runtimesandbox (thread author, April 28, 2017):

Running Emby server behind nginx. Works fine. When tuning nginx to only offer secure ciphers, etc., the Android Emby app stops working when I enable the following:

    ssl_session_tickets off;

Any idea why?
anderbytes (April 28, 2017):

I'm curious about this, too.
runtimesandbox (thread author, April 28, 2017):

I don't have the issue with other Android apps that use the proxy with that setting enabled.
pir8radio (April 29, 2017, edited):

Quoting runtimesandbox: "Running Emby server behind nginx. Works fine. When tuning nginx to only offer secure ciphers, etc., the Android Emby app stops working when I enable the following: ssl_session_tickets off; Any idea why?"

Do you have the ECDHE-RSA-AES128-SHA cipher in your nginx config? Maybe post your nginx config (remove domain names or whatever). Also, what version of nginx?
shorty1483 (April 29, 2017, edited):

Quoting runtimesandbox: "Running Emby server behind nginx. Works fine. When tuning nginx to only offer secure ciphers, etc., the Android Emby app stops working when I enable the following: ssl_session_tickets off; Any idea why?"

Cannot reproduce. For me everything's working. According to this (https://community.letsencrypt.org/t/errors-from-browsers-with-ssl-session-tickets-off-nginx/18124/5) you could try to put the ssl commands into the http block in case you have more than one server block. This is my Emby block:

    server {
        listen 80;
        listen 443 ssl http2;
        server_name emby.domain.de;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        # Dual certificate setup: ECDSA and RSA
        ssl_certificate cert/domain_ECDSA/certificate.crt;
        ssl_certificate_key cert/domain_ECDSA/private.key;
        ssl_certificate cert/domain_RSA/certificate.crt;
        ssl_certificate_key cert/domain_RSA/private.key;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate cert/domain_ECDSA/ca_bundle.crt;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 5s;
        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        ssl_session_tickets off;
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve X25519:secp384r1:prime256v1:secp521r1;
        ssl_dhparam cert/domain_RSA/dhparam2048.pem;
        ssl_protocols TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256;

        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Content-Security-Policy "frame-ancestors bla.domain.de bla.domain.de bla.domain.de bla.domain.de bla.domain.de;";
        add_header Public-Key-Pins 'pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXx"; pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; pin-sha256="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX"; max-age=5184000; includeSubDomains';

        keepalive_timeout 180;
        client_max_body_size 1024m;

        ## Emby ##
        location / {
            # Send traffic to the backend
            proxy_pass http://127.0.0.1:8096;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            # X-Forwarded-Proto carries the scheme (http/https), not an address
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Send websocket data to the backend as well
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_read_timeout 86400;
            access_log C:/nginx/logs/emby.log emby;
        }
    }
runtimesandbox (thread author, April 29, 2017, edited by spudy12):

I'm running nginx version 1.10.3 on Ubuntu 16. My Emby block is:

    server {
        listen 80;
        server_name *.mydomain.com;
        return 301 https://$server_name$request_uri;
        include geoblocker;
    }

    server {
        listen 443 http2;
        server_name mydomain.com;
        ssl on;
        ssl_certificate /etc/ssl/mydomain.com/fullchain.cer;
        ssl_certificate_key /etc/ssl/mydomain.com/priv.key;
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_ecdh_curve secp384r1;
        ssl_session_cache shared:SSL:10m;
        # ssl_session_tickets off;  # DISABLED - Android issues
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/ssl/mydomain.com/fullchain.cer;
        resolver 8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout 10s;
        proxy_set_header X-Forwarded-For $remote_addr;
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        include geoblocker;

        location / {
            proxy_pass http://xx.xx.xx.xx:8096;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Block blank user agents
            if ($http_user_agent = "") {
                return 444;
            }
            if ($limit_bots = 1) {
                return 444;
            }
        }
    }

Are you both running it on Windows?

Edit: I'm also finding that all browsers are being reported as Emby mobile and the dashboard does not live update. Have either of you experienced that? After adding the websocket data forward from your config the dashboard is now live updating again, so thanks for that! Still having every client being reported as Emby mobile though. Also, do either of you use the Kodi addon? I'm having really inconsistent playback with that.
shorty1483 (April 29, 2017):

Quoting runtimesandbox's post above.

Yep, Windows, but my Debian configs for other services are the same. nginx says (http://nginx.org/en/docs/http/ngx_http_ssl_module.html): "It is recommended to use the ssl parameter of the listen directive instead of this directive." Try that perhaps.
runtimesandbox (thread author, April 30, 2017):

This is my config now. Any reason I get the IP address reported twice in the Emby dashboard, e.g. "ip address: 111.111.111.111, 111.111.111.111"?

    proxy_set_header X-Forwarded-For $remote_addr;
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
    include geoblocker;

    location / {
        proxy_pass http://10.0.0.16:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # X-Forwarded-Proto carries the scheme (http/https), not an address
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;
        # Send websocket data to the backend as well
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;
        access_log /var/log/nginx/emby-access.log combined;
        # Block blank user agents
        if ($http_user_agent = "") {
            return 444;
        }
        if ($limit_bots = 1) {
            return 444;
        }
    }
pir8radio (April 30, 2017, edited):

Quoting runtimesandbox's post above.

What does your nginx emby-access.log say? Is Emby installed on the nginx PC? And are the IPs both the same and of the external user, or are they different? On my setup I see the first IP is the client IP; the second IP is which proxy handled the request. I do load balancing, so the second IP will change depending on which proxy server processed the traffic. The IP string comes from X-Forwarded-For.
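Added example (not from the thread or from Emby/nginx): a small Python model of how nginx's $proxy_add_x_forwarded_for builds the X-Forwarded-For chain pir8radio describes, and how an origin behind the proxy should read the client IP from that chain: walk it from the right and skip trusted proxy networks, so a header supplied by the client cannot spoof the address. The addresses and the trusted-proxy list are constructed.

```python
"""Model of the X-Forwarded-For chain between a client, nginx and an origin.

Added example; the addresses and trusted networks below are constructed.
"""
import ipaddress
from typing import Iterable, List, Optional


def proxy_add_x_forwarded_for(incoming_xff: Optional[str], remote_addr: str) -> str:
    """Mimic nginx's $proxy_add_x_forwarded_for.

    nginx appends the TCP peer address ($remote_addr) to whatever
    X-Forwarded-For the request already carried, or starts a new header.
    The incoming value is untrusted: the client can put anything there.
    """
    if incoming_xff:
        return f"{incoming_xff}, {remote_addr}"
    return remote_addr


def split_xff(xff: str) -> List[str]:
    """Split a comma-separated header into its non-empty hops."""
    return [hop.strip() for hop in xff.split(",") if hop.strip()]


def client_ip_from_xff(xff: str, trusted_proxies: Iterable[str]) -> Optional[str]:
    """Pick the client address: rightmost hop not inside a trusted proxy network.

    Every hop left of the rightmost untrusted one was written by someone we
    do not control, so it is ignored. Returns None for an empty chain or
    when a hop is not an IP address, rather than guessing.
    """
    nets = [ipaddress.ip_network(n, strict=False) for n in trusted_proxies]
    for hop in reversed(split_xff(xff)):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # garbage in the chain: refuse to trust any of it
        if not any(addr in net for net in nets):
            return str(addr)
    return None


if __name__ == "__main__":
    # Constructed scenario: a client at 203.0.113.7 sends a forged header
    # claiming to be 10.0.0.1; nginx appends the real peer address.
    forged = proxy_add_x_forwarded_for("10.0.0.1", "203.0.113.7")
    print(forged)                                   # 10.0.0.1, 203.0.113.7
    print(client_ip_from_xff(forged, ["192.0.2.0/24"]))  # 203.0.113.7, not the forged hop
```

Taking the leftmost entry instead, as many applications do, would report the forged 10.0.0.1 as the client.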
runtimesandbox (thread author, April 30, 2017, edited by spudy12):

Quoting pir8radio's post above.

Emby access log reports just the one IP, the external IP of the remote client. nginx is on a different server to Emby. Both the IPs are the same and are the external remote client. Only started showing two after the last tweak of the nginx config.

Edit: screenshot.

Edit again: Does the websocket part of the config need the upstream websocket specified?

    upstream websocket {
        server 192.168.100.10:8010;
    }

https://www.nginx.com/blog/websocket-nginx/
pir8radio (April 30, 2017, edited):

Quoting runtimesandbox: "Edit again: Does the websocket part of the config need the upstream websocket specified? upstream websocket { server 192.168.100.10:8010; } https://www.nginx.com/blog/websocket-nginx/"

I'm only about 95% sure on this, but you do not need that part because you don't load balance to multiple backends (multiple upstream servers). Upstream websockets should get handled by proxy_pass. I do not use this in my config either; even though I load-balance, I load-balance on the front end, to a single Emby server.