teknand, posted November 29, 2020 (edited)

I am running Emby on a TrueNAS server behind a haproxy reverse proxy that is configured to use Let's Encrypt certificates so the cert configuration doesn't have to be done in Emby. My domain provider is Google Domains and I have a synthetic record configured to point to my subdomain. When users attempt to log in to my Emby server through any of the Emby apps using my subdomain URL they can access the server and see their profile, but when they attempt to log in they get the following error:

    Invalid username or password. Please try again.

The Emby logs show:

    2020-11-28 20:05:49.428 Info HttpServer: HTTP GET http://emby.domain.io:8096/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=SAMSUNG_DEVICE&X-Emby-Device-Id=180dd06ae38b4c18&X-Emby-Client-Version=3.1.64. Host=emby.domain.io, accept=application/json, User-Agent=Mozilla/5.0 (Linux; Android 10; SM-G975U1 Build/QP1A.190711.020; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/86.0.4240.198 Mobile Safari/537.36, X-Requested-With=com.mb.android, Sec-Fetch-Site=cross-site, Sec-Fetch-Mode=cors, Sec-Fetch-Dest=empty, Accept-Encoding=gzip, deflate, Accept-Language=en-US,en;q=0.9
    2020-11-28 20:05:49.429 Error HttpServer: Access token is invalid or expired.
    2020-11-28 20:05:49.429 Info HttpServer: HTTP Response 401 to 192.168.50.10. Time: 1ms. http://emby.domain.io:8096/Users/authenticatebyname?X-Emby-Client=Emby for Android&X-Emby-Device-Name=SAMSUNG_DEVICE&X-Emby-Device-Id=180dd06ae38b4c18&X-Emby-Client-Version=3.1.64.
    ConnectionId: null

My haproxy configuration is as follows:

    global
        log /dev/log local0
        log /dev/log local1 notice
        chroot /var/lib/haproxy
        stats socket /run/haproxy/admin.sock mode 660 level admin expose-fd listeners
        stats timeout 30s
        user haproxy
        group haproxy
        daemon

        # Default SSL material locations
        ca-base /etc/ssl/certs
        crt-base /etc/ssl/private

        # Default ciphers to use on SSL-enabled listening sockets.
        # For more information, see ciphers(1SSL). This list is from:
        # https://hynek.me/articles/hardening-your-web-servers-ssl-ciphers/
        # An alternative list with additional directives can be obtained from
        # https://mozilla.github.io/server-side-tls/ssl-config-generator/?server=haproxy
        ssl-default-bind-ciphers TLS_AES_128_GCM_SHA256:TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384
        ssl-default-bind-options no-sslv3

    defaults
        log global
        mode http
        option httplog
        option dontlognull
        timeout connect 5000
        timeout client 50000
        timeout server 50000
        errorfile 400 /etc/haproxy/errors/400.http
        errorfile 403 /etc/haproxy/errors/403.http
        errorfile 408 /etc/haproxy/errors/408.http
        errorfile 500 /etc/haproxy/errors/500.http
        errorfile 502 /etc/haproxy/errors/502.http
        errorfile 503 /etc/haproxy/errors/503.http
        errorfile 504 /etc/haproxy/errors/504.http

    frontend www-http
        bind *:80
        bind *:443 ssl crt /etc/ssl/domain.io/domain.pem
        redirect scheme https code 301 if !{ ssl_fc }
        acl letsencrypt-acl path_beg /.well-known/acme-challenge/
        use_backend letsencrypt-backend if letsencrypt-acl
        use_backend gitlab-backend if { hdr_dom(host) -i gitlab.domain.io }
        use_backend gitlab-backend if { hdr_dom(host) -i pages.domain.io }
        use_backend nextcloud-backend if { hdr_dom(host) -i nextcloud.domain.io }
        use_backend emby-backend if { hdr_dom(host) -i emby.domain.io }
        default_backend gitlab-backend

    backend gitlab-backend
        server gitlab 192.168.50.9:80

    backend pages-backend
        server pages 192.168.50.9:8090

    backend nextcloud-backend
        server nextcloud 192.168.50.12:80

    backend emby-backend
        server emby 192.168.50.13:8096

    backend letsencrypt-backend
        server letsencrypt 127.0.0.1:8888

If users navigate to my Emby subdomain in a browser and log in they have no issue. Only when using the app do they have trouble. I should also note that if a user has an Emby Connect account and I have set their account email in their profile then they can use the Connect account to log in from the apps. While this is a workaround, not all my users want Connect accounts so I would like to avoid this if possible.

Edited November 29, 2020 by teknand

teknand (author), posted November 29, 2020

Another issue I am seeing is that all user profiles show as though the user is logging in on the local network. My assumption is that this is due to the connection being through the reverse proxy. An easy solution would be to turn on the 'Hide this user from login screens on the local network' for every user but I want to be sure this is the expected behavior.

Luke, posted November 29, 2020 (Solution)

16 hours ago, teknand said:

> Another issue I am seeing is that all user profiles show as though the user is logging in on the local network. My assumption is that this is due to the connection being through the reverse proxy. An easy solution would be to turn on the 'Hide this user from login screens on the local network' for every user but I want to be sure this is the expected behavior.

Hi, it sounds like you need to configure the proxy so that Emby server can see the original IP address of the remote user.

teknand (author), posted November 29, 2020

3 hours ago, Luke said:

> Hi, it sounds like you need to configure the proxy so that emby server can see the original ip address of the remote user.

Thanks! That did fix this part of my issue. I added the following to the defaults section of my haproxy.cfg:

    option forwardfor except 127.0.0.1

Still trying to figure out the login issue though.
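
The fix above works because the backend starts reading the client address from `X-Forwarded-For`; HAProxy's `option forwardfor` appends its own header and leaves any client-supplied one in place, so a backend must believe only the last entry, and only when the connection comes from the proxy. The sketch below is an added example, not part of the thread and not Emby's code, showing that resolution and the resulting local/remote classification. Assumptions: the proxy is 192.168.50.10 (the address in the 401 log line), the LAN is 192.168.50.0/24, and `client_ip` / `is_local` are hypothetical names.

```python
import ipaddress

# Assumption: the HAProxy host is the only peer allowed to vouch for a client address.
TRUSTED_PROXIES = {ipaddress.ip_address("192.168.50.10")}
# Assumption: what the backend considers "the local network".
LOCAL_NETS = [ipaddress.ip_network("192.168.50.0/24"), ipaddress.ip_network("127.0.0.0/8")]


def client_ip(peer, xff_headers):
    """Return the address the backend should treat as the client.

    peer        -- source address of the TCP connection to the backend
    xff_headers -- every X-Forwarded-For header value, in the order received
    """
    peer_ip = ipaddress.ip_address(peer)
    if peer_ip not in TRUSTED_PROXIES:
        # Direct connection: anything in X-Forwarded-For is client-controlled.
        return peer_ip
    # Flatten "a, b" lists; the entry added by the proxy is the last one.
    hops = [h.strip() for value in xff_headers for h in value.split(",") if h.strip()]
    # Walk right to left, skipping hops that are themselves trusted proxies.
    for hop in reversed(hops):
        try:
            ip = ipaddress.ip_address(hop)
        except ValueError:
            return peer_ip  # unparseable chain: fall back to the peer
        if ip not in TRUSTED_PROXIES:
            return ip
    return peer_ip


def is_local(ip):
    # True when the resolved address falls inside a configured local network.
    return any(ip in net for net in LOCAL_NETS)


# Constructed requests: (peer address, X-Forwarded-For header values)
SAMPLES = {
    "proxy, no forwardfor": ("192.168.50.10", []),
    "proxy, forwardfor on": ("192.168.50.10", ["203.0.113.7"]),
    "client-forged header": ("192.168.50.10", ["192.168.50.99", "203.0.113.7"]),
    "direct, forged header": ("198.51.100.4", ["192.168.50.99"]),
}

if __name__ == "__main__":
    for name, (peer, xff) in SAMPLES.items():
        ip = client_ip(peer, xff)
        print(f"{name:22} -> {ip} ({'local' if is_local(ip) else 'remote'})")
```

The first sample reproduces the symptom in the thread (every user appears local); the third shows why taking the first `X-Forwarded-For` value instead of the last would let a remote client claim a LAN address.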

Luke, posted December 1, 2020

Does the server dashboard activity section display the correct remote addresses now?

teknand (author), posted December 1, 2020

3 hours ago, Luke said:

> Does the server dashboard activity section display the correct remote addresses now?

Kind of. The remote address is correct but the port is not. Haproxy is taking the request on the 80 port and passing it to Emby on the 8096 port from what I understand looking at the haproxy.cfg but the dashboard is showing port 8920. Here is my configuration on the Emby server.

Luke, posted December 1, 2020

Then I would configure your public facing port in Emby server network settings.

teknand (author), posted December 1, 2020

I tried that too and still wasn't having any luck. I've spent the last 3 or 4 hours trying to get it working. All of a sudden the power went out a couple times and came back on and now it is somehow working... Wish I had an answer as to why but I'm clueless in this situation. Since you pointed me in the right direction for setting up the forwardfor setting in haproxy I'm going to mark that as the solution.

Luke, posted December 1, 2020

Thanks for the feedback.