fail

[mortstar 2]

I have a valid SSL certificate and use different /paths to access webapps exposed via reverse-proxy. For example https://mydomain.com/emby is proxied to http://192.168.0.1:8096/emby

 

Using the desktop and Android version of Chrome I'm able to log in and access the Emby Server and use all features. When using the Android app, I'm able to connect to the server using these settings:

Host: https://mydomain.com/emby

Port: (left blank)

 

The app shows my user which I select and then enter the password (which is very simple at the moment to rule out complex password problems). I get this error message in the app:

Invalid username or password. Please try again.

 

The server logs show this error:

2015-09-04 13:24:55.5755 Error - DtoUtils: ServiceBase<TRequest>::Service Exception
    *** Error Report ***
    Version: 3.0.5724.3
    Command line: /usr/lib/emby-server/MediaBrowser.Server.Mono.exe -programdata /config -ffmpeg /usr/bin/ffmpeg -ffprobe /usr/bin/ffprobe -restartpath /Restart.sh -restartargs
    Operating system: Unix 4.0.4.0
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /config
    Mono: 4.0.3 (Stable 4.0.3.20/d6946b4 Thu Aug 13 12:46:26 UTC 2015)
    Application Path: /usr/lib/emby-server/MediaBrowser.Server.Mono.exe
    Argument cannot be null.
    Parameter name: username
    System.ArgumentNullException
     at MediaBrowser.Server.Implementations.Library.UserManager+<AuthenticateUser>c__async1.MoveNext () [0x00000] in <filename unknown>:0
    --- End of stack trace from previous location where exception was thrown ---
     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[System.Boolean].GetResult () [0x00000] in <filename unknown>:0
     at MediaBrowser.Server.Implementations.Session.SessionManager+<AuthenticateNewSession>c__asyncC.MoveNext () [0x00000] in <filename unknown>:0
    --- End of stack trace from previous location where exception was thrown ---
     at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw () [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.ThrowForNonSuccess (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.TaskAwaiter.ValidateEnd (System.Threading.Tasks.Task task) [0x00000] in <filename unknown>:0
     at System.Runtime.CompilerServices.ConfiguredTaskAwaitable`1+ConfiguredTaskAwaiter[MediaBrowser.Model.Users.AuthenticationResult].GetResult () [0x00000] in <filename unknown>:0
     at MediaBrowser.Api.UserService+<Post>c__async1.MoveNext () [0x00000] in <filename unknown>:0
    
2015-09-04 13:24:55.5755 Error - HttpServer: Error processing request for /emby/Users/authenticatebyname
    *** Error Report ***
    Version: 3.0.5724.3
    Command line: /usr/lib/emby-server/MediaBrowser.Server.Mono.exe -programdata /config -ffmpeg /usr/bin/ffmpeg -ffprobe /usr/bin/ffprobe -restartpath /Restart.sh -restartargs
    Operating system: Unix 4.0.4.0
    Processor count: 4
    64-Bit OS: True
    64-Bit Process: True
    Program data path: /config
    Mono: 4.0.3 (Stable 4.0.3.20/d6946b4 Thu Aug 13 12:46:26 UTC 2015)
    Application Path: /usr/lib/emby-server/MediaBrowser.Server.Mono.exe
    Argument cannot be null.
    Parameter name: username
    ServiceStack.HttpError
    No Stack Trace Available

Here is a snippit of the log from Android showing that a Username field is being sent in the request:

