Posted (edited)

I have just read the guide and it seems to be very good and interesting for many people. Since I want to set up my Emby server on a mini Windows PC that runs 24/7, I was also interested in it. But it seems to be much more complicated than what I have in mind. Can't I just take the normal Emby installation and use a PowerShell script via Windows task scheduling? That then automatically retrieves the IP address of the server and compares it with the DNS-A-Record-IP stored with my domain provider. If there is a discrepancy, the script updates the A-record at the domain provider with the new IP address. Just schedule this every minute. The SSL certificate script by Certbot can also be entered in the Task Scheduler and be executed.

And that's actually it, isn't it? What are the advantages of using 10 different applications in the guide? Security aspects or other things?

Edited by Justus
Posted
On 4/22/2024 at 1:23 PM, Justus said:

And that's actually it, isn't it? What are the advantages of using 10 different applications in the guide? Security aspects or other things?

Part of the point is to add a reverse proxy to hide Emby behind. And one that is easier to automate setting up SSL certificates. The IISCrypto thing... I think is a bad, bad idea, as it can break all sorts of things on your system, and IIS allows you to disable legacy TLS support, anyways (which is why the IISCrypto).

 

Nathanael
Posted
On 4/22/2024 at 10:23 PM, Justus said:

And that's actually it, isn't it? What are the advantages of using 10 different applications in the guide? Security aspects or other things?

What do you mean with 10+ applications?

Even with your suggested "powershell script" you would still need applications like NSSM to create the Emby service as running as an application has some downsides on a server, or an application like Certify the web for the automatic SSL renewal.

The rest are extensions to Microsoft IIS. 

Those are not a lot of apps. It is a basic reverse proxy setup.

TheITJedi
Posted
12 hours ago, drashna said:

Part of the point is to add a reverse proxy to hide Emby behind. And one that is easier to automate setting up SSL certificates. The IISCrypto thing... I think is a bad, bad idea, as it can break all sorts of things on your system, and IIS allows you to disable legacy TLS support, anyways (which is why the IISCrypto).

 

At the point I wrote this, I was using Server 2019 which did not have the “disable legacy TLS” option. Server 2022 does and makes the IISCrypto bits unnecessary. However, older versions of Windows Server still need it. 

  • 3 weeks later...
TolkienBard
Posted

Is there someplace I can poke about to find the modern update to this guide? I would really like to get my server up and running using HTTPS and not have to deal with regularly having to renew stuff. However, when  I get to the step of:

Install IIS (Internet Information Services) 

I run into issues. First off, Server Manager was not showing up. I finally figured that one out and got all the stuff installed. But then, once I launch it and attempt to "Add Roles or Features", I am greeted with the popup that there are no servers selected and the Emby server does not show up as an option to add.

More importantly though, MS Web Platform Installer has been discontinued. The links all over the place for finding a copy of it (from a third party that is not MS) are either dead or for version 3.0, which crashes after opening.

 

I have less than zero beneath the hood skills when it comes to this sort of thing, so I was very glad to see such a detailed guide. Alas, I have hit a brick wall and am unable to proceed to finish the project.

 

TheITJedi
Posted

@TolkienBard I am working on an updated guide and tooling to make it easier for those with minimal technical expertise. I hope to have it completed before the end of the month, but as I’m a full time single parent and work full time, I can’t promise it will be done by then.

 

TolkienBard
Posted

@TheITJedi I shall patiently await your convenience. I am perfectly capable of logging into my server in the same, other ways that I have been since before MB became Emby, LOL. No rush. I just recently discovered my summer has opened up immensely and am trying to tackle some of those "projects from the list", you know, the list we all have going on in the back of our minds for if we ever have the time.

TheITJedi
Posted

@TolkienBard I am familiar with that list lol.
 

I’m about 1/3rd of the way done building all the pieces of the script. The big lift is getting the prompts all put together to allow for customization of how it assembles everything. The idea is to run the script, and it will give you a menu to choose from and let you do the entire setup as a one stop shop.

  • 1 month later...
kernelcutter
Posted

@TheITJedi, I'm a near 30-year Microsoft OS engineer who has just retired, if you would like assistance, let me know.

  • 2 weeks later...
parhamsan
Posted (edited)

@TheITJedi thanks for the great post, been using your guide (with some tweaks on the Certify the Web with CF and ZeroSSL instead of Let's Encrypt) for a while now.

Have a question for you, I have used your web.config content for most of my subdomains (for example emby.mysubdomain.com) and the reverse proxy for my other subdomains and they work just fine.

However, if I want to use my main domain (mydomain.com) to access a certain HTTP port, what would be the content of the web.config file for that certain subdomain or my mydomain.com?

As an example, all my subdomains plex.mydomain.com, emby.mydomain.com, hfs2.mydomain.com, etc. are redirected to HTTPS with your tweak, but I still want to use my main domain name to access certain ports, for example http://mydomain.com:8096 to access Emby HTTP, http://mydomain.com:7000 for let's say RDP, etc.

Is this possible?

Obviously, currently I have forwarded ports 80, 443 to my main server where the IIS and reverse proxy is set-up.

Any help would be appreciated, thanks!!!

Edited by parhamsan
  • 3 weeks later...
TheITJedi
Posted

Hey gang, 

I am very sorry that I am way later than I had planned getting this finished. Life has been crazy the last couple months.

README: https://github.com/itjedi42/emby-server-tools/blob/main/README.md

SCRIPT: https://github.com/itjedi42/emby-server-tools/blob/main/Manage-EmbyServer.ps1

 

What it does:

  • Checks if installation path exists, if not, creates it.
  • Checks if 7-Zip is installed (needed to extract .7z archives of Emby Server), if it's not present, it will get the latest version and install it.
  • Checks for NSSM in installation path, if not found, fetches it and gets it where it needs to be.
  • Checks if Visual C++ 2015-2022 Redistributable Runtime is installed, if not it gets latest version and installs it.
  • Checks if IIS is installed, if not, installs it and relevant features.
  • Checks if IIS Rewrite2 Module is installed, if not, it downloads and installs it.
  • Checks if IIS AAR3.0 Module is installed, if not, it downloads and installs it.
  • Checks if Certify The Web client is installed, if not it downloads and installs it.
  • Downloads latest .7z x64 version of Emby Server (will download latest beta if `-beta` is specified) and extracts it.
  • Creates a local user to use as a service account to run Emby Server.
  • Configures Emby Server to run as a service via NSSM.
  • Configures Windows Firewall rule to allow TCP port `80` and `443` in and UDP `443` in (For TLS1.3/QUIC support).
  • Stops the default IIS website.
  • Creates a new `Emby Server Reverese Proxy` site.
  • Configures IIS WebServer farm in AAR3.0.
  • Configures IIS server variables.
  • Disables IIS caching (causes weirdness with streaming).
  • Configures IIS request filtering.
  • Configures IIS headers.
  • Configures rewrite/reverse proxy rules.
  • Configures Certify the Web client to create and maintain SSL certificate.
  • Disables OCSP stapling.
  • Disables legacy TLS.
  • Configures QUIC protocol and TLS 1.3 (if Windows Server 2022 or newer).
  • Starts Emby Server as a Service.
  • Launches Emby Server WebUI in the default system browser.
  • Outputs credentials of created service account.

The script can also be used to update Emby Server when new versions are available.

 

NOTES:

You will still have to configure your router to pass ports through to the machine this is run on. 

You will still have to configure the internal Emby settings inside the application itself. 

---

 

Emby Internal Settings

  • Navigate to your server via the localhost:8096 address
  • Click the gear in the top right corner
  • Click Network from the list of tabs on the right
  • Configure as shown (use your hostname in the external domain box)

[Screenshot: Emby Network settings]

---



@kernelcutter By all means! Feel free to provide feedback or even clone the repo and PR changes! I am sure there are bits that can be optimized and added.


I hope this helps everyone!

TheITJedi
Posted (edited)


@kernelcutter  By all means! Feel free to provide feedback or even clone the repo and PR changes! I am sure there are bits that can be optimized and added. 

 

Edited by TheITJedi
TheITJedi
Posted
On 7/31/2024 at 9:59 AM, parhamsan said:

@TheITJedi thanks for the great post, been using your guide (with some tweaks on the Certify the Web with CF and ZeroSSL instead of Let's Encrypt) for a while now.

Have a question for you, I have used your web.config content for most of my subdomains (for example emby.mysubdomain.com) and the reverse proxy for my other subdomains and they work just fine.

However, if I want to use my main domain (mydomain.com) to access a certain HTTP port, what would be the content of the web.config file for that certain subdomain or my mydomain.com?

As an example, all my subdomains plex.mydomain.com, emby.mydomain.com, hfs2.mydomain.com, etc. are redirected to HTTPS with your tweak, but I still want to use my main domain name to access certain ports, for example http://mydomain.com:8096 to access Emby HTTP, http://mydomain.com:7000 for let's say RDP, etc.

Is this possible?

Obviously, currently I have forwarded ports 80, 443 to my main server where the IIS and reverse proxy is set-up.

Any help would be appreciated, thanks!!!


@parhamsan

I’m glad you found it helpful! 

Yes, it’s possible to do what you are asking, but there are some caveats  

Your bare domain would also need to have its DNS record pointed to the same place as the sub domains. Assuming it is, then it’s a matter of port forwarding in your router. (You might also need to open ports in Windows Firewall depending on your configuration)  

If you are trying to make Remote Desktop available over :7000 on the internet, and still work normally in-network, your router would need to be able to map external ports to different internal ports. Most modern routers can.

Your router would need to be configured to port forward :7000 to :3389 for RDP. Alternatively it is possible to reconfigure Remote Desktop to listen on ports other than :3389. (But in either case, opening up Remote Desktop to the open internet is generally a bad idea and security risk, do so at your own peril.)

If you want to reach Emby on :8096 of your bare domain, you would need to forward :8096 through your router for Emby. However, it should be noted that the :8096 port is just HTTP and not encrypted. :8920 is the HTTPS port for Emby, but you’d have to set up your cert inside Emby Server.

Part of the point of the reverse proxy is to allow for automated certificate renewal so you can basically “set it and forget it”, rather than have to manage the certificate in Emby. With the reverse proxy, IIS listens on :80 & :443, HTTP traffic is automatically redirected to be HTTPS. IIS relays the traffic to Emby Server on :8096 and then Emby doesn’t have to be configured with the certificate, the Certify the Web client can handle renewals via IIS.

parhamsan
Posted
On 8/21/2024 at 12:27 AM, TheITJedi said:


@parhamsan

I’m glad you found it helpful! 

Yes, it’s possible to do what you are asking, but there are some caveats  

Your bare domain would also need to have its DNS record pointed to the same place as the sub domains. Assuming it is, then it’s a matter of port forwarding in your router. (You might also need to open ports in Windows Firewall depending on your configuration)  

If you are trying to make Remote Desktop available over :7000 on the internet, and still work normally in-network, your router would need to be able to map external ports to different internal ports. Most modern routers can.

Your router would need to be configured to port forward :7000 to :3389 for RDP. Alternatively it is possible to reconfigure Remote Desktop to listen on ports other than :3389. (But in either case, opening up Remote Desktop to the open internet is generally a bad idea and security risk, do so at your own peril.)

If you want to reach Emby on :8096 of your bare domain, you would need to forward :8096 through your router for Emby. However, it should be noted that the :8096 port is just HTTP and not encrypted. :8920 is the HTTPS port for Emby, but you’d have to set up your cert inside Emby Server.

Part of the point of the reverse proxy is to allow for automated certificate renewal so you can basically “set it and forget it”, rather than have to manage the certificate in Emby. With the reverse proxy, IIS listens on :80 & :443, HTTP traffic is automatically redirected to be HTTPS. IIS relays the traffic to Emby Server on :8096 and then Emby doesn’t have to be configured with the certificate, the Certify the Web client can handle renewals via IIS.

Hey TheITJedi,

Thanks for taking the time to respond to my question. Although I started my reverse proxy with windows server and IIS, I have not leaned towards NGINX Proxy Manager since it has a lot easier UI for creating subdomains and SSL certificates.

I appreciate the feedback on how to access the HTTP port with port forwarding on the router!

  • 2 months later...
Posted
On 8/18/2024 at 9:47 AM, TheITJedi said:

Hey gang, 

I am very sorry that I am way later than I had planned getting this finished. Life has been crazy the last couple months.

README: https://github.com/itjedi42/emby-server-tools/blob/main/README.md

SCRIPT: https://github.com/itjedi42/emby-server-tools/blob/main/Manage-EmbyServer.ps1

 

What it does:

  • Checks if installation path exists, if not, creates it.
  • Checks if 7-Zip is installed (needed to extract .7z archives of Emby Server), if it's not present, it will get the latest version and install it.
  • Checks for NSSM in installation path, if not found, fetches it and gets it where it needs to be.
  • Checks if Visual C++ 2015-2022 Redistributable Runtime is installed, if not it gets latest version and installs it.
  • Checks if IIS is installed, if not, installs it and relevant features.
  • Checks if IIS Rewrite2 Module is installed, if not, it downloads and installs it.
  • Checks if IIS AAR3.0 Module is installed, if not, it downloads and installs it.
  • Checks if Certify The Web client is installed, if not it downloads and installs it.
  • Downloads latest .7z x64 version of Emby Server (will download latest beta if `-beta` is specified) and extracts it.
  • Creates a local user to use as a service account to run Emby Server.
  • Configures Emby Server to run as a service via NSSM.
  • Configures Windows Firewall rule to allow TCP port `80` and `443` in and UDP `443` in (For TLS1.3/QUIC support).
  • Stops the default IIS website.
  • Creates a new `Emby Server Reverese Proxy` site.
  • Configures IIS WebServer farm in AAR3.0.
  • Configures IIS server variables.
  • Disables IIS caching (causes weirdness with streaming).
  • Configures IIS request filtering.
  • Configures IIS headers.
  • Configures rewrite/reverse proxy rules.
  • Configures Certify the Web client to create and maintain SSL certificate.
  • Disables OCSP stapling.
  • Disables legacy TLS.
  • Configures QUIC protocol and TLS 1.3 (if Windows Server 2022 or newer).
  • Starts Emby Server as a Service.
  • Launches Emby Server WebUI in the default system browser.
  • Outputs credentials of created service account.

The script can also be used to update Emby Server when new versions are available.

 

NOTES:

You will still have to configure your router to pass ports through to the machine this is run on. 

You will still have to configure the internal Emby settings inside the application itself. 

---

 

Emby Internal Settings

  • Navigate to your server via the localhost:8096 address
  • Click the gear in the top right corner
  • Click Network from the list of tabs on the right
  • Configure as shown (use your hostname in the external domain box)

[Screenshot: Emby Network settings]

---



@kernelcutter By all means! Feel free to provide feedback or even clone the repo and PR changes! I am sure there are bits that can be optimized and added.


I hope this helps everyone!

Just for fun I wanted to test this on a WS2025, and I get a bunch of WriteErrorException.
It succeeds with only these things:
Install 7zip.
Install IIS.
Downloads Emby-zip to C:\Embyserver.

The rest fails..



What am I doing wrong?

I have the script at C:\

Run powershell as administrator and run with modified Example1 ;
 

.\Manage-EmbyServer.ps1 -Install -CreateServiceAccount -CertificateContactName "Admin" -CertificateContactEmal "admin@example.com" -ExternalHostName "media.example.com

Though, I don't actually have a domain with records to test with, so I put Test.local as -ExternalHostName

  • 2 weeks later...
Posted

@Carlo the link you posted has nothing to do with the PowerShell script previously mentioned. They're two completely separate tools. I'm not even entirely sure what the one in the thread you linked does.

That said, I looked over the PowerShell script. It doesn't "rip out" Emby's web server and replace it with IIS. You're misinterpreting that part as it just stops and removes the default web site that's created as part of installing the IIS role. Everything else is just installing dependencies, Emby itself, certificate renewal, and setting up IIS to function as a reverse proxy, etc.

I'm not advocating for anyone to use the script or that I agree with all of the configurations it makes. I'm just saying that after looking it over that it appears to do what it says and nothing more. As always, anyone looking to use it should verify for themselves before running it.

I much prefer the manual setup and configuration approach as it gives you a better understanding of the whole process and how to troubleshoot issues or make configuration changes to better suit your environment.

As someone who's used IIS as a web server and reverse proxy for a while, it's definitely worth learning how it works if you intend on using it. 

Posted

Had the thread open, meaning to read it for a couple days. Then I saw the links in the message posted right above my response about the "emby-server-tools" script and that was what I was commenting on.

Since I haven't read the thread from the beginning, I deleted my message but would be cautious using without some kind of background, discussion or similar.

Posted

 I could probably do a video of how to do it, it would be more better 

  • 3 weeks later...
Posted

Throwing out a question here to see if anybody could help me,

If I want to redirect to https://localhost:8920 instead of http://localhost:8096 what changes are needed to web.config below?
I have made a self-signed cert and installed it on the Emby server so it listens on 8920, and this is to be able to use TLS between the proxy and Emby, since the connection otherwise always gets HTTP/1.1.
The rules that redirect http to https shouldn't be needed?
 

```xml
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <clear></clear>
        <!-- Redirect any request that arrived over plain HTTP to HTTPS -->
        <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
          <match url="*" negate="false" />
          <conditions logicalGrouping="MatchAny">
            <add input="{HTTPS}" pattern="off" />
          </conditions>
          <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
        </rule>
        <!-- Forward everything else to the Emby backend, except .well-known paths
             (such as ACME HTTP-01 challenge files) -->
        <rule name="Proxy to Emby" stopProcessing="false">
          <match url="(.*)" />
          <serverVariables>
            <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
            <set name="HTTP_ACCEPT_ENCODING" value="" />
            <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
          </serverVariables>
          <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
          <conditions>
            <add input="/{R:1}" pattern=".well-known" negate="true" />
          </conditions>
        </rule>
      </rules>
      <outboundRules>
        <!-- Send an HSTS header on HTTPS responses -->
        <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
          <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
          <conditions>
            <add input="{HTTPS}" pattern="on" />
          </conditions>
          <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
        </rule>
        <!-- Rewrite backend URLs in text responses to the public host name -->
        <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
          <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://http://localhost:8096/(.*)" />
          <action type="Rewrite" value="http{R:1}://domain.com/{R:2}" />
        </rule>
        <!-- Restore the Accept-Encoding value saved by the inbound rule -->
        <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
          <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
          <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>
      </outboundRules>
    </rewrite>
    <caching enabled="false" enableKernelCache="false" />
    <httpProtocol>
      <customHeaders>
        <add name="Cache-Control" value="no-cache" />
        <add name="Feature-Policy" value="sync-xhr 'self'" />
        <add name="Referrer-Policy" value="same-origin" />
        <add name="X-Content-Type-Options" value="nosniff" />
        <add name="X-Frame-Options" value="SAMEORIGIN" />
        <add name="X-Xss-Protection" value="1; mode=block" />
        <add name="alt-svc" value="h3=&quot;:443&quot;; ma=86400; persist=1" />
      </customHeaders>
    </httpProtocol>
    <security>
      <requestFiltering removeServerHeader="true">
        <requestLimits maxUrl="65534" maxQueryString="65534" />
      </requestFiltering>
    </security>
  </system.webServer>
  <system.web>
    <httpRuntime enableVersionHeader="false" />
  </system.web>
</configuration>
```

 

Posted
3 hours ago, skooogis said:

Throwing out a question here to see if anybody could help me,

If I want to redirect to https://localhost:8920 instead of http://localhost:8096 what changes are needed to web.config below?
I have made a self-signed cert and installed it on the Emby server so it listens on 8920, and this is to be able to use TLS between the proxy and Emby, since the connection otherwise always gets HTTP/1.1.
The rules that redirect http to https shouldn't be needed?
 


 

 

@skooogis short version is replace the instances of `http://localhost:8096` with `https://localhost:8920`
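
One way to apply the replacement described in the reply above without hand-editing the file, as an added example that is not part of the original posts, the guide, or the emby-server-tools script. The function name `Update-ProxyBackend`, its parameters, and the sample file are assumptions made for this example; it only touches attributes under `<rewrite>` and reports each change before anything is written.

```powershell
# Added example: XML-aware backend swap for an IIS URL Rewrite web.config.
# Update-ProxyBackend and its parameters are hypothetical names for this example.
function Update-ProxyBackend {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$OldBackend = 'http://localhost:8096',
        [string]$NewBackend = 'https://localhost:8920',
        [switch]$Apply   # without -Apply the file is left untouched (dry run)
    )

    $fullPath = (Resolve-Path -LiteralPath $Path).ProviderPath
    $doc = New-Object System.Xml.XmlDocument
    $doc.PreserveWhitespace = $true   # keep the file's layout when saving
    $doc.Load($fullPath)              # throws if the XML is not well-formed

    # Only attributes under <rewrite> are considered: the inbound action url and
    # the outbound match pattern are the places that carry the backend address.
    $attrs = @($doc.SelectNodes('/configuration/system.webServer/rewrite//@*'))
    $changes = foreach ($attr in $attrs) {
        if ($attr.Value.Contains($OldBackend)) {
            $before = $attr.Value
            $attr.Value = $before.Replace($OldBackend, $NewBackend)
            [pscustomobject]@{
                Rule    = $attr.OwnerElement.ParentNode.GetAttribute('name')
                Element = $attr.OwnerElement.Name
                Before  = $before
                After   = $attr.Value
            }
        }
    }

    if ($Apply -and $changes) {
        # Keep a copy of the working configuration next to the edited file.
        Copy-Item -LiteralPath $fullPath -Destination "$fullPath.bak" -Force
        $doc.Save($fullPath)
    }
    $changes
}

# Constructed sample input (a cut-down rule set, not the full file from the post).
$sample = Join-Path $env:TEMP 'web.config.sample'
@'
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
  <system.webServer>
    <rewrite>
      <rules>
        <rule name="Proxy to Emby" stopProcessing="false">
          <match url="(.*)" />
          <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
        </rule>
      </rules>
    </rewrite>
  </system.webServer>
</configuration>
'@ | Set-Content -LiteralPath $sample -Encoding UTF8

# Dry run: lists the rule, element, and before/after value of each attribute.
Update-ProxyBackend -Path $sample | Format-List
```

Review the dry-run output for every rule it lists before rerunning with `-Apply`, since the outbound rule patterns are changed along with the inbound action URL.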

  • 6 months later...
Clackdor
Posted

For anyone that may be struggling with HTTP/2 support from clients to the IIS reverse proxy, you may be missing registry keys to properly enable support. I recently discovered this on my own server, which started off as Server 2016 Essentials and was later upgraded to Server 2022 with the Essentials roles added back in via installer. This may also be the case if you have an old install of Windows 10 or upgraded from 10 to 11, as well as any kind of in-place upgrade of server OS versions. I'm not sure whether these keys are present on a fresh install of IIS on more recent builds of both server and client Windows versions.

Check the following location in your registry: Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\HTTP\Parameters

You'll want to make sure that you have a DWORD key named "EnableHttp2Tls" and it is set to a hex value of 1. If this key doesn't exist you'll need to add it. You may also need to check for the "EnableHttp2Cleartext" DWORD key as well and make sure it is set to 1.

 

After adding both of these keys and rebooting my server, logs started showing clients negotiating http/2 connections to IIS instead of http/1.1. 

Something else worth noting, from my testing it doesn't seem possible to establish an HTTP/2 connection from ARR to Emby's webserver (or any other service for that matter) to get full HTTP/2 support from the client to IIS and from IIS to Emby. This obviously requires making an HTTPS connection to Emby, and having a trusted certificate configured in Emby (self-signed is fine as long as the host trusts it), and a host/domain name that matches the cert. From what I can tell it seems that ARR 3.0 is limited to HTTP/1.1 at best when making outbound connections. Of course I would love if someone could prove me wrong on this last point 🤣

Otherwise, IIS is fully capable of acting as an http/2 gateway for emby and other apps (assuming you don't need the connection to be http/2 on the backend)

 

 

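
The registry check described in the post above, as an added example that is not part of the original post or of the emby-server-tools script. The key path and value names are the ones given in the post; the `-Fix` switch and the function name `Get-Http2RegistryState` are names chosen for this example.

```powershell
# Added example (not from the thread): audit the HTTP.sys HTTP/2 registry values
# named in the post above. Save as a .ps1 file; -Fix is this example's own switch.
[CmdletBinding()]
param(
    [switch]$Fix   # write missing or incorrect values instead of only reporting
)

$KeyPath  = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters'
$Expected = [ordered]@{
    EnableHttp2Tls       = 1
    EnableHttp2Cleartext = 1
}

function Get-Http2RegistryState {
    param(
        [string]$Path,
        [System.Collections.IDictionary]$Values
    )
    $key = Get-Item -Path $Path -ErrorAction Stop
    foreach ($name in $Values.Keys) {
        # GetValue returns the supplied default ($null) when the value is absent.
        $current = $key.GetValue($name, $null)
        $kind    = if ($null -ne $current) { $key.GetValueKind($name) } else { $null }
        [pscustomobject]@{
            Name     = $name
            Current  = if ($null -eq $current) { '<missing>' } else { $current }
            Kind     = $kind
            Expected = $Values[$name]
            Ok       = ($kind -eq [Microsoft.Win32.RegistryValueKind]::DWord) -and
                       ($current -eq $Values[$name])
        }
    }
}

$state = @(Get-Http2RegistryState -Path $KeyPath -Values $Expected)
$state | Format-Table -AutoSize | Out-String

$bad = @($state | Where-Object { -not $_.Ok })
if ($bad.Count -eq 0) {
    Write-Output 'Both values are present as DWORDs set to 1.'
    return
}
if (-not $Fix) {
    Write-Warning ("Missing or incorrect: {0}. Rerun with -Fix from an elevated session." -f ($bad.Name -join ', '))
    return
}

# Writing under HKLM needs administrative rights; fail early with a clear message.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = New-Object Security.Principal.WindowsPrincipal($identity)
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'Writing under HKLM requires an elevated PowerShell session.'
}

foreach ($entry in $bad) {
    # -Force overwrites a value that exists with the wrong data or type.
    New-ItemProperty -Path $KeyPath -Name $entry.Name -PropertyType DWord `
        -Value $entry.Expected -Force | Out-Null
}

Get-Http2RegistryState -Path $KeyPath -Values $Expected | Format-Table -AutoSize | Out-String
Write-Output 'Values written. The post above reports HTTP/2 appearing in the logs after a reboot.'
```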
  • 2 weeks later...
p30better
Posted

This is the greatest Windows tutorial I have seen in a long time. Usually us Windows Server admins are forgotten and the majority of tutorials for apps like Emby are in Linux.

mausfield
Posted
On 5/15/2024 at 5:59 PM, TheITJedi said:

@TolkienBard I am working on an updated guide and tooling to make it easier for those with minimal technical expertise. I hope to have it completed before the end of the month, but as I’m a full time single parent and work full time, I can’t promise it will be done by then.

 

Not sure where you're at with this updated guide, but a heartfelt thanks for being a great contributor to the community. I'm a recent Plex refugee and am very excited to try and get secure remote play working on Windows 11 for 10+ family members without buying domains and whatnot, or requiring them to TailScale/WG to the house.
