HTTPS very slow when in internal network

[hvt 6]

Hi,

 

my HTTPS connection in my internal network to Emby are very slow. I am experiencing response times of ~3 seconds per request and the stream won't load at all. An apache host on the same server offering Nextcloud and being the reverse proxy for some other servers is not affected. It's only Emby which does not have a reverse proxy. When accessing emby over the internet via HTTPS it's fast as usual. Also HTTP on the internal network has no issues. It is only from the internal network. To confirm this issue I tested in all stated conditions and on different devices.

 

I already submitted logs in this thread: https://emby.media/community/index.php?/topic/75143-emby-being-slow-in-the-browser/

 

Greedings

[mastrmind11 717]

not sure wy you would bother w/ HTTPS on a LAN, but in any case I recently read someone on here that had similar issues and they twaked their proxy to forward to 8096 instead of 8920 and that solved the issue.

[hvt 6]

not sure wy you would bother w/ HTTPS on a LAN, but in any case I recently read someone on here that had similar issues and they twaked their proxy to forward to 8096 instead of 8920 and that solved the issue.

 

I am going to try setting up a reverse proxy for emby.

[mastrmind11 717]

I am going to try setting up a reverse proxy for emby.

if it's just a LAN issue, why not just ditch HTTPS?  It's overkill.

[Justy 2]

Hi,

 

I've set up a reverse proxy too. It's pointing to :8096. And I have no problems/delays.

 

And I agree mastrmind11: It's overkill and not necessary.

 

kr

 

justy

 

P.S. like this:

location / {
proxy_pass http://192.168.178.10:8096;

Edited August 6, 2019 by Justy

[hvt 6]

Everything should be encrypted. No matter if internal or not. HTTPS should not be the problem. I just setup a reverse proxy in the /emby directory of my dyndns domain. Same effect. Nextcloud is working fine tho. My Apache config:

        # Emby
        SetEnv proxy-nokeepalive 1
	SetEnv proxy-sendchunked 1
    
	Header        set        Connection "Upgrade"
	RequestHeader setifempty Connection "Upgrade"
	Header        set        Upgrade "websocket"
	RequestHeader setifempty Upgrade "websocket"
	
	# /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
	# For websocket tunelling the module  proxy_wstunnel MUST be enabled
	# Available from apache 2.4 for older versions it's a bit more complicated
	# => sudo a2enmod proxy_wstunnel
	# => sudo service apache2 restart
	# /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\ /!\
	
	# Compatibility for old version of emby
	<Location /emby/socket >
			ProxyPass        ws://127.0.0.1:8096/emby/socket
			ProxyPassReverse ws://127.0.0.1:8096/emby/socket
	</location>
	
	# For current version
	<Location /embywebsocket>
			ProxyPass        ws://127.0.0.1:8096/emby
			ProxyPassReverse ws://127.0.0.1:8096/emby
	</location>
	
	<Location /emby >
			ProxyPass        http://127.0.0.1:8096
			ProxyPassReverse http://127.0.0.1:8096
	</location>

	<Location /emby/emby >
			ProxyPass        http://127.0.0.1:8096/emby
			ProxyPassReverse http://127.0.0.1:8096/emby
	</location>

# Source: https://emby.media/community/index.php?/topic/40461-emby-server-with-apache-reverse-proxy/

What do I need to set for the hosting settings in emby? I am having:

 

- Secure connection mode: Required for all remote connections

- External domain: my dyndns domain

- Port mapping: Off

- Folder for ssl certificate

- Allow remote conenctions: On

 

Anyways the dev tools of Firefox say that each GET request to stream.mp4 takes up to 3 seconds... Some have 70% of the time: TLS, some other have 90%: blocked and some have 90% of the time: Waiting

[Justy 2]

Hi,

 

I use nginx as reverse proxy. So I cannot compare to my config.

 

But for host settings in emby I would say "secure connection mode" "required for all remote connections" is wrong. Change to handle it by reverse proxy. If you want to use a reverse proxy.

 

Second is: why you proxypass to http://127.0.0.1:8096/emby
 

if you want to use https? shouldn't it be 8920?

[hvt 6]

Change to handle it by reverse proxy.

 

Going to try that one.

