Jump to content

Cannot navigate on the movie's timeline when running behind a reverse proxy using VLC as player


Go to solution Solved by Arthessia,

Recommended Posts

Posted

Hi,

I've a little question, I followed the Nginx installation procedure for emby reverse proxy, it is working well in general. My brother noticed a weird behavior when using VLC as player on his Android phone, when he is at home, he can navigate on the movie's timeline (cause he is on our WiFi), but using 4g from our external domain hitting our nginx reverse proxy and redirecting to our emby server, he cannot do it anymore.

 

Am I alone facing that issue?

    server {
        listen 80;
        server_name myemby.domain.fr;
        proxy_hide_header X-Powered-By;
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl;            ## Listens on port 443 IPv6 ssl enabled
        listen 443 ssl;             ## Listens on port 443 IPv4 ssl enabled
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        http2  on;                  ## Enables HTTP2
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.
        server_name myemby.domain.fr;

        # proxy_cache mycache;

        ssl_certificate /usr/local/certs/live/myemby.domain.fr/fullchain.pem;
        ssl_certificate_key /usr/local/certs/live/myemby.domain.fr/privkey.pem;

        location ^~ /swagger {
            return 404;
        }

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        location / {
            proxy_pass http://192.168.x.x:8096;
            proxy_hide_header X-Powered-By;      ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }

 

Sans titre.png

Posted

Try commenting out or removing this line:

3 hours ago, Arthessia said:
proxy_set_header Upgrade $http_upgrade;

also you probably should change.

3 hours ago, Arthessia said:
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

to:

 ssl_protocols TLSv1.3 TLSv1.2;

 

Posted

hi,

thank you for your answer, I did the modification & restarted my nginx, still no luck :( 

Arthessia

Posted

Hi, have you compared your nginx setup to this?

 

Posted

Hi Luke,

yes as explained in the initial message I followed that procedure. 

I did a lot of tests and was not able to fix that

Thanks 

Posted

Did you find any differences between your configuration and that? 

Posted

At the beginning I found few of them, but even by applying all changes, it didn't solve the issue. I also have a colleague facing the exact same problem with VLC. Working in private network (wifi) but by passing through nginx, she cannot navigate anymore on the movies timeline.

I also aligned the http {} part of the config it didn't help.

Posted

I don't use nginx I use httpd but I just tested on my device using VLC as the player and I had no issues jumping around while direct playing - I use a reverse proxy both inside and outside my network with the outside pointing to the inside reverse proxy and I tested under both conditions. Just looking at the requests it performs a GET on a URL with original.mkv in it, and when you jump to another position in the file it issues a new GET request. This request does not complete until another action is taken, so you'll see the GET request hit the requests log (if configured) but you won't see it in the access log until it's done.

However, if the video was transcoding then when I try to jump in VLC it closes the video stream. I can see in the logs that it was requesting stream.mkv. When trying to swipe to seek it says it's an unseekable video.

So are you experiencing this with direct play, or only while transcoding? It sounds like you're dealing with transcoding since you mentioned remote. Also is there any reason to be using VLC for playback instead of the included player in the app?

Posted

Thank you for your message Lessaj, I'll perform some tests including what you are pointing. 

Could it be possible for you to give me your httpd config ? If the problem comes from nginx (we never know) i'll see to migrate on httpd 

Posted (edited)

Sure. I am connecting to the HTTPS port for connecting the proxy to Emby but you could use plain HTTP as well, just make sure you change the port to accomodate. My requests log could use some cleaning up of the format but I like what I set for access logs since I mostly look at those anyway.

EDIT: However I am fairly certain the problem you're having is what I described, it's transcoding when remote, thus is not seekable using an external player.

ServerTokens Prod
ServerSignature Off

<VirtualHost <YOURIPHERE>:<YOURPORTHERE>>
ServerName <YOURDOMAINHERE>
ServerAlias <YOURDOMAINHERE>
ErrorLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_error_log.%Y%m%d%H%M 86400"
LogFormat "%a - - [%{%Y-%m-%d %T}t.%{msec_frac}t] \"%r\" %>s Size=%S Duration=%{ms}T
TransferLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_access_log.%Y%m%d%H%M 86400"
LogLevel warn
SSLEngine on
SSLProxyEngine On
SSLProxyVerify none 
SSLProxyCheckPeerCN off
SSLProxyCheckPeerName off
SSLProxyCheckPeerExpire off

<proxy *>
        AddDefaultCharset off
        Order Allow,Deny
        Allow from all
</proxy>

Header        set        Connection "Upgrade"
Header        set        Upgrade "websocket"
Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains;"
Header always append X-Frame-Options SAMEORIGIN
Header always set X-Content-Type-Options nosniff
Header always unset Server
Header always unset X-Powered-By
Header always unset X-AspNet-Version

