Search the Community
Showing results for tags 'nginx'.
-
NGINX and emby Config Version 1.0.4 Last Update 1-1-2024 Update by Pir8Radio Why Use NGINX reverse proxy ahead of my application servers like emby? With NGINX or any reverse proxy ahead of an application server you have more control over your setup. You can do things the application servers were not built to handle, have better control over your security and logging, replace lines of code without editing the application server code, better control of caching, etc, etc.... One of the main reasons is so that you don't have to open a new port on your firewall for every application server you host, all you really need to open is 80 & 443 and the internet can reach all of your different servers through one entrance. Will NGINX work on my OS? Most likely, you can find various versions of NGINX for most OS's and they come in different flavors, with options baked in, or just the bare NGINX that you need to compile. See below for download links to get you started. Will NGINX break things on emby? Absolutely if you don't configure it correctly! I HIGHLY suggest when choosing a scheme to setup your domain URL you choose SUB-DOMAIN and NOT sub-directory, more below. Also if you come to the emby forum with things not working, or issues you have and you use a Reverse Proxy, PLEASE make sure that is one of the first things you mention in your forum post. ESPECIALLY if emby works on one platform or client, but not another. So many times people complain "but it works on chrome, so I didn't think it was the reverse proxy". Mention you have a Reverse Proxy please. If the reverse proxy is setup correctly it should be totally transparent to the user and the application server (emby). I'm not going to go into how to purchase and setup a domain name. Lots of how-to's on that out there. Once you have a domain name and its pointed to your IP address, you can go to that domain name and hit your server then continue on.... Sub-Domain vs Sub-Directory: Lets say your domain name is: domain.com there are two main ways you can direct traffic from the internet to your backend application servers like emby. One is sub-directory, something like domain.com/emby or domain.com/other-server This is doable in nginx, but there are some catches and you need to know how your reverse proxy and application server work in detail.. This often breaks different features in emby and other application servers.. To keep with our "Totally Transparent" goal sub-directory doesn't work well, it requires a lot of rewriting and work-arounds to make it work smoothly, if you choose sub-directory you will run into issues you will need to address. The other option is Sub-Domain, this is the cleanest, most transparent, easiest to setup and maintain, it's also what I highly suggest you setup. A sub-domain looks like: emby.domain.com or other-server.domain.com The below config is based on Sub-Domain I will include a sub-directory example as well. NGINX Downloads: Official nginx downloads(LINUX): nginx.org Official nginx downloads(Windows): nginx.org WINDOWS users I suggest this version: nginx-win.ecsds.eu download links are at the bottom of the page. This Windows version has lots of cool features compiled into it already, and is optimized for windows. They keep up with updates, its a FREE (for non-commercial) third party build that I highly recommend. Additional Links: Content Security Policy info (CSP) (For Advanced Users): A CSP WILL break your server if you don't know what you are doing, I suggest reading up, lots of googleing, and understand what a CSP's function is and is not prior to venturing into this area Example NGINX Reverse Proxy Config: 3-29-2020 - ADDED A LINE FOR CLOUDFLARE USERS SO THAT THE X-REAL-IP HEADER IS CORRECTED. THIS ONLY EFFECTS Cloudflare USERS. 4-11-2020 (V1.0.1) - MOVED proxy_buffering off; FROM LOCATION BLOCK TO SERVER BLOCK 12-18-2020 (V1.0.2) - ADDED 301 SERVER SECTION TO FORCE ALL TRAFFIC TO SSL. 9-23-2021 no nginx config change, but cloudflare changed how they cache video files, so emby users that use Cloudflare now need to add a rule like below to make sure video is seekable and playable. 8-18-2022 - added a line for photo sync to cover large uploads of videos and images. (client_max_body_size 1000M;) 1-1-2024 - changed http2 setting per @weblesuggestion in this thread post # 1309363. ** The below "Page Rules" are only needed for Cloudflare CDN users, otherwise ignore. worker_processes auto; error_log logs/error.log; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_names_hash_bucket_size 64; server_tokens off; ## The below will create a separate log file for your emby server which includes ## userId's and other emby specific info, handy for external log viewers. ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP ## to log the real client IP address log_format emby '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"'; log_format default '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port'; sendfile off; ## Sendfile not used in a proxy environment. gzip on; ## Compresses the content to the client, speeds up client browsing. gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; proxy_connect_timeout 1h; proxy_send_timeout 1h; proxy_read_timeout 1h; tcp_nodelay on; ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request. ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443 server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; } ## Start of actual server blocks server { listen [::]:443 ssl; ## Listens on port 443 IPv6 ssl enabled listen 443 ssl; ## Listens on port 443 IPv4 ssl enabled http2 on; ## Enables HTTP2 proxy_buffering off; ## Sends data as fast as it can not buffering large chunks. server_name emby.domainname.com; ## enter your service name and domain name here example emby.domainname.com access_log logs/emby.log emby; ## Creates a log file with this name and the log info above. ## SSL SETTINGS ## ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate ssl/pub.pem; ## Location of your public PEM file. ssl_certificate_key ssl/pvt.pem; ## Location of your private PEM file. ssl_session_cache shared:SSL:10m; location ^~ /swagger { ## Disables access to swagger interface return 404; } location / { proxy_pass http://127.0.0.1:8096; ## Enter the IP and port of the backend emby server here. client_max_body_size 1000M; ## Allows for mobile device large photo uploads. proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys. proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested. proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested. proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server. #proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line. proxy_set_header Host $host; ## Passes the requested domain name to the backend server. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server. ## ADDITIONAL SECURITY SETTINGS ## ## Optional settings to improve security ## ## add these after you have completed your testing and ssl setup ## ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ## ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ## add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header Strict-Transport-Security "max-age=15552000; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client. proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } } }
- 288 replies
-
- 20
-
- reverse-proxy
- reverse
-
(and 5 more)
Tagged with:
-
I have spent alot of time trying to make Emby secure with https and I have now hit a brick wall. My knowledge on this topic is zero, so im hoping with some guidance I can get this working. OS: Windows Port Forward: 443 Domain: YES SSL: Lets Encrypt via Win-Acme (No passphrase) Reverse Proxy: NGINX Most of the infomation is taken from https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/#comment-419091 Where I have hit a brick wall is when i try and start NGINX. It fails to start and nothing shows in the logs. Below is my nginx.conf, Thanks in advance. worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; sendfile off; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:80; listen 80; listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate C:\\nginx-1.26.2\conf\SSL\mydomain.com-crt.pem; ssl_certificate_key C:\\nginx-1.26.2\conf\SSL\mydomain.com-key.pem; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; proxy_hide_header X-Powered-By; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com; emby.mydomain.com; location / { proxy_pass http://192.167.178.21:8096; proxy_hide_header X-Powered-By; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } }
-
I have been running Emby off my Mac mini M1 for a while now without issue. I setup SSL certification for remote access and everything has been working great. Right now, though, I have to renew my certificates every 90 days and then restart the Server for the new Certs to take effect. I have been using CertBot and OpenSSL for my certificate creation. I was trying to explore the use of NGINX Reverse Proxy as a way to automate the SSL Certificate process. Specifically, I could have a powershell script run to generate my certificates using CertBot and then I wouldn't have to worry about restarting the Emby Server as part of the process. I went though the recommended HOW TO: NGINX for Windows Topic that is recommended. And that was very useful for generating my Config file. However, I have not yet been able to get the Reverse Proxy to work. Here is my Config File (this is taken directly from the other HOW TO post): worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; sendfile off; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:80; listen 80; listen [::]:443 ssl; listen 443 ssl; server_name mydomain.com; # ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate /private/etc/letsencrypt/live/mydomain.com/cert.pem; ssl_certificate_key /private/etc/letsencrypt/live/mydomain.com/privkey.pem; ssl_session_cache shared:SSL:10m; ssl_prefer_server_ciphers on; ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5; proxy_hide_header X-Powered-By; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com;"; #add your domainname and all subdomains listed on your cert location / { proxy_pass http://192.168.86.21:8096; # This is my local emby ip and non SSL port proxy_hide_header X-Powered-By; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } I know the syntax works because I ran the command sudo nginx -t and the test was successful. So I guess where I am struggling is the Emby Network Settings and/or the Port Forwarding. As I mentioned, I have Remote Access with mydomain.com working already, so I am at least familiar with these areas (in so much that I know the router works if the ports are set up correctly). But I am not 100% sure that I have these setup the way they are supposed to be configured. I have local http/https as 8096/8920. I have public http/https as 80/443. I forwarded the 80 and 443 ports on my router to the computer that is running NGINX (which is the same computer where Emby runs). Does anyone see where I may have gone wrong, or where I might be missing a step?
