
Need help with apache reverse proxy and websockets



Posted

I tried to set up Apache as a reverse proxy for my Emby server.

The web app works fine. But I can't connect with an Emby app (e.g. Kodi) and I get 404 on every /embywebsocket request. Should be 101 I think.

I have Nextcloud running on the same Apache and am trying to use 8443 for Emby.

Any help appreciated.

<VirtualHost *:80>

    ServerName toothless.goip.de

    RewriteEngine on

    RewriteCond %{REQUEST_SCHEME} =http
    RewriteRule ^/?(.*)$ https://toothless.goip.de/$1 [R=301,L]

    RewriteCond %{REQUEST_SCHEME} =ws
    RewriteRule ^/?(.*)$ wss://toothless.goip.de:8443/$1 [R=301,L]

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

</VirtualHost>
SSLStaplingCache shmcb:${APACHE_RUN_DIR}/ssl_stapling_cache(129600)
ServerName toothless.goip.de

<VirtualHost *:443>

    Protocols h2 http/1.1

    DocumentRoot /var/www/nextcloud

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    <FilesMatch \.php$>
        SetHandler proxy:unix:/run/php/php7.2-fpm.sock|fcgi://localhost/
    </FilesMatch>

    SSLEngine on
    SSLUseStapling on
    SSLCertificateFile /etc/letsencrypt/live/toothless.goip.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/toothless.goip.de/privkey.pem
    Include /etc/letsencrypt/mod_options-ssl-apache.conf

    Header set Strict-Transport-Security "max-age=31556926; includeSubDomains; preload"

    <Directory /var/www/nextcloud>
        Options +FollowSymlinks
        AllowOverride All
    </Directory>

</VirtualHost>

<VirtualHost *:8443>

    Protocols h2 http/1.1

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLUseStapling on
    SSLCertificateFile /etc/letsencrypt/live/toothless.goip.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/toothless.goip.de/privkey.pem
    Include /etc/letsencrypt/mod_options-ssl-apache.conf

    ProxyPass / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

    ProxyPass /embywebsocket ws://localhost:8096/embywebsocket
    ProxyPassReverse /embywebsocket ws://localhost:8096/embywebsocket

    Header set Connection "Upgrade"
    Header set Upgrade "websocket"
    RequestHeader setifempty Connection "Upgrade"
    RequestHeader setifempty Upgrade "websocket"
    
</VirtualHost>
pir8radio
Posted

 



 

 

Check out this post, make sure it's not the same issue first: https://emby.media/community/index.php?/topic/64083-could-not-find-handler-for-embywebsocket/?p=636078

Posted (edited)

This is one of several threads I've read before posting.

Can't get this to work using "ProxyPass" with proxy_wstunnel.

 

Instead of that I used mod_rewrite for proxying the websocket traffic.

After that worked I added some secure headers.

<VirtualHost *:8443>

    Protocols h2 http/1.1

    ErrorLog ${APACHE_LOG_DIR}/error.log
    CustomLog ${APACHE_LOG_DIR}/access.log combined

    SSLEngine on
    SSLUseStapling on
    SSLCertificateFile /etc/letsencrypt/live/toothless.goip.de/fullchain.pem
    SSLCertificateKeyFile /etc/letsencrypt/live/toothless.goip.de/privkey.pem
    Include /etc/letsencrypt/mod_options-ssl-apache.conf

    ProxyPass / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/

    RewriteEngine On
    RewriteCond %{HTTP:Connection} Upgrade [NC]
    RewriteCond %{HTTP:Upgrade} websocket [NC]
    RewriteRule ^/?(.*)$ ws://localhost:8096/$1 [P,L]

    Header unset Server

    Header set Strict-Transport-Security "max-age=31556926; includeSubDomains; preload"
    Header set Referrer-Policy "strict-origin"
    Header set X-Frame-Options "sameorigin"
    Header set X-XSS-Protection "1; mode=block"
    Header set X-Content-Type-Options "nosniff"
    Header set Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css"
    
</VirtualHost>
Edited by loeffelpan
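
The 404-versus-101 symptom discussed in this thread can be checked from a client with a small probe. This is an added example, not code from any poster or from Emby: it sends one WebSocket upgrade request through the proxy and validates the reply per RFC 6455; the function names are hypothetical, and the host, port and path given to probe() are whatever your own setup uses.

```python
import base64
import hashlib
import os
import socket
import ssl

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # fixed value from RFC 6455

def expected_accept(key):
    """Sec-WebSocket-Accept a WebSocket server must send back for this key."""
    digest = hashlib.sha1((key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")

def build_request(authority, path, key):
    """HTTP/1.1 upgrade request, as a WebSocket client would send it."""
    lines = [f"GET {path} HTTP/1.1", f"Host: {authority}", "Connection: Upgrade",
             "Upgrade: websocket", "Sec-WebSocket-Version: 13",
             f"Sec-WebSocket-Key: {key}", "", ""]
    return "\r\n".join(lines).encode("ascii")

def check_response(raw, key):
    """Return (ok, reason) for the raw response head received via the proxy."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    if len(parts) < 2 or not parts[1].isdigit():
        return False, "malformed status line"
    headers = {n.strip().lower(): v.strip()
               for n, sep, v in (l.partition(":") for l in header_lines) if sep}
    # Check the status first: a proxy can add Upgrade headers to a 404 reply.
    if parts[1] != "101":
        return False, f"status {parts[1]}: request was not upgraded"
    if headers.get("upgrade", "").lower() != "websocket":
        return False, "101 without Upgrade: websocket"
    if headers.get("sec-websocket-accept") != expected_accept(key):
        return False, "Sec-WebSocket-Accept mismatch"
    return True, "upgrade completed"

def probe(host, port, path, timeout=5.0):
    """Send one upgrade request over TLS (certificate verified) and check it."""
    key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_request(f"{host}:{port}", path, key))
            raw = b""
            while b"\r\n\r\n" not in raw and (chunk := tls.recv(4096)):
                raw += chunk
    return check_response(raw, key)
```

Calling probe() with your proxy's host name, 8443 and /embywebsocket returns a pair such as (False, "status 404: request was not upgraded") when the request is being handled as plain HTTP.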
  • 1 year later...
castillo92
Posted (edited)

 


 

 

That works for me too!! Thank you very much!! I read several posts but the solution is yours:

 

My vhost finally looks like:

<VirtualHost *:443>
	ServerName my_server.com

	ServerAdmin webmaster@localhost
	DocumentRoot /var/www

# The env=!dontlog tag is a variable so that those accesses are not logged:
	SetEnvIf Request_URI "^/emby/videos/*" dontlog
	SetEnvIf Request_URI "^/emby/Sessions/*" dontlog
	ErrorLog ${APACHE_LOG_DIR}/error.log
	CustomLog ${APACHE_LOG_DIR}/access.log combined env=!dontlog

# Media Server Emby
        RewriteEngine On
        RewriteCond %{HTTP:Connection} Upgrade [NC]
        RewriteCond %{HTTP:Upgrade} websocket [NC]
        RewriteRule ^/?(.*)$ ws://localhost:8096/$1 [P,L]
    
        ProxyPass /emby/ http://192.168.1.50:8096/
        ProxyPassReverse /emby/ http://192.168.1.50:8096/
        Redirect permanent /emby /emby/

<IfModule mod_headers.c>
  Header always set Strict-Transport-Security "max-age=15768000; includeSubDomains; preload"
</IfModule>

SSLCertificateFile /etc/letsencrypt/live/my_server.com/fullchain.pem
SSLCertificateKeyFile /etc/letsencrypt/live/my_server.com/privkey.pem
Include /etc/letsencrypt/options-ssl-apache.conf

</VirtualHost>

Could you explain to me why you added some secure headers? Does Emby not have them integrated?

Edited by castillo92
