Jump to content

Search the Community

Showing results for tags 'NGINX'.



More search options

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • General
    • Announcements
    • Emby Premiere Purchase/Subscription Support
    • Feature Requests
    • Tutorials and Guides
  • Emby Server
    • General/Windows
    • Android Server
    • Asustor
    • FreeBSD
    • Linux
    • NetGear ReadyNAS
    • MacOS
    • QNAP
    • Synology
    • TerraMaster NAS
    • Thecus
    • Western Digital
    • DLNA
    • Live TV
  • Emby Apps
    • Amazon Alexa
    • Android Mobile
    • Android TV / Fire TV
    • Emby Theater
    • iOS
    • Apple TV
    • Kodi
    • Raspberry Pi
    • Roku
    • Samsung Smart TV
    • Sony PlayStation
    • LG Smart TV
    • Web App
    • Windows Media Center
    • Plugins
  • Language-specific support
    • Arabic
    • Dutch
    • French
    • German
    • Italian
    • Portuguese
    • Russian
    • Spanish
    • Swedish
  • Community Contributions
    • Ember for Emby
    • Fan Art & Videos
    • Tools and Utilities
    • Web App CSS
  • Other
    • General Discussion
    • Developer API
    • Hardware
    • Media Clubs
    • Legacy Support

Blogs

  • Emby Blog

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

Found 13 results

  1. Hello Emby community! So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day ). I have one question though, for which I couldnt seem to find precise info. I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily. The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan So far, so good, as I only access these services from my home lan, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall). But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed. Many thanks in advance!
  2. Ok this is going to be a long post. In this thread I will show you 2 different ways in which I setup a HTTPS connection to my emby server. Both ways require a certificate which again I will show you how i got mine using Lets Encrypt on Windows. I will break the posts up into Sections. Part.1 - Setting up a DDNS (Dynamic DNS host) Only require if you ISP IP is dynamic i.e. changes. Part.1.A - Setting Up DDNS using your own Domain Name Part.2 - Getting a Domain Name (Optional but looks fancier) Part.3 - Getting a SSL Cert from Lets Encrypt the easy way. Part 3a - Using LE.exe to get Certificates (recommended) Part.4 - Setting up HTTPS by changing default port to 443 Part.5 - Setting up HTTPS using reverse proxy
  3. I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80. I host a website under the www subdomain at the root path on port 80, so that's not an option. I'm fine with any of these solutions: Use a different port (http://www.mydomain.com:8096/) Use a different subdomain (http://emby.mydomain.com/) Use a different path (http://www.mydomain.com/emby/) My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on. I think I'd prefer solution #1 or #2, but I'm not picky. I'd also like to setup SSL, but I need to get this working before I can worry about encryption. That said, the SSL configuration for my website might be responsible for my current problem. All requests to port 80 are redirected to 443, which has SSL enabled. The server just directs everything on the /emby path to localhost:8096, which Emby binds to. I'm able to load the index page, but it fails to load the Javascript used to render any actual content. It looks like the server isn't able to serve the Javascript file over HTTPS. I have very limited experience with NGINX and Emby and I have no idea how to fix it. Here's my NGINX server configuration: server { listen 443 ssl default_server; listen [::]:443 ssl default_server; root /█████/website; server_name █████; ssl on; ssl_certificate /█████/cert.pem; ssl_certificate_key /█████/privkey.pem; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 8.8.8.8; location /static { alias /█████/website/static; } location / { try_files $uri @wsgi; } location @wsgi { proxy_pass http://unix:/tmp/gunicorn.sock; include proxy_params; } location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { access_log off; log_not_found off; expires max; } location /emby { proxy_pass http://127.0.0.1:8096; } } server { listen 80 default_server; listen [::]:80 default_server; server_name █████; return 301 https://$host$request_uri; }
  4. Hello I have my Emby server configured to use ssl by inputting the external domain name and secure connection mode set to handled by reverse proxy. I have nginx secured with ssl and I can successfully hit my emby server using the custom domain url, and certificate is successfully verified for https. But it seems my users that go through the app.emby.media site and log in using emby connect are still directed to an http site with a not secure connection warning. Is there a simple step I'm missing to get that to redirect to the proper https wan url configured in Emby?
  5. garrettjones331

