Jump to content

Emby server with Apache reverse proxy


Guest plexman

Recommended Posts

Guest plexman

Continuing with this topic,

 

I want to share my current working Apache reverse proxy setup. Before Nginx users kill me, let me say that I prefer Apache because i'm used to it (I know Nginx is better in reverse proxy scenarios), I find it simpler, I have a Nextcloud server running in the same machine and here they recommend using Apache instead of Nginx, even if i'm not using it for an enterprise deployment.

 

At the moment, i'm having 0 issues with any App (Web, TV, Android, iOs, etc.), the chrome console is clean without any error when connecting through the Web App. My apache is redirecting all traffic including the websocket traffic. I use my server with a CNAME of my domain, so that's why I don't locate it in "/emby" location, I do it in "/". This is my apache .conf file for Emby reverse proxy (located at /etc/apache2/sites-available):

<IfModule mod_ssl.c>
<VirtualHost *:80>
        ServerName cname.domain.com
        ServerAdmin youremail@address.com

	RewriteEngine on
	RewriteCond %{SERVER_NAME} =cname.domain.com
	RewriteRule ^ https://%{SERVER_NAME}%{REQUEST_URI} [END,QSA,R=permanent]
</VirtualHost>

<VirtualHost *:443>
	ServerName cname.domain.com
	ServerAdmin youremail@address.com

	<proxy *>
	AddDefaultCharset off
	Order Allow,Deny
	Allow from all
	</proxy>

	ProxyRequests     Off
	ProxyPreserveHost On

	ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
	ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

	ProxyPass "/" "http://127.0.0.1:8096/"
	ProxyPassReverse "/" "http://127.0.0.1:8096/"

	SSLCertificateFile /etc/letsencrypt/live/cname.domain.com/fullchain.pem
	SSLCertificateKeyFile /etc/letsencrypt/live/cname.domain.com/privkey.pem
	Include /etc/letsencrypt/options-ssl-apache.conf
</VirtualHost>
</IfModule>

As you can see I'm using Let's Encrypt certificates. As @@curtisghanson said here, I also have an "A" in Qualy SSL Labs:

 

5807bd3cdd82e_embysllabs.png

 

Well I was scared of the performance but It's true that the maximum concurrent users I have are around 5-20, it's little. This is the server usage when 7 users are connected playing content at the same time (all my content is Direct Played):

 

5807bcb0b10f1_usoemby.png

5807bcdc7cbdc_usoemby2.png

 

And that's all, hope you liked it and find it useful! Any improvement to the Apache conf file is welcome.

 

Edit: Forgot to say thanks to @@fc7 who was the man that did all this possible ;) .

Edited by plexman
Link to comment
Share on other sites

Guest petwri

@plexman is this the content of apache.conf, or the configuration for a new site, lets say emby.conf? I am pretty new to apache2 and have the same situation like you with nextcloud, apache2 and emby on one machine. Thanks!

Edited by petwri
Link to comment
Share on other sites

Guest plexman

@plexman is this the content of apache.conf, or the configuration for a new site, lets say emby.conf? I am pretty new to apache2 and have the same situation like you with nextcloud, apache2 and emby on one machine. Thanks!

 

This is the conf for the site (virtualhost). I name it in my server /etc/apache2/sites-available/emby-proxy.conf. I've edited the post to be more precise.

Edited by plexman
Link to comment
Share on other sites

Guest petwri

This is the conf for the site (virtualhost). I name it in my server /etc/apache2/sites-available/emby-proxy.conf. I've edited the post to be more precise.

 

Thank you, will give it a try.

Link to comment
Share on other sites

Guest petwri

So I got it to work like charm, http://my.host.net/emby gets redirected to my emby server at localhost:8096. The only issue I still have is that I can't connect from the emby android app. I can connect to the server, but the app keeps complaining about a wrong password when I want to login to the server, although the password is definitely correct. Works fine when going to app.emby.media on any browser. Just the ones on android are failing. Here's my emby.conf

<VirtualHost *:80>
   ServerName my.host.net
   Redirect permanent / https://my.host.net/
</VirtualHost>

<IfModule mod_ssl.c>
<VirtualHost *:443>
	ServerName my.host.net

	<proxy *>
	AddDefaultCharset off
	Order Allow,Deny
	Allow from all
	</proxy>

	ProxyRequests     Off
	ProxyPreserveHost On

	RewriteEngine on 
	RewriteRule ^/emby$ /emby/ [R]

	<Location /emby>
    		ProxyPass        http://localhost:8096
    		ProxyPassReverse http://localhost:8096
	</Location>

	<Location /emby/emby>
    		ProxyPass        ws://localhost:8096/emby
    		ProxyPassReverse ws://localhost:8096/emby
	</Location>

	SSLEngine On
        SSLCertificateFile "/path/to/cert"
        SSLCertificateKeyFile "/path/to/key"
</VirtualHost>
</IfModule>
Link to comment
Share on other sites

Guest plexman

Compare with the first post please. The websocket part is wrong and is not in the right place. It should be before the http part. Don't use the location directive, use the proxypass as is shown in my post.

