mastrmind11 717 Posted March 31, 2018 Share Posted March 31, 2018 (edited) I posted something semi unrelated a few weeks ago about the same problem on the same ATV at a different location. I am completely unable to connect to my server remotely from any of these tvs, manually or using connect, via 80 or 443. I get an immediate "connection failed" message after hitting OK. I am able to connect to the server using every other non-TV device on the same network w/o issue. Since I have until tomorrow morning to get this figured out or try again in a couple months, I'm hoping we can figure something out. My server is behind nginx, 80 and 443 are forwarded to my local internal IP on 8096. nginx and emby are on the same box, emby is running in a docker container in host mode. I did some digging this morning and found this in the nginx error log, which corresponds to the time I was trying to connect from the TV (sensitive stuff redacted): 2018/03/30 21:58:06 [error] 20801#20801: *84301 connect() failed (111: Connection refused) while connecting to upstream, client: client_ip, server: , request: "GET /emby/System/Info HTTP/2.0", upstream: "http://10.0.1.152:8096/emby/System/Info", host: "my_domain_name" There are success entries in the access.log from the same timeframe when I was testing other devices on the same network. Here is my nginx config: server { listen 80 default_server; listen [::]:80 default_server; server_name my_domain.com 10.0.1.152; return 301 https://$server_name$request_uri; } server { # SSL configuration include /etc/nginx/proxy.conf; listen 443 ssl http2 default_server; listen [::]:443 ssl http2 default_server; include /etc/nginx/snippets/strong-ssl.conf; ssl_certificate /etc/letsencrypt/live/my_domin.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/my_domain.com/privkey.pem; # Root location root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.php index.nginx-debian.html; # Basic Auth to protect the site # auth_basic "Restricted"; # auth_basic_user_file /etc/nginx/.htpasswd; # Change the client side error pages (4xx) to prevent some information disclosure error_page 401 403 404 /404.html; # First attempt to serve request as file, then as directory, # then fall back to displaying a 404. # Deny access to .htaccess files, if Apache's document # root concurs with nginx's one location ~ /\.ht { deny all; } # Let's Encrypt Webroot plugin location -- allow access location ^~ /.well-known/acme-challenge/ { auth_basic off; autoindex on; } # Location settings for reverse proxy; enable those you wish to use # by removing the # from the section between the location line and the last } # location / { #emby at root of webserver proxy_pass http://10.0.1.152:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } I don't understand why literally every other device I've tried work, but not these TVs. 2 TVs on this network, 1 TV on a different network, all the same brand. Please help! EDIT: I'm not sure how those entries got into the nginx error log. I'm trying to connect from a TV again and it's failing, but I'm not seeing any corresponding entries in the error.log. Edited March 31, 2018 by mastrmind11 1 Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 Ok, now I'm tailing the nginx access.log and whenever I hit the server I'm seeing 301 responses. Huh? [31/Mar/2018:10:02:07 -0400] "GET /emby/system/info/public?format=json HTTP/1.1" 301 178 "-" "Dalvik/2.1.0 (Linux; U; Android 7.0; BRAVIA 4K GB Build/NRD91N.S101)" Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 And this is what I get when I hit the server via a web browser on the TV: [31/Mar/2018:10:20:15 -0400] "GET / HTTP/1.1" 301 178 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156" [31/Mar/2018:10:20:15 -0400] "GET / HTTP/2.0" 302 156 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156" [31/Mar/2018:10:20:15 -0400] "GET /web/index.html HTTP/2.0" 200 1614 "-" "Mozilla/5.0 (Linux; Andr0id 7.0; BRAVIA 4K GB Build/NRD91N.S101) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/53.0.2785.143 Safari/537.36 OPR/40.0.2207.0 OMI/4.9.0.59.E9103576.156" Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 Ok, so I opened 8096->8096 and I can log in, so something is jacked w/ my nginx. I'd appreciate any insight. @@pir8radio @@Swynol, got any ideas? Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 (edited) Ok, so I opened 8096->8096 and I can log in, so something is jacked w/ my nginx. I'd appreciate any insight. @@pir8radio @@Swynol, got any ideas? Some of the apps dont like redirects, are your tv's setup to connect to HTTPS Port 443 or are you expecting them to redirect on their own and using http port 80? along the same lines do you have emby setup for https? what do you see reported when you go to: https://yourdomain.com/emby/system/info/public/ an http address or an https one? Edited March 31, 2018 by pir8radio Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 Some of the apps dont like redirects, are your tv's setup to connect to HTTPS Port 443 or are you expecting them to redirect on their own and using http port 80? along the same lines do you have emby setup for https? what do you see reported when you go to: https://yourdomain.com/emby/system/info/public/ an http address or an https one? I'm expecting them to redirect when I hit port 80. I have not touched the emby settings regarding SSL. /public shows an http WAN address (and local address on 8096) Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 I'm expecting them to redirect when I hit port 80. I have not touched the emby settings regarding SSL. /public shows an http WAN address (and local address on 8096) Ok i would first start with editing the config and changing (i think its, <EnableHttps>true</EnableHttps>) see if that link reports back https then.. see if that helps, otherwise you will probably have to enter the https addresses into the tv apps. Link to comment Share on other sites More sharing options...
