
Unable to connect to Emby Server behind reverse proxy


Go to solution Solved by ebr,


Posted

Hello everybody,

 

for some reason I am unable to connect from the Fire TV Stick to my Emby server, which is behind an nginx reverse proxy. It simply says: Unable to connect to server - that's all. However, using my Android phone with the Emby app, it works perfectly.

Following my nginx.conf (/etc/nginx/nginx.conf)

user www-data;
worker_processes 4;
pid /run/nginx.pid;

events {
        worker_connections 768;
        # multi_accept on;
}

http {

        ##
        # Basic Settings
        ##

        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        server_tokens off;

        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;

        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # SSL Settings
        ##

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
        ssl_prefer_server_ciphers on;

        ##
        # Logging Settings
        ##

        access_log /var/log/nginx/access.log;
        error_log /var/log/nginx/error.log;

        ##
        # Gzip Settings
        ##

        gzip on;
        gzip_disable "msie6";

        gzip_vary on;
        gzip_proxied any;
        gzip_comp_level 6;
        gzip_buffers 16 8k;
        gzip_min_length 1100;
        gzip_http_version 1.1;
        gzip_types text/plain text/css application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/json application/x-javascript text/js;

        ##
        # Virtual Host Configs
        ##

        include /etc/nginx/conf.d/*.conf;
        include /etc/nginx/sites-enabled/*;
}

Next my emby configuration file (/etc/nginx/sites-available/emby - which is of course symlinked to sites-enabled - I changed the domain names):

server {
        server_name mydomain.com;
        listen 80;

        rewrite ^ https://mydomain.com$request_uri? permanent;
}

server {
        server_name mydomain.com;
        listen 443 ssl spdy;

        ssl_certificate                 /etc/letsencrypt/live/mydomain.com/cert.pem;
        ssl_certificate_key             /etc/letsencrypt/live/mydomain.com/privkey.pem;
        ssl_prefer_server_ciphers       On;
        ssl_protocols                   TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers                     'AES256+EECDH:AES256+EDH:!aNULL';
        resolver                        8.8.8.8 8.8.4.4 valid=300s;
        resolver_timeout                5s;
        keepalive_timeout               180;
        proxy_hide_header X-Powered-By;
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains";
        add_header X-Frame-Options "SAMEORIGIN";
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;";

        client_max_body_size 1024M;

        location / {
                # Send traffic to the backend
                proxy_pass http://127.0.0.1:8096;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                # Send websocket data to the backend as well
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
        }
}

I use the FireTV Stick 2 with the latest Emby App installed.

 

Any ideas?

Posted

I don't claim to be an expert, shouldn't the file be called reverse?

 

I have mine set up like this (also any other web clients i need to access):

 

 

        location /emby {
                proxy_pass http://127.0.0.1:XXXX;
                proxy_set_header Host $host;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
        location /deluge {
                proxy_pass        http://127.0.0.1:XXXX/;
                proxy_set_header  X-Deluge-Base "/deluge/";
        }
 
etc...
 
Also, where the server name is, I also add "localhost" and the local IP of the server, just to cover all possible access needs.
 
Port 443 is your HTTPS port and might not be properly directing the traffic either. I had a problem until I changed the Emby port in the script to the one set for HTTPS in the server settings.
Posted

Hello,

 

I don't see a difference between your config lines and mine (besides that you have different vhosts/locations). I have set the external Emby HTTPS port to 443 and also changed the following values in /var/lib/emby/config/system.xml (as suggested in another thread: https://emby.media/community/index.php?/topic/55484-help-with-reverse-proxycustom-domain-and-remote-connectivity/):

- <EnableHttps>true</EnableHttps>

- <IsBehindProxy>true</IsBehindProxy>

- <RequireHttps>false</RequireHttps>

 

See the following screenshots:

5a784decd3518_advanced.png

5a784e0e26f79_overview.png

 

Maybe you can help @dcrdev ?

Posted

Like I said, no expert, just adding my 2 cents as I understand it. Sorry I couldn't help.

 


Posted

I use Apache over nginx and therefore am probably not the best person to comment on your config.

 

At a guess maybe your list of acceptable encryption ciphers isn't accommodating enough for the FireTV build of Android.

 

Can you try side loading something like busybox to the stick and using cURL to debug the issue?

Posted (edited)

If you are trying to use SSL, the Fire is quite strict about that.  You will have to be sure that your certificate chain is complete and correct.

 

Fire TV Stick + SSL not working -> cannot connect

Hi ebr,

 

alright, this was the clue in the right direction .. this was a simple layer 8 issue -___-

 

There are actually two certificates letsencrypt provides:

- cert.pem (used for OCSP Stapling)

- fullchain.pem (the name says it ......)

 

As modern browsers download the CA if not provided with the certificate itself (cert.pem), Firefox, Chrome, etc. will report a secure connection.

However, debugging it with openssl I could see the intermediate CA was missing .. and then I realized that I used the wrong cert ...

 

Thank you guys for helping me out on this. It works now perfectly fine! :)

 

I think I am going to write an article about my emby/server configuration and publish it here, so that everybody can build up their own secure and fast Emby server instance :)

Edited by sscheib
  • Like 2
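
The check below is an added example, not part of the original posts: it flags an nginx ssl_certificate that points at a leaf-only PEM (cert.pem) rather than a bundle that includes the intermediate (fullchain.pem), the mistake identified above. The /live/... paths, the root-prefix argument and the certificate bodies are constructed placeholders.

```shell
#!/bin/sh
# Added example: flag nginx ssl_certificate files that hold only the leaf
# certificate, so no intermediate CA is sent to clients.

# Count PEM certificate blocks in a file, or on stdin when no file is given.
# Live use against the page's placeholder host (assumes openssl is installed):
#   openssl s_client -connect mydomain.com:443 -servername mydomain.com \
#       -showcerts </dev/null 2>/dev/null | count_certs
count_certs() {
    grep -c -e '-----BEGIN CERTIFICATE-----' "$@" 2>/dev/null || true
}

# Print each ssl_certificate path in a config (ssl_certificate_key is skipped).
cert_paths() {
    sed -n 's/^[[:space:]]*ssl_certificate[[:space:]][[:space:]]*\([^;]*\);.*/\1/p' "$1"
}

# $1 = nginx config, $2 = optional root prefix (hypothetical, for staged copies).
# Returns 1 if any configured bundle has fewer than two certificates.
check_conf() {
    rc=0
    for pem_path in $(cert_paths "$1"); do
        n=$(count_certs "${2:-}$pem_path")
        if [ "${n:-0}" -ge 2 ]; then
            echo "OK        $pem_path ($n certificates)"
        else
            echo "LEAF-ONLY $pem_path (${n:-0} certificate): no intermediate CA"
            rc=1
        fi
    done
    return "$rc"
}

# Constructed sample data: placeholder PEM bodies, not real certificates.
demo=$(mktemp -d)
mkdir -p "$demo/live"
pem() {
    printf '%s\n' '-----BEGIN CERTIFICATE-----' "(constructed: $1)" \
        '-----END CERTIFICATE-----'
}
pem leaf > "$demo/live/cert.pem"
{ pem leaf; pem intermediate; } > "$demo/live/fullchain.pem"
printf '%s\n' 'server {' '    ssl_certificate     /live/cert.pem;' \
    '    ssl_certificate_key /live/privkey.pem;' '}' > "$demo/before.conf"
sed 's/cert\.pem/fullchain.pem/' "$demo/before.conf" > "$demo/after.conf"

check_conf "$demo/before.conf" "$demo" || true   # LEAF-ONLY /live/cert.pem
check_conf "$demo/after.conf" "$demo"            # OK /live/fullchain.pem
```

Counting PEM blocks only shows whether extra certificates are present; it does not validate that they form a correct chain.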
  • 2 years later...
zackidack
Posted

Just wanted to say a big thank you for posting your solution! I had exactly the same problem, and you've just saved me after three days of mad googling! Legend.