    Reverse Proxy - ERR_TOO_MANY_REDIRECTS

    Hello, I used Swynol's guide on setting up a reverse proxy in attempt to set up my own (Reference Post #5 - https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy/). In terms of NGINX config set up, I essentially copy and pasted his last post replacing his domains and sub-domains with my own. For the Emby server set up I have the public https port to 443, the external domain set, and the secure connection mode set to "Reverse Proxy". I have manually checked the server config xml and verified that "requirehttps" is false. I also have my 80 and 443 ports forwarded to the NGINX server on my router. The issue I'm getting is that when I try to access my server I get a "ERR_TOO_MANY_REDIRECTS" in chrome. I've exhausted my google-fu techniques and come to seek knowledge from others who may be more savvy with NGINX and reverse proxies.
  6. How to secure Emby using LetsEncrypt and Nginx Reverse Proxy by modifying Docker containers in Openmediavault. https://youtu.be/jYoDyoH2C0A
  7. Preface All of the media I'm testing have previously worked flawlessly in the current environment. Meaning my network topography/speed has not changed. I cannot say for sure when this problem began as I rarely need to use a browser to access my Emby personally, however I had a user report issues a few weeks ago. I gave it very little thought until I had reason to use a browser recently and I ran into problems. Problem Recently (within the last few weeks), Emby playback within my web-browser has begun giving me the following error: Testing I have tested with various browser on various machines with results as such Ubuntu - Chrome: FAIL Windows - Chrome: FAIL Ubuntu - Firefox: FAIL Windows - Firefox: FAIL Windows - Edge: SUCCESS I have deduced that this happens for all Matroska contained media as far as I can tell. Container WebM w/ VP9/Opus codecs works correctly. I'd have to really go fishing for other types of media to test as my libraries are 99.99% Matroska or WebM. Logs NOTE: Firefox actually attempted transcoding, though still resulted in the same error. I zipped the result transcode logs for each occurrence, though I know they will not be helpful for debugging this. 20180926-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-1.log 20180926-Emby.Server.DEBUG.Windows.Chrome.v68.0.3440.100-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1.zip 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2-1.log 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2.zip 20180926-Emby.Server.DEBUG.Windows.Edge.log UPDATE -- 20180927 -- Official Embyserver Docker Container results -- 20180927-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-3-1.log UPDATE It appears I may have opened a duplicate post from someone else with a similar problem (though to be fair, when I searched I did not find it as their topic is very misleading) https://emby.media/community/index.php?/topic/63309-docker/?p=627055 Also at a glance at their log, their ffmpeg doesn't even start, whereas this is not my issue.
  8. Server knows that the device is eligible for direct play according to the logs but only gives transcode options anyway. server: custom build x86 hardware ubuntu 18.04 emby 3.4.1.0 athlon 5350 emby runs from behind a nginx proxy (if deemed necessary will post configurations) client: sony xperia z3 android 6.0.1 snapdragon 801 (hevc supported) same result for my samsung my s7 edge, transcode options are set to default. logs included but cut first post here thank you in advance Log server cut.txt log transcode cut.txt
  9. Hey Guys. I want to add Emby to my current setup with a nginx reverse proxy, lets encrypt and nextcloud. I already tried some things but it didnt worked so I hope you can help me. docker-compose.yml: version: '2' services: proxy: image: jwilder/nginx-proxy container_name: proxy ports: - 80:80 - 443:443 volumes: - ./proxy/conf.d:/etc/nginx/conf.d - ./uploadlimit.conf:/etc/nginx/conf.d/uploadlimit.conf:ro - ./proxy/vhost.d:/etc/nginx/vhost.d - ./proxy/html:/usr/share/nginx/html - ./proxy/certs:/etc/nginx/certs:ro - /var/run/docker.sock:/tmp/docker.sock:ro networks: - proxy-tier restart: always letsencrypt-companion: image: jrcs/letsencrypt-nginx-proxy-companion container_name: letsencrypt-companion volumes_from: - proxy volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./proxy/certs:/etc/nginx/certs:rw restart: always web: image: nginx container_name: nextcloud_webserver volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro links: - app volumes_from: - app environment: - VIRTUAL_HOST=nextcloud.mydomain.de, alternative.domain.de - VIRTUAL_NETWORK=nginx-proxy - VIRTUAL_PORT=80 - LETSENCRYPT_HOST=nextcloud.mydomain.de, alternative.domain.de - LETSENCRYPT_EMAIL=my@email.de networks: restart: always app: image: nextcloud:fpm container_name: nextcloud_fpm links: - db volumes: - ./nextcloud/apps:/var/www/html/apps - ./nextcloud/config:/var/www/html/config - /mainstorage/nextcloud/data:/var/www/html/data networks: - proxy-tier restart: always db: image: mariadb container_name: db volumes: - /mainstorage/nextcloud/db:/var/lib/mysql environment: - MYSQL_ROOT_PASSWORD=securepw - MYSQL_DATABASE=nextcloud - MYSQL_USER=user - MYSQL_PASSWORD=anothersecurepw networks: - proxy-tier restart: always networks: proxy-tier: external: name: nginx-proxy nginx.conf: user www-data; events { worker_connections 768; } http { upstream backend { server app:9000; } include /etc/nginx/mime.types; default_type application/octet-stream; server { listen 80; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; root /var/www/html; client_max_body_size 10G; # 0=unlimited - set max upload size fastcgi_buffers 64 4K; gzip off; index index.php; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; rewrite ^/.well-known/carddav /remote.php/dav/ permanent; rewrite ^/.well-known/caldav /remote.php/dav/ permanent; location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location / { rewrite ^/remote/(.*) /remote.php last; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; try_files $uri $uri/ =404; } location ~ \.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_pass backend; fastcgi_intercept_errors on; } # Adding the cache control header for js and css files # Make sure it is BELOW the location ~ \.php(?:$|/) { block location ~* \.(?:css|js)$ { add_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } # Optional: Don't log access to other assets location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { access_log off; } } } I already tried something like adding emby: image: emby/embyserver container_name: emby volumes: - /mainstorage/emby/config:/config - /mainstorage/nextcloud/data/user1/files/:/mnt/share1 - /mainstorage/nextcloud/data/user2/files/:/mnt/share2 devices: - /dev/dri/renderD128 networks: - proxy-tier restart: always to the docker-compose file but it didnt work. My Goal is to be able to access emby from a different subdomain than my nextcloud. Like nextcloud access is under nextcloud.mydomain.de and emby is emby.mydomain.de. I hope someone can help me
  10. ACoolUsername

