
Emby not working behind a reverse proxy after updating to 3.1.0


fc7
Go to solution Solved by Luke,


Last night I updated both Emby and mono to versions 3.1.0 and 4.6.2.7.

Since then I'm not able to access Emby from the internet, through an Apache reverse proxy, anymore.

I can access the webclient without any issues within the LAN but if I try the same from the internet via the proxy I get this:

0 0
HTTP/1.1 200 OK
X-UA-Compatible: IE=Edge
Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
Access-Control-Allow-Origin: *
Vary: Accept-Encoding
ETag: "4a131dd81c597e10d17c1a65ab8851f4"
Cache-Control: public
Content-Encoding: deflate
Expires: -1
Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
Content-Type: text/html; charset=UTF-8
Date: Tue, 20 Dec 2016 17:41:38 GMT
Content-Length: 789
[compressed response body, displayed as unreadable characters]

And that's all.

Trying to refresh the page, it will keep loading forever.

 

Before the upgrade I took a VM snapshot so I went ahead and rolled back and everything went back to normal.

I will provide the server log as soon as possible.

 

Thanks.

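Added example (not from the thread): the dump in the first post is a complete HTTP response, status line and headers included, rendered as page content. This Python sketch locates such an embedded response in a saved body and inflates its deflate payload to show that the unreadable part is just the compressed page. The function names and the sample bytes, including how the leading `0 0` is framed, are assumptions constructed for illustration.

```python
import re
import zlib

# An HTTP/1.x status line appearing anywhere inside a response body.
STATUS_RE = re.compile(rb"HTTP/1\.[01] (\d{3})[^\r\n]*\r?\n")
BLANK_RE = re.compile(rb"\r?\n\r?\n")


def find_embedded_response(body: bytes):
    """Return (offset, status, headers, payload) for the first HTTP response
    found inside body, or None when the body holds no status line."""
    m = STATUS_RE.search(body)
    if m is None:
        return None
    # The header block ends at the first blank line after the status line.
    sep = BLANK_RE.search(body, m.end() - 1)
    head_end, payload_start = (sep.start(), sep.end()) if sep else (len(body),) * 2
    headers = {}
    for line in body[m.end():head_end].splitlines():
        name, _, value = line.partition(b":")
        headers[name.strip().lower().decode("latin-1")] = value.strip().decode("latin-1")
    return m.start(), int(m.group(1)), headers, body[payload_start:]


def inflate(payload: bytes) -> bytes:
    """Decode a 'deflate' body: servers send zlib-wrapped or raw DEFLATE."""
    for wbits in (zlib.MAX_WBITS, -zlib.MAX_WBITS):
        try:
            return zlib.decompressobj(wbits).decompress(payload)
        except zlib.error:
            continue
    raise ValueError("payload is not deflate data")


def diagnose(body: bytes):
    """Describe a response embedded in body, decoding its payload if possible."""
    found = find_embedded_response(body)
    if found is None:
        return None
    offset, status, headers, payload = found
    if headers.get("content-encoding", "").lower() == "deflate":
        payload = inflate(payload)
    return {"offset": offset, "status": status, "headers": headers, "decoded": payload}


# Constructed sample (not the bytes from the post): two "0" lines, then a full
# response whose body is deflate-compressed HTML.
PAGE = b"<!DOCTYPE html><title>Emby</title>"
SAMPLE = (b"0\r\n\r\n0\r\n\r\nHTTP/1.1 200 OK\r\n"
          b"Content-Encoding: deflate\r\n"
          b"Content-Type: text/html; charset=UTF-8\r\n\r\n" + zlib.compress(PAGE))

if __name__ == "__main__":
    print(diagnose(SAMPLE))
```

A non-None result on a body captured through the proxy, with None for the same URL fetched directly on the LAN, places the framing problem between the proxy and the backend.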

Quick update: after rolling back to the VM snapshot prior to the upgrade I went ahead and updated mono *only* from version 4.6.1.5 to 4.6.2.7. After the upgrade everything works fine locally and through the proxy so the problem seems to start when upgrading Emby from 3.0.8500 to 3.1.0. :(

 

I will now go ahead and upgrade Emby too to collect the server logs and a browser trace.


I had not updated so far because of this issue.

Today I finally decided to give it a try and possibly help debugging (read about the keepalive / chunked settings for apache in the other thread). I took a snapshot and updated to 3.1.1

and what can I say: It works without issue behind my DMZ nginx proxy. Was this fixed in 3.1.0 -> 3.1.1 ?

Just in case here is my nginx configuration:

server {
        listen                          80;
        server_name                     emby.mydomain.com;
        return                          301  https://emby.mydomain.com$request_uri;
}

server {
        listen                          443 ssl http2;
        server_name                     emby.mydomain.com;

        access_log                      /var/log/nginx/emby.mydomain.com.access.log;

        ssl                             on;
        ssl_certificate                 /etc/letsencrypt/live/emby.mydomain.com/fullchain.pem;
        ssl_certificate_key             /etc/letsencrypt/live/emby.mydomain.com/privkey.pem;
        ssl_trusted_certificate         /etc/letsencrypt/live/emby.mydomain.com/chain.pem;
        ssl_protocols                   TLSv1.2;
        ssl_dhparam                     /etc/nginx/ssl/dh4096.pem;
        ssl_prefer_server_ciphers       on;
        ssl_ciphers                     EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_ecdh_curve                  secp384r1;
        ssl_session_cache               shared:SSL:10m;
        ssl_buffer_size                 8k;
        ssl_session_timeout             10m;
        ssl_session_tickets             off;
        ssl_stapling                    on;
        ssl_stapling_verify             on;
        resolver                        8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout                10s;

        server_tokens                   off;
        charset                         utf-8;

        client_max_body_size            10G;
        client_body_buffer_size         10K;
        client_header_buffer_size       2k;
        large_client_header_buffers     2 2k;


        location ^~ /.well-known {
                allow                   all;
                auth_basic              off;
                root                    /srv/letsencrypt;
                autoindex               off;
                try_files $uri $uri/ =404;
        }

        location / {
                proxy_http_version      1.1;
                proxy_set_header        Upgrade    $http_upgrade;
                proxy_set_header        Connection "upgrade";
                proxy_set_header        X-Forwarded-Server $host;
                proxy_pass_header       Authorization;
                proxy_pass              https://emby01.ipa.mydomain.com:8920;
                proxy_set_header        Host $host;
                proxy_set_header        X-Real-IP $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_buffering         off;
                client_max_body_size    0;
                proxy_read_timeout      36000s;
                proxy_redirect          off;
                proxy_ssl_session_reuse off;
        }
}

Interesting.

 

Maybe Nginx or your configuration would also have worked for 3.1.0.

 

I will upgrade my server now and report back.


Same same. Still not working with Apache at least.

It looked like it worked but as soon as you try to connect again it fails.

If you try to refresh several times it may end up loading but going back to 3.0.8500 and it works perfectly.


For me it works fine with Apache (config file found in this forum) and the patch found here also


<IfModule mod_ssl.c>
<VirtualHost *:80>
ServerName emby

UseCanonicalName On
Redirect         permanent /secure https://emby..com/

</VirtualHost>

<VirtualHost *:443>
        # ServerAdmin webmaster@localhost
        # DocumentRoot /var/www/html/



        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        # ErrorLog ${APACHE_LOG_DIR}/error.log
        # CustomLog ${APACHE_LOG_DIR}/access.log combined
        ServerName emby

        UseCanonicalName On


    <Proxy *>
        Order deny,allow
        Allow from all
    </Proxy>
SetEnv proxy-nokeepalive 1
SetEnv proxy-sendchunked 1

    SSLEngine               On
    SSLProxyEngine          On
    SSLHonorCipherOrder     On
    SSLProxyVerify          require
    SSLProxyCheckPeerName   On
    SSLProxyCheckPeerExpire On
    SSLCompression off
    SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
    SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE$


    ProxyRequests     Off
    ProxyPreserveHost On
    Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
    Header        set        Connection "Upgrade"
    RequestHeader setifempty Connection "Upgrade"
    Header        set        Upgrade "websocket"
    RequestHeader setifempty Upgrade "websocket"

    # Notice!!! Put me before http!!!
    ProxyPass        /socket ws://localhost:8096/socket
    ProxyPassReverse /socket ws://localhost:8096/socket

    # Notice!!! Put me after ws!!!
    ProxyPass        / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/


    ErrorLog  ${APACHE_LOG_DIR}/emby-ssl-error.log
    CustomLog ${APACHE_LOG_DIR}/emby-ssl-access.log combined


SSLCertificateFile /etc/letsencrypt/live-0002/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/-0002/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf


</VirtualHost>

# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
</IfModule>

 
Edited by biour

Thanks. I will compare the config and see if I can make it work.

 

 

By patch you mean this?

 

SetEnv proxy-nokeepalive 1

SetEnv proxy-sendchunked 1

dcrdev

I believe he's implemented Http/2 on the frontend - that looks like the most significant difference.

Not sure if you are referencing my nginx configuration but my nginx/openssl doesn't actually serve http2 for current browsers as they require ALPN support (OpenSSL >= 1.0.2).

My server runs CentOS 7.3 which only supports NPN (OpenSSL 1.0.1e) which is dropped from major browsers for establishing http2 connections.

From what I have read only Ubuntu 16.04 ships with the required OpenSSL version.

 

Edit - Did some testing: Firefox still works with NPN - only developer edition 52.0a2 doesn't.

Edited by xenu

I am working on changes to try and rectify this so that the configuration isn't needed. Are other apps affected or is it just the web app? Thanks.


dcrdev

For me it's just the web app - theatre, kodi and iOS all appear fine. 


I'm only using the webclient when connecting from the Internet because I also have proxy basic auth in place. :)

 

 


Oh, I have an issue with this as well, I updated and it killed my reverse proxy in apache...

 

Weird thing however is it was working at first, then stopped after I was identifying a video it hadn't auto identified correctly. Up till then all was normal....

 

Anyway, Luke, if I'm understanding you, the next version will have a fix for this? When is that rolling? 

 

Thanks as always for this great product!!!! Just wish we had more products for 3rd party TV's and such!!!! I hate having to have Plex too for just my Smart TV's!!! ;)

Edited by doonze

I am using a nginx reverse proxy on Ubuntu 16.04.

 

Are you guys seeing significant lag in seeking into a stream with the android app?

 

Without the proxy inline, using the scrollbar to seek into a movie is superfast, with the proxy inline, it takes 30 sec or more, and sometime it doesn't work at all.

 

POST emby/sessions/Playing/Progress is getting a mix of status 204 and 499; I think the 499 might be a problem.


nwcatalyst

I had a fully functional setup with Apache reverse proxy that is totally broken now, not laggy, just zero connectivity. Looking fwd to the new version.


3.1.2 is already available. I upgraded to it from 3.0.8500 and Emby is working again from the Internet through the Apache reverse proxy. Great work @Luke!

 

 


  • 2 weeks later...
nwcatalyst

I am still not able to access my server via Android or iOS with the new server version "Request denied for security". Works fine via web, used to work before 3.1 server. Currently on 3.1.2, latest beta Android and latest stable iOS versions.

UPDATE - Reinstalled Android webview and it works now... iOS worked using Emby Connect, but not connecting directly to server address.

Edited by nwcatalyst