Cannot navigate on the movie's timeline when running behind a reverse proxy using VLC as player

[Arthessia 12]

Hi,

I've a little question, I followed the Nginx installation procedure for emby reverse proxy, it is working well in general. My brother noticed a weird behavior when using VLC as player on his Android phone, when he is at home, he can navigate on the movie's timeline (cause he is on our WiFi), but using 4g from our external domain hitting our nginx reverse proxy and redirecting to our emby server, he cannot do it anymore.

 

Am I alone facing that issue?

    server {
        listen 80;
        server_name myemby.domain.fr;
        proxy_hide_header X-Powered-By;
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl;            ## Listens on port 443 IPv6 ssl enabled
        listen 443 ssl;             ## Listens on port 443 IPv4 ssl enabled
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        http2  on;                  ## Enables HTTP2
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.
        server_name myemby.domain.fr;

        # proxy_cache mycache;

        ssl_certificate /usr/local/certs/live/myemby.domain.fr/fullchain.pem;
        ssl_certificate_key /usr/local/certs/live/myemby.domain.fr/privkey.pem;

        location ^~ /swagger {
            return 404;
        }

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        location / {
            proxy_pass http://192.168.x.x:8096;
            proxy_hide_header X-Powered-By;      ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }

 

[TMCsw 248]

Try commenting out or removing this line:

3 hours ago, Arthessia said:

proxy_set_header Upgrade $http_upgrade;

also you probably should change.

3 hours ago, Arthessia said:

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

to:

 ssl_protocols TLSv1.3 TLSv1.2;

 

[Arthessia 12]

hi,

thank you for your answer, I did the modification & restarted my nginx, still no luck  

Arthessia

[Luke 42077]

Hi, have you compared your nginx setup to this?

 

[Arthessia 12]

Hi Luke,

yes as explained in the initial message I followed that procedure. 

I did a lot of tests and was not able to fix that

Thanks 

[Luke 42077]

Did you find any differences between your configuration and that? 

[Arthessia 12]

At the beginning I found few of them, but even by applying all changes, it didn't solve the issue. I also have a colleague facing the exact same problem with VLC. Working in private network (wifi) but by passing through nginx, she cannot navigate anymore on the movies timeline.

I also aligned the http {} part of the config it didn't help.

[Lessaj 467]

I don't use nginx I use httpd but I just tested on my device using VLC as the player and I had no issues jumping around while direct playing - I use a reverse proxy both inside and outside my network with the outside pointing to the inside reverse proxy and I tested under both conditions. Just looking at the requests it performs a GET on a URL with original.mkv in it, and when you jump to another position in the file it issues a new GET request. This request does not complete until another action is taken, so you'll see the GET request hit the requests log (if configured) but you won't see it in the access log until it's done.

However, if the video was transcoding then when I try to jump in VLC it closes the video stream. I can see in the logs that it was requesting stream.mkv. When trying to swipe to seek it says it's an unseekable video.

So are you experiencing this with direct play, or only while transcoding? It sounds like you're dealing with transcoding since you mentioned remote. Also is there any reason to be using VLC for playback instead of the included player in the app?

[Arthessia 12]

Thank you for your message Lessaj, I'll perform some tests including what you are pointing. 

Could it be possible for you to give me your httpd config ? If the problem comes from nginx (we never know) i'll see to migrate on httpd 

[Lessaj 467]

Sure. I am connecting to the HTTPS port for connecting the proxy to Emby but you could use plain HTTP as well, just make sure you change the port to accomodate. My requests log could use some cleaning up of the format but I like what I set for access logs since I mostly look at those anyway.

EDIT: However I am fairly certain the problem you're having is what I described, it's transcoding when remote, thus is not seekable using an external player.