- 4 replies
-
- reverse proxy
- nginx
-
(and 1 more)
Tagged with:
-
I have a Emby server on Windows with port 8098 and a Nginx server before it with port 2345, they are on same machine then I install Emby Android app on my mobile phone and configure server address: http://192.168.51.39:2345, and everything is ok But after I restart Emby Android app, the server address has been changed to http://192.168.51.39:8098 automatically !! I want to know why the app change the server address? It seems the app use the Nginx upstream address as the server address, am I make some mistakes in configuration ? All the devices are in the same LAN Arch: Emby Android -> Nginx -> Emby Server Emby server version: 4.8.0.54 Emby Andrord version: 3.3.39 ========== Nginx Conf Begin ============= server{ gzip on; listen 2345; listen [::]:2345; server_name default; ## The default `client_max_body_size` is 1M, this might not be enough for some posters, etc. client_max_body_size 20M; add_header 'Referrer-Policy' 'no-referrer'; set $emby http://192.168.51.39:8098; #emby/jellyfin address # Proxy sockets traffic for jellyfin-mpv-shim and webClient location ~ /(socket|embywebsocket) { # Proxy emby/jellyfin Websockets traffic proxy_pass $emby; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; } location ~* /web/index.html { proxy_buffering off; js_body_filter addExternalUrl.incloudUrl buffer_type=string; proxy_pass $emby; proxy_pass_request_body off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_set_header Accept-Encoding "identity"; proxy_set_header X-Original-URI $request_uri; js_header_filter addExternalUrl.HeaderFilter; } location @backend { proxy_pass $emby; } ... } ========== Nginx Conf Begin =============
- 10 replies
-
Emby Server Type: Docker Emby Server Version: 4.7.11.0 Reverse Proxy: NGINX Proxy Manager Let's Encrypt Certificate - TLS 1.2, 1.3 Browsers Tested: Firefox, Edge, Chrome, Opera Hello: After looking at some playback, I noticed that my streams are utilizing HTTP/1.1 instead of the far superior HTTP/2 method. I have scoured the forums here as well as Google, and I seem to be alone. My setup is quite simple, with a NGINX Proxy Manager docker that connects clients securely to the Emby server. My domain has HTTP/2 support, with TLS 1.2/1.3 available and established upon client connection. As far as I am aware, the Emby Server Version I am running supports HTTP/2. I see no way to force it in settings, but I know for certain my reverse proxy has it enabled. Could there be any insight as to what I am doing wrong so that HTTP/2 is used? Client ---> TLS 1.3 LE Cert --> NPM ---> Emby:8096
-
@pir8radio @pwhodges thanks for trying to help me I have converted Let’s Encrypt to work with emby directly without using Nginx Cer add to emby setting surf to my server and now working without any warning from the browser about the Certificate .. and the video payed as well. ok now when I try with the emby app, the video still give me an error. So it is not related with Nginx ... there is an issue with the app itself @Luke this issue only I have with Galaxy Note 5 The device is Galaxy Note 5 Android 7.0 emby 3.2.56 Server emby 4.7.5.0 (Ubuntu Linux 20.04.4) log file is attached please note that I have replace my domain name and IP to my_domain.com and my_ip on the log file Many Thanks embyserver.txt
- 21 replies
-
- reverse-proxy
- reverse
-
(and 5 more)
Tagged with:
-
Hi, I have been having what seems to be a common issue which is the video player going to the start when attempting to skip. From what I could tell this has something to do with my Nginx reverse-proxy setup. Found out about this from this comment I went to their post and tried to use their Nginx reverse-proxy configuration. Post can be found here https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/ But I am getting a error every time I run it. I am unsure if this configuration is supposed to work on ubuntu as it is posted under general/windows and my server is on Ubuntu 20.04.4 LTS x86_64. The error is as follows This is the configuration used to achieve this error. https://pastebin.com/Vyfhkrb6 . I am also using cloud flare so take that into account when reviewing the configuration.
