Emby Server network configuration


Go to solution Solved by Luke,

wotgorilla
Posted

Hello all.

I am configuring my Emby Server on a Synology NAS. The web service is hidden behind a nginx reverse proxy located on a different host within the same subnet. My firewall rules allow only the reverse proxy to reach port 8096 of the NAS.

What should I declare as "Local IP address"? The description of this parameter says: Optional. Override the local IP address that Emby Server will present to Emby apps. If left blank, the server will automatically detect the local IP address.

What is not clear to me: the Emby Server will not present the IP address of the NAS to Emby apps, it will only present it to the reverse proxy.

Should I put the IP address of the interface Emby is listening on, or the IP address of the interface the reverse proxy is listening on?

Similarly, I am unsure of the port numbers I should put in the fields "Public http port number" and "Public https port number"? The port the Emby Server is listening on or the port the reverse proxy is listening on?

Thanks for the clarification

Eric

Posted
Quote

What is not clear to me: the Emby Server will not present the IP address of the NAS to Emby apps, it will only present it to the reverse proxy.

Hi, what do you mean by this?

Posted
Quote

Should I put the IP address of the interface Emby is listening on, or the IP address of the interface the reverse proxy is listening on?

 

Customizing this value should be a last resort. Usually there are better ways.

Posted
Quote

Similarly, I am unsure of the port numbers I should put in the fields "Public http port number" and "Public https port number"? The port the Emby Server is listening on or the port the reverse proxy is listening on?

Hi, does the help text underneath the options help clarify this?

wotgorilla
Posted

In all honesty, not really. What I mean to say is: is this where I declare the IP address and the port to bind Emby to, or the IP address and port the clients have to use?

Posted
16 minutes ago, wotgorilla said:

In all honesty, not really. What I mean to say is: is this where I declare the IP address and the port to bind Emby to, or the IP address and port the clients have to use?

They are two separate things so that's why there are both private and public port config options for that.

wotgorilla
Posted

Oh, I thought that one was for calls from the subnet/LAN and the other for calls from the WAN. So "Local IP address" means "bind to"?

  • Solution
Posted

There is no bind to but that is the closest thing

  • Thanks 1
Posted
On 3/18/2025 at 12:00 PM, wotgorilla said:

Hello all.

I am configuring my Emby Server on a Synology NAS. The web service is hidden behind a nginx reverse proxy located on a different host within the same subnet. My firewall rules allow only the reverse proxy to reach port 8096 of the NAS.

What should I declare as "Local IP address"? The description of this parameter says: Optional. Override the local IP address that Emby Server will present to Emby apps. If left blank, the server will automatically detect the local IP address.

What is not clear to me: the Emby Server will not present the IP address of the NAS to Emby apps, it will only present it to the reverse proxy.

Should I put the IP address of the interface Emby is listening on, or the IP address of the interface the reverse proxy is listening on?

Similarly, I am unsure of the port numbers I should put in the fields "Public http port number" and "Public https port number"? The port the Emby Server is listening on or the port the reverse proxy is listening on?

Thanks for the clarification

Eric

Hi Eric,

Can you give us a bit more information on your setup?
What ports did you forward on your router for Emby use?
What IP and port are the port(s) forwarded to?

What IPs does the NAS have assigned to it?
Are these IPs static or DHCP reserved?

What do you have nginx reverse proxy running on?
Did you set it up specifically for Emby Server or has it already been in use for your setup?

Do you have/use a domain name?
Do you have certs?

What machines/devices are running firewalls?

Carlo
 

wotgorilla
Posted

The nginx service is running in docker on an Ubuntu headless machine. This nginx instance serves as an HTTPS reverse proxy for several other web services running on my NAS or the Ubuntu machine itself. It presents Emby on port 443 to the LAN. The TLS certificates are supplied by Let's Encrypt and updated using certbot running as a cron task. Each host has its own firewall but the firewall for the LAN is on my EdgeRouter-X router. For simplicity, the DHCP server is also running on the EdgeRouter-X and it assigns only reserved IP addresses.

 

 

Q-Droid
Posted

Are you running HTTPS on LAN or only for WAN? HTTPS on LAN not only adds complexity but complications too. Emby is not intended for HTTPS on LAN so some things don't work as expected.

 

wotgorilla
Posted

HTTPS is used to access all my web services from both inside and outside the LAN as I cannot use a different URL to access them depending on my location. However, the DNS server on my LAN translates the subdomain names to internal IP addresses when I am calling it from the LAN, to avoid hairpinning.

 

What issues exactly are you referring to? I haven't had any so far, to my knowledge.

Q-Droid
Posted

It depends on how you use it, so YMMV. If none of the stuff below applies to you then it should be fine.

When an app/device connects to your Emby server it pulls the LAN and WAN URLs shown on your server's dashboard. If it determines that it's on the same LAN as the server it will try to connect to the LAN URL. If it's able to connect then it'll use HTTP and everything will work as expected.

Browsers don't use this feature and go where you tell them, though they will follow an HTTP redirect.

If the app/device is not able to connect to LAN you may face a delay for it to time out before it tries the WAN URL. If your firewall rejects the connection then fallback should be faster.

If the server can't determine if the client app/device is on LAN or they are on different subnets or VLANs the connections could be marked as remote by the server. Meaning bandwidth detection and bitrate limits would be in effect. You'd have to include those segments in the "LAN networks" field of the settings to be treated as LAN connections.

 

wotgorilla
Posted (edited)

It's fascinating and fairly different from my expectation.

Are you saying that even though the Emby app on, say, my Roku box in the same subnet logs in to the Emby server through my reverse proxy on port 443, the video traffic afterwards goes through 8096?

In my particular setup, the Emby server is in the same VLAN as my PCs and reverse proxy, while I keep my IoT devices on a separate VLAN. If I had a smart TV on the IoT VLAN that I wanted to connect to Emby, should I also forward the traffic from Emby to HTTP port 8096 on my reverse proxy?

Edited by wotgorilla
Q-Droid
Posted

No, I don't think traffic will be split that way. What I'm saying is if a client can connect to 8096 then it will. But if your firewall blocks (preferably rejects) it then it has no choice but to go thru the proxy. 

The clients on separate VLAN can present as remote connections to the server and rules/restrictions you might have for remote access will apply. Unless you include that subnet in LAN networks OR none are defined and you're using common private IP subnets. You can check logs to see if the clients are seen as local or remote. 

If it's working for you and all LAN clients are seen as local then you're good to go and don't need to change anything. 
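The local/remote decision described in the post above, as an added sketch that is not part of the original thread and is not Emby's own code. It assumes the "LAN networks" field is a list of CIDR entries and that an empty list falls back to the common private ranges; the function names, client addresses and /24 VLAN size are constructed for illustration.

```python
import ipaddress

# Assumed fallback when no LAN networks are defined: the common private
# (RFC 1918) ranges plus loopback.
DEFAULT_PRIVATE = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8"]

def parse_networks(entries):
    """Turn CIDR strings into network objects, skipping blank entries."""
    return [ipaddress.ip_network(e.strip(), strict=False)
            for e in entries if e.strip()]

def classify(client_ip, lan_networks=()):
    """Return 'local' or 'remote' for one client address."""
    addr = ipaddress.ip_address(client_ip)
    nets = parse_networks(lan_networks) or parse_networks(DEFAULT_PRIVATE)
    return "local" if any(addr in net for net in nets) else "remote"

def audit(clients, lan_networks=()):
    """Classify every client in a {name: ip} mapping."""
    return {name: classify(ip, lan_networks) for name, ip in clients.items()}

def missing_lan_entries(expected_local, lan_networks, prefix=24):
    """Subnets to add so every address in expected_local is treated as LAN.

    prefix is the assumed size of each VLAN (a /24 here).
    """
    needed = set()
    for ip in expected_local:
        if classify(ip, lan_networks) == "remote":
            needed.add(str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False)))
    return sorted(needed)

# Constructed sample addresses: a PC and the reverse proxy on the main VLAN,
# a smart TV on a separate IoT VLAN, and a client on the WAN.
CLIENTS = {
    "pc": "192.168.1.20",
    "reverse-proxy": "192.168.1.10",
    "iot-tv": "192.168.20.31",
    "phone-wan": "203.0.113.7",
}

if __name__ == "__main__":
    print("no LAN networks defined:", audit(CLIENTS))
    print("only main VLAN defined: ", audit(CLIENTS, ["192.168.1.0/24"]))
    print("entries to add:", missing_lan_entries(
        [CLIENTS["iot-tv"]], ["192.168.1.0/24"]))
```

With only the main VLAN listed, the IoT VLAN client is classified as remote, which is the case where remote-access limits would apply until its subnet is added.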

 

wotgorilla
Posted

Yes thank you, I have successfully configured my Emby server. Another happy customer!

  • Thanks 1
