I recently installed Emby, and to allow encrypted remote access, I put it behind my NGINX reverse proxy. This worked perfectly. I have a domain, and Emby is a webapp behind that domain. I have a login system on the domain that is monitored with fail2ban. When a user logs in, the system checks their permissions, and they can access webapps via my reverse proxy based on their respective permissions. This also works perfectly with Emby -- only the users who have authenticated on my domain with the proper permissions can access it.
However, the problem is that neither I nor other people can connect any Emby apps to my server, because the Emby apps obviously try to connect to my Emby reverse proxy without authenticating on my domain, meaning those connections are not properly entitled and are blocked with a 401 error. I typically let API endpoints on other webapps bypass the server auth for this purpose, but I could not figure out which specific endpoints to open up for Emby to connect to Emby apps while keeping the main Emby endpoint locked down.
I can remove my server auth and use the new feature in 18.104.22.168 that requires users to log into Emby if they access the page remotely. This allows apps through while still keeping the Emby page behind a login (the Emby login and not my domain's login), but it is less than ideal for one main reason: I lose all the control I have by locking the web portal behind my server auth, such as fail2ban monitoring incorrect logins.
I hope I was clear about my use case, and maybe some of you can help me figure out the best way to proceed, such as which endpoints I can open up while keeping the overall subfolder locked down, or maybe a way to configure it that balances ease of use and security.
Edited by RG9400, 02 April 2019 - 09:20 PM.