- 5 replies
-
- ubuntu
- reverse proxy
-
(and 1 more)
Tagged with:
-
I built an emby server, now I want to use nginx reverse proxy it. But when I access my domain ,the page is all black. I can see the title is "emby", but no other things. my nginx config user www www; worker_processes auto; error_log /data/wwwlogs/error_nginx.log crit; pid /var/run/nginx.pid; worker_rlimit_nofile 51200; events { use epoll; worker_connections 51200; multi_accept on; } http { include mime.types; default_type application/octet-stream; server_names_hash_bucket_size 128; client_header_buffer_size 32k; large_client_header_buffers 4 32k; client_max_body_size 1024m; client_body_buffer_size 10m; sendfile on; tcp_nopush on; keepalive_timeout 120; server_tokens off; tcp_nodelay on; fastcgi_connect_timeout 300; fastcgi_send_timeout 300; fastcgi_read_timeout 300; fastcgi_buffer_size 64k; fastcgi_buffers 4 64k; fastcgi_busy_buffers_size 128k; fastcgi_temp_file_write_size 128k; fastcgi_intercept_errors on; #Gzip Compression gzip on; gzip_buffers 16 8k; gzip_comp_level 6; gzip_http_version 1.1; gzip_min_length 256; gzip_proxied any; gzip_vary on; gzip_types text/xml application/xml application/atom+xml application/rss+xml application/xhtml+xml image/svg+xml text/javascript application/javascript application/x-javascript text/x-json application/json application/x-web-app-manifest+json font/opentype application/x-font-ttf application/vnd.ms-fontobject image/x-icon; gzip_disable "MSIE [1-6]\.(?!.*SV1)"; ##Brotli Compression #brotli on; #brotli_comp_level 6; #brotli_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascri$ ##If you have a lot of static files to serve through Nginx then caching of the files' metadata (not the actual files' contents) can sa$ #open_file_cache max=1000 inactive=20s; #open_file_cache_valid 30s; #open_file_cache_min_uses 2; #open_file_cache_errors on; log_format json escape=json '{"@timestamp":"$time_iso8601",' '"server_addr":"$server_addr",' '"remote_addr":"$remote_addr",' '"scheme":"$scheme",' '"request_method":"$request_method",' '"request_uri": "$request_uri",' '"request_length": "$request_length",' '"uri": "$uri", ' '"request_time":$request_time,' '"body_bytes_sent":$body_bytes_sent,' '"bytes_sent":$bytes_sent,' '"status":"$status",' '"upstream_time":"$upstream_response_time",' '"upstream_host":"$upstream_addr",' '"upstream_status":"$upstream_status",' '"host":"$host",' '"http_referer":"$http_referer",' '"http_user_agent":"$http_user_agent"' '}'; ######################## default ############################ server { listen 80; server_name _; access_log /data/wwwlogs/access_nginx.log combined; root /data/wwwroot/default; index index.html index.htm index.php; #error_page 404 /404.html; #error_page 502 /502.html; location /nginx_status { stub_status on; access_log off; allow 127.0.0.1; deny all; } location ~ [^/]\.php(/|$) { #fastcgi_pass remote_php_ip:9000; fastcgi_pass unix:/dev/shm/php-cgi.sock; fastcgi_index index.php; include fastcgi.conf; } location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ { expires 30d; access_log off; } location ~ .*\.(js|css)?$ { expires 7d; access_log off; } location ~ ^/(\.user.ini|\.ht|\.git|\.svn|\.project|LICENSE|README.md) { deny all; } } location /.well-known { allow all; } } ########################## vhost ############################# include vhost/*.conf; } and my vhost mydomian.config server { listen 80; listen [::]:80; listen 443 ssl http2; listen [::]:443 ssl http2; ssl_certificate /usr/local/nginx/conf/ssl/mydomain.com.crt; ssl_certificate_key /usr/local/nginx/conf/ssl/mydomain.com.key; ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; ssl_ciphers TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:TLS13-AES-128-CCM-8-SHA256:TLS13-AES-128-$ ssl_prefer_server_ciphers on; ssl_session_timeout 10m; ssl_session_cache builtin:1000 shared:SSL:10m; ssl_buffer_size 1400; add_header Strict-Transport-Security max-age=15768000; ssl_stapling on; ssl_stapling_verify on; server_name mydomain.com; access_log /data/wwwlogs/mydomain.com_nginx.log combined; index index.html index.htm index.php; root /data/wwwroot/mydomain.com; include /usr/local/nginx/conf/rewrite/other.conf; #error_page 404 /404.html; #error_page 502 /502.html; location ~ [^/]\.php(/|$) { #fastcgi_pass remote_php_ip:9000; fastcgi_pass unix:/dev/shm/php-cgi.sock; fastcgi_index index.php; include fastcgi.conf; } location ~ .*\.(gif|jpg|jpeg|png|bmp|swf|flv|mp4|ico)$ { expires 30d; access_log off; } location ~ .*\.(js|css)?$ { expires 7d; access_log off; } location ~ /(\.user\.ini|\.ht|\.git|\.svn|\.project|LICENSE|README\.md) { deny all; } location /.well-known { allow all; } location ~ / { proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header Host $http_host; proxy_redirect off; proxy_pass http:/127.0.0.1:8096; } } Please help me check out what's wrong with the code? Thanks a lot.
