https Mobile issues


Malleyc94

Hi, new user here!

I'm running emby inside docker on unraid and am loving it so far

I've generated SSL certs with LetsEncrypt and Nginx in another docker

 

I found instructions on how to turn these .pem files into something emby will accept

sudo openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx

 

I can access the web server https://mydns.afraid.org and another docker https://mydns.afraid.org:8123 with no issues from any device

however when I access https://mydns.afraid.org:8920 from a mobile device sometimes it will display one of the two following errors

 

This site cannot be reached

ERR_TUNNEL_CONNECTION_FAILED

 

or

 

Your connection is not private

NET::ERR_CERT_AUTHORITY_INVALID

 

other times it will work totally fine!

Is this a known issue (I read a post talking about mono only supporting TLS1.0) or is this an issue with how I have set up https access?

 

any help appreciated

Link to comment
Share on other sites

The first one looks like connectivity.

 

The second one looks like the browser rejecting the cert by default. You can override this in the browser page by clicking proceed anyway, although I think that override might first require clicking something else in order to show it. Then once you do this, it will remember this for a little while before you have to do it again. I am guessing you may have overridden it once, then it worked for a bit and now you need to do it again.

Link to comment
Share on other sites

Malleyc94

Thanks for that.

I was expecting to find the option to click proceed but it was never available.

 

I'm currently working on setting up a reverse proxy to handle the HTTPS side of things along with auto renewal of certs.

 


Link to comment
Share on other sites

Malleyc94

I've been able to secure the server using lets encrypt for auto renewing certs and nginx web server to reverse proxy.

It's working for all clients, mobile and other, and is using TLS 1.2

 

57f31735c1d8f_SSL.png

Link to comment
Share on other sites

Guest plexman

I've been able to secure the server using lets encrypt for auto renewing certs and nginx web server to reverse proxy.

It's working for all clients, mobile and other, and is using TLS 1.2

 

57f31735c1d8f_SSL.png

 

Could you please post how you did it, and if it works with everything like remote control, chromecast, etc.

Link to comment
Share on other sites

Malleyc94

Update, I'm currently having an issue with websocket traffic. Interestingly, the Android mobile app continued to work after I made the change, but reconnecting to the server failed. I've still got a bit more testing to do but believe I need to also redirect the websocket traffic.

 

@plexman my setup is on UnRaid so is a bit different, but basically once you have an Nginx webserver secured with Let's Encrypt (pre-packaged docker on UnRaid) you change some conf files in nginx to allow the redirect. Can post conf if you'd like.

 


Link to comment
Share on other sites

Fyi - the web socket is used for features like remote control but will not prevent basic connectivity if it is not working.

Link to comment
Share on other sites

Malleyc94

Attached are the configuration files for Nginx,

I've been getting most of my info regarding that from this forum here

https://lime-technology.com/forum/index.php?topic=43696.60

 

@Luke the only port I have open is 443

So when connecting via the Android app I should use

 

Host:

https://my.subdomain.tld/emby (working link for browser traffic that nginx redirects to internal ip:8096)

 

Port:

443

 

Should this be working or am I going about this the wrong way?

 

Nginx Conf.zip

Link to comment
Share on other sites

  • 3 weeks later...
Malleyc94

Finally got everything working the way I wanted

 

My system is

unRAID OS

Emby Docker

Aptalca's letsEncrypt docker (Also contains Nginx Webserver)

 

This works for all devices and remote control function is working fine too

 

I connect to the web app using https://mydomain.net/emby

I connect emby apps to the server using https://mydomain.net port 443

 

Here are the 3 files you need to modify inside the Let's Encrypt appdata directory

 

appdata/Nginx-letsencrypt/nginx/site-confs/default

server {

	listen 443 ssl default_server;
	
	
	ssl_certificate /config/keys/fullchain.pem;
	ssl_certificate_key /config/keys/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location / {
		root /config/www;
		index index.html index.htm index.php;
	}

	location /emby {
		# Send traffic to the backend
		proxy_pass http://192.168.###.###:8096/emby;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header Host $host;
		# Tell the backend which scheme the client used
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_set_header X-Forwarded-Protocol $scheme;
		proxy_redirect off;

		# Send websocket data to the backend as well
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
	}
}

appdata/Nginx-letsencrypt/nginx/nginx.conf

user nobody users;
worker_processes 4;
pid /run/nginx.pid;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	# server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	client_max_body_size 0;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# Logging Settings
	##

	access_log /config/log/nginx/access.log;
	error_log /config/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;
	gzip_disable "msie6";

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

	include /etc/nginx/conf.d/*.conf;
	include /config/nginx/site-confs/*;
    
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
	ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
	ssl_prefer_server_ciphers on;
	ssl_session_cache shared:SSL:10m;
	add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
	add_header X-Frame-Options SAMEORIGIN;
	add_header X-Content-Type-Options nosniff;
	add_header X-XSS-Protection "1; mode=block";
	add_header X-Robots-Tag none;
	ssl_stapling on; # Requires nginx >= 1.3.7
	ssl_stapling_verify on; # Requires nginx >= 1.3.7

}

appdata/Nginx-letsencrypt/nginx/proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

# Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

 

Link to comment
Share on other sites
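
An added example, not part of the thread and not code from Emby or nginx: a small Python audit of a reverse-proxy config like the one posted above. It flags legacy TLS versions in `ssl_protocols`, an `X-Forwarded-Proto` header that does not carry the request scheme, and a proxied location that does not forward the websocket upgrade. The function names and the sample config are constructed for illustration, and the parser only understands simple directives and blocks.

```python
import re

# Constructed sample modeled on the /emby location above, with X-Forwarded-Proto mis-set.
SAMPLE_CONF = """
server {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    location /emby {
        proxy_pass http://192.168.###.###:8096/emby;  # address masked as in the post
        proxy_set_header X-Forwarded-Proto $remote_addr;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
"""
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|[;{}]|[^\s;{}"\']+')

def directives(conf):
    """Yield (enclosing block, name, args) for each directive."""
    # nginx starts a comment at '#' only where a token begins; '#' inside a word is literal.
    conf = re.sub(r"(^|\s)#[^\n]*", r"\1", conf, flags=re.M)
    stack, cur = [], []
    for tok in TOKEN.findall(conf):
        if tok == "{":
            stack.append(" ".join(cur))
        elif tok == "}":
            stack = stack[:-1]
        elif tok == ";" and cur:
            yield (stack[-1] if stack else "main"), cur[0], [a.strip("\"'") for a in cur[1:]]
        cur = cur + [tok] if tok not in ("{", "}", ";") else []

def audit(conf):
    """Flag legacy TLS, a wrong X-Forwarded-Proto and unforwarded websocket upgrades."""
    findings, locs = [], {}
    for ctx, name, args in directives(conf):
        legacy = sorted({"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"} & set(args))
        if name == "ssl_protocols" and legacy:
            findings.append(f"{ctx}: legacy protocols enabled: {' '.join(legacy)}")
        if ctx.startswith("location"):
            key = "hdr:" + args[0].lower() if name == "proxy_set_header" and args else name
            locs.setdefault(ctx, {})[key] = args[-1] if args else ""
    for ctx, d in ((c, d) for c, d in locs.items() if "proxy_pass" in d):
        proto = d.get("hdr:x-forwarded-proto", "$scheme")
        if proto not in ("$scheme", "https"):
            findings.append(f"{ctx}: X-Forwarded-Proto is {proto}, not the request scheme")
        ws_ok = d.get("hdr:upgrade") == "$http_upgrade" and d.get("proxy_http_version") == "1.1"
        if not (ws_ok and d.get("hdr:connection", "").lower() in ("upgrade", "$connection_upgrade")):
            findings.append(f"{ctx}: websocket upgrade is not forwarded to the backend")
    return findings
```

To check a real file, pass its contents to `audit()`; `include` directives are not followed, so each included file has to be audited separately.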
