
Real reverse proxy?


AeonLucid

Hi,

 

I've set-up a reverse proxy using Nginx.

I am able to watch my content through the web browser using my own domain.

 

However, when I use the mobile application, it is unable to connect to my server through Emby connect.

I assume this happens because my Emby instance does not know about the reverse proxy it has in front of it.

 

How can I make Emby aware of the reverse proxy so it gives Emby connect the proper url?

 

Emby dashboard

Emby advanced config

 

Edit: People seem to not understand the issue here. Emby connect advertises the wrong url to clients wanting to connect. Of course it's possible to manually enter the correct url but I want to have Emby connect working properly. 

Edited by AeonLucid

AeonLucid

> Why not connect directly to your domain on the mobile app, rather than through Emby connect?

I would like to save my users the trouble of having to do that.

 

That's exactly how my reverse proxy is setup and as I mentioned, works fine. The tutorial doesn't say anything about correcting Emby connect, which is what I am looking for.


CBers

> That's exactly how my reverse proxy is setup and as I mentioned, works fine. The tutorial doesn't say anything about correcting Emby connect, which is what I am looking for.

Not sure nginx and Emby Connect work together.

Perhaps @Swynol knows.

In the meantime, perhaps do as @adrianwi suggested.


adrianwi

I haven't used Emby Connect, but if it's anything like plex.tv then it will be connecting to your emby media server using a specific port that will need to be open and redirected in your router settings.  It shouldn't need to touch your reverse proxy, which I would assume is just redirecting traffic on port 80 (http) and 443 (https).

 

I just set up my friends and family as users in emby and then get them to connect directly to my server using https://emby.domain.com.  They select themselves from the list, enter the password and that's it.  You can set all the apps I've used to remember the username and password, so once it's done once that's it.

 

Can't imagine Emby Connect is that much easier.


Swynol

its probably a port forwarding issue. in emby server dashboard under advanced what ports are set as public http and https? 

 

with your reverse proxy is it listening on port 443 then forwarding to 8096?

 

what you probably need to do is on your router, forward ports 8096 and 8920 to your emby server. emby connect should then work.


Swynol

there is an alternative way. if emby is your only service then you can do it without NGINX. You can change the public https port to 443 in emby server dashboard. put your domain in the domain box and your .pfx in the certificate box. 

 

that way you still connect to your emby server with your domain name on port 443 and emby connect will also use port 443


AeonLucid

> its probably a port forwarding issue. in emby server dashboard under advanced what ports are set as public http and https?
>
> with your reverse proxy is it listening on port 443 then forwarding to 8096?
>
> what you probably need to do is on your router, forward ports 8096 and 8920 to your emby server. emby connect should then work.

 

Yes my reverse proxy is properly working as I said in the OP. 

No I don't have to forward port 8096 and 8920 because it will then bypass the nginx proxy, therefore not being a real reverse proxy. 

 

> there is an alternative way. if emby is your only service then you can do it without NGINX. You can change the public https port to 443 in emby server dashboard. put your domain in the domain box and your .pfx in the certificate box.
>
> that way you still connect to your emby server with your domain name on port 443 and emby connect will also use port 443

 

I have multiple services running so this won't do it for me. 


Swynol

If you want emby connect to work you need to forward the ports.

 

Reason is emby connect uses the ports that are set in advanced / security.

 

You can’t set emby to use port public or private 443 because nginx is using it. There’s no other way to use it other than telling people to use your domain name rather than emby connect

 

 

Sent from my iPhone using Tapatalk


AeonLucid

> If you want emby connect to work you need to forward the ports.
>
> Reason is emby connect uses the ports that are set in advanced / security.
>
> You can’t set emby to use port public or private 443 because nginx is using it. There’s no other way to use it other than telling people to use your domain name rather than emby connect
>
> Sent from my iPhone using Tapatalk

Yeah that's what I figured.

 

I'm going to try to implement an override for the remote wan access url in the advanced settings later today if I can figure out how to setup the dev environment.


Swynol

just had another thought. if you port forward external ports 8920 and 8096 to internal port 443 pointing to NGINX that might work. 

 

alternatively change the ports in emby server to http 8080 public and https 8443 public then forward those ports to 443 internal.

 

I've not tried this but no reason it shouldn't work.

  • Like 1

AeonLucid

> just had another thought. if you port forward external ports 8920 and 8096 to internal port 443 pointing to NGINX that might work.
>
> alternatively change the ports in emby server to http 8080 public and https 8443 public then forward those ports to 443 internal.
>
> I've not tried this but no reason it shouldn't work.

That might trick emby into using the reverse proxy yeah. I'll do that if the override I mentioned above your post fails or takes too long.


AeonLucid

The route I thought of is hard to do because the dependency "Emby.Server.Connect.dll" is not open-source. Otherwise it would be pretty easy.

 

I'll try @Swynol's approach.


adrianwi
I think you might have problems with http requests if you just port forward everything to 443.  If you're trying it like this, I'd forward the http traffic to port 80 and the https traffic to 443, and then deal with the redirection back to your emby media server in your reverse proxy configuration.

mastrmind11

What @Luke said, but if you want to get nginx involved for a bit more control, I do 80 and 443 to nginx and let nginx figure it out.  fwiw


pir8radio

Like Luke said, I don't get why setting your public ports in emby won't make it work for you?    Emby doesn't actually bind to those "public" ports, it only binds to the local ones, so it WILL work with nginx.    Unless the linux version does something funky...  I use nginx, emby connect and only have 80 & 443 exposed via my router.  

 


AeonLucid

Managed to get it 'working' by putting the Public https port number to 443 and Require https for external connections to true.

 

My reverse nginx proxy had to be forwarded to the Local https port number in order to stop redirect loops though.

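The setup AeonLucid describes in the post above, sketched as an nginx configuration. This is an added example, not a configuration posted by anyone in the thread. The hostname emby.example.com, the certificate paths, the loopback upstream address and the local HTTPS port 8920 are assumptions.

```nginx
# Added example (not from the thread). Assumed values: emby.example.com,
# the certificate paths, and Emby on 127.0.0.1 with local HTTPS port 8920.
#
# Matching Emby settings reported in the thread:
#   Public https port number                 = 443
#   Require https for external connections   = true
# The router forwards only 80 and 443 to nginx. 8096 and 8920 stay closed,
# so no client can reach Emby without passing through the proxy.

# Port 80 does nothing except redirect to HTTPS.
server {
    listen 80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name emby.example.com;

    ssl_certificate     /etc/nginx/tls/emby.example.com.fullchain.pem;  # placeholder path
    ssl_certificate_key /etc/nginx/tls/emby.example.com.key.pem;        # placeholder path

    location / {
        # Proxy to Emby's local HTTPS port. The post above reports redirect
        # loops until the proxy was pointed at the local https port.
        # nginx does not verify the upstream certificate by default
        # (proxy_ssl_verify off), so a self-signed certificate loaded into
        # Emby is accepted on this loopback hop.
        proxy_pass https://127.0.0.1:8920;

        # Pass the original host, client address and scheme to the backend.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Let WebSocket upgrade requests through the proxy.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```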

Tur0k

So I use a reverse proxy (HAPROXY on PFSense). I have a purchased domain and use let's encrypt SSL certificates. Each of my back end resources uses its own subdomain (so I don't mess with URL requests after the ".com/" in the RP).

On my firewall I only open port 443 for secured connections to the public Internet. I also resolve many backend resources through my reverse proxy. In my reverse proxy I match based on URL request (ex: sub1.mydomain.com, sub2.mydomain.com, sub3.mydomain.com). I dynamically use my ssl certs for each subdomain based on URL request.

I have two backend servers in my RP for Emby. The first is for secure connections to port 8920. It passes source IP. The second is for insecure connections to port 8096. I have ACL rules and actions that route public Internet requests to the secure backend server. Internal requests route to the insecure backend server.

 

I have a DHCP reserved IP address for the server that hosts the Emby server service. I

 

Emby server is open internally on port 8096 and 8920. I have advanced firewall rules that allow inbound comm on both ports. I have allowed edge traversal on port 8920 on the advanced inbound rule for 8920.

 

On Emby's advanced page (server dashboard - advanced) I have the following setup:

 


 

To the best of my understanding, the local HTTP/HTTPS fields and Public HTTP/HTTPS fields are meant to allow the Emby server config to account for port translation from a firewall (ex: 443) to an internal port on the host server (ex: 8920).

 

 

I do have the appropriate subdomain (ex: sub1.mydomain.com) listed in the external domain field.

 


 

Note: in order to enable the setting "require HTTPS for external connections" I had to load a certificate. I use HAproxy and SSL offload the let's encrypt certs there (and it is easier to administer them there). I created a self-signed one with a password and loaded it into Emby server to get this working.

 

On my dashboard (server dashboard - dashboard) I see the appropriate URL in the "remote wan access" field (ex: https://sub1.mydomain.com:443).

 

Then I added my Emby connect account to one of my non-admin local Emby server user accounts (server dashboard - users). This way if someone does brute-force my Emby connect account I am not worried about them deleting all my content or some other nonsense.

 

As I have only 1 front end tied to my wan interface I enabled NAT reflection (AKA: WAN loopback) on my firewall to allow both internal and external requests to work.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

SkyBehind

> Like Luke said, I don't get why setting your public ports in emby won't make it work for you?    Emby doesn't actually bind to those "public" ports, it only binds to the local ones, so it WILL work with nginx.    Unless the linux version does something funky...  I use nginx, emby connect and only have 80 & 443 exposed via my router.

 

Same, only 443 and 80 exposed and Emby Connect works fine through Nginx Reverse Proxy.


makarai

Hey Guys, 

 

@Tur0k

I also use HAProxy on my PFsense, I also just expose port 443 on my PFsense and forward it to the HAProxy ip that then does the traffic navigation. Do you setup the emby backend with or without ssl termination? I basically handle ssl on the haproxy and don't even bother with what emby does, so i have the https option unticked in emby, the only thing i run on my backends that needs ssl termination is "nextcloud" which needs ssl encryption between the haproxy and the server that hosts nextcloud.

 

Are there any special options you tick on the backend or frontend so you get good performance? I am an absolute beginner in all of this. I posted a guide on the PFsense forum with my settings

https://forum.pfsense.org/index.php?topic=134227.msg736816#msg736816 maybe you can check that one out :D Unfortunately you have to be signed in to the forum to see the pictures :D

Edited by makarai