How to run Emby behind reverse proxy but allow apps to connect

[bozrdnag 73]

I am running Emby via a Docker container on Unraid.  Works great.  I finally set about securing my server and setup a Letsencrypt/nginx Docker container and have things basically running.  My problem is that Emby apps using Connect won't work.  All my family and friends connect via Rokus so it's vital I get this working.

 

I tried going in to Advanced>Hosting and entered mydomain.com under External Domain and I set Secure Connection Mode to Handled by reverse proxy and left the SSL cert fields empty but that didn't work.

 

Any ideas what I am doing wrong?

[Luke 37095]

What does "didn't work" mean?

[KMBanana 84]

Did you configure your Reverse proxy to point to your Emby server IP and local http port or are you using the default linuxserver/letsencrypt configuration for Emby?

If using linuxserver\letsencrypt's default Emby config did you follow their instructions and remove ".sample" from the config and attach Emby and LetsEncrypt docker containers to a user defined docker bridge network?  https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21 

Did you change the public https port to 443 and public http port to 80 in Emby's settings?  Assuming you are reverse proxying ports 80 and 443.  

[bozrdnag 73]

What does "didn't work" mean?

 

I mean the can't connect to my server.

 

Did you configure your Reverse proxy to point to your Emby server IP and local http port or are you using the default linuxserver/letsencrypt configuration for Emby?

If using linuxserver\letsencrypt's default Emby config did you follow their instructions and remove ".sample" from the config and attach Emby and LetsEncrypt docker containers to a user defined docker bridge network?  https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21 

Did you change the public https port to 443 and public http port to 80 in Emby's settings?  Assuming you are reverse proxying ports 80 and 443.  

 

I followed a different tutorial that led me create the following default file:

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location /nzbget {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:6789;
	}
		
	location /emby {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:8096;
	}
	
	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:3579;
	}
		
	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:8989;
	}
	
	location /radarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:7878;
	}
	
	location /nextcloud {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.1.42:444;
	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://192.168.1.42:19999;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
	
	# Transmission
	location /transmission/ {
    proxy_pass http://192.168.1.42:9091/transmission/web/;
    proxy_set_header Host $host;
	proxy_set_header        X-Real-IP       $remote_addr;
	proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_buffering off;
        }

	# Also Transmission specific
    location /rpc {
        proxy_pass http://192.168.1.42:9091/transmission/rpc;
        }
}

Everything works fine and I can access the Emby webgui page via my domain name.  It's just the apps that don't connect via the webgui that have issues.

[mastrmind11 717]

I mean the can't connect to my server.

 

 

I followed a different tutorial that led me create the following default file:

server {
	listen 443 ssl default_server;
	listen 80 default_server;
	root /config/www;
	index index.html index.htm index.php;

	server_name _;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;

	location /nzbget {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:6789;
	}
		
	location /emby {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:8096;
	}
	
	location /ombi {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:3579;
	}
		
	location /sonarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:8989;
	}
	
	location /radarr {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:7878;
	}
	
	location /nextcloud {
		include /config/nginx/proxy.conf;
		proxy_pass https://192.168.1.42:444;
	}
	
	location ~ /netdata/(?<ndpath>.*) {
		proxy_set_header X-Forwarded-Host $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass http://192.168.1.42:19999;
		proxy_http_version 1.1;
		proxy_pass_request_headers on;
		proxy_set_header Connection "keep-alive";
		proxy_store off;
	}
	
	# Transmission
	location /transmission/ {
    proxy_pass http://192.168.1.42:9091/transmission/web/;
    proxy_set_header Host $host;
	proxy_set_header        X-Real-IP       $remote_addr;
	proxy_set_header        X-Forwarded-For $proxy_add_x_forwarded_for;
	proxy_buffering off;
        }

	# Also Transmission specific
    location /rpc {
        proxy_pass http://192.168.1.42:9091/transmission/rpc;
        }
}

Everything works fine and I can access the Emby webgui page via my domain name.  It's just the apps that don't connect via the webgui that have issues.

I had issues with a Roku and port 80 redirects.  I also had issues w/ my 2 Bravia's w/ port 80 redirects.  What worked for me was to get rid of the redirect and just use HSTS on the proxy.  Solved 100% of my connection issues on all devices.  see here https://emby.media/community/index.php?/topic/57583-3-sony-atvs-all-exhibit-the-same-issue/page-3 for a working nginx config.  

[bozrdnag 73]

I'm still having no luck with this.  I tried replacing my default file with your but it just gave me a bunch of errors.  A few problems I believe are:

 

1. I'm running everything on Unraid with has different paths

2. I'm not familiar enough to know which paths should be internal to the container or are pointing to the cache drive

3. I'm new to all of this so I'm going by trial and error without really knowing much about what does what.

 

If it helps, I am running Linuxserver,io Letsencrypt/nginx container and my current configuration followed their tutorial.  Again, I can connect to https://emby.myserver.com just fine.  I just can't get the Android and Roku apps to work.

[fbartels 9]

As far as I remember Emby needs to run on the root of a subdomain and cannot run in a path:

	location /emby {
		include /config/nginx/proxy.conf;
		proxy_pass http://192.168.1.42:8096;
	}

 

[KMBanana 84]

Strongly recommend using the built in configuration file that linuxserver's letsEncrypt docker container comes with for Emby.  Make sure to follow their instructions and have both the containers on a user defined docker bridge network (IE, not the default one). 

https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21%C2%A0

 

You could also try copying their config to your default file, but unsure if it will work perfectly, I know some of their configs are setup that way with a separate docker bridge network for a reason. I suspect the rewrite line they include in their subfolder config may be what you're missing.  

