fc7 123 Posted December 20, 2016

Last night I updated both Emby and mono to versions 3.1.0 and 4.6.2.7. Since then I'm not able to access Emby from the internet, through an Apache reverse proxy, anymore. I can access the webclient without any issues within the LAN but if I try the same from the internet via the proxy I get this:

    0
    0
    HTTP/1.1 200 OK
    X-UA-Compatible: IE=Edge
    Access-Control-Allow-Headers: Content-Type, Authorization, Range, X-MediaBrowser-Token, X-Emby-Authorization
    Access-Control-Allow-Methods: GET, POST, PUT, DELETE, PATCH, OPTIONS
    Access-Control-Allow-Origin: *
    Vary: Accept-Encoding
    ETag: "4a131dd81c597e10d17c1a65ab8851f4"
    Cache-Control: public
    Content-Encoding: deflate
    Expires: -1
    Server: Mono-HTTPAPI/1.1, UPnP/1.0 DLNADOC/1.50
    Content-Type: text/html; charset=UTF-8
    Date: Tue, 20 Dec 2016 17:41:38 GMT
    Content-Length: 789

    [compressed response body, displayed as unreadable binary characters]

And that's all. Trying to refresh the page, it will keep loading forever. Before the upgrade I took a VM snapshot so I went ahead and rolled back and everything went back to normal. I will provide the server log as soon as possible. Thanks.

fc7 123 Author Posted December 20, 2016

Found a similar thread with the same behavior reported by other users: https://emby.media/community/index.php?/topic/42693-page-doesn%C2%B4t-reload-304-status-code/

Sorry if dup. I will still collect the data and share it as soon as possible.

Edited December 20, 2016 by fc7

fc7 123 Author Posted December 20, 2016

Quick update: after rolling back to the VM snapshot prior to the upgrade I went ahead and updated mono *only* from version 4.6.1.5 to 4.6.2.7. After the upgrade everything works fine locally and through the proxy so the problem seems to start when upgrading Emby from 3.0.8500 to 3.1.0. I will now go ahead and upgrade Emby too to collect the server logs and a browser trace.

fc7 123 Author Posted December 20, 2016

Attached the log and the network tab trace from Mozilla in HAR format. You can ignore the first request since that will be the proxy asking for credentials before passing on the requests to Emby.

Archive 16-12-20 20-25-55.har.zip
server-63617862009.txt

xenu 10 Posted December 22, 2016

I had not updated so far because of this issue. Today I finally decided to give it a try and possibly help debugging (read about the keepalive / chunked settings for apache in the other thread). I took a snapshot and updated to 3.1.1 and what can I say: It works without issue behind my DMZ nginx proxy. Was this fixed in 3.1.0 -> 3.1.1?

Just in case here is my nginx configuration:

    server {
        listen 80;
        server_name emby.mydomain.com;
        return 301 https://emby.mydomain.com$request_uri;
    }

    server {
        listen 443 ssl http2;
        server_name emby.mydomain.com;
        access_log /var/log/nginx/emby.mydomain.com.access.log;

        ssl on;
        ssl_certificate /etc/letsencrypt/live/emby.mydomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/emby.mydomain.com/privkey.pem;
        ssl_trusted_certificate /etc/letsencrypt/live/emby.mydomain.com/chain.pem;
        ssl_protocols TLSv1.2;
        ssl_dhparam /etc/nginx/ssl/dh4096.pem;
        ssl_prefer_server_ciphers on;
        ssl_ciphers EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH;
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        ssl_buffer_size 8k;
        ssl_session_timeout 10m;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;

        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;
        server_tokens off;
        charset utf-8;

        client_max_body_size 10G;
        client_body_buffer_size 10K;
        client_header_buffer_size 2k;
        large_client_header_buffers 2 2k;

        location ^~ /.well-known {
            allow all;
            auth_basic off;
            root /srv/letsencrypt;
            autoindex off;
            try_files $uri $uri/ =404;
        }

        location / {
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Server $host;
            proxy_pass_header Authorization;
            proxy_pass https://emby01.ipa.mydomain.com:8920;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_buffering off;
            client_max_body_size 0;
            proxy_read_timeout 36000s;
            proxy_redirect off;
            proxy_ssl_session_reuse off;
        }
    }

fc7 123 Author Posted December 22, 2016

Interesting. Maybe Nginx or your configuration would also have worked for 3.1.0. I will upgrade my server now and report back.

fc7 123 Author Posted December 22, 2016

Same same. Still not working with Apache at least. It looked like it worked but as soon as you try to connect again it fails. If you try to refresh several times it may end up loading, but go back to 3.0.8500 and it works perfectly.

biour 1 Posted December 22, 2016

For me it works fine with Apache (config file found in this forum) and the patch found here also.

    <IfModule mod_ssl.c>
    <VirtualHost *:80>
        ServerName emby
        UseCanonicalName On
        Redirect permanent /secure https://emby..com/
    </VirtualHost>

    <VirtualHost *:443>
        # ServerAdmin webmaster@localhost
        # DocumentRoot /var/www/html/

        # Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
        # error, crit, alert, emerg.
        # It is also possible to configure the loglevel for particular
        # modules, e.g.
        #LogLevel info ssl:warn

        # ErrorLog ${APACHE_LOG_DIR}/error.log
        # CustomLog ${APACHE_LOG_DIR}/access.log combined

        ServerName emby
        UseCanonicalName On

        <Proxy *>
            Order deny,allow
            Allow from all
        </Proxy>

        SetEnv proxy-nokeepalive 1
        SetEnv proxy-sendchunked 1

        SSLEngine On
        SSLProxyEngine On
        SSLHonorCipherOrder On
        SSLProxyVerify require
        SSLProxyCheckPeerName On
        SSLProxyCheckPeerExpire On
        SSLCompression off
        SSLProtocol +TLSv1.2 -TLSv1.1 -TLSv1
        SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AE$

        ProxyRequests Off
        ProxyPreserveHost On

        Header always set Strict-Transport-Security "max-age=63072000; includeSubDomains; preload"
        Header set Connection "Upgrade"
        RequestHeader setifempty Connection "Upgrade"
        Header set Upgrade "websocket"
        RequestHeader setifempty Upgrade "websocket"

        # Notice!!! Put me before http!!!
        ProxyPass /socket ws://localhost:8096/socket
        ProxyPassReverse /socket ws://localhost:8096/socket

        # Notice!!! Put me after ws!!!
        ProxyPass / http://localhost:8096/
        ProxyPassReverse / http://localhost:8096/

        ErrorLog ${APACHE_LOG_DIR}/emby-ssl-error.log
        CustomLog ${APACHE_LOG_DIR}/emby-ssl-access.log combined

        SSLCertificateFile /etc/letsencrypt/live-0002/fullchain.pem
        SSLCertificateKeyFile /etc/letsencrypt/live/-0002/privkey.pem
        Include /etc/letsencrypt/options-ssl-apache.conf
    </VirtualHost>

    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
    </IfModule>

Edited December 22, 2016 by biour

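Added example (not part of biour's post and not Emby or Apache project code): a small Python check for the two things this config relies on. It reports a ProxyPass rule that can never fire because an earlier, broader rule matches first (mod_proxy checks ProxyPass rules in configuration order and uses the first match), and it lists which of the two SetEnv workaround variables are still set. The sample configs are constructed from the directives above, and all function names are hypothetical.

```python
import re

# Constructed sample built from the proxy directives in the config above.
ORDERED = """
SetEnv proxy-nokeepalive 1
SetEnv proxy-sendchunked 1
# Notice!!! Put me before http!!!
ProxyPass /socket ws://localhost:8096/socket
ProxyPassReverse /socket ws://localhost:8096/socket
ProxyPass / http://localhost:8096/
ProxyPassReverse / http://localhost:8096/
"""
# Constructed sample: catch-all rule first, workaround lines removed.
SWAPPED = """
ProxyPass / http://localhost:8096/
ProxyPass /socket ws://localhost:8096/socket
"""

def proxy_rules(conf):
    """(path, backend) for each active ProxyPass line, in file order."""
    rules = []
    for line in conf.splitlines():
        m = re.match(r"\s*ProxyPass\s+(\S+)\s+(\S+)", line, re.IGNORECASE)
        if m:  # commented lines and ProxyPassReverse do not match
            rules.append((m.group(1), m.group(2)))
    return rules

def covers(prefix, path):
    """Approximation of mod_proxy prefix matching on whole path segments."""
    if prefix.endswith("/"):
        return path.startswith(prefix)
    return path == prefix or path.startswith(prefix + "/")

def shadowed_rules(conf):
    """Rules that never fire because an earlier rule already matches their path."""
    rules, hits = proxy_rules(conf), []
    for i, (path, backend) in enumerate(rules):
        earlier = next((p for p, _ in rules[:i] if covers(p, path)), None)
        if earlier is not None:
            hits.append((path, backend, earlier))
    return hits

def workaround_flags(conf):
    """Which of the thread's two SetEnv workaround variables are set to 1."""
    pat = r"(?im)^\s*SetEnv\s+(proxy-nokeepalive|proxy-sendchunked)\s+1\b"
    return sorted(set(re.findall(pat, conf)))

if __name__ == "__main__":
    for name, conf in (("ordered", ORDERED), ("swapped", SWAPPED)):
        print(name, shadowed_rules(conf), workaround_flags(conf))
```
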
fc7 123 Author Posted December 22, 2016

Thanks. I will compare the config and see if I can make it work.

Sent from my iPhone using Tapatalk

fc7 123 Author Posted December 22, 2016

By patch you mean this?

    SetEnv proxy-nokeepalive 1
    SetEnv proxy-sendchunked 1

dcrdev 253 Posted December 22, 2016

> Thanks. I will compare the config and see if I can make it work.
> Sent from my iPhone using Tapatalk

I believe he's implemented Http/2 on the frontend - that looks like the most significant difference.

biour 1 Posted December 22, 2016

> By patch you mean this?
> SetEnv proxy-nokeepalive 1
> SetEnv proxy-sendchunked 1

Yes (I forgot to indicate it, it was lunch time).

xenu 10 Posted December 22, 2016

> I believe he's implemented Http/2 on the frontend - that looks like the most significant difference.

Not sure if you are referencing my nginx configuration but my nginx/openssl doesn't actually serve http2 for current browsers as they require ALPN support (OpenSSL >= 1.0.2). My server runs CentOS 7.3 which only supports NPN (OpenSSL 1.0.1e) which is dropped from major browsers for establishing http2 connections. From what I have read only Ubuntu 16.04 ships with the required OpenSSL version.

Edit - Did some testing: Firefox still works with NPN - only developer edition 52.0a2 doesn't.

Edited December 22, 2016 by xenu

Luke 39631 Posted December 22, 2016

I am working on changes to try and rectify this so that the configuration isn't needed. Are other apps affected or is it just the web app? Thanks.

dcrdev 253 Posted December 22, 2016

> I am working on changes to try and rectify this so that the configuration isn't needed. Are other apps affected or is it just the web app? Thanks.

For me it's just the web app - theatre, kodi and iOS all appear fine.

fc7 123 Author Posted December 22, 2016

I'm only using the webclient when connecting from the Internet because I also have proxy basic auth in place.

Sent from my iPhone using Tapatalk

Luke 39631 Solution Posted December 24, 2016

We have a fix that will be in 3.1.2. Thank you all for your patience.

doonze 30 Posted December 28, 2016

Oh, I have an issue with this as well, I updated and it killed my reverse proxy in apache... Weird thing however is it was working at first, then stopped after I was identifying a video it hadn't auto identified correctly. Up till then all was normal....

Anyway, Luke, if I'm understanding you, the next version will have a fix for this? When is that rolling?

Thanks as always for this great product!!!! Just wish we had more products for 3rd party TVs and such!!!! I hate having to have Plex too for just my Smart TVs!!!

Edited December 28, 2016 by doonze

x-cimo 23 Posted December 28, 2016

I am using a nginx reverse proxy on Ubuntu 16.04. Are you guys seeing significant lag in seeking into a stream with the android app? Without the proxy inline, using the scrollbar to seek into a movie is superfast; with the proxy inline, it takes 30 sec or more, and sometimes it doesn't work at all.

POST emby/sessions/Playing/Progress is getting a mix of status 204 and 499; I think the 499 might be a problem.

nwcatalyst 4 Posted December 28, 2016

I had a fully functional setup with Apache reverse proxy that is totally broken now, not laggy, just zero connectivity. Looking fwd to the new version.

fc7 123 Author Posted December 28, 2016

3.1.2 is already available. I upgraded to it from 3.0.8500 and Emby is working again from the Internet through the Apache reverse proxy. Great work @Luke!

Sent from my iPhone using Tapatalk

nwcatalyst 4 Posted January 12, 2017

I am still not able to access my server via Android or iOS with the new server version: "Request denied for security". Works fine via web, used to work before 3.1 server. Currently on 3.1.2, latest beta Android and latest stable iOS versions.

UPDATE - Reinstalled Android webview and it works now... iOS worked using Emby Connect, but not connecting directly to server address.

Edited January 12, 2017 by nwcatalyst

Luke 39631 Posted January 12, 2017

It seems to be working for others here. Have you tried setting the proxy back to default settings?