Breezey 0 Posted Friday at 11:08 PM Posted Friday at 11:08 PM Hi, I'm hoping someone can help because I've narrowed this down as much as I can. Environment Emby Server 4.9.5.0 QNAP TS-464 and TS-453D Native QPKG installation (not Docker) Nginx Proxy Manager (latest jc21/nginx-proxy-manager) HTTPS using Let's Encrypt Reverse proxy to Emby on HTTP port 8096 Reverse proxy NPM configuration is very standard: Forward Scheme: HTTP Forward Host: 192.168.x.x Forward Port: 8096 Force SSL: Enabled HTTP/2: Enabled WebSockets: Enabled Cache Assets: Disabled Block Common Exploits: Disabled No custom locations No custom nginx directives Emby Network settings Secure connection mode: Handled by reverse proxy External domain configured Public HTTPS port: 443 Local HTTP port: 8096 Local HTTPS port: 8920 Remote connections enabled UPnP disabled The strange part I have two completely separate Emby servers. Different NAS hardware Different databases Same Emby version Same reverse proxy Both behave identically. Testing results Works Windows browser via reverse proxy Android phone browser via reverse proxy Android phone Emby app via reverse proxy Android TV browser (Edge) via reverse proxy Android TV app via local IP OttoAibox Emby app via local IP Fails Sony Android TV Emby app via reverse proxy OttoAibox Emby app via reverse proxy Both Android TV devices authenticate correctly if I connect directly to: http://192.168.x.x:8096 They fail only when using: https://emby.backup.monitoringcomputers.com.au Emby Connect Emby Connect also fails. The PIN page says: Pin Confirmed. Thank you. but the TV never completes the login. Logs The server receives the authentication request. Immediately afterwards the log shows: GET /emby/Users/authenticatebyname followed by: Access token is invalid or expired. 401 Unauthorized Browser authentication succeeds through the same reverse proxy. Why I think this may be a client issue Everything else works: Browser Android phone app Direct LAN Same reverse proxy Same certificate Only Android TV-style clients fail when connecting through the reverse proxy. Has anyone seen this before? Is there something different about Android TV authentication compared with the Android phone app? Any suggestions would be appreciated.
Breezey 0 Posted 21 hours ago Author Posted 21 hours ago This has never worked through the reverse proxy on Android TV devices. It is not a regression after an update."
ebr 16502 Posted 13 hours ago Posted 13 hours ago My 80% confidence guess is that your proxy is converting POST calls to GET OR not properly forwarding the POST data on POST calls.
Luke 42748 Posted 8 hours ago Posted 8 hours ago Quote GET /emby/Users/authenticatebyname Ding ding ding. Yes this should be a post. They Emby app sends a post, so something in your stack is modifying the request. I would start by resolving that.
Breezey 0 Posted 4 hours ago Author Posted 4 hours ago Thanks for the clue. I'm not using Cloudflare or any CDN. The path is: Internet → Grandstream GWN7003 port forwarding → Nginx Proxy Manager → Emby. NPM is using a standard proxy host with: Forward scheme: HTTP Forward host: 192.168.20.10 Forward port: 8096 WebSockets: Enabled Force SSL: Enabled HTTP/2: Enabled No custom locations No advanced configuration Is there a particular request or Nginx directive you'd like me to inspect to determine where the POST is being converted to a GET?
Luke 42748 Posted 3 hours ago Posted 3 hours ago 1 hour ago, Breezey said: Thanks for the clue. I'm not using Cloudflare or any CDN. The path is: Internet → Grandstream GWN7003 port forwarding → Nginx Proxy Manager → Emby. NPM is using a standard proxy host with: Forward scheme: HTTP Forward host: 192.168.20.10 Forward port: 8096 WebSockets: Enabled Force SSL: Enabled HTTP/2: Enabled No custom locations No advanced configuration Is there a particular request or Nginx directive you'd like me to inspect to determine where the POST is being converted to a GET? Have you compared your nginx setup to this:
Breezey 0 Posted 1 hour ago Author Posted 1 hour ago Posted just now I captured the Nginx Proxy Manager access log during a failed login. The Android TV app initially sends: POST http://xxx.xxx.xxx.com.au/emby/Users/AuthenticateByName?format=json NPM returns 301 Moved Permanetly The client then immediately retries as: GET https://xxx.xxx.xxx.com.au/emby/Users/AuthenticateByName?format=json which returns 401. So the POST is being converted to a GET after the HTTP→HTTPS redirect. I captured the Nginx Proxy Manager access log during the failed Android TV login. The Android TV client appears to POST over HTTP, receives the Force SSL redirect, then retries as a GET over HTTPS, which Emby rejects. My Nginx Proxy Manager configuration is otherwise standard with Force SSL enabled and no custom rewrite rules. Is the Android TV client expected to start with HTTP even when the server is configured as HTTPS, or should it be connecting via HTTPS directly?
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now