-
Hello, I'm building an emby server in the google cloud structure with Linux, but stuck in the reverse proxy part, this is the code I'm using, but when I activate it and try to reverse the service using: systemctl restart nginx Receive this beautiful: The job for nginx.service failed because the control process ended with an error code. See "systemctl status nginx.service" and "journalctl -xe" for details. The error log returns this: 09/02/2022 17:30:17 [warning] 13219#13219: server name "rflix.rodrigoremir.xyz/" has suspicious symbols in /etc/nginx/sites-enabled/default:9 02/09/2022 17:30:17 [emerg] 13219#13219: Invalid number of arguments in "proxy_set_header" directive in /etc/nginx/sites-enabled/default:31 Code used: ############################################# # # Proxy Reverso # ############################################# #/etc/nginx/sites-available/default server { server_name rflix.rodrigoremir.xyz/; location / { proxy_pass http://127.0.0.1:8096/; proxy_set_header Host $host; proxy_set_header X-Real_IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol $scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_buffering off; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header X-Forwarded-Host $http_host; } location /embywebsocket { proxy_pass http://127.0.0.1:8096; proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; proxy_set_header Host $host; proxy_set_header X-Real-IP #remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; proxy_set_header X-Forwarded-Proto $scheme; proxy_set_header X-Forwarded-Protocol #scheme; proxy_set_header X-Forwarded-Host $http_host; proxy_buffering off; } } #End What can solve this problem?
-
Controlar las descargas en Emby con Nginx como proxy inverso - APORTE
Alexmanafan posted a topic in Spanish
Controlar las descargas en Emby con Nginx como proxy inverso -
I just got a new router, which means my server has moved from local IP 10.0.x.x to 192.168.x.x. I added exactly the same port-forwarding rules to the new router that I had in the old router, changed the local IP address in the NGINX config, restarted NGINX and...it doesn't connect. The domain gets a CloudFlare 524 error. My IP address followed by ports 80, 443, 4343, 8920 and 7241 fails. My IP address followed by port 8096 succeeds. This doesn't make any sense. I have Emby's ports in the network config set to 4343 for secure and 7241 for non-secure. CanYouSeeMe.org can only see me on port 8096. NGINX isn't jumping in front of any of the attempts at direct-IP access, which from memory it's supposed to.
- 295 replies
-
- reverse-proxy
- reverse
-
(and 5 more)
Tagged with:
-
Hi Emby Community, I'm trying to set up a reverse proxy (jada jada jada ipv6 reachable from ipv4 jada jada) and for reasons I can only do it with node.js. I took inspiration from this nginx config guide as there where no guides for node.js but I'm stuck at setting the headers correctly. First I want a working setup in pure node.js and the think about using express for compression middleware and stuff like that. const http = require('http'); const PORT = 80; const hostname = 'emby.mydomain.com'; function onRequest(req, res) { console.log('serve: ' + req.url); const options = { hostname: hostname, port: 80, path: req.url, method: req.method, headers: { ...req.headers, 'X-Real-IP': '$remote_addr', 'X-Forwarded-for': '$proxy_add_x_forwarded_for', 'Host': '$host', 'X-Forwarded-Proto': '$remote_addr', 'X-Forwarded-Protocol': '$scheme', //proxy_redirect off; // websockets //proxy_http_version 1.1; 'Upgrade': '$http_upgrade', 'Connection': "upgrade" } }; const proxy = http.request(options, function (r) { res.writeHead(r.statusCode, r.headers); r.pipe(res, { end: true }); }); req.pipe(proxy, { end: true }); } http.createServer(onRequest).listen(PORT); console.log('Listening on port '+PORT); As I am not very comfortable in nginx and honestly ony a beginner in node.js I'm missing some header information, how to set http to version 1.1 (red something that thats maybe already default?) and how to translate the proxy_redirect directive. Thank you for any responses, maybe someone with some nodejs experience can help me out here.
