plaidstallion, posted June 4, 2020

I was hoping someone could take a look at the HTTP headers I have my reverse proxy (Traefik v2) apply to Emby (and other apps) and let me know what might be causing issues with the app?

    customFrameOptionsValue: SAMEORIGIN
    browserXssFilter: true
    stsSeconds: 155520011
    referrerPolicy: no-referrer
    contentTypeNosniff: true
    sslRedirect: true
    forceSTSHeader: true
    stsIncludeSubdomains: true
    stsPreload: true
    featurePolicy: true
    sslForceHost: true
    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:; media-src *;"
    accessControlAllowOriginList: ["<origin>"]
    featurePolicy: "geolocation 'none'; camera 'none'; microphone 'none'"

The web interface is accessible but sometimes it doesn't load all the assets (cover art, etc.) and movies will randomly not play. If I take all the headers off, everything works fine as if I am connecting inside the LAN, but then I lose that nice A+ security rating for headers scan. I suppose I can start taking them off one by one and see what might be the issue, but thought the devs or forum mods may just be able to look at my list and spot what is wrong. I looked for documentation of recommended headers but didn't see any articles through Google searches. Seems like a good wiki item.

Luke, posted June 4, 2020

I would check out @pir8radio's nginx config. I know it's not the same reverse proxy software, but you may pick up some tips from that.

plaidstallion (author), posted June 5, 2020 (edited)

> I would check out @pir8radio's nginx config. I know it's not the same reverse proxy software, but you may pick up some tips from that.

I will check it out. I was able to get it functioning by taking off "media-src *;" from the contentSecurityPolicy line so it now looks like this:

    contentSecurityPolicy: "default-src 'self'; script-src 'self' 'unsafe-eval'; style-src 'self' 'unsafe-inline'; frame-src *; img-src * data: blob:; font-src 'self' data:;"

I left the rest of the options in the list above alone, so it must be something with the "media-src *;". With that line added, some movies would play but not all, and the whole experience was pretty hit or miss. Seems like that resolved the issue though.

Edited June 5, 2020 by plaidstallion

Luke, posted June 5, 2020

Thanks for the feedback!

Solution: plaidstallion (author), posted June 9, 2020 (edited)

I wanted to follow up to this post with a correction. The headers actually had nothing to do with the issue. I had a global rate limit set for all my forward facing applications and Emby seems to make many many more requests than my other programs. So, while I was not shown an error, as the other programs would do if I hit the page too much, all the back end stuff that Emby does was getting blocked and I was none the wiser. I loosened the rate limiting a bit and all is well. HTTP headers were not an issue at all. This should probably be marked as the correct answer.

Edited June 9, 2020 by plaidstallion

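The failure mode described in the solution post, as an added example that is not part of the thread: a shared rate limit lets the page itself through and then rejects the burst of asset requests behind it. The limiter is modelled as a generic token bucket, and the request counts and limit values are constructed assumptions, not measurements from Emby or settings from the poster's Traefik configuration.

```python
from collections import Counter


class TokenBucket:
    """Generic token bucket: refills `average` tokens per second, holds at most `burst`."""

    def __init__(self, average, burst):
        self.average = average
        self.burst = burst
        self.tokens = float(burst)  # the bucket starts full
        self.last_ms = 0

    def allow(self, now_ms):
        # Refill for the time elapsed since the previous request, capped at `burst`.
        elapsed_ms = now_ms - self.last_ms
        self.tokens = min(self.burst, self.tokens + elapsed_ms * self.average / 1000)
        self.last_ms = now_ms
        if self.tokens >= 1:
            self.tokens -= 1
            return True
        return False  # a proxy would answer this request with an error status


# Constructed page view for one client: (time in ms, request kind, request count).
PAGE_VIEW = [(0, "document", 1), (100, "script", 8), (500, "image", 60)]


def load_page(average, burst, page_view=PAGE_VIEW):
    """Replay one page view through the limiter and return {kind: rejected_count}."""
    bucket = TokenBucket(average, burst)
    rejected = Counter({kind: 0 for _, kind, _ in page_view})
    for at_ms, kind, count in page_view:
        for _ in range(count):
            if not bucket.allow(at_ms):
                rejected[kind] += 1
    return dict(rejected)


if __name__ == "__main__":
    # Hypothetical limit sized for low-traffic apps: the page loads, cover art does not.
    print("tight limit :", load_page(average=10, burst=20))
    # Hypothetical loosened limit: the same page view passes completely.
    print("looser limit:", load_page(average=100, burst=200))
```

Because the document and scripts pass, the user sees a working page with missing artwork rather than an error, so the proxy's access log is the place to confirm that rejected requests cluster on asset and API paths.
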
Luke, posted June 9, 2020

Thanks for the feedback!