Jump to content

Emby app users unable to login to Emby subdomain with Emby server behind haproxy


teknand
 Share

Go to solution Solved by Luke,

Recommended Posts

I am running Emby on a TrueNAS server behind a haproxy reverse proxy that is configured to use LetEncrypt certificates so the cert configuration doesn't have to be done in Emby. My domain provider is Google Domains and I have a synthetic record configured to point to my subdomain. When users attempt to login to my Emby server through any of the Emby apps using my subdomain URL they can access the server and see their profile but when they attempt to login they get the following error:

Invalid username or password. Please try again.

The Emby logs show:

2020-11-28 20:05:49.428 Info HttpServer: HTTP GET http://emby.domain.io:8096/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=SAMSUNG_DEVICE&X-Emby-Device-Id=180dd06ae38b4c18&X-Emby-Client-Version=3.1.64. Host=emby.domain.io, accept=application/json, User-Agent=Mozilla/5.0 (Linux; Android 10; SM-G975U1 Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.198 Mobile Safari/537.36, X-Requested-With=com.mb.android, Sec-Fetch-Site=cross-site, Sec-Fetch-Mode=cors, Sec-Fetch-Dest=empty, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9
2020-11-28 20:05:49.429 Error HttpServer: Access token is invalid or expired.

My haproxy configuration is as follows:

global
        log /dev/log    local0
        log /dev/log    local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        #  https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        #  https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384

        ssl-default-bind-options no-sslv3

defaults
        log     global
        mode    http
        option  httplog
        option  dontlognull
        timeout connect 5000
        timeout client  50000
        timeout server  50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

frontend www-http
        bind *:80
        bind *:443 ssl crt /etc/ssl/domain.io/domain.pem

        redirect scheme https code 301 if !{ ssl_fc }

        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl

        use_backend gitlab-backend if { hdr_dom(host) -i gitlab.domain.io }
        use_backend gitlab-backend if { hdr_dom(host) -i pages.domain.io }
        use_backend nextcloud-backend if { hdr_dom(host) -i nextcloud.domain.io }
        use_backend emby-backend if { hdr_dom(host) -i emby.domain.io }

        default_backend gitlab-backend

backend gitlab-backend
        server gitlab 192.168.50.9:80

backend pages-backend
        server pages 192.168.50.9:8090

backend nextcloud-backend
        server nextcloud 192.168.50.12:80

backend emby-backend
        server emby 192.168.50.13:8096

backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8888

If users navigate to my Emby subdomain in a browser and login they have no issue. Only when using the app do they have trouble.

I should also note that if a user has an Emby Connect account and I have set their account email in their profile then they can use the Connect account to login from the apps. While this is a work around, not all my users want Connect accounts so I would like to avoid this if possible.

Edited by teknand
Link to comment
Share on other sites

Another issue I am seeing is that all user profiles show as though the user is logging in on the local network. My assumption is that this is due to the connection being through the reverse proxy. An easy solution would be to turn on the 'Hide this user from login screens on the local network' for every user but I want to be sure this is the expected behavior.

Link to comment
Share on other sites

  • Solution
16 hours ago, teknand said:

Another issue I am seeing is that all user profiles show as though the user is logging in on the local network. My assumption is that this is due to the connection being through the reverse proxy. An easy solution would be to turn on the 'Hide this user from login screens on the local network' for every user but I want to be sure this is the expected behavior.

Hi, it sounds like you need to configure the proxy so that emby server can see the original ip address of the remote user.

Link to comment
Share on other sites

3 hours ago, Luke said:

Hi, it sounds like you need to configure the proxy so that emby server can see the original ip address of the remote user.

Thanks! That did fix this part of my issue. I added the following to the defaults section of my haproxy.cfg:

option forwardfor except 127.0.0.1

Still trying to figure out the login issue though. 🤔

Link to comment
Share on other sites

3 hours ago, Luke said:

Does the server dashboard activity section display the correct remote addresses now?

Kind of. The remote address is correct but the port is not. Haproxy is taking the request on the 80 port and passing it to Emby on the 8096 port from what I understand looking at the haproxy.cfg but the dashboard is showing port 8920.

Here is my configuration on the Emby server.

543666621_Screenshot2020-12-01003733.png.7e9bedf71f1004e8b8f1acec74cb544c.png

722666359_Screenshot2020-12-01003832.thumb.png.3957e85f0b685eff5e2841c38cee63a2.png

418439538_Screenshot2020-12-01003912.thumb.png.44838310c1476e314b7962edbb123819.png

Link to comment
Share on other sites

I tried that too and still wasn't having any luck. I've spent the last 3 or 4 hours trying to get it working. All of a sudden the power went out a couple times and came back on and now it is somehow working... 🤷‍♂️ Wish I had an answer as to why but I'm clueless in this situation. Since you pointed me in the right direction for setting up the forwardfor setting in haproxy I'm going to mark that as the solution.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
 Share

×
×
  • Create New...