 

 

Second is: why you proxypass to http://127.0.0.1:8096/emby

 

if you want to use https? shouldn't it be 8920?

 

As the reverse proxy resides on the same machine as the emby server the traffic is not visible for the outside world, there is no need to use HTTPS for the connection. The target would be disable HTTPS completly in Emby as the HTTPS connection is handled by the reverse proxy. The next step for me is to block the 8096 and 8920 (Emby HTTP and HTTPS ports) on the server for ingoing and outgoing traffic to avoid bypassing the reverse proxy on the other ports. But I am afraid this will break some apps as the generated urls by emby wont be right anymore (Right @@Luke ?).

Edited August 7, 2019 by hvt

[Justy 2]

I refer to your comment:

 

Everything should be encrypted. No matter if internal or not. HTTPS should not be the problem.

 

 

 

 That's why I recommend to proxypass to http://127.0.0.1:8920/emby

But now it's clear. It's the same way I'm doing it:

emby hosting:

local http: 8096

local https: 8920

allow remote connections

public http: 80

public http: 443

external domain: (sub.)mydomain.com

own ssl folder: empty

certificate password: empty

secure connection: by reverse proxy

portmapping: no

router:
protocol TCP
map external 443 to internal 443

 

and then your apache config:

 

 

<VirtualHost *:443>
    ServerName cname.domain.com
....

.........

http://127.0.0.1:8096
......

 

 

[hvt 6]

That's why I recommend to proxypass to http://127.0.0.1:8920/emby

 

By internal I meant internal network I am using the reverse proxy to not use https built into Emby as I assume atm that this causes the long response times. Would be playing myself if I would reverse proxy to https

 

Thank you for your configuration. I am going to try this

[Justy 2]

Just was wondering why to proxy to https.

 

Hope it will help. Good luck.

 

P.S perhaps you will have to map also port 80 external to internal (with redirect to 443 in apache) on the router. Depends on your certificate and other things you're running.

[hvt 6]

80 gets redirected to 443

[hvt 6]

Update: Just applied similar configuration as @@Justy but still very slow. Whats bugging me is that the logs either firefox or emby do state what is taking so long exactly. Other application going over the server such as git server and nextcloud are fast as usual...

[Justy 2]

Hmmm,

 

Whats is the url you use if you acess from local network?

 

Is it your domain name or local emby IP?

 

Perhaps you are accessing from WAN?

[hvt 6]

The ways i am accessing it:

 

In general now (after reverse proxy setup):

https://dyndns.domain.com/emby/web/...

(has issue)

 

In general before:

https://dyndns.domain.com:8920/web/...

(had no issue until 2 weeks ago started this all)

 

The thing is when accessing it like this:

http://192.168.0.124:8096/web/index.html

(no issues. now and before.)

 

Emby Windows App:

Idk. Probably http in internal network.

(No issues. Now and before.)

 

Emby Android App:

Same as windows app

 

What I noticed:

I entered a wrong password by mistake when deleting my cache/cookies and all. In the admin interface this attempt has attached the ip of my router to it. Gonna take a look at apache forwarding the forwarded headers.

 

EDIT: https://stackoverflow.com/questions/7312215/is-there-a-way-to-remove-apaches-reverse-proxy-request-headers says that the appropiate headers are sent by default

Edited August 7, 2019 by hvt

[Justy 2]

From local lan i only use:

http://192.168.0.124:8096

As far as I know, you have to Tell your router the hostname of your embyserver or set up a dns Server if you use https://dyndns.domain.com.

Without that you will connect from LAN to WAN and back.

I can Check at my site, what the delay is if I am doing this. But if I remember, it is not like yours.

Will come back to you.

Edited August 7, 2019 by Justy

[Justy 2]

Just checked it.

 

No delay by accessing from local lan over WAN and back. Stream starts immediately.

 

Why not use in local lan http://192.168.0.124:8096?

For apache reverse proxy I cannot help, sorry.

[hvt 6]

I am using the update client supplied by my dyndns provider. That works. For the other applications it works just fine. Indepently from internal or external location. When resolving the dns the router is "intelligent" enough to redirect the traffic directly to the specified device in the port forwarding settings instead of sending it into the internet. I want to use one url no matter the location. Meaning that I dont have to decide whether i am internal or not and type the specific address. For the apps this is not a problem, as they autodetect the urls.

