Jump to content

Android TV clients cannot authenticate through reverse proxy (browser and Android phone work)


Recommended Posts

Posted

Hi,

I'm hoping someone can help because I've narrowed this down as much as I can.

Environment

  • Emby Server 4.9.5.0
  • QNAP TS-464 and TS-453D
  • Native QPKG installation (not Docker)
  • Nginx Proxy Manager (latest jc21/nginx-proxy-manager)
  • HTTPS using Let's Encrypt
  • Reverse proxy to Emby on HTTP port 8096

Reverse proxy

NPM configuration is very standard:

  • Forward Scheme: HTTP
  • Forward Host: 192.168.x.x
  • Forward Port: 8096
  • Force SSL: Enabled
  • HTTP/2: Enabled
  • WebSockets: Enabled
  • Cache Assets: Disabled
  • Block Common Exploits: Disabled
  • No custom locations
  • No custom nginx directives

Emby Network settings

  • Secure connection mode: Handled by reverse proxy
  • External domain configured
  • Public HTTPS port: 443
  • Local HTTP port: 8096
  • Local HTTPS port: 8920
  • Remote connections enabled
  • UPnP disabled

The strange part

I have two completely separate Emby servers.

  • Different NAS hardware
  • Different databases
  • Same Emby version
  • Same reverse proxy

Both behave identically.

Testing results

Works

  • Windows browser via reverse proxy
  • Android phone browser via reverse proxy
  • Android phone Emby app via reverse proxy
  • Android TV browser (Edge) via reverse proxy
  • Android TV app via local IP
  • OttoAibox Emby app via local IP

Fails

  • Sony Android TV Emby app via reverse proxy
  • OttoAibox Emby app via reverse proxy

Both Android TV devices authenticate correctly if I connect directly to:

http://192.168.x.x:8096
They fail only when using:
https://emby.backup.monitoringcomputers.com.au
 

Emby Connect

Emby Connect also fails.

The PIN page says:

Pin Confirmed. Thank you.

but the TV never completes the login.

Logs

The server receives the authentication request.

Immediately afterwards the log shows:

GET /emby/Users/authenticatebyname
followed by:
Access token is invalid or expired.
401 Unauthorized
 

Browser authentication succeeds through the same reverse proxy.

Why I think this may be a client issue

Everything else works:

  • Browser
  • Android phone app
  • Direct LAN
  • Same reverse proxy
  • Same certificate

Only Android TV-style clients fail when connecting through the reverse proxy.

Has anyone seen this before?

Is there something different about Android TV authentication compared with the Android phone app?

Any suggestions would be appreciated.

Posted

This has never worked through the reverse proxy on Android TV devices. It is not a regression after an update."

Posted

My 80% confidence guess is that your proxy is converting POST calls to GET OR not properly forwarding the POST data on POST calls.

Posted
Quote
GET /emby/Users/authenticatebyname

Ding ding ding. Yes this should be a post. They Emby app sends a post, so something in your stack is modifying the request. I would start by resolving that.

Posted

Thanks for the clue. I'm not using Cloudflare or any CDN. The path is:
Internet → Grandstream GWN7003 port forwarding → Nginx Proxy Manager → Emby.

NPM is using a standard proxy host with:

  • Forward scheme: HTTP
  • Forward host: 192.168.20.10
  • Forward port: 8096
  • WebSockets: Enabled
  • Force SSL: Enabled
  • HTTP/2: Enabled
  • No custom locations
  • No advanced configuration

Is there a particular request or Nginx directive you'd like me to inspect to determine where the POST is being converted to a GET?

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...