
Real reverse proxy?


AeonLucid

Recommended Posts

You could do it either way. Currently I force SSL on public Internet access. I think I started doing this when I first switched to port 443 from 8920. I can test fully offloading tomorrow. I would pay attention to the way that accounts are allowed to log in. If you have users that have a PIN, I wonder if they are allowed to use a PIN when on the public Internet. I will note a few other things based on your screenshots here:

In my firewall I enabled NAT reflection in order to allow me to access the resources while on the local LAN.

Also, I disable deprecated or near-deprecated cryptographic protocols and ciphers in:
Settings - Global Advanced pass thru - Custom options
This allows me to globally block SSL 2, SSL 3 and TLS 1, as well as forcing modern cipher compatibility as listed here: https://wiki.mozilla.org/Security/Server_Side_TLS#Recommended_configurations

Be careful, this is a double-edged sword. If you have legacy devices you are still supporting, setting your browser to modern compatibility only may cause those devices to not function properly.

I use ACL and Action rules on the front end to determine:
1.  Which backend resources the source is requesting

2.  Whether the source is on one of my local LANs or the public Internet.
     A.  If the source is on one of my local LANs I do not forward the source IP address to the backend server.
     B.  If the source is on the public Internet, I forward the source IP address to the backend server.
     Note: I do this because there are some features that can be dynamically turned on or off based on whether the client is a public or internal source. Also, some software has brute-force attack protection and would need to know if the source is on the public Internet to function properly.

3.  I use a separate, publicly fully trusted SSL cert for each of my subdomains that ties to a separate backend server. This means I don't need to stand up a CA locally and deploy it to my clients' systems. Based on the SNI I dynamically hand out the appropriate SSL cert using SSL offloading on the front end.

Lastly, in my Action rule, if the request does not match any of the ACL action rules I have set up, the requester is redirected to a dead node. I learned this from a friend that used it to address IP block port scanning and brute-force attacks that found his WAN. The only other thing I think you could do is set up HTTP monitoring on your backend resources in order to stop forwarding in the event that it goes down.
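As an added example (not AeonLucid's configuration, nor anything from the Emby project), here is how the front-end rules above map onto an HAProxy configuration: per-subdomain certificates selected by SNI, backend selection by SNI, the source IP forwarded only for public clients, an empty dead-end backend for unmatched requests, and a health check that stops forwarding while the backend is down. The hostnames, LAN ranges, backend addresses and health-check path are assumptions.

```haproxy
global
    # Refuse SSLv3, TLS 1.0 and TLS 1.1 on every TLS listener and pin a modern
    # ECDHE/AEAD cipher list, along the lines of the Mozilla server-side TLS guide.
    ssl-default-bind-options no-sslv3 no-tlsv10 no-tlsv11
    ssl-default-bind-ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305

defaults
    mode    http
    option  httplog
    timeout connect 5s
    timeout client  60s
    timeout server  60s

frontend public_https
    # SSL offloading: TLS ends here. Given a directory, HAProxy picks the PEM whose
    # CN/SAN matches the client's SNI, so each subdomain carries its own public cert.
    bind :443 ssl crt /etc/haproxy/certs/

    # 1. Which backend is requested: decided from the SNI name the client sent.
    acl sni_emby  ssl_fc_sni -i emby.example.com
    acl sni_other ssl_fc_sni -i other.example.com

    # 2. Local LAN or public Internet? (RFC 1918 ranges assumed; adjust to your LANs.)
    acl src_lan src 192.168.0.0/16 10.0.0.0/8 172.16.0.0/12

    # 2A/2B. Forward the real client address only for public sources. set-header
    # overwrites any X-Forwarded-For the client supplied, so it cannot be spoofed to
    # bypass backend brute-force protection; LAN clients get the header stripped.
    http-request set-header X-Forwarded-For %[src] if !src_lan
    http-request del-header X-Forwarded-For if src_lan
    http-request set-header X-Forwarded-Proto https

    use_backend emby  if sni_emby
    use_backend other if sni_other
    # Fallback: no ACL matched (bare-IP scans, unknown hostnames). Send it to a backend
    # with no servers, so HAProxy answers 503 itself and no real host sees the request.
    default_backend dead_end

backend emby
    # Health check so forwarding stops while the server is down
    # (the check path is an assumption; use a URL your server answers 200 on).
    option httpchk GET /emby/System/Info/Public
    http-check expect status 200
    server emby1 192.168.10.20:8096 check

backend other
    server other1 192.168.10.21:8080 check

backend dead_end
    # Intentionally empty: nothing to forward to.
```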


  • 1 month later...
bobwinters

Did we find a fix for this? I've spent the last month learning and setting up my media server in Linux. I'm almost done and it's slightly irritating that I can't get Emby Connect to work. :(

I'm running a reverse proxy, emby.example.com, which forwards port 80 requests to 443.

I've changed the public ports in Emby.

When I try to log in through app.emby.tv it comes up with this error message:

We're unable to connect to the selected server right now. Please ensure it is running and try again.

Oddly enough, I've tested it with the Android app and it works. A message displays asking to accept my Let's Encrypt certificate. Once I hit okay, it went through fine.


pir8radio

Did we find a fix for this? I've spent the last month learning and setting up my media server in Linux. I'm almost done and it's slightly irritating that I can't get Emby Connect to work. :(

I'm running a reverse proxy, emby.example.com, which forwards port 80 requests to 443.

I've changed the public ports in Emby.

When I try to log in through app.emby.tv it comes up with this error message:

Oddly enough, I've tested it with the Android app and it works. A message displays asking to accept my Let's Encrypt certificate. Once I hit okay, it went through fine.

Your issue is different. What port is nginx set up to connect to Emby on (proxy pass)? Is there an SSL cert installed on Emby? If not, and you are just connecting with HTTP, you probably need to modify the Emby XML config and enable HTTPS there.


bobwinters

Your issue is different. What port is nginx set up to connect to Emby on (proxy pass)? Is there an SSL cert installed on Emby? If not, and you are just connecting with HTTP, you probably need to modify the Emby XML config and enable HTTPS there.

Nginx connects to Emby on HTTP. No cert installed in Emby. I modified the system.xml to require HTTPS for external connections. Still the same error message. :(


pir8radio

Nginx connects to Emby on HTTP. No cert installed in Emby. I modified the system.xml to require HTTPS for external connections. Still the same error message. :(

You should have changed only <enableHTTPS>true</enableHTTPS>, so if you changed something else, change it back. :-)


bobwinters

You should have changed only <enableHTTPS>true</enableHTTPS>, so if you changed something else, change it back. :-)

Oops. :ph34r: I changed RequireHttps back to false and changed enableHTTPS to true. Still the same error message though. I can reach the login screen, but I just can't sign in.


pir8radio

Oops. :ph34r: I changed RequireHttps back to false and changed enableHTTPS to true. Still the same error message though. I can reach the login screen, but I just can't sign in.

Oh, well that's yet a different issue. Where are you trying to log in using "Emby Connect"? app.emby.media? You log in to that page using this forum login info, not your normal Emby account info. Are you doing that? Then you can add your server and what not.


bobwinters

Oh, well that's yet a different issue. Where are you trying to log in using "Emby Connect"? app.emby.media? You log in to that page using this forum login info, not your normal Emby account info. Are you doing that? Then you can add your server and what not.

I was using app.emby.media. I tried re-adding the Emby server and it's now working! :) :D :lol:

Thanks for the help @pir8radio


  • 5 months later...
AndyBlaser

To me this looks like a bug. If I define

mydomain.com/emby

Emby should recognise the presence of a subpath and add the port in front of the slash (mydomain.com:443/emby) instead of behind it (mydomain.com/emby:443), because this is obviously wrong.

Having to inform users that they should enter the server address manually is not really a solution and defeats the purpose of Emby Connect in my opinion.


AndyBlaser

Hi Luke, thanks a lot for your reply!

Emby's behaviour regarding subpaths seems off. As I described above, the port should not be added at the very end, but before the slash. In my case, the path to Emby is https://subdomain.domain.com/emby, but Emby adds the port to the end (i.e. https://subdomain.domain.com/emby:443) for the external address, which is obviously wrong. The port should be added before the slash (i.e. https://subdomain.domain.com:443/emby).

Because of this behaviour my users cannot connect to the server via Emby Connect. I have to give them the right address instead, which seems tedious and kind of defeats the purpose of having Emby Connect at all.

I hope this makes it clear what I meant in my first post. I really appreciate your help!


We don't support entering sub paths into the apps. So it's not off, rather just don't do that. The apps will already take care of adding /emby themselves. Please let us know if this helps. Thanks.


vash265

I've been having some trouble with this myself using an Apache server. My reverse proxies work fine when I use the Android app or my web browser, but when I try using the FireStick app I get this error message in my log file:

 

2018-07-04 21:01:03.418 Info HttpServer: HTTP POST http://<URL>:8096/emby/Items/367cb42b535f978c269bc7ba5a384822/PlaybackInfo?format=json. UserAgent: Dalvik/2.1.0 (Linux; U; Android 5.1.1; AFTT Build/LVY48F)

2018-07-04 21:01:03.427 Error HttpServer: Error processing request
*** Error Report ***
Version: 3.4.1.0
Command line: /opt/emby-server/system/EmbyServer.dll -programdata /var/lib/emby -ffmpeg /opt/emby-server/bin/ffmpeg -ffprobe /opt/emby-server/bin/ffprobe -restartexitcode 3 -updatepackage emby-server-deb_{version}_amd64.deb
Operating system: Unix 4.15.0.23
64-Bit OS: True
64-Bit Process: True
User Interactive: True
Processor count: 4
Program data path: /var/lib/emby
Application directory: /opt/emby-server/system
System.ArgumentNullException: Value cannot be null.
Parameter name: g
  at System.Guid..ctor(String g)
  at Emby.Server.Implementations.Library.UserManager.GetUserById(String id)
  at Emby.Server.MediaEncoding.Api.MediaInfoService.<GetPlaybackInfo>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.MediaEncoding.Api.MediaInfoService.<Post>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.Services.ServiceExecGeneral.<GetTaskResult>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.Services.ServiceHandler.<ProcessRequestAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.HttpServer.HttpListenerHost.<RequestHandler>d__70.MoveNext()
System.ArgumentNullException
  at System.Guid..ctor(String g)
  at Emby.Server.Implementations.Library.UserManager.GetUserById(String id)
  at Emby.Server.MediaEncoding.Api.MediaInfoService.<GetPlaybackInfo>d__17.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.MediaEncoding.Api.MediaInfoService.<Post>d__19.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.Services.ServiceExecGeneral.<GetTaskResult>d__3.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.Services.ServiceHandler.<ProcessRequestAsync>d__13.MoveNext()
--- End of stack trace from previous location where exception was thrown ---
  at System.Runtime.ExceptionServices.ExceptionDispatchInfo.Throw()
  at System.Runtime.CompilerServices.TaskAwaiter.HandleNonSuccessAndDebuggerNotification(Task task)
  at Emby.Server.Implementations.HttpServer.HttpListenerHost.<RequestHandler>d__70.MoveNext()
 
2018-07-04 21:01:03.427 Info HttpServer: HTTP Response 400 to <REMOTE IP>. Time: 9ms. http://<URL>:8096/emby/Items/367cb42b535f978c269bc7ba5a384822/PlaybackInfo?format=json
 
My setup for the server forwards all http requests to https.  My conf file for emby is below:

<VirtualHost *:80>
        ServerName emby.<URL>.com
        UseCanonicalName on
        Redirect / https://emby.<URL>.com/
</VirtualHost>
 
 
<VirtualHost *:443>
        ServerName emby.<URL>.com
 
 
        # setup the proxy
        <Proxy *>
                Order allow,deny
                Allow from all
        </Proxy>
        ProxyRequests     Off
        ProxyPreserveHost On
 
        Header        set        Connection "Upgrade"
        RequestHeader setifempty Connection "Upgrade"
        Header        set        Upgrade "websocket"
        RequestHeader setifempty Upgrade "websocket"
 
        # Notice!!! Put me before http!!!
        ProxyPass        /embywebsocket ws://localhost:8096/embywebsocket
        ProxyPassReverse /embywebsocket ws://localhost:8096/embywebsocket
 
        ProxyPass        /emby/embywebsocket ws://localhost:8096/emby/embywebsocket
        ProxyPassReverse /emby/embywebsocket ws://localhost:8096/emby/embywebsocket
 
        ProxyPass / http://localhost:8096/
        ProxyPassReverse / http://localhost:8096/
 
        SSLEngine on
        SSLCertificateFile <PATH>
        SSLCertificateKeyFile <PATH>
        Include <PATH>
</VirtualHost>

I've tried setting the public port numbers and using both Force HTTPS and the "Handled by reverse proxy" options in the Emby admin page, but I'm still getting the same error (the first quoted part in this response).

And to reiterate, the only app that fails to connect successfully is the FireStick app. My iPhone app, Android app, and browser connections are all successful.

The reason I'm posting in this thread is that I was initially having problems with the reverse proxy for web sockets, and I'm unsure if this is related to that, or if it's simply a bug in the FireStick application.

Thanks for any help you can offer!

Edit - I should also mention that I'm attempting to connect directly via my URL, not through Emby Connect or a similar service, on all the devices and apps I've tried.

mastrmind11

I've been having some trouble with this myself using an Apache server. My reverse proxies work fine when I use the Android app or my web browser, but when I try using the FireStick app I get this error message in my log file:

My setup for the server forwards all http requests to https. My conf file for emby is below:

I've tried setting the public port numbers and using both Force HTTPS and the "Handled by reverse proxy" options in the Emby admin page, but I'm still getting the same error (the first quoted part in this response).

And to reiterate, the only app that fails to connect successfully is the FireStick app. My iPhone app, Android app, and browser connections are all successful.

The reason I'm posting in this thread is that I was initially having problems with the reverse proxy for web sockets, and I'm unsure if this is related to that, or if it's simply a bug in the FireStick application.

Thanks for any help you can offer!

Edit - I should also mention that I'm attempting to connect directly via my URL, not through Emby Connect or a similar service, on all the devices and apps I've tried.

Self-signed certs? What happens w/ the FireStick if you disable the proxy and connect directly?


vash265

Self-signed certs? What happens w/ the FireStick if you disable the proxy and connect directly?

Let's Encrypt certs. I'll try opening my router's ports when I'm back home later and check back to see if that has any effect.


AndyBlaser

We don't support entering sub paths into the apps. So it's not off, rather just don't do that. The apps will already take care of adding /emby themselves. Please let us know if this helps. Thanks.

Thanks for the clarification! Just to put it differently, making sure I fully understand: Emby apps will add the subpath "/emby" if it cannot find an Emby instance in the root directory? Because in my case Emby is running inside a Docker environment on an OMV server, which I can reach using just my external address. I now removed the subpath (i.e. only "subdomain.domain.com") and it seems to work flawlessly now.

Perhaps it would be helpful to mention this in the documentation or below the setting itself? Or if subpaths are not allowed (I honestly still don't understand why), it should not be possible at all. Maybe a slash should be disallowed?


pir8radio

My setup for the server forwards all http requests to https. My conf file for emby is below:

The devices you are having trouble with, are you entering https://abcd.com:443, or do you have the HTTP address in, expecting it to abide by the redirect? Some device OSes do not allow redirects to HTTPS; you would have to use HSTS or enter the HTTPS address directly in the app.


vash265

The devices you are having trouble with, are you entering https://abcd.com:443, or do you have the HTTP address in, expecting it to abide by the redirect? Some device OSes do not allow redirects to HTTPS; you would have to use HSTS or enter the HTTPS address directly in the app.

I entered https://emby.<DOMAIN>.com, and am expecting it to redirect internally to the Emby server. This works on the Roku application as well.


pir8radio

I entered https://emby.<DOMAIN>.com, and am expecting it to redirect internally to the Emby server. This works on the Roku application as well.

Understood, but you are using HTTPS and not HTTP, correct? In the actual Emby client app?


vash265

Understood, but you are using HTTPS and not HTTP, correct? In the actual Emby client app?

Yeppers.