 

# replace HOSTIP below with the IP address of your emby server
# to enable password access, uncomment the two auth_basic lines


location /emby {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    rewrite /emby/(.*) /$1 break;
    proxy_pass http://192.168.1.42:8096;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
}

[mastrmind11 717]

As far as I remember Emby needs to run on the root of a subdomain and cannot run in a path:

Also this ^^

[KMBanana 84]

While using a subdomain is simpler and has less issues and complications it is possible to use a path like domain.com/emby.  I used to do this and was able to  have roku and android clients connect.  

[neik 837]

While using a subdomain is simpler and has less issues and complications it is possible to use a path like domain.com/emby.  I used to do this and was able to  have roku and android clients connect.  

 

Would you mind sharing your config?

 

I am also struggling using a path and don't really know why, so a working config would be great for comparison.

[KMBanana 84]

Would you mind sharing your config?

 

I am also struggling using a path and don't really know why, so a working config would be great for comparison.

I've been using a subdomain for several months now so I don't have it anymore.  I was using a combination of Night and Pir8Radio's configs from this thread which I've seen you've already posted in, plus some of the SSL config from linuxserver/letsencrypt docker image.  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/page-1

 

From your config you posted there your "rewrite" line differs a little bit from what Radio and linuxserver/letsencrypt use.

 

Yours is 

rewrite ^/emby(/.*)$ $1 break;

While they both use

rewrite /emby/(.*) /$1 break;

[bozrdnag 73]

 

Strongly recommend using the built in configuration file that linuxserver's letsEncrypt docker container comes with for Emby.  Make sure to follow their instructions and have both the containers on a user defined docker bridge network (IE, not the default one). 

https://github.com/linuxserver/docker-letsencrypt/blob/master/root/defaults/proxy-confs/_readme#L21%C2%A0

 

You could also try copying their config to your default file, but unsure if it will work perfectly, I know some of their configs are setup that way with a separate docker bridge network for a reason. I suspect the rewrite line they include in their subfolder config may be what you're missing.  

 

# replace HOSTIP below with the IP address of your emby server
# to enable password access, uncomment the two auth_basic lines


location /emby {
#    auth_basic "Restricted";
#    auth_basic_user_file /config/nginx/.htpasswd;
    include /config/nginx/proxy.conf;
    rewrite /emby/(.*) /$1 break;
    proxy_pass http://192.168.1.42:8096;
    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
}

 

 

 

I am using the built in configuration files.  At first I used their emby.subfolder.conf file because I was just using myserver.coom/emby.  I have since added subdomains to my domain and am now running emby.myserver.com and using the build in emby.subdomain.conf file.

 

With both methods I had little trouble getting it to work with the webgui.  My problem is, and always has been, getting the Android and roku apps to connect.  Di you have to do anything specifically for those?

[KMBanana 84]

I've only connected Roku and android apps by having them directly connect to my server by manually entering the URL, never tried with Emby connect.  Does connecting to the server directly work?  Have someone test it outside of your Emby Server's local LAN.  

 

Does the Remote Address on the Emby Dashboard page in Server settings say "https://sub.domain.com:443"? 

[bozrdnag 73]

I've only connected Roku and android apps by having them directly connect to my server by manually entering the URL, never tried with Emby connect.  Does connecting to the server directly work?  Have someone test it outside of your Emby Server's local LAN.  

 

Does the Remote Address on the Emby Dashboard page in Server settings say "https://sub.domain.com:443"? 

 

I prefer Connect because every once in a while something happens and their Emby app loses the server.  None of them ever remembered my server address or the port and didn't want to bother me so they would go days without being able to use it before I figured it out and fixed it for them.  Connect solved those problems.

 

I just tried to manually enter the server address and port on my Android app and it still wouldn't connect. I am now wondering if the problem is something I thought was an unrelated issue.  Ever since setting up nginx as a reverse proxy I have noticed a delay when accessing any of my apps through my domain name.  If I enter https://emby.myserver.com nothing will happen for like 30-40 seconds.  After the 30-40 seconds the page loads quickly like I would expect.  I wonder if the apps are timing out before they are able to connect to the server?  Today it's even worse.  I just timed a delay of 145 seconds before emby loaded from my browser.

 

Any idea where to start troubleshooting that issue?

Edited July 24, 2018 by bozrdnag

[KMBanana 84]

I'm getting a bit out of my element here, but it sort of sounds like the applications could be trying to reach the Emby server at the local address, timing out, and then connecting with the remote address.  

Not sure what would cause them to do that or how to debug it or test for it though.  

[bozrdnag 73]

I'm getting a bit out of my element here, but it sort of sounds like the applications could be trying to reach the Emby server at the local address, timing out, and then connecting with the remote address.  

Not sure what would cause them to do that or how to debug it or test for it though.  

 

i apologize for being unclear and using the word "apps" too loosely.  I get a delay when accessing apps on my server that are behind nginx.  By those apps I mean, Emby server, Radarr, Sonarr, Nzbget, etc.  I can access all of those apps' webguis via my domain from outside my network but I usually get the delay I mentioned.

 

As a second issue, I can't get any of the Emby apps (Android or Roku) to connect to Emby at all.  I am now wondering if the first issue is the cause of my second issue.

[pir8radio 1292]

i apologize for being unclear and using the word "apps" too loosely.  I get a delay when accessing apps on my server that are behind nginx.  By those apps I mean, Emby server, Radarr, Sonarr, Nzbget, etc.  I can access all of those apps' webguis via my domain from outside my network but I usually get the delay I mentioned.

 

As a second issue, I can't get any of the Emby apps (Android or Roku) to connect to Emby at all.  I am now wondering if the first issue is the cause of my second issue.

 

Pm me your emby domain name.  Ill look and see if i see anything. 

[vpiassa29 0]

Veja esse post:

 

https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/?p=803233