
Configuration to use the Android client to access a server behind a reverse-proxy


TheFreeMan


I originally posted this in the Security 101 thread, but figured I'd end my thread jack and post it here, which seems like a more appropriate location.

 

The original post:

 

 

I've got the emby server running in a docker container on my server. I also have a LetsEncrypt/Nginx docker running. I had no problem getting my nginx config set up to be able to reverse proxy access my server from the outside world (forcing everything over HTTPS).
     
    What I haven't figured out is how do I get the emby apps (Android, XBOX, smart TV, etc) to access the emby server now that it's behind the reverse proxy. Sitting here in front of my computer, with WiFi turned off on my phone, the Android app just spins and spins until it finally times out. If I turn WiFi back on, it connects pretty quickly.
     
    I'm also running OpenVPN, so I can establish a VPN tunnel to the server then access emby via the app with no problem, but I don't think my son in the Army can do that from his Xbox, and it does seem (without any absolute testing whatsoever) to be a bit slower that way.
     
    I read the post by @Swynol on reverse proxying but that doesn't seem to be what I'm after (I've already got that working), and I looked through his blog post linked earlier in this thread.

    I saw this post from @ earlier in this thread, as well. I've looked at that configuration page and I'm not sure exactly what those settings will do, so before enabling anything there, I want to make sure I'm not going to lock myself out of my setup by misconfiguring things.

    If I go to the Advanced page in settings and put "mydomain.com" in the External Domain field, point the Custom ssl certificate path to the location where nginx stores all its certs (I've got .pem files and .pfx files), then hit the https check box, can I then put "mydomain.com" in my app's server Host entry? Would I use 8096 or 443 for the port?

    As a note - I "own" the domain - it's a free ddns from changeip.com, I don't have anything setup through emby's dns service.

 

@Swynol was kind enough to reply with this:

 

Hi @TheFreeMan

When you say how do I get the emby apps to access the server - do you mean internally or externally? If internally use the LAN IP, externally they can connect using your domain name https://..... and port 443 (I'm guessing you have port forwarded 443 on your router to your docker running NGINX). If you just turn the wifi off and it doesn't connect it's probably still pointing to your LAN IP.

I mean externally - If I'm internal I do just point at the server's IP address. Externally, the expectation is to point the Android client at something like https://emby.mydomain.com and have nginx handle the internal redirection.

 

With NGINX does it point to emby on port 8096 or 8920? If you tick the box to force everything HTTPS then you need a valid PFX cert and password in emby server. Unless you use Alexa with emby I recommend NOT ticking the force HTTPS. And use NGINX config to redirect anything on port 80 http to port 443 https.

nginx is forwarding all :80 requests to :443, then it's pointing at port 8096 for emby
 

When using a VPN tunnel remotely it connects to your internal network so your app is probably still using the LAN IP which is why it works over VPN.

Correct. I'm good to go with this and can connect from my cell phone with the app when the VPN is enabled. From a browser (at work or mobile off the home network) I can connect to https://emby.mydomain.com, get prompted for my nginx credentials, then get presented with the emby login.

 

If you fill in the Advanced page in emby server with your domain name, pfx, password and then port forward 8920 on your router to emby server then you can connect to your emby server using your domain name (HTTPS with port 8920).

 

This is where I got a bit lost. I put the domain name in the domain field and put the full path & file name of the .pfx in the SSL cert path. I'd initially checked the 'force HTTPS' box, but based on your recommendation (and not owning or planning on owning an Alexa), cleared the box. I'm not sure what password to put in the password field - nginx took care of creating all the certs for me. Maybe I fed it a password and forgot to record it for the future???

 

Finally - you mention forwarding port 8920 at the router. I thought the whole point of the reverse proxy was that I wouldn't need a port forward beyond 80 & 443. If I forward 8920, aren't I bypassing the nginx proxy by talking directly to the emby server? If I'm going to do that, I have no need for nginx in the first place, and I'm counting on emby's security to keep the bad guys out. (Not claiming it's weak, just want to use nginx...)


TheFreeMan

Thanks for stopping by, Doofus-

 

I have read Swynol's notes. As I read it, that's for configuring nginx itself, which I've already done. From a browser, I can hit my emby (or any of my other) server, get prompted for my nginx password and get through to the service behind it. I'm sure there are some tweaks in that thread that I should probably embrace, but haven't yet. If I've missed something in there about how that works with the apps, please break out the clue-bat and give me a good beating...

 

What I'm not able to do is get the emby app for Android (or anything else, I only have an android phone to play with) to connect to my emby server through the reverse proxy. I believe the right track is configuration settings on the `Advanced` page in the emby settings, but, I'm a bit confused by what to put in there. I've tried a few different things but haven't gotten any of them to work.

 

I can get the app to connect if I first create a VPN tunnel, but then my phone is effectively on my home network and it works by pointing directly to the internal 192.168.x.x IP address. I'm OK with doing that for myself, but my kids probably won't want to put up with the hassle, and I'm not aware of any OpenVPN client that can be installed on an Xbox One.


pir8radio

I can hit my emby (or any of my other) server, get prompted for my nginx password and get through to the service behind it.

 

What I'm not able to do is get the emby app for Android (or anything else, I only have an android phone to play with) to connect to my emby server through the reverse proxy.

 

So in the first line you say you have nginx set up with basic authentication (nginx password), and it works. The apps won't work with basic authentication like that. Unless I'm misunderstanding.


Swynol


I think @pir8radio has hit the nail on the head.

 

If you are using NGINX for authentication first before getting to your Emby login then this is likely why some apps aren't working. Devices such as the Roku won't know what to do with the NGINX auth. It would be expecting to see your emby login.

 

When using the VPN tunnel it's bypassing NGINX so that's why it is working that way.

  • Like 1
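
An added example, not a config posted by anyone in this thread: an nginx server block for the setup discussed above, with the proxy-level password prompt shown commented out as the "before" state and switched off for the Emby hostname. The hostname and ports are the ones mentioned in the posts; `EMBY_LAN_IP` and the certificate and `.htpasswd` paths are placeholders.

```nginx
# Added example. Placeholders: EMBY_LAN_IP, certificate paths, .htpasswd path.

# Port 80: redirect every request to HTTPS, as described in the thread.
server {
    listen 80;
    server_name emby.mydomain.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name emby.mydomain.com;

    ssl_certificate     /path/to/fullchain.pem;   # placeholder
    ssl_certificate_key /path/to/privkey.pem;     # placeholder

    # Before: an nginx password prompt in front of Emby. A browser shows
    # the prompt; per the replies above, the Emby apps do not work with it.
    #   auth_basic           "Restricted";
    #   auth_basic_user_file /path/to/.htpasswd;  # placeholder

    # After: no proxy-level prompt on this hostname, so clients land on
    # the Emby login itself. Emby's own accounts are then the only gate.
    auth_basic off;

    location / {
        # nginx terminates TLS and talks plain HTTP to Emby on the LAN.
        proxy_pass http://EMBY_LAN_IP:8096;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Pass WebSocket upgrade requests through to the backend.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

With this in place only 80 and 443 are forwarded at the router and the app is pointed at https://emby.mydomain.com on port 443. Because the nginx prompt is gone for this hostname, every Emby user account needs a strong password.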

TheFreeMan

Having a sad...

 

I was hoping to be able to do all the config bit at my end so the kids would be able to download the app, plug in the config info I give them and "it just works". Ah well...

 

Thanks for the input everyone.
