reverse proxy problems

[alphabanks 0]

I would like to know what are the correct steps for configuring Emby with a reverse proxy. I am not using an opensource load balancer I am actually testing with a Netscaler VPX. I am testing Emby via the web

 

interface, Amazon Fire TV generation 2 boxes and an Android tablet. The web interface just works the problem is the Amazon Fire TV and the Android. If I try to connect on the Fire TV I enter the URL such as

 

https://emby.media.test than I enter 443 for the port it simply says can't connect to server. If I use the tablet I can actually log in but when I try to play media I receive no compatible streams are currently available.

.

My Emby config is as follows public ports are 443 and 80 the local ports are 8096 and 8020. I am using a standard config the client is presented with 443 on the front end while the backend is talking on 8020 or 8096.

 

[Luke 42083]

What kind of ssl cert? You need to use a certificate that your devices will trust.

[alphabanks 0]

I am actually using one of these 

 

 

https://cheapsslsecurity.com/comodo/positivessl.html

[Luke 42083]

There are lots of topics here about reverse proxies. Have you checked out any of those?

[alphabanks 0]

All of those topics are based off of free opensource tools I've not seen anything on Netscaler or F5.  As I stated the web interface just works the problem is Amazon Fire and a Android tablet.  This is interesting because if everything is going over 443 than the clients should work. I need to look in the Emby logs to see if there is anything useful.

[Luke 42083]

Do any requests from those devices show up in the logs?

[laie_techie 16]

I don't have experience with Netscalar VPX, but I think some of the same principles apply. You want to make sure your proxy / reverse proxy first detects the webstream paths, because those require the ws protocol. Otherwise, you will be forwarding http or https to your emby server which is wrong.

[Neminem 1524]

Hmm Netscalar is for citrix, right ?

Dos the url work with out netscaler ?

Netscarer should only act as you gateway, for citrix, if set up correct.

All other traffic should go around netscaler.

Edited June 18, 2019 by jaycedk

[pir8radio 1312]

I assume you are talking about netscaler's proxy...     post your NS configuration for your proxy forward profile.   Not a fan of netscaler as a reverse proxy by the way... 

 

Do you have websockets enabled for your profile?      You are going to have to grab an nginx config (click my avatar and there is a link to a config) and setup the same headers and options in your ns profile.   You wont be able to use a default http or https profile. 

Edited June 20, 2019 by pir8radio

[alphabanks 0]

I will check out one of your NGINX configs and try to incorporate it into the Netscaler. BTW I am using content switching virtual servers and polices. BTW if I don't use the content switch everything works for example I tested the three configurations. I only have one public ip so I want all my services to go over port 443 that's why I was using the content switch. I have not looked at using url rewrite feature btw I will post my config in the morning. Aslo why are you not a fan of the Netsclaer and is there a preferred OS for NGINX? Basically do you get better performance on Linux than Windows just curious.

 

virtual server  port 8096

backend service port 8096 (port emby was listening on)

 

virtual server port 443

backed service port 443 (port emby was listening on)

Edited June 20, 2019 by alphabanks

[pir8radio 1312]

I will check out one of your NGINX configs and try to incorporate it into the Netscaler. BTW I am using content switching virtual servers and polices. BTW if I don't use the content switch everything works for example I tested the three configurations. I only have one public ip so I want all my services to go over port 443 that's why I was using the content switch. I have not looked at using url rewrite feature btw I will post my config in the morning. Aslo why are you not a fan of the Netsclaer and is there a preferred OS for NGINX? Basically do you get better performance on Linux than Windows just curious.

 

virtual server  port 8096

backend service port 8096 (port emby was listening on)

 

virtual server port 443

backed service port 443 (port emby was listening on)

 

I probably just dont like it because I do like nginx lol..   We use netscaler at work for a bunch of stuff..  Just not a fan, seems a little harder to get what you want done, done.   

I've beat up nginx on windows, it does quite well...   I hear it runs better (more efficient) on Linux, but I'v only used it on Linux for low volume sites so I couldn't give you a good first hand opinion. 

[alphabanks 0]

I just looked at one of your configs I would like to ask which part of your config should I try to bring over to the Netscaler?

 

Do I need more than this

 

Location / {
        proxy_pass http://127.0.0.1:8080; ## Enter the IP and port of the backend emby server here.

    proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

 

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

Edited June 20, 2019 by alphabanks

[pir8radio 1312]

I just looked at one of your configs I would like to ask which part of your config should I try to bring over to the Netscaler?

 

Do I need more than this

 

Location / {

        proxy_pass http://127.0.0.1:8080; ## Enter the IP and port of the backend emby server here.

 

    proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.

    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.

    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.

    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.

        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.

        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

 

 

 

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.

        proxy_http_version 1.1;

        proxy_set_header Upgrade $http_upgrade;

        proxy_set_header Connection $http_connection;

 

no that should be it...   Netscaler might already do some of that, but websockets, and making sure original emby headers are passed through..   range and if-range will cause mp4 playback issues if its not passing, and if the clients IP is not passed through emby will think its a local user and cause some playback issues.

[alphabanks 0]

I installed the Emby theatre client on my laptop coonected it to my phones hotspot launched the client and used fiddler to do a trace. Below are the results when I hit the play button on the client of course all I got was a spinning circle.

 

#    Result    Protocol    Host    URL    Body    Caching    Content-Type    Process    Comments    Custom    
1    200    HTTP    Tunnel to    api.github.com:443    0            emby.theater:6040            
2    502    HTTP    192.168.90.110:8096    /emby/system/info/public    512    no-cache, must-revalidate    text/html; charset=UTF-8    electron:8012            
3    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
4    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
5    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
6    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
7    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
8    200    HTTP    Tunnel to    chat-pa.clients6.google.com:443    0            firefox:4136            
9    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
10    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
11    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
12    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
13    200    HTTP    Tunnel to    tv.emby.media:443    0            electron:8012            
14    200    HTTP    Tunnel to    mb3admin.com:443    0            electron:8012            
15    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
16    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
17    200    HTTP    Tunnel to    www.emby.example.com:443    0            electron:8012            
18    504    HTTP    127.0.0.1:8023    /play    512    no-cache, must-revalidate    text/html; charset=UTF-8    electron:8012