13:30:08.257 [JavaBridge] INFO App - Setting server address to https://mydomain.com/emby
13:30:08.381 [JavaBridge] INFO App - event.trigger connected
13:30:08.388 [JavaBridge] INFO App - event.trigger pagebeforeshowready
13:30:08.401 [JavaBridge] INFO App - event.trigger pageshowbeginready
13:30:08.404 [JavaBridge] INFO App - event.trigger pageshowready
13:30:08.418 [JavaBridge] INFO App - Requesting https://mydomain.com/emby/users/public
13:30:08.420 [JavaBridge] INFO App - Sending request: {"Method":"GET","Url":"https://mydomain.com/emby/users/public","RequestHeaders":{"accept":"application/json"},"Timeout":30000}
13:30:08.436 [JavaBridge] DEBUG App - Adding request to queue: https://mydomain.com/emby/users/public
13:30:08.443 [JavaBridge] INFO App - event.on response4
13:30:08.447 [JavaBridge] INFO App - Requesting https://mydomain.com/emby/Branding/Configuration
13:30:08.449 [JavaBridge] INFO App - Sending request: {"Method":"GET","Url":"https://mydomain.com/emby/Branding/Configuration","RequestHeaders":{"Authorization":"MediaBrowser Client=\"Emby Mobile\", Device=\"HTC One\", DeviceId=\"bc9523ea-476a-e124-3578-640518168078\", Version=\"3.0.5679.20282\"","accept":"application/json"},"Timeout":30000}
13:30:08.476 [JavaBridge] DEBUG App - Adding request to queue: https://mydomain.com/emby/Branding/Configuration
13:30:08.482 [JavaBridge] INFO App - event.on response5
13:30:08.564 [main] INFO App - Response received from: https://mydomain.com/emby/Branding/Configuration
13:30:08.570 [JavaBridge] INFO App - event.trigger response5
13:30:08.575 [JavaBridge] INFO App - event.off response5
13:30:08.608 [main] INFO App - Response received from: https://mydomain.com/emby/users/public
13:30:08.617 [JavaBridge] INFO App - event.trigger response4
13:30:08.619 [JavaBridge] INFO App - event.off response4
13:30:15.637 [JavaBridge] INFO App - Requesting url without automatic networking: https://mydomain.com/emby/Users/authenticatebyname
13:30:15.644 [JavaBridge] INFO App - Sending request: {"Method":"POST","Url":"https://mydomain.com/emby/Users/authenticatebyname","RequestHeaders":{"Authorization":"MediaBrowser Client=\"Emby Mobile\", Device=\"HTC One\", DeviceId=\"bc9523ea-476a-e124-3578-640518168078\", Version=\"3.0.5679.20282\"","accept":"application/json"},"RequestContent":"{\"password\":\"5baa61e4c9b93f3f0682250b6cxxxxxxxxxxxxxx\",\"Username\":\"Sam\"}","RequestContentType":"application/json"}
13:30:15.663 [JavaBridge] DEBUG App - Adding request to queue: https://mydomain.com/emby/Users/authenticatebyname
13:30:15.668 [JavaBridge] INFO App - event.on response6
13:30:15.811 [main] ERROR App - VolleyError com.android.volley.ServerError: null
com.android.volley.ServerError
com.android.volley.toolbox.BasicNetwork.performRequest(BasicNetwork.java:178)
com.android.volley.NetworkDispatcher.run(NetworkDispatcher.java:112)
13:30:15.822 [JavaBridge] INFO App - event.trigger response6
13:30:15.827 [JavaBridge] INFO App - event.off response6
13:30:15.830 [JavaBridge] INFO App - event.trigger requestfail

Edited September 4, 2015 by mortstar

[Luke 36997]

make sure the proxy isn't dropping or changing request headers, something we've seen before

[mortstar 2]

Ah, this could be where I fall down. I did see a working nginx config here: http://emby.media/community/index.php?/topic/22889-emby-behind-a-reverse-proxy-remote-control-issue/

 

with the relevant section being:

location / {
		# Send traffic to the backend
		proxy_pass http://127.0.0.1:8096;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Proto $remote_addr;
		proxy_set_header X-Forwarded-Protocol $scheme;
		proxy_redirect off;

		# Send websocket data to the backend aswell
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		}

My system is running apache as the reverse proxy so I wasn't able to translate that (I'm not an Apache pro)....anybody got any pointers on how to make sure headers are being forwarded properly in Apache reverse proxy? My setup is currently:

##Emby##
<Location /emby>
	ProxyPass http://192.168.0.1:8096/emby
	ProxyPassReverse http://192.168.0.1:8096/emby
	ProxyPreserveHost On
	RequestHeader append X-Real-IP $remote_addr
	Order deny,allow
	Deny from all
	Allow from all
</Location>	

[mortstar 2]

All fixed - moved to nginx and copied the above config.

[skug67 1]

I'm in much the same boat except that I use apache as my main webserver and would strongly prefer to avoid setting up nginx running alongside it. Can anyone give me the Apache conf that would allow me to authenticate via apache when I'm away from home and still stream via the Android app?

[nwcatalyst 4]

@skug67 I had success using Emby Connect login to connect to the server (after linking the server to my Emby account locally) rather than manual connection. Not sure why this would matter. I have a few webservices configured through Apache but here is my emby.conf part
 

<VirtualHost *:8920>
    ServerName SERVERNAME
    UseCanonicalName On

    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>

    SSLEngine               On
    SSLProxyEngine          On
    SSLProtocol             ALL -SSLv2 -SSLv3
    SSLHonorCipherOrder     On
    SSLProxyVerify          None
    SSLProxyCheckPeerCN     Off
    SSLProxyCheckPeerName   Off
    SSLProxyCheckPeerExpire Off
    SSLCertificateFile      /etc/letsencrypt/live/SERVERNAME/cert.pem
    SSLCertificateKeyFile   /etc/letsencrypt/live/SERVERNAME/privkey.pem
    SSLCertificateChainFile /etc/letsencrypt/live/SERVERNAME/chain.pem
    SSLCipherSuite          ECDH+AESGCM:DH+AESGCM:ECDH+AES256:DH+AES256:ECDH+AES128:DH+AES:ECDH+3DES:DH+3DES:RSA+AESGCM:RSA+AES:RSA+3DES:!aNULL:!M$

    ProxyRequests     Off
    ProxyPreserveHost On

    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /socket ws://localhost:8096/socket
    ProxyPassReverse /socket ws://localhost:8096/socket

    # Notice!!! Put me after ws!!!
    ProxyPass        / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

    ErrorLog  ${APACHE_LOG_DIR}/emby-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/emby-ssl-access.log combined
</VirtualHost>

I realize that much of the server SSL cert stuff is redundant as I believe the Emby services and browsers are actually using the .pfx version of my SSL set in Emby server config, but I got it working and this is how it is set

I have a few other config files that relate to other services I'm running, one which does a basic rewrite for http->https, so this might not be a complete solution for you, but hopefully it helps.