plessers@gmail.com, Posted March 5, 2016

Hello,

Yesterday I noticed on my router that there was a lot of “internet” traffic. I was surprised about this, but after some testing and sniffing, I saw that my client PC was accessing my server at the “outside” of the router (see routing on image). No real consumption of my bandwidth at the ISP side, but still, all traffic is passed through the router...

This also means:
- Single point of failure
- Bandwidth of router is shared by all clients. I have a Gb-router, but this can be a problem with older routers
- Monitoring of bandwidth at router is not representative anymore and all my graphs are messed up. Monitoring figures don't match information I see at my ISP

I used to work with Plex, and they have a very clever setup for this (for more information, see https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/).

On my router: Dnsmasq -> Custom configuration ->

    rebind-domain-ok=/plex.direct/
    local-ttl=1

I tried to change my router to

    rebind-domain-ok=/plex.direct/tv.emby.media/app.emby.media/
    local-ttl=1

but this didn’t help.

So my question here is: is it possible to configure my EMBY-server in the same way as my PLEX-server so that my clients have a direct connection to my server instead of going to the public url?

Oh, and I only want to use one url for my browsers, i.e. http://tv.emby.media/#!/plugins/defaultskin/home.html...

Thanx in advance,
Bart

Koleckai Silvestri, Posted March 5, 2016

I don't have this problem and connect directly to my server's internal IP of 10.0.0.4. Maybe this is an issue if you use Emby Connect. I don't use Emby Connect.

Luke, Posted March 5, 2016

It's supposed to do that already with connect by first testing your local address for connectivity; however, if by chance you entered a manual address then it will always do that. The dnsmasq method you mentioned is interesting too, so if you can get a prototype of that working, we can look into it.

JeremyFr79, Posted March 5, 2016

I just set up a DNS entry in my DNS server for all my stuff; that way everything gets routed properly internally and externally as needed.

plessers@gmail.com, Posted March 9, 2016

@luke: the problem is, when I go to the new web interface at http://tv.emby.media/index.html, I'm in a kind of a loop:
- I get a PIN
- on another browser window, I go to https://emby.media/pin.html, login and enter that PIN
- in the first window, I'm redirected to http://tv.emby.media/index.html#!/startup/selectserver.html, but my server is NOT displayed:
- If I select Emby Connect, I'm going to first step of this procedure...
- if I select "new server", I have to add my server manually

Here I have to choose between public name, or internal IP address.

Is this a bug? I was expecting that, after accepting the PIN, my server was resolved automatically, and if on the same network, the internal IP was used.

bart

gstuartj, Posted March 10, 2016

I do something similar to @JeremyFr79, but what I do is set up a cname in DNSmasq on my router so that the public address points to the local address within my network. Here's an example configuration line:

    cname=public.domain.example,machinename.lan

All local clients are automatically routed directly to the local server address.

plessers@gmail.com, Posted May 28, 2017

Hello to everybody,

I have to come back on this. @Luke suggested to me in another topic to try the interface on "https://tv.emby.media/". Till now, I was experimenting locally to my embyserver, but if I want to use "https://tv.emby.media/", the above problem still arises. All network traffic is sent through my router twice (uploading AND downloading). If I use fiddler, I see all my traffic going to https://mydomain:8920

This could be done smarter:
- let emby detect if server and client are on same subnet
- if this is the case, let server give local IP as sources instead of public dns name

This is something that other media server Plex does:
- if I go to http://app.plex.tv/web/app#
- and if I fiddle my network traffic, I see
- connections are made to https://xxx-xxx-xxx-xxxx.69948de6a51145a5be0623b766969880.plex.direct:32400, where xxx-xxx-xxx-xxx is my local IP of my server
- my router is configured so that:

      rebind-domain-ok=/plex.direct/
      local-ttl=1

- so if I ping from my client to 192-168-4-11.69948de6a51145a5be0623b766969880.plex.direct I get response from 192.168.4.11 (IP address of my local server)

So no network traffic passes my router.

Is this something that can be considered on emby?

Kind regards,
Bart

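The plex.direct naming and the `rebind-domain-ok` setting described in the post above, modelled as an added Python example (not part of the original post, and not Plex or dnsmasq code). The filter is a simplified model that treats only the RFC 1918 ranges as private, the function names are made up for this example, and 203.0.113.10 is a constructed sample address.

```python
import ipaddress

# Simplified model: only RFC 1918 ranges count as "private" here.
PRIVATE_NETS = [ipaddress.ip_network(n)
                for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def embedded_ip(hostname):
    """Return the IPv4 address encoded with dashes in the first label,
    as in the hostname quoted in the post, or None if there is none."""
    first = hostname.split(".", 1)[0]
    try:
        return ipaddress.IPv4Address(first.replace("-", "."))
    except ipaddress.AddressValueError:
        return None


def allowlisted(hostname, rebind_domain_ok):
    """True if hostname is, or is a subdomain of, an allowlisted domain."""
    name = hostname.lower().rstrip(".")
    return any(name == d or name.endswith("." + d) for d in rebind_domain_ok)


def rebind_filter(hostname, answer, rebind_domain_ok):
    """Decide what a resolver with rebind protection does with an upstream
    answer: private addresses are dropped unless the domain is allowlisted."""
    ip = ipaddress.ip_address(answer)
    if not any(ip in net for net in PRIVATE_NETS):
        return "pass"  # public answer: rebind protection never triggers
    return "pass" if allowlisted(hostname, rebind_domain_ok) else "drop"


if __name__ == "__main__":
    host = "192-168-4-11.69948de6a51145a5be0623b766969880.plex.direct"
    local = str(embedded_ip(host))
    print(local, rebind_filter(host, local, []))               # dropped
    print(local, rebind_filter(host, local, ["plex.direct"]))  # passed
    # Constructed public answer: the allowlist makes no difference.
    print(rebind_filter("tv.emby.media", "203.0.113.10", []))
```

An allowlist entry only matters when the answer for that name is a private address; it does not create a local record for the name.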
Luke, Posted May 28, 2017

When you use tv.emby.media it will connect locally when possible. Try the http version.

plessers@gmail.com, Posted May 29, 2017

Hi Luke,

Just did the test:
- connect to http://tv.emby.media
- login with emby connect
- added my server http://mydomain:8098 (I'm running on a different port)
- logged in to my server with local account and pass

If I sniff my network traffic, all requests are done to http://mydomain, which means the PUBLIC side of my router. Thus traffic passing through router and back again.

This can easily be seen on the router itself: when playing a movie, traffic is taken into account, so network traffic is following my "green path" (see original picture).

Kind regards,
Bart

Luke, Posted May 29, 2017

And I just tested as well - no problem found, worked as expected. The point being, it will always try to connect to the local lan address that is listed on the emby server dashboard. It will only switch to remote if that fails, or if you originally connected by manually entering a specific address. If you did a manual address then it will always use that particular value.

plessers@gmail.com, Posted May 29, 2017

Hi Luke,

I don't understand that. What am I doing wrong?

Here are my settings:

As I said before, here are the steps connecting to http://tv.emby.media from an internal client (on same network segment as server):
- connect to http://tv.emby.media
- logon with emby connect account
- add server
- enter public domainname and port
- logon with local account:
- enter libraries:

however, on my client:

so I can't see any traffic going to my server directly....

What am I doing wrong?

Sincerely
Bart

plessers@gmail.com, Posted May 29, 2017

Oh, BTW, when I connect to http://app.emby.media instead of http://tv.emby.media, my client IS using local IP.

Are you sure you were using tv.emby.media?

Luke, Posted May 30, 2017

Yes, you must have manually entered an ip address during the connection process, in which case that is always the first address used.

plessers@gmail.com, Posted May 30, 2017 (edited May 30, 2017)

Hello Luke,

I don't get this.

On my home PC on local network
- logged in with emby connect user
- I removed server from my server list
- added server again with local IP

Connected to other PC on external network
- logged in with same emby connect user
- NO servers are listed

so how can I connect to my server from an external PC?

From what I know right now:
- I can add my server based on local IP -> it's working on local subnet and streaming is done peer-to-peer
OR
- I can add server based on public DNS name --> it's working on local subnet AND external subnet, but streaming is done, based on public DNS name. So again: networkflow according to my original picture.

Can you confirm this?

Kind regards,
Bart

Luke, Posted May 31, 2017

I would use Emby Connect. The server is probably not listed anymore due to you removing it.

plessers@gmail.com, Posted May 31, 2017

Luke,

can you elaborate on this a little bit more? I AM using Emby Connect, and added the server with its IP address.

Also: logging on from another PC with Emby Connect does NOT list my server at all...

Maybe there is something wrong with Emby Connect? Or with my profile?

Bart

ebr, Posted May 31, 2017

> I AM using Emby Connect, and added the server with it's IP address.

If you are manually adding a server by IP you are not using Emby Connect. Try re-linking the user in the server dashboard or recreating it if it is a guest.

Luke, Posted May 31, 2017

Exactly. To learn more about setting up Emby Connect, check out our wiki: https://github.com/MediaBrowser/Wiki/wiki/Emby%20Connect

plessers@gmail.com, Posted May 31, 2017

Indeed, what happened:
- I added a new user to my server(s)
- made this user admin (because admin sees all libraries, me as "normal" user only want to see few of them)
- I forgot to add the admin email address to its profile --> things went wrong here
- so using Emby connect, I had to add the server manually
- and of course connection was made by the url added

However:
- after using Emby connect correctly (thus email user configured at server, invitation accepted)
- I had to clear all my caches of my browser. Somehow, settings were cached and even after using Emby Connect, I still was using the public domain name
- I started incognito session --> local IP was used
- I cleared all caches --> everything works as designed now: using local IP's on local subnet, using public domain name on wan.

thanx all for your patience and support, much appreciated!

Bart

Just one suggestion: in the whole discussion above, I was confused and NOT using Emby Connect, although I followed the procedure on screen (see above), which clearly indicates: to use Emby Connect, visit https://emby.media/pin and enter pincode. So by doing this, I thought I was using connect, but clearly not. My mistake, but I guess some other user may also be in this situation...

Swynol, Posted June 4, 2017

I use a static-hostname on my router which points to my internal IP. So for example emby.mydomain.com. If I am internal it goes to 192.168.10.10:8096. If I am external I have a cname with my registrar which points it to my DDNS.

plessers@gmail.com, Posted June 5, 2017

@swynol: this would be a solution if all my public services were running on same server. internally, but I have some other servers with different IP's, but with same public name...

anyway, thanx for response!

B

Swynol, Posted June 5, 2017

> @swynol: this would be a solution if all my public services were running on same server. internally, but I have some other servers with different IP's, but with same public name... anyway, thanx for response! B

I have many public services on my lan. For example, internally:

    emby.mydomain.com --> 192.168.10.10
    sophos.mydomain.com --> 192.168.10.9
    etc

then externally:

    emby.mydomain.com --> CNAME to DDNS --> DDNS AAA record to my WAN IP port 443 --> NGINX reverse proxy --> 192.168.10.10
    sophos.mydomain.com --> CNAME to DDNS --> DDNS AAA record to my WAN IP port 443 --> NGINX reverse proxy --> 192.168.10.9

I have another 10-15 services on my LAN which I can access internally using the same URL as external, however it doesn't get routed externally.

plessers@gmail.com, Posted June 6, 2017

yep, but in my setup: everything is routed to https://MyOneAndOnlyPublicDomainName:xyz. Depending on port, a reverse proxy is forwarding requests to different internal IP's. So this is a bit more difficult to use a HOST file of diff. DNS for the routing internally.

But you're right, maybe I should start using different DNS names...

pir8radio, Posted June 6, 2017

> yep, but in my setup: everything is routed to https://MyOneAndOnlyPublicDomainName:xyz. Depending on port, a reverse proxy is forwarding requests to different internal IP's. So this is a bit more difficult to use a HOST file of diff. DNS for the routing internally. But you're right, maybe I should start using different DNS names...

The reason for reverse proxy is, in your case, say you have 10 "services" running, you have 10 ports on your firewall open, and that's 10 security risks. With nginx or some other reverse proxy, you usually open http and https (80 & 443), then you just give your services names either like service1.domain.com or domain.com/service1. The second is harder to set up and maintain in my opinion. The back-end services will still be using the ports you assigned them, so you can switch back easily or run nginx and the way you are doing it today side by side as a test.

    service1.domain.com:80---->nginx--->service1:8374

and so on.

plessers@gmail.com, Posted June 10, 2017

@Swynol, @pir8radio, thanx for input.

This was a project that I had postponed for a long time, but with your feedback, I spent some time on it. Glad I did.

So for now:
- running tomato software on an ASUS-RT-N18U router
- port forwarding 80 to IP of router
- NGINX is currently running on router
- NGINX HTTP Section Custom configuration

Custom settings:

    server {
        listen 80;
        server_name app1.mydomain.org;
        location / {
            proxy_pass http://InternalIP-App1:80/;
        }
    }
    server {
        listen 80;
        server_name app2.mydomain.org;
        location / {
            proxy_pass http://InternalIP-App2:80/;
        }
    }
    server {
        listen 80;
        server_name app3.mydomain.org;
        location / {
            proxy_pass http://InternalIP-App3:32400/;
        }
    }
    server {
        listen 80;
        server_name app4.mydomain.org;
        location / {
            proxy_pass http://InternalIP-App4:8096/;
        }
    }

Everything works smoothly now and I can access my services over http with their own app-subdomain.

I am planning to do this also with https, but currently struggling with certificates.

I have a config running (cert.pem and cert.key are internally generated on the router if you enable admin over https, see also http://blog.nguyenvq.com/blog/tag/reverse-proxy/):

    server {
        listen 443;
        ssl on;
        ssl_certificate /tmp/etc/cert.pem;
        ssl_certificate_key /tmp/etc/key.pem;
        ssl_session_timeout 5m;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_prefer_server_ciphers on;
        ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
        location / {
            proxy_pass http://InternalIP:32400;
            proxy_redirect http://InternalIP:32400/ $scheme://$host:$server_port/;
        }
    }

This works, but you get a certificate error of course. I have certificates (Let's Encrypt) for all my app subdomains, but still need to convert them from *.pfx to *.cert/key.pem

Anybody experience with that?

Another question: can you do the same thing with https as with http? Listen on SAME port (443) for different domains and different certificates? What should my config look like?

Can I do this:

Is this possible?

Kind regards,
Bart

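An added example, not part of the original post: a small Python check over the TLS directives of the HTTPS server block above, flagging protocol versions deprecated by RFC 8996 and enabled cipher tokens that include RC4 (prohibited in TLS by RFC 7465) or another weak component. The function names and the weak-component list are choices made for this example; the sample repeats the posted directives.

```python
import re

# Sample: TLS directives copied from the HTTPS server block posted above.
SAMPLE = '''
server {
    listen 443;
    ssl on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH+aRSA+RC4 EECDH EDH+aRSA RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS";
}
'''

# TLS 1.0 and 1.1 are deprecated by RFC 8996, SSLv3 by RFC 7568.
DEPRECATED_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
# OpenSSL cipher-string components treated as weak in this example.
WEAK_PARTS = {"RC4", "DES", "3DES", "MD5", "NULL", "aNULL", "eNULL", "EXP", "LOW"}


def directives(conf):
    """Yield (name, args) for each simple 'name arg ...;' directive."""
    for m in re.finditer(r'^\s*([a-z_]+)\s+([^;{}]+);', conf, re.M):
        yield m.group(1), re.findall(r'"[^"]*"|\S+', m.group(2))


def audit_tls(conf):
    """Return (directive, offending value) pairs for weak TLS settings."""
    findings = []
    for name, args in directives(conf):
        if name == "ssl_protocols":
            findings += [(name, p) for p in args if p in DEPRECATED_PROTOCOLS]
        elif name == "ssl_ciphers":
            spec = " ".join(a.strip('"') for a in args)
            for token in re.split(r'[\s:,]+', spec):
                # '!' and '-' remove ciphers, so those tokens enable nothing.
                if not token or token[0] in "!-":
                    continue
                if WEAK_PARTS & set(token.lstrip("+").split("+")):
                    findings.append((name, token))
    return findings


if __name__ == "__main__":
    for directive, value in audit_tls(SAMPLE):
        print(f"{directive}: {value}")
```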