    Not playing video through Nginx reverse proxy

    Hey, I have emby installed using the docker and behind an nginx reverse proxy, I used the config from this post https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy. Shown below. worker_processes 4; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:443 ssl; listen 443 ssl; #listen 80; #listen [::]:80; server_name emby.mydomain.com; access_log /var/log/nginx/emby.mydomain.com-access.log; error_log /var/log/nginx/emby.mydomain.com-error.log; ssl_protocols TLSv1.2 TLSv1.1; ssl_certificate /etc/letsencrypt/live/emby.mydomain.com/cert.pem; ssl_certificate_key /etc/letsencrypt/live/emby.mydomain.com/privkey.pem; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://localhost:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } I am able to access emby through the reverse proxy and can browse media and manage server but whenever I try to play videos it just shows a black screen and the loading icon and eventually an error message will appear . I have tested this with Chrome, Firefox, Edge and Opera and they all give the same result (Firefox and Edge show the poster and loading icon). Everything works fine when connecting directly to emby (emby.mydomain.com:8904). Any help would be much appreciated.
  11. There have been a few posts around the Forum recently regarding SSL, HTTPS and Security. I'm by no means an expert on reverse proxies but have had alot of dealings with them over the past few months and with the help of @@pir8radio and @@shorty1483 have a fairly well setup and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS. So firstly, what is and why do i need a reverse proxy? If you’re like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else. Then you have to open multiple ports on your router to direct traffic to where it needs to go. With a Reverse Proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443 so I close all ports bar 443. Another reason to use a reverse proxy is that you can use your own domain certs easily and fine tune your security settings. If you want to test your Domain security go here - https://securityheaders.io/ Chances are your rating will be an F. with reverse proxy you can easily attain a B+/A Grade. You can also setup a web faced server running NGINX and then have additional servers behind that hidden on your LAN, however if your like me I have NGINX running on the same machine as emby. I only access Emby remotely do i still need a reverse proxy? Difficult to answer. No you dont need a reverse proxy to access Emby, but if you do then you can fine tune the security. This guide assumes you have a Domain name, your own Certs to go with your domain name and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS setup. Have I convinced you yet? I run Windows OS at home so this guide follows a Windows setup but the config will be the same across all OS. 1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ as of writing this guide its version 1.13.0.1 Violet. 2. Extract the ZIP file somewhere easy to find. C:\NGINX. a. To make future updating easier when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX. 3. Before we get started on the config of NGINX lets install it as a service. a. Download NSSM b. Extract the ZIP c. Copy correct x86 or x64 nssm.exe to C:\Windows\System32 d. Open a CMD, type ‘nssm install nginx’ e. Fill in the Application Path – C:\NGINX\nginx.exe Startup directory – C:\NGINX Service name – NGINX. Install Service Don’t Start the service yet, we need to configure NGINX. To create a config I use notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts. worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## } This part is fairly standard. anything starting with # is disabled or just a comment. The config is broken down into blocks. the first block here is the HTTP block. The HTTP block contains all the headers required to do the work of the reverse proxy for example when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses. ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } This next block is called a server block and it nested inside the HTTP block. This block is optional, it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::] 80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again only needed if you are forcing everyone to use HTTPS only. ##EMBY Server## server { listen 80; listen [::] 80; listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } The next server block is where the magic happens. First the listen 80; and listen [::] 80; are only needed if you want to allow users to access your emby server on port 80. otherwise delete these 2 lines to force all users to HTTPS access. Listen 443 ssl; and listen [::] 443 ssl; are the default HTTPS ports again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access emby from outside your network. Now lets look at the SSL certificates, for my setup I created a .pem file. this file contains both my cert, intermediate and CA root cert in one file. This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm you should now have your cert.pem and a private.key file. for simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder) This tells NGINX where to find the certs. ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; For now I am going to skip over the #add_header Public-Key-Pins - as you can see i have it disabled by using # in front of it. I will explain why later on. The next section adds further security tweaks, you will need to change the content-security-policy domain names to your own. you need to list all your subdomains i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea. add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096 you can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. the rest of the location block is default stuff to help the data get to where it is needed. Your Config should now look like the one below. we need to save it to C:\NGINX\conf and name it nginx.conf worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } And thats it, you can now start your NGINX services by running services.msc and starting NGINX.
  12. I am experiencing the problem precisely as described in this topic, except only in Chrome and only when requesting the actual stream file (https://myserver/emby/videos/id/stream.webm?morestuf). All other pages (logging in, navigating, cover art, ...) work fine in all browsers. I am running Emby 3.0.5821 and use Nginx as the reverse proxy. Firefox and Microsoft Edge work fine but Chrome does not. Using the exact same setup, Firefox sends the Authorization header on all pages while Chrome does not send the Authentication header on its request to the stream file (https://myserver/emby/videos/id/stream.mkv?morestuf). One difference that I can see is that Chrome is asking for a stream.mkv file, while Firefox is asking for a stream.webm file. The result is that instead of my video, I get a popup that sais "Video Error There was an error playing the video.". The popup appears to be a recent addition to Emby, because I updated Emby before making this topic and before the update the popup was not there . Screenshots of the requests made by Firefox and Chrome are attached.
  13. ytzelf

    Nginx HTTP Authentification

    Hello everyone, I am trying to get nginx basic http to work with emby but am getting some errors with http headers I added the following lines to my nginx configuration proxy_set_header Authorization $http_authorization; proxy_pass_header Authorization; Which seems to work in some cases (from nginx debug log) 2015/10/19 23:30:05 [debug] 8860#0: *7 http proxy header: "GET /emby/web/dashboard.html HTTP/1.1 X-Real-IP: xxxxxxxx X-Forwarded-Host: xxxxxxxx X-Forwarded-For: xxxxxxxx X-Forwarded-Proto: xxxxxxxx X-Forwarded-Protocol: https Connection: upgrade Host: 127.0.0.1:8096 Authorization: Basic xxxxxxxxxxxxxxxxxxxxx Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8 Upgrade-Insecure-Requests: 1 User-Agent: Mozilla/5.0 (Linux; Android 5.1.1; XT1039 Build/LMY48W) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/$ DNT: 1 Accept-Encoding: gzip, deflate, sdch Accept-Language: en-US,en;q=0.8,fr;q=0.6 Cookie: _pk_id.1.460e=ddfc4db714572eee.1445258016.2.1445261772.1445261758.; wanted_view=thumb; snatched_view=list;$ But fails elsewhere 2015/10/19 23:30:01 [debug] 8860#0: *7 HTTP/1.1 401 Unauthorized Server: nginx/1.6.2 Date: Mon, 19 Oct 2015 21:30:01 GMT Content-Type: text/html Content-Length: 596 Connection: keep-alive WWW-Authenticate: Basic realm="Restricted" Resulting in a 401 error each time I try to watch a video online (right after clicking on the play button, everything else works just fine). I was just wondering where exactly I would have to make some changes for all requests to include the Autorization header. Disabling http authentification altogether makes everything fine. Thanks a lot !
×
×
  • Create New...