KeepAlive On
Timeout 6000
SetEnv proxy-initial-not-pooled 1

AddOutputFilterByType DEFLATE image/webp application/x-javascript text/html application/json font/woff2 image/jpeg image/png text/css text/vtt text/javascript

ProxyRequests Off
ProxyPreserveHost On

RewriteEngine On
RewriteCond %{HTTP:Connection} Upgrade [NC]
RewriteCond %{HTTP:Upgrade} websocket [NC]
RewriteRule /(.*) wss://<YOUREMBYSERVERHERE>:8920/$1 [P,L]

ProxyPass "/embywebsocket" "wss://<YOUREMBYSERVERHERE>:8920/embywebsocket" connectiontimeout=10 keepalive=on
ProxyPassReverse "/embywebsocket" "wss://<YOUREMBYSERVERHERE>:8920/embywebsocket"
ProxyPass "/" "https://<YOUREMBYSERVERHERE>:8920/" connectiontimeout=10 keepalive=on
ProxyPassReverse "/" "https://<YOUREMBYSERVERHERE>:8920/"

SSLProtocol TLSv1.2 +TLSv1.3
SSLCipherSuite HIGH:!MEDIUM:!SSLv3:!kRSA:!SHA1:!SHA256:!SHA384:!DSS:!aNULL
SSLHonorCipherOrder on 
SSLCertificateFile /etc/httpd/ssl/server.cer
SSLCertificateKeyFile /etc/httpd/ssl/server.key
SSLCertificateChainFile /etc/httpd/ssl/fullchain.cer

BrowserMatch "MSIE [2-5]" \
         nokeepalive ssl-unclean-shutdown \
         downgrade-1.0 force-response-1.0
CustomLog "|/usr/sbin/rotatelogs -l /etc/httpd/logs/ssl_emby_request_log.%Y%m%d%H%M 86400" \
          "%t %h %{SSL_PROTOCOL}x %{SSL_CIPHER}x \"%r\" %b"
</VirtualHost>  

 

Edited by Lessaj
  • Thanks 1
Posted

Hi,

I'm not at home currently I can't really test. I'll keep you informed when I've a moment to work on this.

  • Thanks 1
  • 4 months later...
Arthessia
Posted

Hi,

After a long (very long) period, I finally found the solution (if one day someone has the same issue than me...):

    server {
        listen 80;
        server_name myemby.domain.fr;
        proxy_hide_header X-Powered-By;
        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        return 301 https://$host$request_uri;
    }
    server {
        listen [::]:443 ssl;            ## Listens on port 443 IPv6 ssl enabled
        listen 443 ssl;             ## Listens on port 443 IPv4 ssl enabled
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.3 TLSv1.2;
        http2  on;                  ## Enables HTTP2
        server_name myemby.domain.fr;

        # proxy_cache mycache;

        ssl_certificate /usr/local/certs/live/myemby.domain.fr/fullchain.pem;
        ssl_certificate_key /usr/local/certs/live/myemby.domain.fr/privkey.pem;

        location ^~ /swagger {
            return 404;
        }

        location ^~ /.well-known/acme-challenge/ {
            proxy_pass http://192.168.x.x:86;
        }

        location / {
            proxy_pass http://192.168.x.x:8096;
            proxy_request_buffering off;
            proxy_buffering off;
            proxy_cache off;
            proxy_hide_header X-Powered-By;      ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.
            proxy_http_version 1.1;
            proxy_set_header Connection $http_connection;
        }
    }

Everything works now!

Thanks

Posted

Can you elaborate on what you added/changed to makes this work for transcoded playback in an external player? I'm not seeing anything unique here that may be related to stream.mkv or any m3u playlist type requests.

  • Solution
Arthessia
Posted (edited)

hi,

Yep, let me elaborate:

image.thumb.png.649e62e42ec2f6d7a824a6737dc333b4.png

First of all, after reading some documentation about TLS & nginx, I updated line 15 the versions.

Then, I decided to use some LLMs to question what could be the issue and if I missed anything else (I don't like it but I was not sure what I was searching).

And, after some minutes of prompting, LLM advised me to add some buffering properties inside the location. Then I moved the line 17 to the location block and added 2 other properties like advised by the AI.

To be honest I'm not sure if it is the TLS update or buffering update that fixed my issue, but I noticed a performance increased after this update, and mostly the VLC issue that is now finally fixed :)

I also removed http_upgrade and added a proxy_cache off options for other reason, (but it could also affect it).

Edited by Arthessia
  • Thanks 2

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...