Luke 37095 Posted March 31, 2018 Share Posted March 31, 2018 in the beta server you no longer need to edit the config file. the config page will set those values based on what you select. 1 Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 Ok i would first start with editing the config and changing (i think its, <EnableHttps>true</EnableHttps>) see if that link reports back https then.. see if that helps, otherwise you will probably have to enter the https addresses into the tv apps. But isn't my nginx settings forwarding both 80 and 443 to 8096? WHen I point to 443 from the TV, I get a 400 response from nginx. And why does this setup work w/ literally every other device I've tried? Is it the redirect you mentioned? Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 But isn't my nginx settings forwarding both 80 and 443 to 8096? WHen I point to 443 from the TV, I get a 400 response from nginx. And why does this setup work w/ literally every other device I've tried? Is it the redirect you mentioned? I'm thinking so... On most apps you HAVE to enter HTTPS:// AND port 443 don't just change the port and use your domain name, you have to add the https://. Yea I noticed on roku, when i tried to force a redirect it didnt like it, I don't have your TV to test, so im just guessing that is the issue. Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 I'm thinking so... On most apps you HAVE to enter HTTPS:// AND port 443 don't just change the port and use your domain name, you have to add the https://. Yea I noticed on roku, when i tried to force a redirect it didnt like it, I don't have your TV to test, so im just guessing that is the issue. when I enter the full URL and 443, it doesn't even make it to nginx... w.t.f? Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 when I enter the full URL and 443, it doesn't even make it to nginx... w.t.f? lol, thats strange then... sounds app related? I can't really speak to the app.. But if you want to PM me the info i can try to connect and see if anything looks obvious. I shouldn't have to actually login to your server just hit the login page. Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 lol, thats strange then... sounds app related? I can't really speak to the app.. But if you want to PM me the info i can try to connect and see if anything looks obvious. I shouldn't have to actually login to your server just hit the login page. I made the changes outlined by @@dcrdev here https://emby.media/community/index.php?/topic/55484-help-with-reverse-proxycustom-domain-and-remote-connectivity/ and still no good. I pm'd you. Wish I could see the flipping logs on the ATV app... Link to comment Share on other sites More sharing options...
Luke 37095 Posted March 31, 2018 Share Posted March 31, 2018 I think you can with a logcat viewer. Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 No issues spotted when connecting to your server.. Agreed the ATV app logs might help... I'll pm you my server info you can see if your TV works on my server or has the same issue. Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 No issues spotted when connecting to your server.. Agreed the ATV app logs might help... I'll pm you my server info you can see if your TV works on my server or has the same issue. ok,thanks Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 No issues spotted when connecting to your server.. Agreed the ATV app logs might help... I'll pm you my server info you can see if your TV works on my server or has the same issue. Worked. Can you pm me or post your nginx config? Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 Worked. Can you pm me or post your nginx config? this is my current config for the most part... I have some custom logging crap you can ignore. https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=457670 I also do not use redirects, I use HSTS which forces https. (Strict transport security)... On top of that i have cloudflare in front of my nginx which adds more variables to the mess lol... Link to comment Share on other sites More sharing options...