Link to comment
Share on other sites

It could also be that certain http headers are getting dropped which is leading to an authentication failure.

Link to comment
Share on other sites

Guest petwri

It worjs fine on app.emby.media through my desktop browser. @@plexman your setup has emby at "/". Is there any working setup that has nextcloud at root and emby at /emby with the same domain?

Link to comment
Share on other sites

Guest petwri

Ok, i created a new subdomain emby.nameofmyserver.net to access emby, used the config posted here, and android app works very fast and nicely. Only problem: sync isn't doing anything. Will post logs asap.

Link to comment
Share on other sites

Guest petwri

Ok, forget my last post, the sync issue doesn't seem to be in any way related with the apache-setup, it's something with my permissions on the sdcard. Proxy access works perfectly fine!

Link to comment
Share on other sites

  • 2 months later...

Thanks, this was very helpful. I think after adding the websocket part, my Kodi now at least updates at startup. I am not quite sure if that worked before because I do not restart Kodi that often on my mediacenter. Unfortunately, stuff still doesn't seem to be added automatically during normal run, I still have to run Manual Sync from the setting. Kann anybod spot an issue in my config below? (I do not run anything on port 80, this si my full config):

<VirtualHost *:443>
    ServerAdmin webmaster@example.org
    ServerName emby.example.org

    <proxy *>
        AddDefaultCharset off
        Order Allow,Deny
        Allow from all
    </proxy>

    ProxyPreserveHost On
    ProxyRequests Off

    ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
    ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"

    ProxyPass "/" "http://127.0.0.1:8096/"
    ProxyPassReverse "/" "http://127.0.0.1:8096/"

    ErrorLog ${APACHE_LOG_DIR}/error.log
    # Possible values include: debug, info, notice, warn, error, crit, alert, emerg.
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/ssl_access.log combined
    #   GnuTLS Switch: Enable/Disable SSL/TLS for this virtual host.

    SSLEngine on
    Header always set Strict-Transport-Security "max-age=15552000; includeSubDomains"
    SSLCertificateFile    /etc/letsencrypt/live/emby.example.org/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/emby.example.org/privkey.pem

    SSLProtocol All -SSLv2 -SSLv3
    SSLHonorCipherOrder on
    SSLCipherSuite "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !RC4 !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS"
</VirtualHost>

proxy_wstunnel is enabled and apache restarted.

I haven't really fund how to debug this yet, as I don't get error messages anywhere.

 

I do not have "/etc/letsencrypt/options-ssl-apache.conf", BTW, though it seems superhandy if that would be a safe config maintained by letsencrypt. Or is that just a file from you?

Edited by elcaron
Link to comment
Share on other sites

Guest plexman

The file options-ssl-apache is created by the certbot package which installs the let's encrypt certificate. This is the content of the file:

# Baseline setting to Include for SSL sites

SSLEngine on

# Intermediate configuration, tweak to your needs
SSLProtocol             all -SSLv2 -SSLv3
SSLCipherSuite          ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA
SSLHonorCipherOrder     on
SSLCompression          off

SSLOptions +StrictRequire

# Add vhost name to log entries:
LogFormat "%h %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-agent}i\"" vhost_combined
LogFormat "%v %h %l %u %t \"%r\" %>s %b" vhost_common

#CustomLog /var/log/apache2/access.log vhost_combined
#LogLevel warn
#ErrorLog /var/log/apache2/error.log

# Always ensure Cookies have "Secure" set (JAH 2012/1)
#Header edit Set-Cookie (?i)^(.*)(;\s*secure)??((\s*?(.*)) "$1; Secure$3$4"

Link to comment
Share on other sites

Good to know, thanks. Anything spotted on the Apache config? Or hints where errors should pop up? There are e.g. no entries of "ws:" in the kodi.log. Since what is going on is not an event I trigger, I don't really know what (and when) to look for in the kodi log.

Edited by elcaron
Link to comment
Share on other sites

  • 2 weeks later...
nwcatalyst

I had this working, now new install on debian 8 server and cannot get it stable again... 

