3 Sony ATVs, all exhibit the same issue

[mastrmind11 717]

I posted something semi unrelated a few weeks ago about the same problem on the same ATV at a different location.  I am completely unable to connect to my server remotely from any of these tvs, manually or using connect, via 80 or 443.  I get an immediate "connection failed" message after hitting OK.  I am able to connect to the server using every other non-TV device on the same network w/o issue.  Since I have until tomorrow morning to get this figured out or try again in a couple months, I'm hoping we can figure something out.

 

My server is behind nginx, 80 and 443 are forwarded to my local internal IP on 8096.  nginx and emby are on the same box, emby is running in a docker container in host mode. 

 

I did some digging this morning and found this in the nginx error log, which corresponds to the time I was trying to connect from the TV (sensitive stuff redacted):

2018/03/30 21:58:06 [error] 20801#20801: *84301 connect() failed (111: Connection refused) while connecting to upstream, client: client_ip, server: , request: "GET /emby/System/Info HTTP/2.0", upstream: "http://10.0.1.152:8096/emby/System/Info", host: "my_domain_name"

There are success entries in the access.log from the same timeframe when I was testing other devices on the same network.

 

Here is my nginx config:

server {

        listen 80 default_server;
        listen [::]:80 default_server;
    
        server_name my_domain.com 10.0.1.152;
        return 301 https://$server_name$request_uri;

}

server {

 # SSL configuration

 include /etc/nginx/proxy.conf;

 listen 443 ssl http2 default_server;
 listen [::]:443 ssl http2 default_server;
 include /etc/nginx/snippets/strong-ssl.conf;
 ssl_certificate /etc/letsencrypt/live/my_domin.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/my_domain.com/privkey.pem;

 # Root location
root /var/www/html;


 # Add index.php to the list if you are using PHP
 index index.html index.htm index.php index.nginx-debian.html;
 
 # Basic Auth to protect the site
# auth_basic "Restricted";
# auth_basic_user_file /etc/nginx/.htpasswd;

 # Change the client side error pages (4xx) to prevent some information disclosure
 error_page 401 403 404 /404.html;

 # First attempt to serve request as file, then as directory,
 # then fall back to displaying a 404.
 
 # Deny access to .htaccess files, if Apache's document
 # root concurs with nginx's one
 
 location ~ /\.ht {
          deny all;
 }

# Let's Encrypt Webroot plugin location -- allow access

 location ^~ /.well-known/acme-challenge/ {
          auth_basic off;
          autoindex on;
       }

# Location settings for reverse proxy; enable those you wish to use
# by removing the # from the section between the location line and the last }
#

location / { #emby at root of webserver
proxy_pass http://10.0.1.152:8096; 

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
}

I don't understand why literally every other device I've tried work, but not these TVs.  2 TVs on this network, 1 TV on a different network, all the same brand.  Please help!

 

EDIT:  I'm not sure how those entries got into the nginx error log.  I'm trying to connect from a TV again and it's failing, but I'm not seeing any corresponding entries in the error.log.

Edited March 31, 2018 by mastrmind11

[mastrmind11 717]

Ok, now I'm tailing the nginx access.log and whenever I hit the server I'm seeing 301 responses.  Huh?

 

 

[31/Mar/2018:10:02:07 -0400] "GET /emby/system/info/public?format=json HTTP/1.1" 301 178 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0; BRAVIA 4K GB Build/NRD91N.S101)"

[mastrmind11 717]

And this is what I get when I hit the server via a web browser on the TV:

[31/Mar/2018:10:20:15 -0400] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156"
[31/Mar/2018:10:20:15 -0400] "GET / HTTP/2.0" 302 156 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156"
[31/Mar/2018:10:20:15 -0400] "GET /web/index.html HTTP/2.0" 200 1614 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156"

[mastrmind11 717]

Ok, so I opened 8096->8096 and I can log in, so something is jacked w/ my nginx.  I'd appreciate any insight.  @@pir8radio @@Swynol, got any ideas?

[pir8radio 1292]

Ok, so I opened 8096->8096 and I can log in, so something is jacked w/ my nginx.  I'd appreciate any insight.  @@pir8radio @@Swynol, got any ideas?

