I haven't tried it for the apps but for the webui I have it sitting behind a reverse proxy.
Currently using CaddyServer - http://caddyserver.com
Config is below. Note mine does more than just Emby: mydomain uses an older SSL cert issued by WoSign, mydomain2 is using Let's Encrypt.
# Redirect all plain-HTTP requests to HTTPS
:80 {
    redir https://{host}{uri}
}
# mydomain: manually supplied certificate and key
https://subdomain.mydomain.com {
    tls /usr/share/caddy/ssl/mydomain.bundle.crt /usr/share/caddy/ssl/mydomain.key
    log /var/log/caddy/mydomain.log {
        rotate {
            age 90
        }
    }
    redir /owncloud /owncloud/ 302
    proxy /owncloud/ http://10.0.244.184/ {
        proxy_header X-Forwarded-For {remote}
        proxy_header X-Real-HOST {host}
        proxy_header Proxy_hostname {scheme}{host}
    }
    proxy /emby http://10.0.244.188:8096
}
# mydomain2: certificate obtained from Let's Encrypt
https://nms.mydomain2.com {
    log /var/log/caddy/mydomain2.log {
        rotate {
            age 90
        }
    }
    tls myemail@mydomain.com
    proxy / http://10.0.244.193
}
For Emby only, the config could probably be shortened to the following. (Note I haven't tested this config for syntax errors, it's possible I might have missed some {} somewhere.)
:80 {
    redir https://{host}{uri}
}
https://subdomain.mydomain.com {
    tls myemail@mydomain.com
    proxy /emby http://<embyIP>:8096
}
Breaking it down as follows:
:80 {
    redir https://{host}{uri}
}
This part essentially tells the server to listen on port 80 and redirect any request to the same URL but on https (port 443).
https://subdomain.mydomain.com {
    tls myemail@mydomain.com
    proxy /emby http://<embyIP>:8096
}
This 2nd block defines the domain to use for https and the email address to use for the Let's Encrypt account; it then proxies /emby on port 443 to the Emby UI. The communication between the proxy and Emby is on HTTP, not HTTPS (you can use https if you want). But as they are on my internal network I don't really care at that point.
Edit:
Just tested with the android app and it seems to work through the proxy 
Edit2: Fixed caddyserver url, sorry it's .com not .org
Edited by dragon2611, 20 December 2015 - 11:04 AM.
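Added example, not part of the original post: since the post notes the config was not checked for missing `{}`, this Python sketch checks the block structure of a Caddyfile in the syntax used above. The function name, sample hostnames and addresses are constructed, and the rule that `{` ends its line while `}` sits on its own line is an assumed style convention.

```python
def check_caddyfile_blocks(text):
    """Return [(line_number, message)] for block-structure problems."""
    problems = []
    open_lines = []  # line numbers of blocks that are still open
    for lineno, raw in enumerate(text.splitlines(), 1):
        tokens = raw.split()
        # A token starting with '#' begins a comment; ignore the rest.
        for i, tok in enumerate(tokens):
            if tok.startswith("#"):
                tokens = tokens[:i]
                break
        for i, tok in enumerate(tokens):
            # Only a standalone brace delimits a block. Placeholders such
            # as {host}{uri} sit inside a token and are skipped here.
            # Assumed style rule: '{' ends its line, '}' sits alone.
            if tok == "{":
                if i != len(tokens) - 1:
                    problems.append((lineno, "'{' is not the last token on the line"))
                open_lines.append(lineno)
            elif tok == "}":
                if len(tokens) != 1:
                    problems.append((lineno, "'}' is not on its own line"))
                if open_lines:
                    open_lines.pop()
                else:
                    problems.append((lineno, "'}' closes a block that was never opened"))
    for lineno in open_lines:
        problems.append((lineno, "block opened here is never closed"))
    return problems


# Constructed sample: the second site address is missing its opening '{'.
SAMPLE_BROKEN = """\
:80 {
    redir https://{host}{uri}
}
https://media.example.com
    tls admin@example.com
    proxy /emby http://192.0.2.10:8096
}
"""

if __name__ == "__main__":
    for lineno, message in check_caddyfile_blocks(SAMPLE_BROKEN):
        print(f"line {lineno}: {message}")
```

A missing opening brace is reported at the stray closing brace, so the site address above that line is the place to look.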