What apache mods must be enabled? 

Is it necessary to have nextcloud and emby vhosts as separate configs? I had them all in one file using different ports and it was working fine... 

Thanks

Link to comment
Share on other sites

  • 4 weeks later...
godfuture

It worjs fine on app.emby.media through my desktop browser. @@plexman your setup has emby at "/". Is there any working setup that has nextcloud at root and emby at /emby with the same domain?

I have exactly the same question. I have NC on my root and want to hide emby behind a reverseproxy, because letsencrypt does not automatically create pfx certs on renewal. But when I apply @@plexman settings, I end up in "page not found" error and "https://myserverdomain/emby"replaced by "https://myserverdomain/web/index.html".

 

Is the subdomain the only solution for that or can I work that out with ProxyPass itself?

Link to comment
Share on other sites

Guest plexman

I have exactly the same question. I have NC on my root and want to hide emby behind a reverseproxy, because letsencrypt does not automatically create pfx certs on renewal. But when I apply @@plexman settings, I end up in "page not found" error and "https://myserverdomain/emby"replaced by "https://myserverdomain/web/index.html".

 

Is the subdomain the only solution for that or can I work that out with ProxyPass itself?

I can't really tell you a solution but check your Rewrite rules in the vhost.conf. Maybe it has some impact on it.
Link to comment
Share on other sites

  • 4 weeks later...
Animosity022

I think I'm missing something easy.

 

I had no problem setting up the reverse proxy and I just used a CNAME to reverse back to the root dir.

 

I'm assuming my goal with the reverse proxy is to have the dashboard show:

 

"https://blah.domain.com:443"as my Remote WAN Address so I can just use 443 as opposed to 8920 or some other port.

 

If I got into my Dashboard->Advanced and I change the port to 443 and leave my cert in there I created, that seems to make the dashboard show properly.

 

If I remove the Custom Certificate Path, it goes back to the "http" remote WAN port. I'm assuming I can just leave the cert as is since it is using the Apache SSL cert anyway via the remote proxy.

 

Am I missing something silly or is that all the proper way to configure Emby? 

Link to comment
Share on other sites

  • 2 weeks later...

I have the same setup with apache for ssl offloading and letsencrypt certs. The only thing that is not working is playing videos in the android app. The desktop webapp is working fine. The posted configurations use different pathes for the websocket streaming. How do i figure out which one is correct? emby or embywebsocket ?

 

Anyway - this is my config - any help is appreciated:

	<VirtualHost x.x.x.x:443>
		ServerName "emby.xxx.xxx"

		ErrorLog /var/log/apache2/media-error.log
		CustomLog /var/log/apache2/media-custom.log combined
		SSLEngine on
		SSLCertificateFile /etc/letsencrypt/live/emby.xxx.xxx/fullchain.pem
		SSLCertificateKeyFile /etc/letsencrypt/live/emby.xxx.xxx/privkey.pem
		ProxyRequests Off
		ProxyPreserveHost On

		ProxyPass "/embywebsocket" "ws://127.0.0.1:18096/embywebsocket"
		ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:18096/embywebsocket"

		ProxyPass "/emby" "ws://127.0.0.1:18096/emby"
		ProxyPassReverse "/emby" "ws://127.0.0.1:18096/emby"

		ProxyPass "/" "http://127.0.0.1:18096/"
		ProxyPassReverse "/" "http://127.0.0.1:18096/"

	</VirtualHost>
Edited by mbo
Link to comment
Share on other sites

Animosity022

If you setup a separate site, you don't need any extra base URL as it all works on the server name.

 

My entire config that works.

ServerName emby.blah.us
ExtendedStatus On

<VirtualHost *:443>
ServerName emby.blah.us
DocumentRoot /var/www/emby.blah.us
ProxyTimeout 1200

CustomLog /var/log/apache2/emby-access.log combined
ErrorLog /var/log/apache2/emby-error.log

SSLEngine on
SSLCertificateFile /etc/letsencrypt/live/ombi.blah.us/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/ombi.blah.us/privkey.pem

#<proxy *>
#AddDefaultCharset off
#Order Allow,Deny
#Allow from all
#</proxy>
#
#ProxyRequests     Off
#ProxyPreserveHost On
#
#ProxyPass "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
#ProxyPassReverse "/embywebsocket" "ws://127.0.0.1:8096/embywebsocket"
#
#ProxyPass "/" "http://127.0.0.1:8096/"
#ProxyPassReverse "/" "http://127.0.0.1:8096/"

</VirtualHost>
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...