Emby via reverse proxy and internal network settings


FunkadelicRelic

OK - I used HAProxy to strip the port from the Host= field, it now looks the same on both working and failed videos but the issue remains :(


FunkadelicRelic

Hmm. More updates. If I select the failed video on the Android TV and leave the spinning circle for 5 minutes the video eventually plays. However, when backing out of the video and trying to exit the app it still crashes and makes me force close. So it looks like it is eventually playing.


KMBanana

Make sure on the Emby server the "Public https port number" is set to 443 under Expert -> Advanced.  


In the Emby Server Dashboard make sure the "Remote (WAN) access" is https://emby.domain.com:443


 


Try leaving the port field on the Android TV client blank when setting it up or setting it to 00000.  



FunkadelicRelic

Thanks @KMBanana - but wouldn't this break my configuration? The Emby server should never be contacted on 443 or any other port besides 8096 for that matter as my Reverse Proxy receives and terminates the SSL traffic before handing over to the server backend on port 8096.


FunkadelicRelic

OK - even more testing. My Roku 3 plays everything I throw at it just fine.

 

I'm now starting to think the issue may in fact be the Android TV or Android TV client as opposed to the Reverse Proxy configuration.


KMBanana

Under Expert-Advanced you'll see configurations for local and public ports.  The local ports need to be the ports Emby is actually listening on, in your case 8096. 

The public ports though need to be the port the clients connect to, which in your case is the port the reverse proxy is listening on, 443.


FunkadelicRelic

So I went ahead and tried that - if I set both HTTPS ports to 443 in Emby server, the first troublesome file I played started playing fine. So I backed out and tried another and it failed, so something certainly bumped into life.

 

However, I restarted my Emby docker container and it would no longer start, with errors in the log indicating 'access denied' on network sockets. I manually edited the system.xml and reverted the two HTTPS ports back to 8920 and the container starts again.

 

Not entirely sure what is happening there. Also, all my other players work with the HTTPS ports set to 8920 in Emby server, which makes me think this may be localised to Android TV.

 

Any thoughts?


KMBanana

Don't set the local https port to 443, just the public https port number.  

 

It's very strange that some files are playing and others are not though, the connection settings I would expect to either work or not work.

 

I did have strange issues with my nginx reverse proxy on only certain devices, in my case videos that were cast to a chromecast wouldn't play even though the same files would play properly on the device you were casting from. Correcting the public https port to 443 solved that issue for me.
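The local-versus-public port split discussed in the posts above can be checked mechanically. This is an added example, not part of any post in the thread: it assumes the `system.xml` element names `HttpServerPortNumber`, `HttpsPortNumber` and `PublicHttpsPort` (the thread names only the file and `<IsBehindProxy>`), and `check_ports` is a hypothetical helper run against a constructed sample.

```python
import xml.etree.ElementTree as ET

# Constructed sample of system.xml; element names are assumed, values mirror
# the failing setup described in the thread (local HTTPS port moved to 443).
SAMPLE_SYSTEM_XML = """<ServerConfiguration>
  <HttpServerPortNumber>8096</HttpServerPortNumber>
  <HttpsPortNumber>443</HttpsPortNumber>
  <PublicPort>8096</PublicPort>
  <PublicHttpsPort>8920</PublicHttpsPort>
</ServerConfiguration>"""


def check_ports(xml_text, proxy_https_port, backend_port):
    """Compare Emby's port settings with the reverse-proxy layout.

    proxy_https_port: port clients connect to on the proxy (443 in the thread).
    backend_port: port the proxy forwards to on the Emby host (8096 there).
    Returns a list of finding codes; an empty list means the layout agrees.
    """
    root = ET.fromstring(xml_text)

    def port(tag):
        node = root.find(tag)
        return int(node.text) if node is not None and node.text else None

    local = {t: port(t) for t in ("HttpServerPortNumber", "HttpsPortNumber")}
    findings = []

    # The proxy's backend must point at a port Emby really listens on.
    if backend_port not in local.values():
        findings.append("backend-port-not-listening")

    # Local ports below 1024 need extra privileges to bind on Linux; this is
    # one plausible cause (an assumption) of a container failing to start.
    for tag, value in local.items():
        if value is not None and value < 1024:
            findings.append("privileged-local-port:" + tag)

    # The public HTTPS port must be the port clients connect to, which is
    # the proxy's listening port, not Emby's own.
    if port("PublicHttpsPort") != proxy_https_port:
        findings.append("public-https-port-mismatch")
    return findings


if __name__ == "__main__":
    print(check_ports(SAMPLE_SYSTEM_XML, 443, 8096))
```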


pir8radio

Use a Chrome browser, hit F12, then select the Network tab and ALL next to "Hide data URLs". Go to your server and play a video, look for any red errors in the bottom half of the developer screen, or any red lines in your main network screen. This will usually point out any RP issues.


FunkadelicRelic

OK - so I changed the public HTTPS port to 443 and restarted Emby fine. Tried two troublesome videos on Android TV and they both worked! However, the third I tried failed, and now they all still fail, even though they worked very soon after changing the port and restarting Emby server. Very strange.


FunkadelicRelic

Just scanning the system.xml config file out of desperation - can anyone advise what this setting is - <IsBehindProxy> - it is currently set to false for me.


KMBanana

Yeah this is very weird.  

I would start troubleshooting from scratch here, as it seems like you were having two problems before, one of which being the public https port setting.  Now that that's fixed we need to pin down the other problem.  I would try the following troubleshooting steps.  

Check logs for anything unusual or different from before

Does restarting the Emby server reliably make it work temporarily?

Does it start failing after a certain amount of time or after a certain number of videos?

Do you have something like fail2ban setup?  Check the logs for it as well

Is the Android TV device on the same local network as your Emby server or remote?  

Does restarting the AndroidTV without restarting the Emby server make it work, even temporarily?

 

Did you try setting up the Android TV using either a blank entry for the port or port 00000?  I don't really think that's it anymore but it's something simple enough it's worth a try regardless.  


FunkadelicRelic

Thanks @KMBanana - I've answered some of your questions below and will try some more testing from scratch this evening.

 

Does restarting the Emby server reliably make it work temporarily?

I will try this tonight.

Does it start failing after a certain amount of time or after a certain number of videos?

Hard to tell. When it worked before, I had a chance to play 2 videos for 20 seconds each with 10 seconds delay in between selecting the next. The third and subsequent ones failed.

Do you have something like fail2ban setup?  Check the logs for it as well

No fail2ban in place. In fact, pfSense is running pretty stock, with the addition of pfBlockerNg performing some GeoIP blocking and DNS blacklisting.

Is the Android TV device on the same local network as your Emby server or remote?

The Android TV is on a VLAN (WIFI) for wireless devices. Same as my phones, PCs and Roku devices. The Emby server is in a separate VLAN (DMZ). HAProxy is configured to listen on a different VLAN (MGMT). HAProxy is set to connect to the Emby server backend in the DMZ. Comfortable that this is not Firewall rule related as I run around 15 other services perfectly this way (as well as Plex - before I moved to Emby). Also, all my other devices work flawlessly.

Does restarting the AndroidTV without restarting the Emby server make it work, even temporarily?

Good suggestion. Will try tonight.

Did you try setting up the Android TV using either a blank entry for the port or port 00000?  I don't really think that's it anymore but it's something simple enough it's worth a try regardless.  

Yes I did try this when you suggested it earlier. I tried server = https://emby.domain.com and left the port blank. Same issue.


FunkadelicRelic

So I just tried another failing video on Android TV, and I noticed while it was failing there was an ellipsis in the options (...) at the bottom of the screen where the controls are placed. I clicked it and clicked the option (I think it was something like Playback Optimization or Error) and it asked me if I was having problems with audio or video. I clicked yes and the video re-loaded and started working!

 

I tried this twice and it worked both times, although the second time there was slight lag in the video.

 

Any idea what this option is doing?


FunkadelicRelic

Ok thanks for the confirmation.

 

Breakthrough here though! I installed MX Player and set the Android TV client to use an external player and everything plays perfectly!

 

Any ideas why the native player fails so miserably while MX works? Though this is getting me working I would much rather figure out the reason the default player won't work so I could use the native player in the future (it's so much prettier!).

Link to comment
Share on other sites

So, I have been in the middle of adding a new managed switch, and further sub-dividing my network. I wanted to make sure that my config works properly before publishing it. I won't lie, I am leery of sharing any of my personal configs, logs, ini files etc. for fear of missing something that is self-identifying. I have scrubbed my externally identifying info as much as possible, so if you see that I have missed something let me know.

 

Info on my internal networks:

 

VLAN 1 - network equipment VLAN - currently 192.168.1.0/24 (I will eventually move this to 10.0.1.0/24)

VLAN 2 - VLAN for all wired non-service hosting nodes (workstations, HTPC clients, and consoles) - 10.0.2.0/24

VLAN 3 - VLAN for all WIFI non-service hosting nodes (laptops, smartphones, tablets) - 10.0.3.0/24

VLAN 4 - VLAN for all servers - 10.0.4.0/24

VLAN 192 - VLAN for future security cameras - 192.168.0.1

VLAN 172 - Guest network (WIFI and IOT devices (echos, mibox, etc)).

 

firewall and HAProxy server - 192.168.1.1

Emby HTPC server - 10.0.4.6

home automation server - 10.0.4.8

 

Currently, I am hosting access on my reverse proxy to my Emby HTPC server (10.0.4.6) and my home automation server's (10.0.4.6) web management UI and smartphone app connector (separately secured). I have SSL secured access to both Emby and my home automation server's web UI to external and internal requests. When accessed from internal networks I allow the connection to Emby on port 8096. When accessed from the public Internet I force the connection to Emby on port 8920.

 

At this point in the network rebuild I have tested my workstations, HTPC clients on VLAN 2. I have not had time to test my Mibox (which will be connecting from my guest network (with guest isolation enabled)) as I need to finish loosening up my firewall rules to allow VLAN 172 (my guest network) access to the HAProxy on the Firewall and public Internet only.

 

My Public Services:

I have a purchased domain (ex: mydomain.org). I use a DDNS synthetic record to point to a 3rd level domain (ex: emby.mydomain.org). I have the built-in DDNS client set up to update this for me on my firewall. For all subsequent services (ex: service2.mydomain.org) that I host I created a CNAME that points back to the main DDNS synthetic record. I use Let's Encrypt for SSL certificates that are tied to my subdomains. HAProxy is configured to dish out the appropriate SSL certificate based on the SNI request.

 

Scrubbed info placeholders in the config:

    <WANPORT> = first open port on the public Internet and internal networks

    <WANPORT2> = second open port on the public Internet and internal networks

    <WANIPADDRESS> = ...

 

    <HA> = name of my HA software

    <HA_APP> = name of the home automation server's smartphone app connector.

    NOTE: I left the Emby title in place as we all know what I use for my HTPC server and front ends. 

 

    <3RDLEVEL_SUBDOMAIN_1> = this is the first DDNS/Synthetic record I have with my public domain's DNS.

    <3RDLEVEL_SUBDOMAIN_2> = this is the CNAME record I have with my public domain's DNS.

    <2NDLEVEL_DOMAIN> = this is my purchased domain name. 

    <1STLEVEL_DOMAIN> = this would be the .com, .net, .org in your purchased domain. 

 

 

Config:

   

# Automaticaly generated, dont edit manually.
# Generated on: 2017-10-09
global
    maxconn            25
    stats socket /tmp/haproxy.socket level admin
    gid            80
    nbproc            1
    chroot            /tmp/haproxy_chroot
    daemon
    tune.ssl.default-dh-param    4096
    log-send-hostname        HAProxyMasterNode
    server-state-file /tmp/haproxy_server_state
    ssl-default-bind-options no-sslv3 no-tlsv10
    ssl-default-bind-ciphers ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256

listen HAProxyLocalStats
    bind 127.0.0.1:2200 name localstats
    mode http
    stats enable
    stats refresh 5
    stats admin if TRUE
    stats uri /haproxy/haproxy_stats.php?haproxystats=1
    timeout client 5000
    timeout connect 5000
    timeout server 5000

resolvers globalresolvers
    nameserver htpc_1 192.168.1.1:53
    nameserver homeadmin 192.168.1.1:53
    resolve_retries 3
    timeout retry 1
    hold valid 10

frontend WAN<WANPORT2>
    bind            <WANIPADDRESS>:<WANPORT2> name <WANIPADDRESS>:<WANPORT2> ssl  crt /var/etc/haproxy/WAN<WANPORT2>.pem crt /var/etc/haproxy/WAN<WANPORT2>  
    mode            http
    log            global
    option            socket-stats
    option            http-keep-alive
    option            forwardfor
    acl https ssl_fc
    http-request set-header        X-Forwarded-Proto http if !https
    http-request set-header        X-Forwarded-Proto https if https
    maxconn            15
    timeout client        30000
    acl            Local_Lan    src 192.168.1.0/24
    acl            Local_VLan2    src 10.0.2.0/24
    acl            Local_VLan3    src 10.0.3.0/24
    acl            Local_VLan4    src 10.0.4.0/24
    acl            <HA>_acl    hdr_beg(host) -i <3RDLEVEL_SUBDOMAIN_2>
    acl            emby_acl    hdr_beg(host) -i <3RDLEVEL_SUBDOMAIN_1>
    acl            aclcrt_WAN<WANPORT2>    hdr_reg(host) -i ^<3RDLEVEL_SUBDOMAIN_1>\.<2NDLEVEL_DOMAIN>\.<1STLEVEL_DOMAIN>( :([0-9]){1,5})?$
    acl            aclcrt_WAN<WANPORT2>    hdr_reg(host) -i ^<3RDLEVEL_SUBDOMAIN_2>\.<2NDLEVEL_DOMAIN>\.<1STLEVEL_DOMAIN>( :([0-9]){1,5})?$
    use_backend <HA>_80-internal_http_ipv4  if  Local_Lan <HA>_acl aclcrt_WAN<WANPORT2>
    use_backend <HA>_80-internal_http_ipv4  if  Local_VLan2 <HA>_acl aclcrt_WAN<WANPORT2>
    use_backend <HA>_80-internal_http_ipv4  if  Local_VLan3 <HA>_acl aclcrt_WAN<WANPORT2>
    use_backend <HA>_80-internal_http_ipv4  if  Local_VLan4 <HA>_acl aclcrt_WAN<WANPORT2>
    use_backend <HA>_80-external_http_ipv4  if  <HA>_acl aclcrt_WAN<WANPORT2>
    use_backend emby8096_http_ipv4  if  Local_Lan emby_acl aclcrt_WAN<WANPORT2>
    use_backend emby8096_http_ipv4  if  Local_VLan2 emby_acl aclcrt_WAN<WANPORT2>
    use_backend emby8096_http_ipv4  if  Local_VLan3 emby_acl aclcrt_WAN<WANPORT2>
    use_backend emby8096_http_ipv4  if  Local_VLan4 emby_acl aclcrt_WAN<WANPORT2>
    use_backend emby8920_http_ipv4  if   aclcrt_WAN<WANPORT2>

frontend WAN<WANPORT>
    bind            <WANIPADDRESS>:<WANPORT> name <WANIPADDRESS>:<WANPORT>   
    mode            tcp
    log            global
    maxconn            5
    timeout client        30000
    default_backend <HA>_<WANPORT>_tcp_ipvANY

backend <HA>_80-internal_http_ipv4
    mode            http
    log            global
    timeout connect        30000
    timeout server        30000
    retries            3
    server            <HA> 10.0.4.8:80  resolvers globalresolvers resolve-prefer ipv4

backend <HA>_80-external_http_ipv4
    mode            http
    log            global
    timeout connect        30000
    timeout server        30000
    retries            3
    source ipv4@ usesrc clientip
    server            <HA> 10.0.4.8:80  resolvers globalresolvers resolve-prefer ipv4

backend emby8096_http_ipv4
    mode            http
    log            global
    timeout connect        30000
    timeout server        30000
    retries            3
    server            htpc_1 10.0.4.6:8096  resolvers globalresolvers resolve-prefer ipv4

backend emby8920_http_ipv4
    mode            http
    log            global
    timeout connect        30000
    timeout server        30000
    retries            3
    server            htpc_1 10.0.4.6:8920 ssl  verify none resolvers globalresolvers resolve-prefer ipv4

backend <HA>_<WANPORT>_tcp_ipvANY
    mode            tcp
    log            global
    timeout connect        30000
    timeout server        30000
    retries            3
    server            <HA>ouch 10.0.4.8:<WANPORT>  resolvers globalresolvers

Edited by Tur0k
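The frontend in the config above sends internal sources to Emby on 8096 and everything else to 8920 through ordered `use_backend` rules. The sketch below models that first-match routing; it is an added example, not part of the post, and the labels `emby`, `home`, the domain `example.org`, the helper `route` and the test addresses are constructed stand-ins for the scrubbed placeholders.

```python
import ipaddress
import re

# Constructed stand-ins for the scrubbed placeholders in the posted config.
EMBY_LABEL, HA_LABEL, DOMAIN = "emby", "home", "example.org"

# Local_Lan, Local_VLan2, Local_VLan3, Local_VLan4 from the frontend.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("192.168.1.0/24", "10.0.2.0/24", "10.0.3.0/24", "10.0.4.0/24")]

# aclcrt_WAN<WANPORT2>: anchored FQDN, modelled with an optional ":port".
CRT_RE = re.compile(
    r"^(?:%s|%s)\.%s(?::[0-9]{1,5})?$"
    % (re.escape(EMBY_LABEL), re.escape(HA_LABEL), re.escape(DOMAIN)),
    re.IGNORECASE)


def route(src_ip, host):
    """Return the backend the first matching use_backend rule selects.

    None means no rule matched; with no default_backend on the frontend,
    HAProxy answers such a request with a 503.
    """
    src = ipaddress.ip_address(src_ip)
    internal = any(src in net for net in INTERNAL)
    h = host.lower()
    ha_acl = h.startswith(HA_LABEL)      # hdr_beg(host) -i
    emby_acl = h.startswith(EMBY_LABEL)  # hdr_beg(host) -i
    crt = CRT_RE.match(host) is not None

    rules = [  # evaluated top to bottom, first match wins
        (internal and ha_acl and crt, "<HA>_80-internal_http_ipv4"),
        (ha_acl and crt, "<HA>_80-external_http_ipv4"),
        (internal and emby_acl and crt, "emby8096_http_ipv4"),
        (crt, "emby8920_http_ipv4"),
    ]
    for matched, backend in rules:
        if matched:
            return backend
    return None


if __name__ == "__main__":
    for ip, host in (("10.0.2.15", "emby.example.org"),
                     ("203.0.113.7", "emby.example.org"),
                     ("203.0.113.7", "other.example.org")):
        print(ip, host, "->", route(ip, host))
```

Sources outside the four listed networks, including a guest VLAN that is not in the ACLs, fall through to the 8920 backend in this model.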

FunkadelicRelic

@Tur0k - thanks for posting. Can I ask, why are you specifying resolvers globalresolvers in your backend configuration? I can see you are pointing the DNS to 2 of your internal clients - do you not use Unbound on the pfSense instance itself? Were you seeing odd DNS lookups?

 

Just curious as that is about the only difference I can see between our configs.

Link to comment
Share on other sites

I made some network changes in my home and now have 6 VLANS where I used to have only the default VLAN. I had some trouble with it and my reverse proxy. I run the local DNS resolver in PFSENSE and found that I forgot to add all the new VLANs to the network interfaces section. This caused queries from some of my VLANs to come up with nothing.

Link to comment
Share on other sites

  • 2 weeks later...
FunkadelicRelic

So just a bit of an update.

 

I picked up a new nVidia Shield TV (2017) today, and Emby works just fine through my HAProxy config. Everything I have thrown at it plays without fail.

 

I guess the issue may be either the older version of Android the TV was running or maybe the weaker specs. Who knows. All good from my point of view, I can fully make the switch from PLEX now. Happy days.

 

On a side note, I wish I'd bought a Shield TV earlier. We've put up with sluggish Android half-baked into the TV for nearly two years and the Shield just blows everything away. I am very happy with it. Even just navigating through the Emby GUI is a delight.

 

Now on to picking up a tuner so I can try out LiveTV! Then I'll never have to go back into the Sony menu ever again!

 

Thanks everyone who helped and contributed to the thread.