 

Some of the apps dont like redirects, are your tv's setup to connect to HTTPS Port 443 or are you expecting them to redirect on their own and using http port 80?   along the same lines do you have emby setup for https?  what do you see reported when you go to: https://yourdomain.com/emby/system/info/public/ an http address or an https one?

Edited March 31, 2018 by pir8radio

[mastrmind11 717]

Some of the apps dont like redirects, are your tv's setup to connect to HTTPS Port 443 or are you expecting them to redirect on their own and using http port 80?   along the same lines do you have emby setup for https?  what do you see reported when you go to: https://yourdomain.com/emby/system/info/public/ an http address or an https one?

I'm expecting them to redirect when I hit port 80.  I have not touched the emby settings regarding SSL.  /public shows an http WAN address (and local address on 8096)

[pir8radio 1292]

I'm expecting them to redirect when I hit port 80.  I have not touched the emby settings regarding SSL.  /public shows an http WAN address (and local address on 8096)

 

Ok i would first start with editing the config and changing (i think its, <EnableHttps>true</EnableHttps>) see if that link reports back https then..  see if that helps, otherwise you will probably have to enter the https addresses into the tv apps. 

[Luke 37095]

in the beta server you no longer need to edit the config file. the config page will set those values based on what you select.

[mastrmind11 717]

Ok i would first start with editing the config and changing (i think its, <EnableHttps>true</EnableHttps>) see if that link reports back https then..  see if that helps, otherwise you will probably have to enter the https addresses into the tv apps. 

But isn't my nginx settings forwarding both 80 and 443 to 8096?  WHen I point to 443 from the TV, I get a 400 response from nginx.

 

And why does this setup work w/ literally every other device I've tried?  Is it the redirect you mentioned?

[pir8radio 1292]

But isn't my nginx settings forwarding both 80 and 443 to 8096?  WHen I point to 443 from the TV, I get a 400 response from nginx.

 

And why does this setup work w/ literally every other device I've tried?  Is it the redirect you mentioned?

 

I'm thinking so...   On most apps you HAVE to enter HTTPS://  AND port 443   don't just change the port and use your domain name, you have to add the https://.       Yea I noticed on roku, when i tried to force a redirect it didnt like it, I don't have your TV to test, so im just guessing that is the issue. 

[mastrmind11 717]

I'm thinking so...   On most apps you HAVE to enter HTTPS://  AND port 443   don't just change the port and use your domain name, you have to add the https://.       Yea I noticed on roku, when i tried to force a redirect it didnt like it, I don't have your TV to test, so im just guessing that is the issue. 

when I enter the full URL and 443, it doesn't even make it to nginx...  w.t.f?

[pir8radio 1292]

when I enter the full URL and 443, it doesn't even make it to nginx...  w.t.f?

 

lol, thats strange then...   sounds app related?  I can't really speak to the app..  But if you want to PM me the info i can try to connect and see if anything looks obvious. I shouldn't have to actually login to your server just hit the login page. 

[mastrmind11 717]

lol, thats strange then...   sounds app related?  I can't really speak to the app..  But if you want to PM me the info i can try to connect and see if anything looks obvious. I shouldn't have to actually login to your server just hit the login page. 

I made the changes outlined by @@dcrdev here https://emby.media/community/index.php?/topic/55484-help-with-reverse-proxycustom-domain-and-remote-connectivity/ and still no good.  I pm'd you.  Wish I could see the flipping logs on the ATV app...

[Luke 37095]

I think you can with a logcat viewer.

[pir8radio 1292]

No issues spotted when connecting to your server..  Agreed the ATV app logs might help...  I'll pm you my server info you can see if your TV works on my server or has the same issue. 

[mastrmind11 717]

No issues spotted when connecting to your server..  Agreed the ATV app logs might help...  I'll pm you my server info you can see if your TV works on my server or has the same issue. 

ok,thanks

[mastrmind11 717]

No issues spotted when connecting to your server..  Agreed the ATV app logs might help...  I'll pm you my server info you can see if your TV works on my server or has the same issue. 

Worked.  Can you pm me or post your nginx config?

[pir8radio 1292]

Worked.  Can you pm me or post your nginx config?