- 12 replies
-
Preface All of the media I'm testing have previously worked flawlessly in the current environment. Meaning my network topography/speed has not changed. I cannot say for sure when this problem began as I rarely need to use a browser to access my Emby personally, however I had a user report issues a few weeks ago. I gave it very little thought until I had reason to use a browser recently and I ran into problems. Problem Recently (within the last few weeks), Emby playback within my web-browser has begun giving me the following error: Testing I have tested with various browser on various machines with results as such Ubuntu - Chrome: FAIL Windows - Chrome: FAIL Ubuntu - Firefox: FAIL Windows - Firefox: FAIL Windows - Edge: SUCCESS I have deduced that this happens for all Matroska contained media as far as I can tell. Container WebM w/ VP9/Opus codecs works correctly. I'd have to really go fishing for other types of media to test as my libraries are 99.99% Matroska or WebM. Logs NOTE: Firefox actually attempted transcoding, though still resulted in the same error. I zipped the result transcode logs for each occurrence, though I know they will not be helpful for debugging this. 20180926-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-1.log 20180926-Emby.Server.DEBUG.Windows.Chrome.v68.0.3440.100-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1-1.log 20180926-Emby.Server.DEBUG-Ubuntu.Firefox.v57.0.1.zip 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2-1.log 20180926-Emby.Server.DEBUG.Windows.Firefox.v62.0.2.zip 20180926-Emby.Server.DEBUG.Windows.Edge.log UPDATE -- 20180927 -- Official Embyserver Docker Container results -- 20180927-Emby.Server.DEBUG-Ubuntu.Chrome.v69.0.3497.81-3-1.log UPDATE It appears I may have opened a duplicate post from someone else with a similar problem (though to be fair, when I searched I did not find it as their topic is very misleading) https://emby.media/community/index.php?/topic/63309-docker/?p=627055 Also at a glance at their log, their ffmpeg doesn't even start, whereas this is not my issue.
- 8 replies
-
- playback
- directplay
-
(and 5 more)
Tagged with:
-
(SSL Guide) LetsEncrypt, Docker, Openmediavault, Reverse Proxy, Subdomain
blackcoffee posted a topic in Linux
How to secure Emby using LetsEncrypt and Nginx Reverse Proxy by modifying Docker containers in Openmediavault. https://youtu.be/jYoDyoH2C0A- 5 replies
-
- sslopenmediavault
- omv
-
(and 7 more)
Tagged with:
-
Stuck Configuring Nginx Reverse Proxy with Cloudflare in front
MachineLearning posted a topic in General/Windows
Inspired by this article on how to host a website using cloudflare and nginx, i intend to do the same for my emby server. Like swynol, i have nginx server and emby server running on the very same machine which i station on my local home network. My OS however is ubuntu instead of windows. Ive tried both swynol's and lukecarrier's github codes, no avail, it wont redirect to the emby server no matter what. My nginx server was indeed running as both ports 80 and 443 are opened as tested by canyouseeme.org. It just wont redirect whenever i go to https://emby.mydomainname.com I dont even know where should i put the code, of the guides online, some say /etc/nginx/conf.d/mydomain.com, some say /etc/nginx/sites-available/mydomain.com with /etc/nginx/sites-enabled linked to earlier. I highly suspect that the code is the culprit. sudo nginx -t show no error, systemctl status nginx operational Shed some light anyone? Appreciate it. Update 16/12/2020 Here's my nginx code where I put under sites-available and then linked to sites-enabled via ln -s server { listen [::]:80; ## Listens on port 80 IPv6 listen 80; ## Listens on port 80 IPv4 listen [::]:443 ssl http2; ## Listens on port 443 IPv6 with http2 and ssl enabled listen 443 ssl http2; ## Listens on port 443 IPv4 with http2 and ssl enabled proxy_buffering off; ## Sends data as fast as it can not buffering large chunks. server_name emby.mydomainname.com; ## enter your service name and domain name here access_log /var/log/nginx/embyaccess.log; ## Creates a log file with this name and the log info above. ## SSL SETTINGS ## ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate /etc/ssl/mydomainname/cert.pem; ## Location of your public ssl_certificate_key /etc/ssl/mydomainname/key.pem; ## Location of your private PEM file. ssl_client_certificate /etc/ssl/mydomainname/cloudflare.crt; ##Authenticated Origin Pulls ssl_verify_client on; ##Authenticated Origin Pulls ssl_session_cache shared:SSL:10m; location ^~ /swagger { ## Disables access to swagger interface return 404; } location / { proxy_pass http://localhost:8096; ## Enter the IP here proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys. proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested. proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested. #proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server. proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line. proxy_set_header Host $host; ## Passes the requested domain name to the backend server. