Make Emby behind reverse proxy require password


Chorca

Is there any way to make Emby require a password for login when it's sitting behind an nginx proxy?

I have the recommended config as far as I can tell, and accessing Emby from my web address just shows a list of users, clicking on any user instantly signs in as that user, no password required at all. The users are all generated on emby.media and linked into the server.

The authentication attempts seem to show an external IP as where the user was authenticated to, so it seems to believe the users are external, but just doesn't ask for any sort of login for any user.

 

Here's the nginx config:

listen 443 ssl;

        server_name emby.domain.com;

        access_log /var/log/nginx/emby_access.log;
        error_log /var/log/nginx/emby_error.log;

        ssl on;
        location / {
                proxy_pass http://192.168.1.120:8096;
                proxy_connect_timeout       300;
                proxy_send_timeout          300;
                proxy_read_timeout          300;
                send_timeout                300;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Forwarded-Proto       $remote_addr;
                proxy_set_header        X-Forwarded-Protocol    $scheme;

Checking the logs, Emby sends a list of users to the client's /users/public request, and accepts a passwordless authenticatebyname request from the client as well, even though the client is outside the network and has not authenticated at all.

 

Wondering if this is an nginx configuration issue, or if there's something I can change that will prevent it from accepting users with no authentication?

pir8radio

What does the whole nginx config look like? Is nginx on a different PC than Emby?

After you made nginx config changes, you restarted nginx, correct? (Just asking, it's easy to forget.)

Chorca

Here's the section of the nginx config, there are other sections but they are for other subdomains. There isn't any other special config in the file I'm using. Nginx is handling SSL termination as well.

# Emby

server {
        listen 443 ssl;

        server_name emby.domain.com;

        access_log /var/log/nginx/emby_access.log;
        error_log /var/log/nginx/emby_error.log;

        ssl on;
        location / {
                proxy_pass http://192.168.1.120:8096;
                proxy_connect_timeout       300;
                proxy_send_timeout          300;
                proxy_read_timeout          300;
                send_timeout                300;
                proxy_set_header        X-Real-IP       $remote_addr;
                proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
                proxy_set_header        Host            $host;
                proxy_set_header        X-Forwarded-Proto       $remote_addr;
                proxy_set_header        X-Forwarded-Protocol    $scheme;
                #proxy_redirect off
        }
}


server {
        listen          80;
        server_name     emby.domain.com;
        return          301 https://$server_name$request_uri;
}

The nginx server operates on a different server than the Emby service.

pir8radio

How about a few access lines from the emby_access.log?

Chorca
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET / HTTP/1.1" 302 5 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET /web/index.html HTTP/1.1" 304 0 "-" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET /web/css/site.css?v=3.2.13.12 HTTP/1.1" 200 1459 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET /web/css/librarymenu.css?v=3.2.13.12 HTTP/1.1" 200 1486 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET /web/css/librarybrowser.css?v=3.2.13.12 HTTP/1.1" 200 2794 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:19 +0000] "GET /web/thirdparty/paper-button-style.css?v=3.2.13.12 HTTP/1.1" 200 405 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:20 +0000] "GET /web/scripts/apploader.js?v=3.2.13.12 HTTP/1.1" 200 591 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"
23.122.152.96 - - [05/May/2017:13:08:20 +0000] "GET /web/bower_components/alameda/alameda.js?v=3.2.13.12 HTTP/1.1" 200 5310 "https://emby.domain.com/web/index.html" "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36"

Here ya go. I validated that the IP shown there is the remote IP of the web browser attempting to hit it, and not the external IP of the emby server.

aptalca

Not sure why emby doesn't ask for password, but alternatively, you can set a password in nginx through htpasswd

pir8radio

Weird, everything looks good... The only thing I see in your config that you probably don't need for emby is:

proxy_set_header X-Forwarded-Proto $remote_addr;

proxy_set_header X-Forwarded-Protocol $scheme;

You connect to your emby server from nginx with http..  Maybe something is passing that emby doesn't care for.

 

What happens if you comment those two lines out, restart nginx?

 

Also, has nothing to do with the login issue, but you have no lines in your config to cover web sockets.

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
 
Are you binding to any particular IP within emby?

Chorca

Those two lines didn't exist when I started troubleshooting, but I changed my config to one listed on the forums here so it would match up to eliminate that as a source of the issue.

 

Emby is just bound to all interfaces, it's running in an LXC container on the server along with another container which holds the nginx server. They have different IP addresses and the nginx server handles communications to various other services on the local network.

 

I attempted to comment out those lines and add in the one for websockets, no change, it still does not require password.

 

I should mention this is the latest beta, Version 3.2.15.1 beta.

pir8radio

Huh, I kind of want to figure this one out lol, I enjoy a good puzzle... That's not cool if it lets people into your admin account with no password... People can delete your media... :o

Chorca

Show us the emby_error.log.

The only line in that log is this:

2017/05/04 09:32:36 [error] 17640#17640: *69430 connect() failed (111: Connection refused) while connecting to upstream, client: 23.122.152.96, server: emby.domain.com, request: "OPTIONS /Sessions/Playing/Progress HTTP/1.1", upstream: "http://192.168.1.120:8096/Sessions/Playing/Progress", host: "emby.domain.com", referrer: "https://mediabrowser.github.io/Emby.Chromecast/index.html"

Currently trying to figure out if there's any other way to get a deeper debug log from Emby about what it's doing.

 

This is a log from a clean client (no emby-related cookies or anything) accessing from a remote network:

2017-05-09 03:46:27.6142 Info HttpClient: HttpClientManager GET: https://connect.emby.media/service/ServerAuthorizations?serverId=75f0xxxxxxxxxxxxxxxxxxxxxxx
2017-05-09 03:46:27.7355 Info HttpClient: HttpClientManager HEAD: https://www.gravatar.com/avatar/(avatar.png)
2017-05-09 03:48:05.2406 Info HttpServer: HTTP GET http://emby.domain.com:8096/. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:05.2406 Info HttpServer: HTTP Response 302 to (web client IP). Time: 0ms. http://emby.domain.com:8096/
2017-05-09 03:48:05.6349 Info HttpServer: HTTP GET http://emby.domain.com:8096/System/Info/Public. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:05.6354 Debug NetworkManager: Querying interface: lo. Type: Loopback. Status: Unknown
2017-05-09 03:48:05.6354 Debug NetworkManager: Querying interface: eth0. Type: Ethernet. Status: Up
2017-05-09 03:48:05.6354 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/System/Info/Public
2017-05-09 03:48:05.7032 Info HttpServer: HTTP GET http://emby.domain.com:8096/web/strings/en-us.json?v=1494301685593. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:05.7032 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/web/strings/en-us.json?v=1494301685593
2017-05-09 03:48:05.7080 Info HttpServer: HTTP GET http://emby.domain.com:8096/web/bower_components/emby-webcomponents/strings/en-us.json?v=1494301685593. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:05.7085 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/web/bower_components/emby-webcomponents/strings/en-us.json?v=1494301685593
2017-05-09 03:48:06.1267 Info HttpServer: HTTP GET http://emby.domain.com:8096/emby/system/info/public. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:06.1280 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/emby/system/info/public
2017-05-09 03:48:06.1964 Info HttpServer: HTTP GET http://emby.domain.com:8096/users/public. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:06.1975 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/users/public
2017-05-09 03:48:06.2792 Info HttpServer: HTTP GET http://emby.domain.com:8096/users/public. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:06.2792 Info HttpServer: HTTP GET http://emby.domain.com:8096/Branding/Configuration. UserAgent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.96 Safari/537.36
2017-05-09 03:48:06.2792 Info App: App Activity: app: Emby Mobile, version: 3.2.15.1, deviceId: 3a9c1742655cae297b93252ae143d88f7e195e3d, deviceName: Chrome
2017-05-09 03:48:06.2804 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/Branding/Configuration
2017-05-09 03:48:06.2804 Info HttpServer: HTTP Response 200 to (web client IP). Time: 1ms. http://emby.domain.com:8096/users/public

  • 1 month later...
Chorca

Any other ideas on this?

Updated to the latest version, still having this problem.

 

Wondering if there's some more data I can provide or some way that I can get info on what the server is doing... why it's thinking, with all the headers coming in from nginx, that the IP is internal even though it's not.

 

Maybe even an option or way to disable 'internal network detection' so it just asks for a password regardless, especially in case your local network isn't extremely secure, or you want to prevent local users from authenticating without a password..

Link to comment
Share on other sites

There's nothing that allows local users to login without a password, unless you specifically enabled this for a user. So if that's the case then just turn that off.

Chorca

I don't see any option for enabling or disabling passwords in the server options under Users, under the User options, or anywhere else for that matter. I just get a big grid of users to login as when I visit the base site, click on one, and it lets you in. This is on a fresh browser, no cookies from the site.

 

Hang on, it looks like I may just need to use the "hide user" option on each user on the server to prevent them from being displayed on the sign on screen.

 

If I do that, the user doesn't show.

 

Confirmed, making all user accounts 'hidden' via the last check box on the user page will revert the page back to a simple sign-on screen instead of listing the users.

Link to comment
Share on other sites

When you click on a user you can configure their password in the Passwords tab. Explore the settings there. Again, there is nothing by default that allows users to login without entering their password - unless their password is blank of course.

Chorca

Alright, I think I have it figured out.

 

The confusing part is that if you create an account with Emby Connect, and generate a local user that's linked to that account, it will need a password to login via emby connect, but the local user will have a blank password until it is set locally, so it needs to be set in both places.

 

Connecting via Emby Connect looks like it bypasses the local password and uses the user link to login, otherwise a local login is needed.

 

So, this was two things, me not understanding that above part, and not knowing to disable the users from the intro screen.

 

Thanks Pir8radio and Luke for your help with getting this figured out!

Link to comment
Share on other sites
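
The cause worked out in the post above (a local user linked to Emby Connect whose local password was never set, shown as a tile on the sign-in screen) can be checked from the `/users/public` response that the server log earlier in the thread shows the web client requesting. This is an added example, not code from the thread or from the Emby project; the field names (`Name`, `HasPassword`, `ConnectUserName`, `Policy.IsAdministrator`) are assumptions about Emby's user object, and the sample response is constructed.

```python
import json

# Constructed sample of a /users/public response body (not taken from the thread).
# The field names are an assumption about Emby's user object.
SAMPLE_PUBLIC_USERS = """[
  {"Name": "admin", "HasPassword": false, "ConnectUserName": "admin-connect",
   "Policy": {"IsAdministrator": true}},
  {"Name": "kids", "HasPassword": false},
  {"Name": "family", "HasPassword": true, "ConnectUserName": "family-connect"}
]"""


def audit_public_users(body):
    """Return {user name: [issues]} for each user in a /users/public response.

    Every user in this list is offered as a tile on the sign-in screen; the
    thread's fix (the "hide user" option) removes the tile.
    """
    report = {}
    for user in json.loads(body):
        issues = []
        # A missing flag is treated as "no password" so the audit fails closed.
        if not user.get("HasPassword", False):
            issues.append("blank local password")
            if user.get("ConnectUserName"):
                # The case from the thread: the Emby Connect password does not
                # protect the linked local user.
                issues.append("linked to Emby Connect, local password never set")
            if (user.get("Policy") or {}).get("IsAdministrator"):
                issues.append("administrator reachable without a password")
        report[user.get("Name", "<unnamed>")] = issues
    return report


def exposed_users(report):
    """Names that sign in with one click, sorted for stable output."""
    return sorted(name for name, issues in report.items() if issues)


if __name__ == "__main__":
    for name, issues in audit_public_users(SAMPLE_PUBLIC_USERS).items():
        print(f"{name}: {', '.join(issues) or 'password set'}")
```

To audit your own server, pass the function the body returned for `/users/public` when requested through the reverse proxy, the way a remote browser would see it.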

It sounds like you want to be using the Guest feature instead of what you are doing.

Chorca

YES

 

This was also a bit confusing because of the 'cloud link' thing in the Users options.. Made me think that was how it had to be done but you're right, the guest feature is what I should have been using this whole time.