 

this is my current config for the most part... I have some custom logging crap you can ignore.  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670

 

I also do not use redirects, I use HSTS which forces https. (Strict transport security)...   On top of that i have cloudflare in front of my nginx which adds more variables to the mess lol...

[Delphi 83]

Same problem here on my Bravia, removing the redirects did not solve the issue.

 

Kodi can access it from the same TV, but Kodi seems to max the CPU of the TV so would prefer Emby for AndroidTV working again...

Edited March 31, 2018 by Delphi

[mastrmind11 717]

The redirect is simply not working.  I can see the request hitting the server, 301 response, then no redirect.  When I do the same w/ anything else I see the 301, 302, 200, which is what it's supposed to do.  Thoroughly confused at this point.  At least bypassing nginx works if I can't figure this out before I have to leave.  Open to any ideas.

[pir8radio 1292]

The redirect is simply not working.  I can see the request hitting the server, 301 response, then no redirect.  When I do the same w/ anything else I see the 301, 302, 200, which is what it's supposed to do.  Thoroughly confused at this point.  At least bypassing nginx works if I can't figure this out before I have to leave.  Open to any ideas.

 

what happens with this config? 

#server {
#
#        listen 80 default_server;
#        listen [::]:80 default_server;
#    
#        server_name my_domain.com 10.0.1.152;
#        return 301 https://$server_name$request_uri;
#
#}

server {

 # SSL configuration

 include /etc/nginx/proxy.conf;
 
 listen 80; #added port 80
 listen [::]:80; #added port 80 ipv6
 listen 443 ssl http2; #removed default server
 listen [::]:443 ssl http2; #removed default server

 server_name my_domain.com 10.0.1.152; #moved listen info

#Add HSTS Header
 add_header Strict-Transport-Security "max-age=15552000; preload" always;

 include /etc/nginx/snippets/strong-ssl.conf;
 ssl_certificate /etc/letsencrypt/live/my_domin.com/fullchain.pem;
 ssl_certificate_key /etc/letsencrypt/live/my_domain.com/privkey.pem;

 # Root location
root /var/www/html;


 # Add index.php to the list if you are using PHP
 index index.html index.htm index.php index.nginx-debian.html;
 
 # Basic Auth to protect the site
# auth_basic "Restricted";
# auth_basic_user_file /etc/nginx/.htpasswd;

 # Change the client side error pages (4xx) to prevent some information disclosure
 error_page 401 403 404 /404.html;

 # First attempt to serve request as file, then as directory,
 # then fall back to displaying a 404.
 
 # Deny access to .htaccess files, if Apache's document
 # root concurs with nginx's one
 
 location ~ /\.ht {
          deny all;
 }

# Let's Encrypt Webroot plugin location -- allow access

 location ^~ /.well-known/acme-challenge/ {
          auth_basic off;
          autoindex on;
       }

# Location settings for reverse proxy; enable those you wish to use
# by removing the # from the section between the location line and the last }
#

location / { #emby at root of webserver
proxy_pass http://10.0.1.152:8096; 

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection; #fixed connection header
        }
}

Edited March 31, 2018 by pir8radio

[pir8radio 1292]

@@mastrmind11 oops reload and try that above config again... I forgot to move your server_name my_domain.com 10.0.1.152;   line.. 

[mastrmind11 717]

@@mastrmind11 oops reload and try that above config again... I forgot to move your server_name my_domain.com 10.0.1.152;   line.. 

That works, but is that w/o the redirect?  When I tail access.log I see the TV coming in and getting a 200.  When I try via my phone browser via http I can see the redirect to https.  Can you elaborate what you did?  Appreciate it.

[pir8radio 1292]

That works, but is that w/o the redirect?  When I tail access.log I see the TV coming in and getting a 200.  When I try via my phone browser via http I can see the redirect to https.  Can you elaborate what you did?  Appreciate it.

 

HSTS should force http connections to https on the clients side not the server side.    So if you view a browser log you should see a 307 like this:  You can add some other redirects after the fact to catch any unsupported HSTS clients, but if you watch your logs I bet you wont see any.

 

 

 

And the headers should look like this: Forcing the change to https due to HSTS,  I think most apps and OS's respect the hsts vs server redirect. 

 

Edited March 31, 2018 by pir8radio

[Delphi 83]

delete

Edited March 31, 2018 by Delphi