 

Anyways that whole thing was some kind of improvement. I also checked other issues e.g. I am using Lets Encrypt and the often changing certificates might cause problems but deleting certificate storage of the browser had no effect. Although it still works when you are outside of the network. Then things go fast as usual even over https. It's so damn confusing.

[Justy 2]

I understand. And it worked before .

 

And you mentioned checking of SSL cert. Make all sense.

 

Sorry, but at the moment I've no no clue what else it could be.

 

Hope you will figure it out.

[Justy 2]

Hi hvt,
 

thought again about it.

did you try this:

emby hosting:

local http: 8096

local https: 443

allow remote connections

public http: 80

public http: 443

external domain: (sub.)mydomain.com

own ssl folder: empty

certificate password: empty

secure connection: by reverse proxy

portmapping: no

[hvt 6]

Now I locked myself out Had to go to the config manually to get it to work again...

[Justy 2]

Ups, sorry. Was just an idea.

Good you could revert it.

 

Another idea:

 

Do you have a separate AV/firewall software like Kaspersky etc...?
Maybe this causes the delay? Some kind of SSL inspection, or so?
Tried with deactivated AV/software firewall?

Had some problems in browsers myself  with that in the past.
 

Edited August 8, 2019 by Justy

[hvt 6]

I just checked. Yeah there are some firewalls/inspection services running on some routers, but that does not make sense. For other applications using the same ssl cert, reverse proxy and "way" through the network this issue does not exist.

 

The issue is also not bound to a device or browser. Every computer and every smartphone in every browser has this issue when connecting internally via HTTPS. I also had a look at gpu and server metrics when streaming.

 

What kind of problem in the past? I cant see why its taking so long. I.e. not very detailed. Sometimes FF takes a lot of time for TLS Config, sometimes waiting for the server, sometimes being just blocked (values taken from dev tools > network tab). I cant see any pattern within this.

 

So mainly Emby must be the problem. But there were no updates applied when this issue started. I am gonna take a closer look at the plugins now. Deactivated most of them tho before because of recommendation by Luke in the thread linked at the beginning of this thread.

[mastrmind11 717]

dude seriously, remove your reverse proxie(s) and try it.  there's roughly a 90% chance you jacked up your proxy config and go from there.  the fact that you think https on a local network is required means  your (controlled by you) local network needs some work.  

 

in any case, if no proxy works, then either your proxy config is wrong, or your router doesn't support loopback.  next step would be to find a router that isn't garbage.  

 

regardless, start small and work up.  your requirement of end to end https is extreme (for eg, I work for a fortune 100 financial institution and our internal traffic is not encrypted).  just remove the bs requirement and enjoy Emby.

Edited August 8, 2019 by mastrmind11

[hvt 6]

dude seriously, remove your reverse proxie(s) and try it.  there's roughly a 90% chance you jacked up your proxy config and go from there.

 

dude seriously, please read before writing. I had no reverse proxies in use before and just setup one to test if this would solve the issue.

 

the fact that you think https on a local network is required means  your (controlled by you) local network needs some work. 

 

This does not mean it. I just don't understand why I should use HTTP in local network and use different urls based on my location.

 

in any case, if no proxy works, then either your proxy config is wrong, or your router doesn't support loopback.  next step would be to find a router that isn't garbage. 

 

Again, could you please read the actual issue here. Other applications using the same ssl cert, (now the) same reverse proxy on the same machine in the same network work without issues. But Emby works only on HTTP... Yeah the router my ISP gave me is garbage. No doubt. But it worked before and now even still works for other applications. Anyways Emby works in HTTPS but with delays of up to 5 seconds per single request which makes the web interface laggy.

 

your requirement of end to end https is extreme (for eg, I work for a fortune 100 financial institution and our internal traffic is not encrypted).  just remove the bs requirement and enjoy Emby.

 

Extreme... Are you serious? We live in 2019. HTTPS should be the default. HTTP is extreme. Maybe this financial institution should remove some bs software and the customer might enjoy while people are not able to collect every piece of data they want about said customer.

Edited August 9, 2019 by hvt