J2ghz 11 Posted May 23, 2017

I am using Emby behind a cloudflare proxy. I use Emby for Kodi, Emby on web, Emby for android and emby theater from windows store, all of them work. When I try to play anything on my Chromecast, nothing happens (meaning there's emby logo and it says ready to cast). I've searched previous issues and looked at emby logs, and there are no requests from chromecast to emby server. I have then tried to connect directly to my ip in Emby for Android, and casting worked.

Doesn't work: Emby in docker, behind local nginx proxy that adds https, behind cloudflare proxy on https://emby.myhostname.com/
Does work: Emby in docker, behind local nginx proxy that adds https, behind cloudflare proxy on https://emby.myhostname.com/ in everything except chromecast
Does work: Emby in docker, behind local nginx proxy on http://myip:8096

Leading me to believe it could be either https, using hostname or cloudflare. I think cloudflare is the most probable culprit, but I can't test it, since I don't have a valid https certificate, and my domain is HSTS enabled, so I can't try just hostname without https. I have not found a way to get any log or anything from the chromecast, but on Thursday I'll probably be able to capture all requests made by the chromecast, if that helps.

Luke 39303 Posted May 23, 2017

It could also be that the Chromecast is rejecting your SSL cert. There is no way for us to override that so you will need to make sure to use a cert that it will accept.

J2ghz 11 Author Posted May 23, 2017

> It could also be that the Chromecast is rejecting your SSL cert. There is no way for us to override that so you will need to make sure to use a cert that it will accept.

Is there a way to check if that is the case?

zigzagtshirt 55 Posted May 23, 2017

> Is there a way to check if that is the case?

Can you swap the SSL cert with one that is known to work to test it?

J2ghz 11 Author Posted May 23, 2017

> Can you swap the SSL cert with one that is known to work to test it?

No, if you want custom certificate on cloudflare you have to upgrade to 200$ USD/month plan.

zigzagtshirt 55 Posted May 23, 2017

> No, if you want custom certificate on cloudflare you have to upgrade to 200$ USD/month plan.

Can you not provide your own SSL cert? (Sorry, I don't know much about Cloudflare)

J2ghz 11 Author Posted May 23, 2017

> Can you not provide your own SSL cert? (Sorry, I don't know much about Cloudflare)

https://support.cloudflare.com/hc/en-us/articles/200170466-How-do-I-upload-a-custom-SSL-certificate-Business-or-Enterprise-only-
https://www.cloudflare.com/plans/

You can't in the free version.

Jdiesel 1256 Posted May 23, 2017

My setup through Cloudflare works with Chromecast. On the Emby side I have the public port set to 443, external domain set to my domain, Report https as external address enabled, and the custom certificate field left blank to use the Emby self signed certs. On the Cloudflare side I have SSL set to full. Everything runs through Cloudflare and all my apps connect to the Cloudflare signed certificate.

Edited May 23, 2017 by Jdiesel

J2ghz 11 Author Posted May 23, 2017

> My setup through Cloudflare works with Chromecast. On the Emby side I have the public port set to 443, external domain set to my domain, Report https as external address enabled, and the custom certificate field left blank to use the Emby self signed certs. On the Cloudflare side I have SSL set to full. Everything runs through Cloudflare and all my apps connect to the Cloudflare signed certificate.

So you use 443 as port for emby on local side? My setup looks like this:

Client -----(hostname:443)---->cloudflare------(hostname:443)------>local nginx------(localip:8097)----->docker container-------(localhost:8097)----->emby

http://i.imgur.com/phgZC4B.png
http://i.imgur.com/dYEx8sk.png

Edited May 23, 2017 by J2ghz

Jdiesel 1256 Posted May 23, 2017

> So you use 443 as port for emby on local side? My setup looks like this:
>
> Client -----(hostname:443)---->cloudflare------(hostname:443)------>local nginx------(localip:8097)----->docker container-------(localhost:8097)----->emby
>
> http://i.imgur.com/phgZC4B.png
> http://i.imgur.com/dYEx8sk.png

Yes. At one time I was using a nginx reverse proxy but decided to get rid of it to simplify my setup. I just set up an OpenVPN connection to connect to all my other services when I need to and have port 443 open in my firewall. I was mistaken in my first post. I changed my local port to 443 not my public. Depending on your OS you may have to do some routing to allow Emby to use port 443.

Client -----(hostname:443)---->Cloudflare------(hostname:443)------>Emby

Edited May 23, 2017 by Jdiesel

pir8radio 1304 Posted May 24, 2017

> I am using Emby behind a cloudflare proxy. I use Emby for Kodi, Emby on web, Emby for android and emby theater from windows store, all of them work. When I try to play anything on my Chromecast, nothing happens (meaning there's emby logo and it says ready to cast). I've searched previous issues and looked at emby logs, and there are no requests from chromecast to emby server. I have then tried to connect directly to my ip in Emby for Android, and casting worked.
>
> Doesn't work: Emby in docker, behind local nginx proxy that adds https, behind cloudflare proxy on https://emby.myhostname.com/
> Does work: Emby in docker, behind local nginx proxy that adds https, behind cloudflare proxy on https://emby.myhostname.com/ in everything except chromecast
> Does work: Emby in docker, behind local nginx proxy on http://myip:8096
>
> Leading me to believe it could be either https, using hostname or cloudflare. I think cloudflare is the most probable culprit, but I can't test it, since I don't have a valid https certificate, and my domain is HSTS enabled, so I can't try just hostname without https. I have not found a way to get any log or anything from the chromecast, but on Thursday I'll probably be able to capture all requests made by the chromecast, if that helps.

Let's make sure this is not a local issue first... Try mine, login to my server see this post. See if chromecast works using my server. I am behind nginx and cloudflare. My setup looks like:

Cloudflare----(cloud)----->Nginx (forcing ssl HSTS)---(internal network)--->Emby server NO SSL

Edited May 24, 2017 by pir8radio

J2ghz 11 Author Posted May 24, 2017

> Let's make sure this is not a local issue first... Try mine, login to my server see this post. See if chromecast works using my server. I am behind nginx and cloudflare. My setup looks like:
>
> Cloudflare----(cloud)----->Nginx (forcing ssl HSTS)---(internal network)--->Emby server NO SSL

It works. I'll try to find out what's the difference between your setup and mine. I won't be able to test anything today.

pir8radio 1304 Posted May 24, 2017

Cloudflare: Under Speed tab make sure none of the "minify" options are checked. Disable Rocket Loader. Under Crypto settings, mine is set to Full, Opportunistic Encryption is ON, HSTS is enabled, TLS 1.3 is enabled+0RTT.

This may also be your nginx config even though it works without cloudflare, but let's rule out cloudflare first.

pir8radio 1304 Posted May 25, 2017

> It works. I'll try to find out what's the difference between your setup and mine. I won't be able to test anything today.

What did you find? I'm always curious to know issue & fix.

J2ghz 11 Author Posted May 29, 2017

> Cloudflare: Under Speed tab make sure none of the "minify" options are checked. Disable Rocket Loader. Under Crypto settings, mine is set to Full, Opportunistic Encryption is ON, HSTS is enabled, TLS 1.3 is enabled+0RTT.
>
> This may also be your nginx config even though it works without cloudflare, but let's rule out cloudflare first.

I use Full (strict), otherwise the same. I have looked at the traffic using Mikrotik Torch, it seems when connecting to ip, it connects to ip, but when using hostname, I can't see any requests to cloudflare servers (104.31.*.*) but I can see a lot of requests to 10.0.0.13:8096 which is the ip of the docker container emby is running inside (they all fail, the server is remote).

pir8radio 1304 Posted May 29, 2017

> I use Full (strict), otherwise the same. I have looked at the traffic using Mikrotik Torch, it seems when connecting to ip, it connects to ip, but when using hostname, I can't see any requests to cloudflare servers (104.31.*.*) but I can see a lot of requests to 10.0.0.13:8096 which is the ip of the docker container emby is running inside (they all fail, the server is remote).

You may want to post your nginx config, and maybe a few lines from the nginx log for that site, if you keep one.

J2ghz 11 Author Posted May 29, 2017

    server {
        listen 443 ssl http2;
        server_name emby.example.com;
        ssl on;
        ssl_certificate /etc/nginx/cert.pem;
        ssl_certificate_key /etc/nginx/cert.key;
        ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
        ssl_verify_client on;

        location / {
            proxy_pass https://127.0.0.1:8097;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $remote_addr;
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Port $server_port;
            proxy_set_header X-Forwarded-Protocol $scheme;
        }
    }

The problem is, when I try to play something, the only line in access log I get is

    my.router.i.p - - [29/May/2017:23:12:25 +0200] "GET /Users/3ddfb7a4b5a84d20b5a5ca76eaaff2f0/Items/2a243ad2b3fd3e35bd49e08db9cdbd59 HTTP/1.1" 200 1935 "https://emby.example.com/web/home.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "m.y.i.p" "emby.example.com" sn="emby.example.com" rt=0.007 ua="127.0.0.1:8097" us="200" ut="0.007" ul="1935" cs=-

I'll try to use just nginx without cloudflare tomorrow.

Solution pir8radio 1304 Posted May 30, 2017

>     server {
>         listen 443 ssl http2;
>         server_name emby.example.com;
>         ssl on;
>         ssl_certificate /etc/nginx/cert.pem;
>         ssl_certificate_key /etc/nginx/cert.key;
>         ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
>         ssl_verify_client on;
>
>         location / {
>             proxy_pass https://127.0.0.1:8097;
>             proxy_set_header Host $host;
>             proxy_http_version 1.1;
>             proxy_set_header Upgrade $http_upgrade;
>             proxy_set_header Connection "upgrade";
>             proxy_set_header X-Real-IP $remote_addr;
>             proxy_set_header X-Forwarded-For $remote_addr;
>             proxy_set_header X-Forwarded-Host $host;
>             proxy_set_header X-Forwarded-Port $server_port;
>             proxy_set_header X-Forwarded-Protocol $scheme;
>         }
>     }
>
> The problem is, when I try to play something, the only line in access log I get is
>
>     my.router.i.p - - [29/May/2017:23:12:25 +0200] "GET /Users/3ddfb7a4b5a84d20b5a5ca76eaaff2f0/Items/2a243ad2b3fd3e35bd49e08db9cdbd59 HTTP/1.1" 200 1935 "https://emby.example.com/web/home.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "m.y.i.p" "emby.example.com" sn="emby.example.com" rt=0.007 ua="127.0.0.1:8097" us="200" ut="0.007" ul="1935" cs=-
>
> I'll try to use just nginx without cloudflare tomorrow.

Comment out X-Forwarded-Port and X-Forwarded-Protocol, and change your X-Forwarded-For to:

    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

I would also connect to emby from nginx using http NOT https (proxy_pass http://127.0.0.1:XXXX;). It's on the same PC so no real security concerns of someone sniffing the link between the two applications because it never leaves the localhost; it makes things go way smoother. Let nginx handle SSL.

Here is what my config looks like as a reference. You can ignore the "security settings". My ssl is also set up for http2, fyi.

    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name servername_andsuch.com;
        include userId.Emby;
        access_log logs/music.log music;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate ssl/pub.pem;
        ssl_certificate_key ssl/pvt.pem;
        ssl_session_cache shared:SSL:10m;

        location / {
            proxy_pass http://127.0.0.1:8080;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            ## SECURITY SETTINGS ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ##
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

Edited May 30, 2017 by pir8radio

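An added example, not part of the thread and not Emby or nginx code: it models what the backend receives in X-Forwarded-For for the two settings discussed above (`$remote_addr` versus `$proxy_add_x_forwarded_for`) and how a backend can recover the client address by walking the chain from the right past trusted proxies. The addresses, the trusted ranges and the assumption that the edge proxy appends the client address are constructed for illustration.

```python
import ipaddress

def forward(xff_in, peer_ip, mode):
    """X-Forwarded-For value a proxy sends upstream for one request.

    mode "overwrite": proxy_set_header X-Forwarded-For $remote_addr;
    mode "append":    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    """
    if mode == "overwrite" or not xff_in:
        return peer_ip                     # incoming chain is discarded
    return f"{xff_in}, {peer_ip}"          # incoming chain kept, peer appended

def through_chain(client_ip, client_xff, edge_ip, nginx_mode):
    """Client -> edge proxy -> nginx -> backend, as in the thread's diagrams."""
    xff = forward(client_xff, client_ip, "append")  # assumption: edge appends
    return forward(xff, edge_ip, nginx_mode)        # nginx's peer is the edge

def client_ip(xff, peer_ip, trusted_nets):
    """Walk the chain right to left; the first hop outside the trusted proxy
    networks is the client. Returns None when no such hop exists."""
    nets = [ipaddress.ip_network(n) for n in trusted_nets]
    hops = [h.strip() for h in xff.split(",") if h.strip()] + [peer_ip]
    for hop in reversed(hops):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                    # malformed entry: trust nothing left of it
        if not any(addr in net for net in nets):
            return str(addr)
    return None

# Constructed sample values (documentation address ranges, not from the thread).
CLIENT, EDGE, SPOOFED = "203.0.113.7", "198.51.100.10", "192.0.2.99"
TRUSTED = ["127.0.0.0/8", "198.51.100.0/24"]   # nginx on localhost + edge range

def demo():
    """Header and derived client address at the backend for both settings."""
    results = {}
    for mode in ("overwrite", "append"):
        xff = through_chain(CLIENT, SPOOFED, EDGE, mode)
        results[mode] = (xff, client_ip(xff, "127.0.0.1", TRUSTED))
    return results

if __name__ == "__main__":
    for mode, (xff, ip) in demo().items():
        print(f"{mode:9} XFF={xff!r} client={ip}")
```

With the overwrite setting the backend only ever sees the edge proxy's address, so the client cannot be identified; with the append setting the chain survives, and the right-to-left walk ignores the value the client put in the header itself.
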
J2ghz 11 Author Posted May 31, 2017

> change your x forwarded for to: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

That one helped. I took the config from https://confluence.jetbrains.com/pages/viewpage.action?pageId=74845225#HowTo...-NGINX (TeamCity NGINX config). Thanks for the help.