Skyfay · Posted March 20, 2022 (edited)

I have the problem that I cannot establish an SSL connection to my server. I had a domain example.com which ran over Nginx as a web server (reverse proxy). Now I have switched to example.com/app and it runs Emby. The problem now is that I can only communicate unencrypted with the Emby apps via the open port 8096. HTTPS is somehow no longer possible. Can someone tell me why? Previously I could also act encrypted with https://example.com:443. Now only the web connection is encrypted.

I would like to have example.com/app for the web and example.com with the 8096 or 8920 port as the https connection for my apps.

Edited March 20, 2022 by Skyfay

Skyfay · Posted March 21, 2022

@Luke Nothing is loaded and finally I end up in a timeout. The Emby app says no media server is available.

Luke · Posted March 21, 2022

Have you checked your emby server log to see if the requests even get that far? Same for nginx, have you checked your nginx logs to see if the requests make it to nginx?

Skyfay · Posted March 22, 2022 (edited)

> 15 hours ago, Luke said:
> Have you checked your emby server log to see if the requests even get that far? Same for nginx, have you checked your nginx logs to see if the requests make it to nginx?

No, I don't see anything on Emby. But if I go over the https port and only enter the IP of the server, then it shouldn't run over Nginx at all, should it? And unfortunately that doesn't work either. So if that doesn't work over the web server with example.com/app, why doesn't it work over the Emby https port either?

example.com:8096 works.
example.com:8920 does not work.

Communication via http is a bit tricky because passwords etc. could be read out...

Edited March 22, 2022 by Skyfay

Skyfay · Posted March 22, 2022 (edited)

As I have now seen in many other topics, I am not the first to have this problem. I have now created a slightly different solution, which I will share here. It concerns the following threads:

@pir8radio commented a lot, so I'm tagging him here.

What I did now: I made an extra server entry, but directly on port 8096. I simplified the config once to share it here.

```nginx
# This first element is to redirect http to https:
server {
    listen 80;
    listen [::]:80;
    server_name example.com;

    location / {
        return 301 https://example.com;
    }
}

# Now, this is the extra config to use SSL with emby Apps. I made nginx listen on port 8096.
# Then I entered the same domain as server_name and also added the SSL certificates.
# With this configuration you can then log in with the Emby Apps: IP=https://example.com | Port=8096
server {
    listen 8096 ssl;
    listen [::]:8096 ssl;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/example.com/privkey.pem;

    location / {
        proxy_pass http://172.19.0.4:8096; # I use docker so I have this IP, otherwise it would have to be 127.0.0.1:8096.
    }
}

# Here comes the final part of how to access emby over the web.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name example.com;

    ssl_certificate /etc/nginx/ssl/live/example.com/fullchain.pem;
    ssl_certificate_key /etc/nginx/ssl/live/example.com/privkey.pem;

    location /app/ {
        proxy_pass http://172.19.0.4:8096/; # This is only because of Docker otherwise 127.0.0.1:8096
    }
}
```

This is only if the path is not a subdomain but a sub/directory. Then you can apply this. It is also important that these entries above are intended as examples and that no security entries etc. are present. I just wanted to simplify it a lot.

Edited March 23, 2022 by Skyfay

Luke · Posted March 22, 2022

> As I have now seen in many other topics, I am not the first to have this problem.

Of course, because this is something that has a lot of moving parts and therefore you will always have to be aware of them and manage it. You need to make sure your certificate is not expired, you need to make sure you're choosing a certificate that will work with your client devices, and if you're using a reverse proxy then you need to ensure that is correctly configured for it.

And of course, software updates to your reverse proxy, new SSL requirements from browsers/devices, OS updates to your server or client devices can cause disruption at any time.

So the fact that others have had an SSL problem at some point does not mean there is a specific problem in general. It almost always means that something came up, and they need to figure out what it is and adjust accordingly.

pir8radio · Posted March 22, 2022 (edited)

> 10 hours ago, Skyfay said:
> As I have now seen in many other topics, I am not the first to have this problem. I have now created a slightly different solution, which I will share here. It concerns the following threads:
>
> @pir8radio commented a lot, so I'm tagging him here.
>
> What I did now: I made an extra server entry, but directly on port 8096. I simplified the config once to share it here.
>
> ```nginx
> # This first element is to redirect http to https:
> server {
>     listen 80;
>     listen [::]:80;
>     server_name example.com;
>
>     location / {
>         return 301 https://example.com;
>     }
> }
>
> # Now, this is the extra config to use SSL with emby Apps. I made nginx listen on port 8096.
> # Then I entered the same domain as server_name and also added the SSL certificates.
> # With this configuration you can then log in with the Emby Apps: IP=https://example.com | Port=8096
> server {
>     listen 8096 ssl;
>     listen [::]:8096 ssl;
>     server_name example.com;
>
>     ssl_certificate /etc/nginx/ssl/live/example.com/fullchain.pem;
>     ssl_certificate_key /etc/nginx/ssl/live/example.com/privkey.pem;
>
>     location / {
>         proxy_pass http://172.19.0.4:8096; # I use docker so I have this IP, otherwise it would have to be 127.0.0.1:8096.
>     }
> }
>
> # Here comes the final part of how to access emby over the web.
> server {
>     listen 443 ssl http2;
>     listen [::]:443 ssl http2;
>     server_name example.com;
>
>     ssl_certificate /etc/nginx/ssl/live/example.com/fullchain.pem;
>     ssl_certificate_key /etc/nginx/ssl/live/example.com/privkey.pem;
>
>     location /app/ {
>         proxy_pass http://172.19.0.4:8096/; # This is only because of Docker otherwise 127.0.0.1:8096
>     }
> }
> ```
>
> This is only if the path is not a subdomain but a sub/directory. Then you can apply this. It is also important that these entries above are intended as examples and that no security entries etc. are present. I just wanted to simplify it a lot.

You will want the proxy_pass to use http, not https.

What is "not connecting"? If you are not using the web version of emby and you are using phone or TV apps, you MUST ENTER https:// and port 443 in the apps; you cannot use http or leave it blank. Most apps will not follow a redirect.

Edited March 22, 2022 by pir8radio

Skyfay · Posted March 23, 2022 (edited)

> 8 hours ago, pir8radio said:
> You will want the proxy_pass to use http, not https.
>
> What is "not connecting"? If you are not using the web version of emby and you are using phone or TV apps, you MUST ENTER https:// and port 443 in the apps; you cannot use http or leave it blank. Most apps will not follow a redirect.

Exactly, well I have emby running on the web at example.com/app, and apparently you can't connect to the apps like that. You can see that in the topics marked above because the people there had tried exactly the same thing. That's why I wrote the config above so that I didn't need an extra subdomain and would still be able to access the apps via example.com.

My configuration above should be correct, at least it works for me now via the web with example.com/app and via the apps with https://example.com and port 8096.

Before that it only worked if I did port forwarding with port 8096 and then accessed it via http. So example.com with the port 8096. It is then the same as directly the IP and worked in my case. But not via https, and I thought I could specify the Emby port directly to use https.

Edited March 23, 2022 by Skyfay

pir8radio · Posted March 26, 2022

> On 3/23/2022 at 1:52 AM, Skyfay said:
> Exactly, well I have emby running on the web at example.com/app, and apparently you can't connect to the apps like that. You can see that in the topics marked above because the people there had tried exactly the same thing. That's why I wrote the config above so that I didn't need an extra subdomain and would still be able to access the apps via example.com.
>
> My configuration above should be correct, at least it works for me now via the web with example.com/app and via the apps with https://example.com and port 8096.
>
> Before that it only worked if I did port forwarding with port 8096 and then accessed it via http. So example.com with the port 8096. It is then the same as directly the IP and worked in my case. But not via https, and I thought I could specify the Emby port directly to use https.

Oh, gotcha, well it won't work for everything. Some features you will find are broken. They are hard coded in the URLs. Open your /app URL in Chrome with developer tools and you'll see all kinds of errors.

Skyfay · Posted March 26, 2022

> 4 minutes ago, pir8radio said:
> Oh, gotcha, well it won't work for everything. Some features you will find are broken. They are hard coded in the URLs. Open your /app URL in Chrome with developer tools and you'll see all kinds of errors.

What kind of errors are these? I can't find any on mine. I couldn't find any bugs using the web either.

pir8radio · Posted March 27, 2022

> 12 hours ago, Skyfay said:
> What kind of errors are these? I can't find any on mine. I couldn't find any bugs using the web either.

For example, some of the emby files (app.js, apploader.js) use the path yourdomain.com/web/modules/app.js and others use yourdomain.com/emby/items, so your second location block passes all traffic /app/, which would break these. So the HTML and scripts will be looking for yourdomain.com/web/..... not yourdomain.com/app/web/, since the HTML and JS served from emby don't know /app/ exists; without you doing rewrites in nginx, those items should be broken from outside of your LAN. Your first location block would work, since no sub directory in the proxy pass.

So you are saying this works fine from your cell phone with wifi shut off?

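The routing point in the post above, as an added example that is not part of the thread: a small Python model of how nginx selects a prefix location and builds the upstream URI for `proxy_pass`, applied to the two TLS server blocks from Skyfay's config. The sample request paths are constructed from the paths named in the post, and `SERVERS`, `route` and `report` are names made up for this sketch; regex locations, query strings and the response nginx sends for an unmatched path are not modelled.

```python
from urllib.parse import urlsplit

# The two TLS server blocks from the thread, reduced to (location prefix, proxy_pass).
SERVERS = {
    8096: [("/", "http://172.19.0.4:8096")],       # apps: proxy_pass without a URI part
    443: [("/app/", "http://172.19.0.4:8096/")],   # web: proxy_pass with URI part "/"
}

def route(port, path):
    """Return the upstream URL nginx would request, or None if no location matches."""
    matches = [(p, t) for p, t in SERVERS[port] if path.startswith(p)]
    if not matches:
        # Not proxied: the request never reaches the backend on this server block.
        return None
    prefix, target = max(matches, key=lambda m: len(m[0]))  # longest prefix wins
    parts = urlsplit(target)
    origin = f"{parts.scheme}://{parts.netloc}"
    if parts.path == "":
        # No URI part on proxy_pass: the request URI is passed through unchanged.
        return origin + path
    # URI part present: the matched location prefix is replaced by that URI.
    return origin + parts.path + path[len(prefix):]

# Constructed sample requests: the first is a page under the /app/ prefix, the other
# two are the absolute paths named in the post, as served HTML/JS would request them.
SAMPLE_PATHS = ["/app/web/index.html", "/web/modules/app.js", "/emby/items"]

def report(port):
    """Map each sample path to its upstream URL (or None) for one server block."""
    return {path: route(port, path) for path in SAMPLE_PATHS}

if __name__ == "__main__":
    for port in SERVERS:
        for path, upstream in report(port).items():
            print(f"{port} {path:<22} -> {upstream or 'no location matched'}")
```

On the 443 block only paths under `/app/` are proxied, with the prefix stripped; on the 8096 block every path is forwarded as requested.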
Skyfay · Posted March 27, 2022

> 6 hours ago, pir8radio said:
> For example, some of the emby files (app.js, apploader.js) use the path yourdomain.com/web/modules/app.js and others use yourdomain.com/emby/items, so your second location block passes all traffic /app/, which would break these. So the HTML and scripts will be looking for yourdomain.com/web/..... not yourdomain.com/app/web/, since the HTML and JS served from emby don't know /app/ exists; without you doing rewrites in nginx, those items should be broken from outside of your LAN. Your first location block would work, since no sub directory in the proxy pass.
>
> So you are saying this works fine from your cell phone with wifi shut off?

The first server block is for all Emby apps, and the second is for the web. Since no sub directory is used for the first one, it works anyway. With the second one with the sub directory, I haven't been able to find any errors on the web so far, and Google Chrome doesn't show me any errors either.

pir8radio · Posted March 29, 2022

> On 3/27/2022 at 6:46 AM, Skyfay said:
> The first server block is for all Emby apps, and the second is for the web. Since no sub directory is used for the first one, it works anyway. With the second one with the sub directory, I haven't been able to find any errors on the web so far, and Google Chrome doesn't show me any errors either.

DM me the URL, no login needed, just curious what I see.

Skyfay · Posted March 31, 2022

> On 3/30/2022 at 1:27 AM, pir8radio said:
> DM me the URL, no login needed, just curious what I see.

I sent you a DM.