
Roku app never finishes Loading or Retrieving when behind reverse proxy


53 replies to this topic

#41 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 2801 posts
  • Local time: 07:10 AM
  • LocationChicago

Posted 17 July 2019 - 06:56 PM

That is correct. Emby without a reverse proxy works fine.

 

With either my reverse proxy or Emby directly, Firesticks, Android, and browsers work fine - this only happens with Roku.

 

 

This is an MKV file. Typically I only play/stream MKVs or MP4s

 

OK, you are a different user than the OP. Can you post your nginx config? Make sure you at least have these lines in your config too:

    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.



#42 Paint OFFLINE  

Paint

    Member

  • Members
  • 23 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 07:05 PM

OK, you are a different user than the OP. Can you post your nginx config? Make sure you at least have these lines in your config too:

    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

 
Yep, those are in there. 
 
 
Here are my configs: 
 
nginx.conf:
 

user www-data;
pid /run/nginx.pid;


# you must set worker processes based on your CPU cores, nginx does not benefit from setting more than that
worker_processes auto; #some last versions calculate it automatically
worker_cpu_affinity auto;

# number of file descriptors used for nginx
# the limit for the maximum FDs on the server is usually set by the OS.
# if you don't set FD's then OS settings will be used which is by default 2000
worker_rlimit_nofile 100000;

# only log critical errors
error_log /var/log/nginx/error.log crit;

# provides the configuration file context in which the directives that affect connection processing are specified.
events {
    # determines how much clients will be served per worker
    # max clients = worker_connections * worker_processes
    # max clients is also limited by the number of socket connections available on the system (~64k)
    #worker_connections 8192;
    worker_connections 4000;

    # optmized to serve many clients with each thread, essential for linux -- for testing environment
    use epoll;

    # accept as many connections as possible, may flood worker connections if set too low -- for testing environment
    multi_accept on;
}

http {
        # cache informations about FDs, frequently accessed files
        # can boost performance, but you need to test those values
        open_file_cache max=200000 inactive=20s;
        open_file_cache_valid 30s;
        open_file_cache_min_uses 2;
        open_file_cache_errors on;

        ##
        # Basic Settings
        ##
        # copies data between one FD and other from within the kernel
        # faster then read() + write()
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        #keepalive_timeout 65;
        types_hash_max_size 2048;
        proxy_headers_hash_max_size 51200;
        proxy_headers_hash_bucket_size 6400;
        server_tokens off;
        proxy_connect_timeout 1h;
        proxy_send_timeout 1h;
        proxy_read_timeout 1h;
        etag on;

        log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

        log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

        #geoip_country /etc/nginx/geoip/GeoIP.dat; # the country IP database
        #geoip_city /etc/nginx/geoip/GeoLiteCity.dat; # the city IP database

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;
        #ssl_session_cache shared:SSL:5m;
        #ssl_session_timeout 1h;

        ##
        # Logging Settings
        ##

        # to boost I/O on HDD we can disable access logs
        access_log off;
        #access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Timeouts
        ##

        client_header_timeout  3m;
        client_body_timeout    3m;
        send_timeout           3m;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "MSIE [1-6]\.";
        gzip_min_length   1100;
        gzip_vary         on;
        gzip_proxied      expired no-cache no-store private auth;
        gzip_buffers      16 8k;
        gzip_comp_level   6;
        gzip_http_version 1.1;
        gzip_types        text/plain text/css text/js application/json application/javascript application/x-javascript text/xml application/xml application/rss+xml text/javascript image/svg+xml application/x-font-ttf font/opentype application/vnd.ms-fontobject;
        reset_timedout_connection on;

        # request timed out -- default 60
        client_max_body_size         32m; # increased to allow for ddwrt firmware upgrades

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

emby:

server {
        listen 8920 ssl http2 reuseport;
        listen [::]:8920 ssl http2 reuseport;
        server_name <REDACTED> <REDACTED>;

        # Global Headers
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
        proxy_hide_header X-Powered-By;  ## Hides the backend's X-Powered-By response header from clients.

        error_log /var/log/nginx/emby_error.log error;
        access_log /var/log/nginx/emby_access.log emby buffer=16k;

        # certs sent to the client in SERVER HELLO are concatenated in ssl_certificate
        ssl_certificate             /etc/ssl/ca/acme/<redacted>.fullchain;
        ssl_certificate_key         /etc/ssl/ca/acme/<redacted>.key;
        ssl_session_timeout 1h;
        ssl_session_cache shared:SSL:50m;
        ssl_session_tickets off;

        # Diffie-Hellman parameter for DHE ciphersuites, recommended 2048 bits
        ssl_dhparam                 /etc/ssl/dh/RSA4096.pem;

        # intermediate configuration. tweak to your needs.
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers   on;

        # OCSP Stapling ---
        # fetch OCSP records from URL in ssl_certificate and cache them
        ssl_stapling on;
        ssl_stapling_verify on;

        ## verify chain of trust of OCSP response using Root CA and Intermediate certs
        ssl_trusted_certificate      /etc/ssl/ca/acme/<redacted>.ca;

        resolver 192.168.1.1 8.8.4.4 8.8.8.8 valid=300s;
        #resolver 192.168.1.1;
        resolver_timeout 10s;

        underscores_in_headers on;
        proxy_intercept_errors on;
        recursive_error_pages  on;

        location / {
                proxy_pass http://192.168.1.40:8096;  ## Enter the IP and port of the backend emby server here.

                proxy_hide_header X-Powered-By;  ## Hides the backend's X-Powered-By response header from clients.
                proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
                proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
                proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
                proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

                ## ADDITIONAL SECURITY SETTINGS ##
                ## Optional settings to improve security ##
                ## add these after you have completed your testing and ssl setup ##
                add_header 'Referrer-Policy' 'origin-when-cross-origin';
                add_header Strict-Transport-Security "max-age=15552000; includeSubdomains; preload" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header X-XSS-Protection "1; mode=block" always;

                ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection;
        }

}

Edited by diamantj, 17 July 2019 - 07:11 PM.


#43 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 2801 posts
  • Local time: 07:10 AM
  • LocationChicago

Posted 17 July 2019 - 07:31 PM

Other than sendfile being on, which I don't "think" is your issue, I don't see anything crazy in your config. I might suggest trying my single config first, though it looks like a lot of your config is already mine... But I hate split configs using include... lol, just as a test use my config, and see if it works; you can also connect to my server and see if your Roku works there.


Edited by pir8radio, 17 July 2019 - 08:32 PM.


#44 jeffsand121 OFFLINE  

jeffsand121

    Newbie

  • Members
  • 8 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 08:07 PM

I found the issue that was causing the same problem with Roku playing remotely. The "default" in the config I am using was not listening on port 80. Once I included that command and did a 301 redirect, I have no playback problems.
  • pir8radio likes this

#45 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 2801 posts
  • Local time: 07:10 AM
  • LocationChicago

Posted 17 July 2019 - 08:34 PM

I found the issue that was causing the same problem with Roku playing remotely. The "default" in the config I am using was not listening on port 80. Once I included that command and did a 301 redirect, I have no playback problems.

 

Yeah, it's good practice to listen on 80 as well, good find...

 

HSTS should have taken care of that; you shouldn't see the 301 getting used much, if at all, if you use HSTS.



#46 Paint OFFLINE  

Paint

    Member

  • Members
  • 23 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 08:45 PM

What should I add to my nginx to do a 301 redirect, besides adding listening lines on port 80?

#47 jeffsand121 OFFLINE  

jeffsand121

    Newbie

  • Members
  • 8 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 08:46 PM

I am using HSTS and thought it would have taken care of it too. Just happy it is working again. Thanks to all that helped!!

#48 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 2801 posts
  • Local time: 07:10 AM
  • LocationChicago

Posted 17 July 2019 - 08:56 PM

What should I add to my nginx to do a 301 redirect, besides adding listening lines on port 80?


server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}



#49 Paint OFFLINE  

Paint

    Member

  • Members
  • 23 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 09:30 PM

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$server_name$request_uri;
}



Added this to my config. Will test again.

Since I am running on a custom SSL port, I had to use this config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$server_name:1234$request_uri;
}

And added this to my ssl server section
 

error_page 497 https://$host:1234$request_uri;

Edited by diamantj, 17 July 2019 - 10:12 PM.

  • pir8radio likes this
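Added example (not from any poster in this thread): the URL rewrite that a client implementing HSTS performs under RFC 6797 section 8.3, applied to the custom-port setup above, where the rewrite never substitutes a non-default TLS port. Whether the Roku app applies HSTS at all is not stated in the thread; `example.com` and port `1234` are the placeholders used in the posts, and the function names are this example's own.

```python
from urllib.parse import urlsplit, urlunsplit

def hsts_upgrade(url, known_hosts):
    """Return the URL an HSTS-compliant client actually requests (RFC 6797 s8.3).

    known_hosts maps hostname -> include_subdomains for hosts whose
    Strict-Transport-Security header the client has already received over HTTPS.
    Assumption: plain hostnames only (no userinfo, no IPv6 literals).
    """
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    # Covered if the host itself is known, or a parent set includeSubDomains.
    covered = host in known_hosts or any(
        known_hosts.get(".".join(labels[i:])) for i in range(1, len(labels)))
    if parts.scheme != "http" or not covered:
        return url                        # unknown host or not http: untouched
    if parts.port is None:
        netloc = host                     # no explicit port: none added (so 443)
    elif parts.port == 80:
        netloc = f"{host}:443"            # explicit :80 becomes :443
    else:
        netloc = f"{host}:{parts.port}"   # any other explicit port is preserved
    return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

def lands_on(url, known_hosts, tls_port):
    """True if the rewritten request goes to https on tls_port."""
    out = urlsplit(hsts_upgrade(url, known_hosts))
    return out.scheme == "https" and (out.port or 443) == tls_port

if __name__ == "__main__":
    seen = {"example.com": True}          # constructed: header already cached
    for u in ("http://example.com/some/path", "http://example.com:80/",
              "http://example.com:8096/"):
        print(u, "->", hsts_upgrade(u, seen), "| reaches :1234:",
              lands_on(u, seen, 1234))
    # A client that has never seen the header is not upgraded at all.
    print(hsts_upgrade("http://example.com/", {}))
```

None of the rewritten URLs targets port 1234, so with a non-default TLS port the explicit `return 301 https://$server_name:1234$request_uri;` on port 80 is what sends a plain-HTTP client to the right listener.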

#50 pir8radio OFFLINE  

pir8radio

    NGINX

  • Members
  • 2801 posts
  • Local time: 07:10 AM
  • LocationChicago

Posted 17 July 2019 - 10:36 PM

 

Added this to my config. Will test again.

Since I am running on a custom SSL port, I had to use this config:

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com;
    return 301 https://$server_name:1234$request_uri;
}

And added this to my ssl server section
 

error_page 497 https://$host:1234$request_uri;

 

 

Yeah, sorry, forgot you were using a goofy port... :-) Good work, hope it works.



#51 Paint OFFLINE  

Paint

    Member

  • Members
  • 23 posts
  • Local time: 08:10 AM

Posted 17 July 2019 - 10:48 PM

Yeah, sorry, forgot you were using a goofy port... :-) Good work, hope it works.

 

Also got a little cute with some user agent filtering. I don't want my domain redirecting everyone who goes to port 80 to my Emby server.

server {
  listen      80;
  server_name htpc.cloud;

  ## only redirect roku ##
  if ($http_user_agent ~ Roku/DVP|Dalvik\/2.1.0|AndroidTv) {
    # 301 = permanent redirect, 302 = temporary redirect
    return 301  https://$server_name:1234$request_uri;
  }
  # return no data
  return 444;
}


  • pir8radio likes this

#52 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 45426 posts
  • Local time: 08:10 AM

Posted 18 July 2019 - 11:19 AM

Please let us know if this solves your problem.

 

Thanks!



#53 Paint OFFLINE  

Paint

    Member

  • Members
  • 23 posts
  • Local time: 08:10 AM

Posted 18 July 2019 - 11:23 AM

Here are my findings. 

 

Roku can stream off of @pir8radio 's server, but it still fails on mine. 

 

I am going to check each line in my nginx.conf to fix any differences. 

 

I have a hunch it's related to SSL/TLS settings...


Edited by Paint, 18 July 2019 - 11:28 AM.
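Added example (not part of Paint's post or of either poster's config): one way to do the line-by-line TLS check, by computing which `ssl_*` values are actually in effect for each `server` block after http-to-server inheritance and flagging legacy protocols and weak cipher-string parts. The function names, the `LEGACY`/`WEAK` lists and the simplified parser (no `include` expansion, no backslash escapes) are assumptions of this example.

```python
import re

LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}   # protocol names to flag
WEAK = ("3DES", "RC4", "MD5", "NULL", "EXP")      # cipher keywords to flag
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[;{}]|[^\s;{}#"']+''')
# Constructed excerpt: TLS lines of the two configs posted above, nested as include nests them.
SAMPLE = """
http {
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1; # Dropping SSLv3, ref: POODLE
    server {
        listen 8920 ssl http2 reuseport;
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
    }
}
"""

def directives(text):
    """Yield (block_path, name, args); handles quoted strings and # comments."""
    stack, words = [], []
    for i, tok in enumerate(TOKEN.findall(text)):
        if tok[0] == "#":
            continue
        if tok == ";" and words:
            yield tuple(stack), words[0], words[1:]
        elif tok == "{":
            stack.append(f"{words[0] if words else '?'}@{i}")  # unique block id
        elif tok == "}" and stack:
            stack.pop()
        if tok in (";", "{", "}"):
            words = []
        else:
            words.append(tok.strip("\"'"))

def effective_tls(text):
    """One dict per server block: listen/ssl_* values after http -> server inheritance."""
    http, servers = {}, {}
    for path, name, args in directives(text):
        owner = next((b for b in path if b.startswith("server@")), None)
        if name == "listen" or name.startswith("ssl_"):
            (servers.setdefault(owner, {}) if owner else http).setdefault(name, args)
    return [{**http, **own} for own in servers.values()]

def weak_tls(server):
    """Legacy protocols and weak cipher-string parts in one effective server dict."""
    protos = sorted(LEGACY & set(server.get("ssl_protocols", [])))
    parts = ":".join(server.get("ssl_ciphers", [])).split(":")
    return protos + [p for p in parts if p[:1] not in ("", "!", "-")
                     and any(w in p.upper() for w in WEAK)]
```

For the excerpt, `weak_tls(effective_tls(SAMPLE)[0])` reports only `DH+3DES`: the server block's own `ssl_protocols` replaces the http-level list, so TLSv1 and TLSv1.1 would apply only to a server block that does not set the directive itself.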


#54 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131628 posts
  • Local time: 08:10 AM

Posted 18 July 2019 - 02:13 PM

Let us know how you get on. Thanks !