ServerTokens Prod
ServerSignature Off

<VirtualHost <YOURIPHERE>:<YOURPORTHERE>>
ServerName <YOURDOMAINHERE>
ServerAlias <YOURDOMAINHERE>
ErrorLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_error_log.%Y%m%d%H%M 86400"
LogFormat "%a - - [%{%Y-%m-%d %T}t.%{msec_frac}t] \"%r\" %>s Size=%S Duration=%{ms}T
TransferLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_access_log.%Y%m%d%H%M 86400"
LogLevel warn
SSLEngine on
SSLProxyEngine On
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

<proxy *>
        AddDefaultCharset off
        Order Allow,Deny
        Allow from all
</proxy>

Header        set        Connection "Upgrade"
Header        set        Upgrade "websocket"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always unset Server
Header always unset X-Powered-By
Header always unset X-AspNet-Version

KeepAlive On
Timeout 6000
SetEnv proxy-initial-not-pooled 1

AddOutputFilterByType DEFLATE image/webp application/x-javascript text/html application/json font/woff2 image/jpeg image/png text/css text/vtt text/javascript

ProxyRequests Off
ProxyPreserveHost On

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) wss://<YOUREMBYSERVERHERE>:8920/$1 [P,L]

ProxyPass "/embywebsocket" "wss://<YOUREMBYSERVERHERE>:8920/embywebsocket" connectiontimeout=10 keepalive=on
ProxyPassReverse "/embywebsocket" "wss://<YOUREMBYSERVERHERE>:8920/embywebsocket"
ProxyPass "/" "https://<YOUREMBYSERVERHERE>:8920/" connectiontimeout=10 keepalive=on
ProxyPassReverse "/" "https://<YOUREMBYSERVERHERE>:8920/"

SSLProtocol TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!MEDIUM:!SSLv3:!kRSA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL
SSLHonorCipherOrder on 
SSLCertificateFile /etc/httpd/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCertificateChainFile /etc/httpd/ssl/fullchain.cer

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_request_log.%Y%m%d%H%M 86400" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>  

 

Edited February 12, 2025 by Lessaj

[Luke 42077]

@Arthessiahas this helped?

[Arthessia 12]

Hi,

I'm not at home currently I can't really test. I'll keep you informed when I've a moment to work on this.

[Arthessia 12]

Hi,

After a long (very long) period, I finally found the solution (if one day someone has the same issue than me...):

    server {
        listen 80;
        server_name myemby.domain.fr;
        proxy_hide_header X-Powered-By;
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl;            ## Listens on port 443 IPv6 ssl enabled
        listen 443 ssl;             ## Listens on port 443 IPv4 ssl enabled
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.3 TLSv1.2;
        http2  on;                  ## Enables HTTP2
        server_name myemby.domain.fr;

        # proxy_cache mycache;

        ssl_certificate /usr/local/certs/live/myemby.domain.fr/fullchain.pem;
        ssl_certificate_key /usr/local/certs/live/myemby.domain.fr/privkey.pem;

        location ^~ /swagger {
            return 404;
        }

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        location / {
            proxy_pass http://192.168.x.x:8096;
            proxy_request_buffering off;
            proxy_buffering off;
            proxy_cache off;
            proxy_hide_header X-Powered-By;      ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.
            proxy_http_version 1.1;
            proxy_set_header Connection $http_connection;
        }
    }

Everything works now!

Thanks

[Lessaj 467]

Can you elaborate on what you added/changed to makes this work for transcoded playback in an external player? I'm not seeing anything unique here that may be related to stream.mkv or any m3u playlist type requests.

[Arthessia 12]

hi,

Yep, let me elaborate:

First of all, after reading some documentation about TLS & nginx, I updated line 15 the versions.

Then, I decided to use some LLMs to question what could be the issue and if I missed anything else (I don't like it but I was not sure what I was searching).

And, after some minutes of prompting, LLM advised me to add some buffering properties inside the location. Then I moved the line 17 to the location block and added 2 other properties like advised by the AI.

To be honest I'm not sure if it is the TLS update or buffering update that fixed my issue, but I noticed a performance increased after this update, and mostly the VLC issue that is now finally fixed

I also removed http_upgrade and added a proxy_cache off options for other reason, (but it could also affect it).

Edited July 12, 2025 by Arthessia