Guest plexman Posted October 19, 2016 (edited)

Continuing with this topic, I want to share my current working Apache reverse proxy setup.

Before Nginx users kill me, let me say that I prefer Apache because I'm used to it (I know Nginx is better in reverse proxy scenarios), I find it simpler, I have a Nextcloud server running in the same machine and here they recommend using Apache instead of Nginx, even if I'm not using it for an enterprise deployment.

At the moment, I'm having 0 issues with any App (Web, TV, Android, iOS, etc.), the Chrome console is clean without any error when connecting through the Web App. My Apache is redirecting all traffic including the websocket traffic.

I use my server with a CNAME of my domain, so that's why I don't locate it in "/emby" location, I do it in "/".

This is my Apache .conf file for Emby reverse proxy (located at /etc/apache2/sites-available):

    <IfModule mod_ssl.c>
    <VirtualHost *:80>
        ServerName cname.domain.com
        ServerAdmin youremail@address.com

        RewriteEngine on
        RewriteCond %{SERVER_NAME} =cname.domain.com
        RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
    </VirtualHost>

    <VirtualHost *:443>
        ServerName cname.domain.com
        ServerAdmin youremail@address.com

        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        ProxyRequests Off
        ProxyPreserveHost On

        ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
        ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

        ProxyPass "/" "http://127.0.0.1:8096/"
        ProxyPassReverse "/" "http://127.0.0.1:8096/"

        SSLCertificateFile /etc/letsencrypt/live/cname.domain.com/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/cname.domain.com/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>
    </IfModule>

As you can see I'm using Let's Encrypt certificates. As @curtisghanson said here, I also have an "A" in Qualys SSL Labs:

Well, I was scared of the performance but it's true that the maximum concurrent users I have are around 5-20, it's little. This is the server usage when 7 users are connected playing content at the same time (all my content is Direct Played):

And that's all, hope you liked it and find it useful! Any improvement to the Apache conf file is welcome.

Edit: Forgot to say thanks to @fc7 who was the man that made all this possible.

Edited October 27, 2016 by plexman

Luke 39663 Posted October 19, 2016

Thanks for the info. I'm sure others will find this very helpful.

Guest petwri Posted October 26, 2016 (edited)

@plexman is this the content of apache.conf, or the configuration for a new site, let's say emby.conf? I am pretty new to apache2 and have the same situation like you with nextcloud, apache2 and emby on one machine. Thanks!

Edited October 26, 2016 by petwri

Guest plexman Posted October 27, 2016 (edited)

> @plexman is this the content of apache.conf, or the configuration for a new site, let's say emby.conf? I am pretty new to apache2 and have the same situation like you with nextcloud, apache2 and emby on one machine. Thanks!

This is the conf for the site (virtualhost). I name it in my server /etc/apache2/sites-available/emby-proxy.conf. I've edited the post to be more precise.

Edited October 27, 2016 by plexman

Guest petwri Posted October 27, 2016

> This is the conf for the site (virtualhost). I name it in my server /etc/apache2/sites-available/emby-proxy.conf. I've edited the post to be more precise.

Thank you, will give it a try.

Guest petwri Posted October 29, 2016

So I got it to work like a charm, http://my.host.net/emby gets redirected to my emby server at localhost:8096. The only issue I still have is that I can't connect from the emby android app. I can connect to the server, but the app keeps complaining about a wrong password when I want to login to the server, although the password is definitely correct. Works fine when going to app.emby.media on any browser. Just the ones on android are failing.

Here's my emby.conf

    <VirtualHost *:80>
        ServerName my.host.net
        Redirect permanent / https://my.host.net/
    </VirtualHost>

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName my.host.net

        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        ProxyRequests Off
        ProxyPreserveHost On

        RewriteEngine on
        RewriteRule ^/emby$ /emby/ [R]

        <Location /emby>
            ProxyPass http://localhost:8096
            ProxyPassReverse http://localhost:8096
        </Location>

        <Location /emby/emby>
            ProxyPass ws://localhost:8096/emby
            ProxyPassReverse ws://localhost:8096/emby
        </Location>

        SSLEngine On
        SSLCertificateFile "/path/to/cert"
        SSLCertificateKeyFile "/path/to/key"
    </VirtualHost>
    </IfModule>

Guest plexman Posted October 29, 2016

Compare with the first post please. The websocket part is wrong and is not in the right place. It should be before the http part. Don't use the location directive, use the proxypass as is shown in my post.

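The ordering point in the post above, as an added example that is not part of the thread or of any poster's config: mod_proxy checks ProxyPass rules in configuration order and the first match wins, so a catch-all "/" listed first also takes the websocket path. The helper names and both sample inputs are constructed here; matching is simplified to whole path segments, and only the two-argument ProxyPass form outside `<Location>` is handled.

```python
import shlex

# Constructed input: the ProxyPass lines of the first post's vhost, in its order.
WS_FIRST = '''
ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
ProxyPass "/" "http://127.0.0.1:8096/"
ProxyPassReverse "/" "http://127.0.0.1:8096/"
'''
# Constructed input: the same two rules with the catch-all listed first.
CATCHALL_FIRST = '''
ProxyPass "/" "http://127.0.0.1:8096/"
ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
'''

def proxy_rules(conf):
    """Return [(path, backend)] for two-argument ProxyPass lines, in file order."""
    rules = []
    for line in conf.splitlines():
        if line.lstrip().startswith("#"):
            continue  # commented-out directive
        parts = shlex.split(line)
        if len(parts) >= 3 and parts[0].lower() == "proxypass":
            rules.append((parts[1], parts[2]))
    return rules

def covers(prefix, path):
    """Simplified matching model (assumption): prefix match on whole path segments."""
    p = prefix.rstrip("/")
    return path == p or path.startswith(p + "/")

def route(rules, path):
    """Backend for a request path: the first rule that matches wins."""
    for prefix, backend in rules:
        if covers(prefix, path):
            return backend
    return None

def shadowed(rules):
    """(path, earlier_path) for each rule an earlier, broader rule makes unreachable."""
    found = []
    for i, (prefix, _) in enumerate(rules):
        for earlier, _ in rules[:i]:
            if covers(earlier, prefix.rstrip("/") or "/"):
                found.append((prefix, earlier))
                break
    return found

if __name__ == "__main__":
    for name, conf in (("ws first", WS_FIRST), ("catch-all first", CATCHALL_FIRST)):
        rules = proxy_rules(conf)
        print(name, "->", route(rules, "/embywebsocket"), "| shadowed:", shadowed(rules))
```
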
Guest petwri Posted October 29, 2016

Still can't sign in, complains about wrong pw.

Luke 39663 Posted October 29, 2016

It could also be that certain http headers are getting dropped which is leading to an authentication failure.

Guest petwri Posted October 29, 2016

It works fine on app.emby.media through my desktop browser. @plexman your setup has emby at "/". Is there any working setup that has nextcloud at root and emby at /emby with the same domain?

Guest petwri Posted October 31, 2016

Ok, I created a new subdomain emby.nameofmyserver.net to access emby, used the config posted here, and android app works very fast and nicely. Only problem: sync isn't doing anything. Will post logs asap.

Guest petwri Posted October 31, 2016

Ok, forget my last post, the sync issue doesn't seem to be in any way related with the apache-setup, it's something with my permissions on the sdcard. Proxy access works perfectly fine!

Guest petwri Posted October 31, 2016

Well done! But syncing still seems to be a little messed up, see here: https://emby.media/community/index.php?/topic/40910-ERROR-App---Error-saving-file-/-javax.net.ssl.SSLException

elcaron 1 Posted January 22, 2017 (edited)

Thanks, this was very helpful. I think after adding the websocket part, my Kodi now at least updates at startup. I am not quite sure if that worked before because I do not restart Kodi that often on my mediacenter.

Unfortunately, stuff still doesn't seem to be added automatically during normal run, I still have to run Manual Sync from the setting. Can anybody spot an issue in my config below? (I do not run anything on port 80, this is my full config):

    <VirtualHost *:443>
        ServerAdmin webmaster@example.org
        ServerName emby.example.org

        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        ProxyPreserveHost On
        ProxyRequests Off

        ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
        ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

        ProxyPass "/" "http://127.0.0.1:8096/"
        ProxyPassReverse "/" "http://127.0.0.1:8096/"

        ErrorLog ${APACHE_LOG_DIR}/error.log

        # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
        LogLevel warn

        CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined

        # GnuTLS Switch: Enable/Disable SSL/TLS for this virtual host.
        SSLEngine on
        Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
        SSLCertificateFile /etc/letsencrypt/live/emby.example.org/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/emby.example.org/privkey.pem
        SSLProtocol All -SSLv2 -SSLv3
        SSLHonorCipherOrder on
        SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
    </VirtualHost>

proxy_wstunnel is enabled and apache restarted. I haven't really found how to debug this yet, as I don't get error messages anywhere.

I do not have "/etc/letsencrypt/options-ssl-apache.conf", BTW, though it seems superhandy if that would be a safe config maintained by letsencrypt. Or is that just a file from you?

Edited January 22, 2017 by elcaron

Guest plexman Posted January 22, 2017

The file options-ssl-apache is created by the certbot package which installs the Let's Encrypt certificate. This is the content of the file:

    # Baseline setting to Include for SSL sites

    SSLEngine on

    # Intermediate configuration, tweak to your needs
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
    SSLHonorCipherOrder on
    SSLCompression off

    SSLOptions +StrictRequire

    # Add vhost name to log entries:
    LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
    LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

    #CustomLog /var/log/apache2/access.log vhost_combined
    #LogLevel warn
    #ErrorLog /var/log/apache2/error.log

    # Always ensure Cookies have "Secure" set (JAH 2012/1)
    #Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*;)?(.*)) "$1; Secure$3$4"

elcaron 1 Posted January 23, 2017 (edited)

Good to know, thanks. Anything spotted on the Apache config? Or hints where errors should pop up? There are e.g. no entries of "ws:" in the kodi.log. Since what is going on is not an event I trigger, I don't really know what (and when) to look for in the kodi log.

Edited January 23, 2017 by elcaron

nwcatalyst 4 Posted February 3, 2017

I had this working, now new install on debian 8 server and cannot get it stable again... What apache mods must be enabled? Is it necessary to have nextcloud and emby vhosts as separate configs? I had them all in one file using different ports and it was working fine... Thanks

Luke 39663 Posted February 3, 2017

@nwcatalyst, can you please describe your issue in more detail? Thanks!

nwcatalyst 4 Posted February 7, 2017

Actually, I think my issue was related to this: https://emby.media/community/index.php?/topic/19415-debian/page-12&do=findComment&comment=417031

Server config is working now - if anyone else wants to see my vhosts let me know.

godfuture 4 Posted March 4, 2017

> It works fine on app.emby.media through my desktop browser. @plexman your setup has emby at "/". Is there any working setup that has nextcloud at root and emby at /emby with the same domain?

I have exactly the same question. I have NC on my root and want to hide emby behind a reverseproxy, because letsencrypt does not automatically create pfx certs on renewal. But when I apply @plexman settings, I end up in "page not found" error and "https://myserverdomain/emby" replaced by "https://myserverdomain/web/index.html". Is the subdomain the only solution for that or can I work that out with ProxyPass itself?

Guest plexman Posted March 6, 2017

> I have exactly the same question. I have NC on my root and want to hide emby behind a reverseproxy, because letsencrypt does not automatically create pfx certs on renewal. But when I apply @plexman settings, I end up in "page not found" error and "https://myserverdomain/emby" replaced by "https://myserverdomain/web/index.html". Is the subdomain the only solution for that or can I work that out with ProxyPass itself?

I can't really tell you a solution but check your Rewrite rules in the vhost.conf. Maybe it has some impact on it.

Animosity022 6 Posted April 2, 2017

I think I'm missing something easy. I had no problem setting up the reverse proxy and I just used a CNAME to reverse back to the root dir.

I'm assuming my goal with the reverse proxy is to have the dashboard show "https://blah.domain.com:443" as my Remote WAN Address so I can just use 443 as opposed to 8920 or some other port.

If I go into my Dashboard->Advanced and I change the port to 443 and leave my cert in there I created, that seems to make the dashboard show properly. If I remove the Custom Certificate Path, it goes back to the "http" remote WAN port. I'm assuming I can just leave the cert as is since it is using the Apache SSL cert anyway via the remote proxy.

Am I missing something silly or is that all the proper way to configure Emby?

mbo 12 Posted April 15, 2017 (edited)

I have the same setup with apache for ssl offloading and letsencrypt certs. The only thing that is not working is playing videos in the android app. The desktop webapp is working fine.

The posted configurations use different paths for the websocket streaming. How do I figure out which one is correct? emby or embywebsocket?

Anyway - this is my config - any help is appreciated:

    <VirtualHost x.x.x.x:443>
        ServerName "emby.xxx.xxx"

        ErrorLog /var/log/apache2/media-error.log
        CustomLog /var/log/apache2/media-custom.log combined

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/emby.xxx.xxx/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/emby.xxx.xxx/privkey.pem

        ProxyRequests Off
        ProxyPreserveHost On

        ProxyPass "/embywebsocket" "ws://127.0.0.1:18096/embywebsocket"
        ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:18096/embywebsocket"

        ProxyPass "/emby" "ws://127.0.0.1:18096/emby"
        ProxyPassReverse "/emby" "ws://127.0.0.1:18096/emby"

        ProxyPass "/" "http://127.0.0.1:18096/"
        ProxyPassReverse "/" "http://127.0.0.1:18096/"
    </VirtualHost>

Edited April 15, 2017 by mbo

Animosity022 6 Posted April 15, 2017

If you set up a separate site, you don't need any extra base URL as it all works on the server name.

My entire config that works.

    ServerName emby.blah.us
    ExtendedStatus On

    <VirtualHost *:443>
        ServerName emby.blah.us
        DocumentRoot /var/www/emby.blah.us
        ProxyTimeout 1200

        CustomLog /var/log/apache2/emby-access.log combined
        ErrorLog /var/log/apache2/emby-error.log

        SSLEngine on
        SSLCertificateFile /etc/letsencrypt/live/ombi.blah.us/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/ombi.blah.us/privkey.pem

        #<proxy *>
        #AddDefaultCharset off
        #Order Allow,Deny
        #Allow from all
        #</proxy>
        #
        #ProxyRequests Off
        #ProxyPreserveHost On
        #
        #ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
        #ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
        #
        #ProxyPass "/" "http://127.0.0.1:8096/"
        #ProxyPassReverse "/" "http://127.0.0.1:8096/"
    </VirtualHost>