
Chromecast cloudflare issue


Solved by pir8radio

J2ghz

I am using Emby behind a cloudflare proxy. I use Emby for Kodi, Emby on web, Emby for android and emby theater from windows store, all of them work. When I try to play anything on my Chromecast, nothing happens (meaning there's emby logo and it says ready to cast). I've searched previous issues and looked at emby logs, and there are no requests from chromecast to emby server. I have then tried to connect directly to my ip in Emby for Android, and casting worked.

Leading me to believe it could be either https, using hostname or cloudflare. I think cloudflare is the most probable culprit, but I can't test it, since I don't have a valid https certificate, and my domain is HSTS enabled, so I can't try just hostname without https. I have not found a way to get any log or anything from the chromecast, but on Thursday I'll probably be able to capture all requests made by the chromecast, if that helps.


It could also be that the Chromecast is rejecting your SSL cert. There is no way for us to override that so you will need to make sure to use a cert that it will accept.


J2ghz

It could also be that the Chromecast is rejecting your SSL cert. There is no way for us to override that so you will need to make sure to use a cert that it will accept.

Is there a way to check if that is the case?


zigzagtshirt

Is there a way to check if that is the case?

 

Can you swap the SSL cert with one that is known to work to test it?


J2ghz

Can you swap the SSL cert with one that is known to work to test it?

No, if you want a custom certificate on cloudflare you have to upgrade to the $200 USD/month plan.


zigzagtshirt

No, if you want a custom certificate on cloudflare you have to upgrade to the $200 USD/month plan.

 

Can you not provide your own SSL cert? (Sorry, I don't know much about Cloudflare)


Jdiesel

My setup through Cloudflare works with Chromecast.

 

On the Emby side I have the public port set to 443, external domain set to my domain, Report https as external address enabled, and the custom certificate field left blank to use the Emby self signed certs. On the Cloudflare side I have SSL set to full. Everything runs through Cloudflare and all my apps connect to the Cloudflare signed certificate.

Edited by Jdiesel

J2ghz

My setup through Cloudflare works with Chromecast.

 

On the Emby side I have the public port set to 443, external domain set to my domain, Report https as external address enabled, and the custom certificate field left blank to use the Emby self signed certs. On the Cloudflare side I have SSL set to full. Everything runs through Cloudflare and all my apps connect to the Cloudflare signed certificate.

So you use 443 as port for emby on local side? My setup looks like this:

 

Client -----(hostname:443)---->cloudflare------(hostname:443)------>local nginx------(localip:8097)----->docker container-------(localhost:8097)----->emby

 

http://i.imgur.com/phgZC4B.png

http://i.imgur.com/dYEx8sk.png

Edited by J2ghz

Jdiesel

So you use 443 as port for emby on local side? My setup looks like this:

 

Client -----(hostname:443)---->cloudflare------(hostname:443)------>local nginx------(localip:8097)----->docker container-------(localhost:8097)----->emby

 

http://i.imgur.com/phgZC4B.png

http://i.imgur.com/dYEx8sk.png

Yes. At one time I was using a nginx reverse proxy but decided to get rid of it to simplify my setup. I just set up an OpenVPN connection to connect to all my other services when I need to and have port 443 open in my firewall. I was mistaken in my first post. I changed my local port to 443, not my public.

 

Depending on your OS you may have to do some routing to allow Emby to use port 443.

 

Client -----(hostname:443)---->Cloudflare------(hostname:443)------>Emby

 

5924ad472bca1_Capture.png

Edited by Jdiesel

pir8radio

I am using Emby behind a cloudflare proxy. I use Emby for Kodi, Emby on web, Emby for android and emby theater from windows store, all of them work. When I try to play anything on my Chromecast, nothing happens (meaning there's emby logo and it says ready to cast). I've searched previous issues and looked at emby logs, and there are no requests from chromecast to emby server. I have then tried to connect directly to my ip in Emby for Android, and casting worked.

Leading me to believe it could be either https, using hostname or cloudflare. I think cloudflare is the most probable culprit, but I can't test it, since I don't have a valid https certificate, and my domain is HSTS enabled, so I can't try just hostname without https. I have not found a way to get any log or anything from the chromecast, but on Thursday I'll probably be able to capture all requests made by the chromecast, if that helps.

 

 

Let's make sure this is not a local issue first... Try mine: log in to my server, see this post. See if chromecast works using my server. I am behind nginx and cloudflare. My setup looks like: Cloudflare----(cloud)----->Nginx (forcing ssl HSTS)---(internal network)--->Emby server NO SSL

Edited by pir8radio

J2ghz

Let's make sure this is not a local issue first... Try mine: log in to my server, see this post. See if chromecast works using my server. I am behind nginx and cloudflare. My setup looks like: Cloudflare----(cloud)----->Nginx (forcing ssl HSTS)---(internal network)--->Emby server NO SSL

It works. I'll try to find out what's the difference between your setup and mine. I won't be able to test anything today.


pir8radio

Cloudflare: Under the Speed tab make sure none of the "minify" options are checked. Disable Rocket Loader. Under Crypto settings, mine is set to Full, Opportunistic Encryption is ON, HSTS is enabled, TLS 1.3 is enabled + 0-RTT.

This may also be your nginx config even though it works without cloudflare, but let's rule out cloudflare first.


pir8radio

It works. I'll try to find out what's the difference between your setup and mine. I won't be able to test anything today.

 

What did you find? I'm always curious to know the issue & fix.


J2ghz

Cloudflare: Under the Speed tab make sure none of the "minify" options are checked. Disable Rocket Loader. Under Crypto settings, mine is set to Full, Opportunistic Encryption is ON, HSTS is enabled, TLS 1.3 is enabled + 0-RTT.

This may also be your nginx config even though it works without cloudflare, but let's rule out cloudflare first.

 

I use Full (strict), otherwise the same.

I have looked at the traffic using Mikrotik Torch, it seems when connecting to ip, it connects to ip, but when using hostname, I can't see any requests to cloudflare servers (104.31.*.*) but I can see a lot of requests to 10.0.0.13:8096 which is the ip of the docker container emby is running inside (they all fail, the server is remote).


pir8radio

I use Full (strict), otherwise the same.

I have looked at the traffic using Mikrotik Torch, it seems when connecting to ip, it connects to ip, but when using hostname, I can't see any requests to cloudflare servers (104.31.*.*) but I can see a lot of requests to 10.0.0.13:8096 which is the ip of the docker container emby is running inside (they all fail, the server is remote).

 

You may want to post your nginx config, and maybe a few lines from the nginx log for that site, if you keep one.


J2ghz

server {
    listen      443 ssl http2;
    server_name emby.example.com;

    ssl on;                                   # redundant with "listen ... ssl" (deprecated in newer nginx)
    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.key;
    # Require a client certificate issued by this CA (Cloudflare authenticated origin pulls);
    # TLS clients that present none are answered with HTTP 400 and never reach location blocks
    ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
    ssl_verify_client on;

    location / {
        # Second TLS hop to Emby on localhost; nginx does not verify that upstream
        # certificate unless proxy_ssl_verify is turned on (it is off by default)
        proxy_pass   https://127.0.0.1:8097;

        proxy_set_header Host $host;
        # WebSocket pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Client-address headers: X-Forwarded-For is overwritten with nginx's own peer
        # ($remote_addr), so any chain the upstream proxy (Cloudflare) sent is dropped
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}

The problem is, when I try to play something, the only line in access log I get is

 

my.router.i.p - - [29/May/2017:23:12:25 +0200] "GET /Users/3ddfb7a4b5a84d20b5a5ca76eaaff2f0/Items/2a243ad2b3fd3e35bd49e08db9cdbd59 HTTP/1.1" 200 1935 "https://emby.example.com/web/home.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "m.y.i.p" "emby.example.com" sn="emby.example.com" rt=0.007 ua="127.0.0.1:8097" us="200" ut="0.007" ul="1935" cs=-

I'll try to use just nginx without cloudflare tomorrow.
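To answer the question pir8radio asks above from the nginx log itself (did any Chromecast request reach nginx at all, did it arrive through Cloudflare, and what did the upstream answer), here is an added Python example; it is not code from the thread, from Emby or from nginx. It parses the extended access-log line shape shown in J2ghz's post. Assumptions: the log_format field order (nginx "combined" followed by the X-Forwarded-For, host and sn=/rt=/ua=/us=/ut=/ul=/cs= fields), the "CrKey" token in the Chromecast user agent, and the second sample line with its documentation-range addresses, which is constructed for the example.

```python
import re
from collections import Counter, defaultdict

# Regex for the log line shape shown in the thread. The field order is assumed to be
# nginx's "combined" format followed by "$http_x_forwarded_for" "$host" and the
# sn= rt= ua= us= ut= ul= cs= upstream fields; adjust it to your own log_format.
LOG_RE = re.compile(
    r'^(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes>\d+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)" "(?P<xff>[^"]*)" "(?P<host>[^"]*)" '
    r'sn="(?P<server_name>[^"]*)" rt=(?P<request_time>\S+) ua="(?P<upstream_addr>[^"]*)" '
    r'us="(?P<upstream_status>[^"]*)" ut="(?P<upstream_time>[^"]*)" '
    r'ul="(?P<upstream_length>[^"]*)" cs=(?P<cache_status>\S+)$'
)

# Constructed sample log. Line 1 is the (already anonymised) line from the thread; line 2
# is a made-up Chromecast stream request arriving through a proxy, using documentation
# address ranges. Chromecast user agents are assumed to carry a "CrKey" token.
SAMPLE_LOG = """\
my.router.i.p - - [29/May/2017:23:12:25 +0200] "GET /Users/3ddfb7a4b5a84d20b5a5ca76eaaff2f0/Items/2a243ad2b3fd3e35bd49e08db9cdbd59 HTTP/1.1" 200 1935 "https://emby.example.com/web/home.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "m.y.i.p" "emby.example.com" sn="emby.example.com" rt=0.007 ua="127.0.0.1:8097" us="200" ut="0.007" ul="1935" cs=-
203.0.113.7 - - [29/May/2017:23:12:31 +0200] "GET /Videos/2a243ad2b3fd3e35bd49e08db9cdbd59/stream.mkv?api_key=REDACTED HTTP/1.1" 200 104857600 "-" "Mozilla/5.0 (X11; Linux armv7l) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/55.0.2883.84 Safari/537.36 CrKey/1.24.91785" "198.51.100.20" "emby.example.com" sn="emby.example.com" rt=12.410 ua="127.0.0.1:8097" us="200" ut="12.400" ul="104857600" cs=-
"""


def parse_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    match = LOG_RE.match(line.strip())
    if not match:
        return None
    rec = match.groupdict()
    parts = rec["request"].split(" ")
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    # nginx logs "-" for an absent header. Cloudflare adds X-Forwarded-For, so a "-"
    # most likely means the connection reached nginx without passing through it.
    rec["via_proxy"] = rec["xff"] != "-"
    rec["client"] = "chromecast" if "CrKey" in rec["user_agent"] else "other"
    return rec


def summarize(lines):
    """Per client kind: request count, direct (non-proxied) hits, upstream status codes, paths."""
    stats = defaultdict(lambda: {"requests": 0, "direct": 0, "upstream_status": Counter(), "paths": []})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        entry = stats[rec["client"]]
        entry["requests"] += 1
        entry["direct"] += 0 if rec["via_proxy"] else 1
        entry["upstream_status"][rec["upstream_status"]] += 1
        entry["paths"].append(rec["path"])
    return dict(stats)


if __name__ == "__main__":
    for client, entry in summarize(SAMPLE_LOG.splitlines()).items():
        print(client, entry["requests"], "requests,", entry["direct"], "direct,",
              dict(entry["upstream_status"]), entry["paths"])
```

Run it against the real log with `summarize(open("/var/log/nginx/access.log").readlines())`: an empty "chromecast" entry confirms the device never reached nginx, while a non-zero `direct` count shows hits that bypassed Cloudflare (for example hairpinned LAN connections), which matters with `ssl_verify_client on` since those carry no origin-pull client certificate.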


pir8radio (marked as solution)
server {
    listen      443 ssl http2;
    server_name emby.example.com;

    ssl on;                                   # redundant with "listen ... ssl" (deprecated in newer nginx)
    ssl_certificate     /etc/nginx/cert.pem;
    ssl_certificate_key /etc/nginx/cert.key;
    # Require a client certificate issued by this CA (Cloudflare authenticated origin pulls);
    # TLS clients that present none are answered with HTTP 400 and never reach location blocks
    ssl_client_certificate /etc/nginx/origin-pull-ca.pem;
    ssl_verify_client on;

    location / {
        # Second TLS hop to Emby on localhost; nginx does not verify that upstream
        # certificate unless proxy_ssl_verify is turned on (it is off by default)
        proxy_pass   https://127.0.0.1:8097;

        proxy_set_header Host $host;
        # WebSocket pass-through
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        # Client-address headers: X-Forwarded-For is overwritten with nginx's own peer
        # ($remote_addr), so any chain the upstream proxy (Cloudflare) sent is dropped
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Host $host;
        proxy_set_header X-Forwarded-Port $server_port;
        proxy_set_header X-Forwarded-Protocol $scheme;
    }
}

The problem is, when I try to play something, the only line in access log I get is

 

my.router.i.p - - [29/May/2017:23:12:25 +0200] "GET /Users/3ddfb7a4b5a84d20b5a5ca76eaaff2f0/Items/2a243ad2b3fd3e35bd49e08db9cdbd59 HTTP/1.1" 200 1935 "https://emby.example.com/web/home.html" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36" "m.y.i.p" "emby.example.com" sn="emby.example.com" rt=0.007 ua="127.0.0.1:8097" us="200" ut="0.007" ul="1935" cs=-

I'll try to use just nginx without cloudflare tomorrow.

 

 

Comment out X-Forwarded-Port and X-Forwarded-Protocol, and change your X-Forwarded-For to: proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

I would also connect to emby from nginx using http NOT https (proxy_pass http://127.0.0.1:XXXX;). It's on the same PC so no real security concerns of someone sniffing the link between the two applications because it never leaves the localhost, and it makes things go way smoother. Let nginx handle SSL.

Here is what my config looks like as a reference. You can ignore the "security settings". My ssl is also set up for http2 fyi.

 

 

 

 

server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name servername_andsuch.com;

    include userId.Emby;                       # site-specific include, contents not shown in the thread

    access_log  logs/music.log  music;         # "music" log_format is defined elsewhere, not shown

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;       # TLS 1.0/1.1 are deprecated; TLSv1.2 (plus 1.3) alone is the safer choice today
    ssl_certificate      ssl/pub.pem;
    ssl_certificate_key  ssl/pvt.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://127.0.0.1:8080;      # plain http to Emby on localhost; nginx terminates TLS

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;    # pass byte-range headers through for seeking
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  # appends $remote_addr to the chain Cloudflare sent

        ## SECURITY SETTINGS ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; includeSubDomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        ## WEBSOCKET SETTINGS ##
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

 

Edited by pir8radio
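What the suggested X-Forwarded-For change actually does to the header, as an added Python example that is not the thread's, nginx's or Emby's code: it models nginx's `$proxy_add_x_forwarded_for` next to the original `$remote_addr` setting, and shows how an application behind the proxy should resolve the real client address by walking the chain from the right through trusted proxies, so that a spoofed leftmost value is ignored. The addresses are constructed, and the trusted ranges (the 104.31.x.x block J2ghz observed, plus localhost for nginx) are assumptions for the example; a real deployment loads the proxy provider's published address list.

```python
import ipaddress

# Constructed trusted-proxy ranges: the 104.31.x.x block seen in the thread and nginx on
# localhost. Real deployments should load the proxy provider's published address list.
TRUSTED_PROXIES = ["104.31.0.0/16", "127.0.0.0/8"]


def proxy_add_x_forwarded_for(incoming_xff, remote_addr):
    """Model of nginx's $proxy_add_x_forwarded_for: the incoming X-Forwarded-For header
    with $remote_addr appended after a comma, or just $remote_addr when the request
    carried no such header."""
    if not incoming_xff:
        return remote_addr
    return f"{incoming_xff}, {remote_addr}"


def remote_addr_only(incoming_xff, remote_addr):
    """Model of the original config ("X-Forwarded-For $remote_addr"): whatever the
    proxy in front of nginx put in the header is discarded."""
    return remote_addr


def client_ip(xff_header, remote_addr, trusted_proxies=TRUSTED_PROXIES):
    """Resolve the real client address behind one or more proxies.

    The TCP peer (remote_addr) is the only hop known for certain; from there walk the
    X-Forwarded-For chain right to left and skip every hop inside a trusted proxy range.
    The leftmost value is client-controlled and is never trusted on its own.
    """
    nets = [ipaddress.ip_network(n) for n in trusted_proxies]

    def is_trusted(addr):
        try:
            return any(ipaddress.ip_address(addr) in net for net in nets)
        except ValueError:  # not an IP literal at all: treat as untrusted
            return False

    hops = [h.strip() for h in xff_header.split(",") if h.strip()] if xff_header else []
    chain = hops + [remote_addr]
    for hop in reversed(chain):
        if not is_trusted(hop):
            return hop
    # Every hop was a trusted proxy (e.g. the proxy calling the origin itself).
    return chain[0]


def demo():
    edge = "104.31.77.10"      # constructed Cloudflare edge address
    cast = "198.51.100.20"     # constructed public address of the Chromecast
    nginx = "127.0.0.1"        # nginx and Emby share the host, so Emby's peer is localhost
    # Cloudflare adds the visitor address to X-Forwarded-For before the request hits nginx.
    from_cloudflare = proxy_add_x_forwarded_for(None, cast)
    old_header = remote_addr_only(from_cloudflare, edge)           # original config
    new_header = proxy_add_x_forwarded_for(from_cloudflare, edge)  # suggested config
    # A client that sends its own X-Forwarded-For to pose as 10.0.0.1.
    spoofed = proxy_add_x_forwarded_for(proxy_add_x_forwarded_for("10.0.0.1", cast), edge)
    return {
        "old_header": old_header,
        "new_header": new_header,
        "old_client": client_ip(old_header, nginx),
        "new_client": client_ip(new_header, nginx),
        "spoofed_client": client_ip(spoofed, nginx),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:15} {value}")
```

With the original setting Emby only ever sees the Cloudflare edge address, so per-client logging, rate limiting or "local network" decisions are made against the wrong host; with `$proxy_add_x_forwarded_for` the visitor address survives, and the right-to-left walk keeps a client from forging it.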