Delphi 83 Posted March 31, 2018 Share Posted March 31, 2018 (edited) Same problem here on my Bravia, removing the redirects did not solve the issue. Kodi can access it from the same TV, but Kodi seems to max the CPU of the TV so would prefer Emby for AndroidTV working again... Edited March 31, 2018 by Delphi Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 The redirect is simply not working. I can see the request hitting the server, 301 response, then no redirect. When I do the same w/ anything else I see the 301, 302, 200, which is what it's supposed to do. Thoroughly confused at this point. At least bypassing nginx works if I can't figure this out before I have to leave. Open to any ideas. Link to comment Share on other sites More sharing options...
Solution pir8radio 1292 Posted March 31, 2018 Solution Share Posted March 31, 2018 (edited) The redirect is simply not working. I can see the request hitting the server, 301 response, then no redirect. When I do the same w/ anything else I see the 301, 302, 200, which is what it's supposed to do. Thoroughly confused at this point. At least bypassing nginx works if I can't figure this out before I have to leave. Open to any ideas. what happens with this config? #server { # # listen 80 default_server; # listen [::]:80 default_server; # # server_name my_domain.com 10.0.1.152; # return 301 https://$server_name$request_uri; # #} server { # SSL configuration include /etc/nginx/proxy.conf; listen 80; #added port 80 listen [::]:80; #added port 80 ipv6 listen 443 ssl http2; #removed default server listen [::]:443 ssl http2; #removed default server server_name my_domain.com 10.0.1.152; #moved listen info #Add HSTS Header add_header Strict-Transport-Security "max-age=15552000; preload" always; include /etc/nginx/snippets/strong-ssl.conf; ssl_certificate /etc/letsencrypt/live/my_domin.com/fullchain.pem; ssl_certificate_key /etc/letsencrypt/live/my_domain.com/privkey.pem; # Root location root /var/www/html; # Add index.php to the list if you are using PHP index index.html index.htm index.php index.nginx-debian.html; # Basic Auth to protect the site # auth_basic "Restricted"; # auth_basic_user_file /etc/nginx/.htpasswd; # Change the client side error pages (4xx) to prevent some information disclosure error_page 401 403 404 /404.html; # First attempt to serve request as file, then as directory, # then fall back to displaying a 404. # Deny access to .htaccess files, if Apache's document # root concurs with nginx's one location ~ /\.ht { deny all; } # Let's Encrypt Webroot plugin location -- allow access location ^~ /.well-known/acme-challenge/ { auth_basic off; autoindex on; } # Location settings for reverse proxy; enable those you wish to use # by removing the # from the section between the location line and the last } # location / { #emby at root of webserver proxy_pass http://10.0.1.152:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; #fixed connection header } } Edited March 31, 2018 by pir8radio 1 Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 @@mastrmind11 oops reload and try that above config again... I forgot to move your server_name my_domain.com 10.0.1.152; line.. Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted March 31, 2018 Author Share Posted March 31, 2018 @@mastrmind11 oops reload and try that above config again... I forgot to move your server_name my_domain.com 10.0.1.152; line.. That works, but is that w/o the redirect? When I tail access.log I see the TV coming in and getting a 200. When I try via my phone browser via http I can see the redirect to https. Can you elaborate what you did? Appreciate it. Link to comment Share on other sites More sharing options...
pir8radio 1292 Posted March 31, 2018 Share Posted March 31, 2018 (edited) That works, but is that w/o the redirect? When I tail access.log I see the TV coming in and getting a 200. When I try via my phone browser via http I can see the redirect to https. Can you elaborate what you did? Appreciate it. HSTS should force http connections to https on the clients side not the server side. So if you view a browser log you should see a 307 like this: You can add some other redirects after the fact to catch any unsupported HSTS clients, but if you watch your logs I bet you wont see any. And the headers should look like this: Forcing the change to https due to HSTS, I think most apps and OS's respect the hsts vs server redirect. Edited March 31, 2018 by pir8radio 1 Link to comment Share on other sites More sharing options...
Delphi 83 Posted March 31, 2018 Share Posted March 31, 2018 (edited) delete Edited March 31, 2018 by Delphi Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now