
Android app refuses to connect with secure SSL settings


runtimesandbox


runtimesandbox

Running emby server behind nginx. Works fine.

When tuning nginx to only offer secure ciphers, etc., the Android Emby app stops working when I enable the following:

 ssl_session_tickets off;

Any idea why?


anderbytes

I'm curious about this, too.


runtimesandbox

Don't have the issue with other android apps that use the proxy with that setting enabled


pir8radio


Do you have the ECDHE-RSA-AES128-SHA cipher in your nginx config? Maybe post your nginx config (remove domain names or whatever). Also, what version of nginx?


shorty1483


Cannot reproduce. For me everything's working. According to this https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124/5 you could try putting the ssl commands into the http block, in case you have more than one server block.

 

This is my Emby block:

server {
    listen 80;
    listen 443 ssl http2;
    server_name emby.domain.de;
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    ssl_certificate         cert/domain_ECDSA/certificate.crt;
    ssl_certificate_key     cert/domain_ECDSA/private.key;
    ssl_certificate         cert/domain_RSA/certificate.crt;
    ssl_certificate_key     cert/domain_RSA/private.key;

    ssl_stapling            on;
    ssl_stapling_verify     on;
    ssl_trusted_certificate cert/domain_ECDSA/ca_bundle.crt;
    resolver                8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout        5s;

    ssl_session_timeout     30m;
    ssl_session_cache       shared:SSL:10m;
    ssl_session_tickets     off;
    ssl_prefer_server_ciphers on;
    ssl_ecdh_curve          X25519:secp384r1:prime256v1:secp521r1;
    ssl_dhparam             cert/domain_RSA/dhparam2048.pem;
    ssl_protocols           TLSv1.2;
    ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header Content-Security-Policy "frame-ancestors bla.domain.de bla.domain.de bla.domain.de bla.domain.de bla.domain.de;";
    add_header Public-Key-Pins 'pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx"; pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; max-age=5184000; includeSubDomains';

    keepalive_timeout       180;

    client_max_body_size    1024m;

    ## Emby ##
    location / {
        # Send traffic to the backend
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        # X-Forwarded-Proto carries the original scheme (http/https), not the client address
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;

        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;

        access_log C:/nginx/logs/emby.log emby;
    }
}

runtimesandbox

I'm running nginx version 1.10.3 on Ubuntu 16.

 

My Emby block is:

server {
    listen 80;
    server_name *.mydomain.com;
    return 301 https://$server_name$request_uri;

    include geoblocker;
}

server {
    listen 443 http2;
    server_name mydomain.com;
    ssl on;
    ssl_certificate     /etc/ssl/mydomain.com/fullchain.cer;
    ssl_certificate_key /etc/ssl/mydomain.com/priv.key;

    ssl_prefer_server_ciphers on;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;

    ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
    ssl_ecdh_curve secp384r1;
    ssl_session_cache shared:SSL:10m;
#   ssl_session_tickets off;                # DISABLED - Android issues
    ssl_stapling on;
    ssl_stapling_verify on;

    ssl_trusted_certificate /etc/ssl/mydomain.com/fullchain.cer;
    resolver 8.8.8.8 8.8.4.4 valid=300s;
    resolver_timeout 10s;

    proxy_set_header X-Forwarded-For $remote_addr;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    include geoblocker;

    location / {
        proxy_pass              http://xx.xx.xx.xx:8096;
        proxy_set_header        Host            $host;
        proxy_set_header        X-Real-IP       $remote_addr;
        proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;

        # blocks blank user_agents
        if ($http_user_agent = "") { return 444; }

        if ($limit_bots = 1) {
            return 444;
        }
    }
}

Are you both running it on Windows?

Edit: I'm also finding that all browsers are being reported as Emby mobile and the dashboard does not live update. Have either of you experienced that?

After adding the websocket data forward from your config the dashboard is now live updating again, so thanks for that! Still having every client being reported as Emby mobile though.

Also, do either of you use the Kodi addon? I'm having really inconsistent playback with that.


shorty1483


Yep, Windows, but my Debian configs for other services are the same.

Nginx says (http://nginx.org/en/docs/http/ngx_http_ssl_module.html) about ssl on: "It is recommended to use the ssl parameter of the listen directive instead of this directive." Try that perhaps.


runtimesandbox

This is my config now. Any reason I get the IP address reported twice in the Emby dashboard?

e.g. IP address: 111.111.111.111, 111.111.111.111

    # (excerpt of the server block)
    proxy_set_header X-Forwarded-For $remote_addr;

    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";

    include geoblocker;

    location / {
        # proxy_set_header directives here replace (not extend) the server-level ones
        proxy_pass              http://10.0.0.16:8096;
        proxy_set_header        Host                 $host;
        proxy_set_header        X-Real-IP            $remote_addr;
        proxy_set_header        X-Forwarded-For      $proxy_add_x_forwarded_for;
        # X-Forwarded-Proto carries the original scheme (http/https), not the client address
        proxy_set_header        X-Forwarded-Proto    $scheme;
        proxy_set_header        X-Forwarded-Protocol $scheme;
        proxy_redirect          off;

        # Send websocket data to the backend as well
        proxy_http_version      1.1;
        proxy_set_header        Upgrade $http_upgrade;
        proxy_set_header        Connection "upgrade";
        proxy_read_timeout      86400;

        access_log /var/log/nginx/emby-access.log combined;

        # blocks blank user_agents
        if ($http_user_agent = "") { return 444; }

        if ($limit_bots = 1) {
            return 444;
        }
    }


pir8radio


What does your nginx emby-access.log say? Is Emby installed on the nginx PC? And are the IPs both the same and of the external user, or are they different? On my setup I see the first IP is the client IP, the second IP is what proxy handled the request. I do load balancing, so the second IP will change depending on what proxy server processed the traffic. The IP string comes from X-Forwarded-For.

 

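The header pir8radio describes is built hop by hop by nginx's $proxy_add_x_forwarded_for. The following is an added example, not code from this thread or from Emby: it simulates that appending across a constructed proxy chain and shows why a backend should only believe the entries its own trusted proxies appended, since anything further left (including a duplicated address) may have arrived from the client. The addresses and the TRUSTED_PROXIES ranges are constructed.

```python
from ipaddress import ip_address, ip_network

# Constructed for this example: ranges the backend treats as its own proxies.
TRUSTED_PROXIES = [ip_network("10.0.0.0/8"), ip_network("192.168.0.0/16")]


def proxy_add_x_forwarded_for(headers, remote_addr):
    """Mimic nginx's $proxy_add_x_forwarded_for: append $remote_addr to an
    incoming X-Forwarded-For, or use $remote_addr alone if none was sent."""
    existing = headers.get("X-Forwarded-For", "").strip()
    return f"{existing}, {remote_addr}" if existing else remote_addr


def hop(headers, remote_addr):
    """One nginx hop configured with
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;"""
    out = dict(headers)
    out["X-Forwarded-For"] = proxy_add_x_forwarded_for(headers, remote_addr)
    return out


def run_chain(client_headers, client_addr, proxy_addrs):
    """Push a request from client_addr through the proxies in order; each proxy
    sees the previous element as its $remote_addr. Returns the final headers
    and the $remote_addr the backend observes."""
    headers, remote = client_headers, client_addr
    for proxy in proxy_addrs:
        headers, remote = hop(headers, remote), proxy
    return headers, remote


def client_ip(xff, remote_addr):
    """Resolve the client address the way a backend should: walk the chain
    from the right and skip addresses of trusted proxies, because anything
    further left could have been written by the client itself."""
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [remote_addr]
    for h in reversed(hops):
        try:
            addr = ip_address(h)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not any(addr in net for net in TRUSTED_PROXIES):
            return h
    return hops[0]  # every hop was internal


if __name__ == "__main__":
    # Client 203.0.113.7 sends a forged header, then passes a front proxy and nginx.
    spoofed = {"X-Forwarded-For": "1.2.3.4"}
    hdrs, remote = run_chain(spoofed, "203.0.113.7", ["192.168.1.2", "10.0.0.5"])
    print(hdrs["X-Forwarded-For"], "->", client_ip(hdrs["X-Forwarded-For"], remote))
```

A doubled value such as the one reported above resolves to the same address either way; what matters is that the backend never trusts an entry left of the last hop it controls.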

runtimesandbox


The Emby access log reports just the one IP, the external IP of the remote client.

Nginx is on a different server from Emby.

Both the IPs are the same and are the external remote client.

It only started showing two after the last tweak of the nginx config.

 

Edit: screenshot (image not included)

 

Edit again: Does the websocket part of the config need the upstream websocket specified?

upstream websocket {
    server 192.168.100.10:8010;
}

https://www.nginx.com/blog/websocket-nginx/


pir8radio


I'm only about 95% sure on this, but you do not need that part, because you don't load balance to multiple backends (multiple upstream servers). Upstream websockets should get handled by proxy_pass. I do not use this in my config either; even though I load-balance, I load-balance on the front end, to a single Emby server.