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server. ## ADDITIONAL SECURITY SETTINGS ## ## Optional settings to improve security ## ## add these after you have completed your testing and ssl setup ## ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ## ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ## add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header Strict-Transport-Security "max-age=15552000; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client. proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } } Big thanks to @pir8radio for the configuration, my configuration is based on his. Setting up authenticated origin pulls is optional, here's where I download the cert. https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls#section6- 13 replies
-
Ok this is going to be a long post. In this thread I will show you 2 different ways in which I setup a HTTPS connection to my emby server. Both ways require a certificate which again I will show you how i got mine using Lets Encrypt on Windows. I will break the posts up into Sections. Part.1 - Setting up a DDNS (Dynamic DNS host) Only require if you ISP IP is dynamic i.e. changes. Part.1.A - Setting Up DDNS using your own Domain Name Part.2 - Getting a Domain Name (Optional but looks fancier) Part.3 - Getting a SSL Cert from Lets Encrypt the easy way. Part 3a - Using LE.exe to get Certificates (recommended) Part.4 - Setting up HTTPS by changing default port to 443 Part.5 - Setting up HTTPS using reverse proxy
- 218 replies
-
- 12
-
Hello Emby community! So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day ). I have one question though, for which I couldnt seem to find precise info. I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily. The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan So far, so good, as I only access these services from my home lan, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall). But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed. Many thanks in advance!
-
I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80. I host a website under the www subdomain at the root path on port 80, so that's not an option. I'm fine with any of these solutions: Use a different port (http://www.mydomain.com:8096/) Use a different subdomain (http://emby.mydomain.com/) Use a different path (http://www.mydomain.com/emby/) My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on. I think I'd prefer solution #1 or #2, but I'm not picky. I'd also like to setup SSL, but I need to get this working before I can worry about encryption. That said, the SSL configuration for my website might be responsible for my current problem. All requests to port 80 are redirected to 443, which has SSL enabled. The server just directs everything on the /emby path to localhost:8096, which Emby binds to. I'm able to load the index page, but it fails to load the Javascript used to render any actual content. It looks like the server isn't able to serve the Javascript file over HTTPS. I have very limited experience with NGINX and Emby and I have no idea how to fix it. Here's my NGINX server configuration: server { listen 443 ssl default_server; listen [::]:443 ssl default_server; root /█████/website; server_name █████; ssl on; ssl_certificate /█████/cert.pem; ssl_certificate_key /█████/privkey.pem; ssl_stapling on; ssl_stapling_verify on; resolver 8.8.4.4 8.8.8.8; location /static { alias /█████/website/static; } location / { try_files $uri @wsgi; } location @wsgi { proxy_pass http://unix:/tmp/gunicorn.sock; include proxy_params; } location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ { access_log off; log_not_found off; expires max; } location /emby { proxy_pass http://127.0.0.1:8096; } } server { listen 80 default_server; listen [::]:80 default_server; server_name █████; return 301 https://$host$request_uri; }
- 9 replies
-
- nginx
- reverse proxy
-
(and 2 more)
Tagged with:
-
Hello I have my Emby server configured to use ssl by inputting the external domain name and secure connection mode set to handled by reverse proxy. I have nginx secured with ssl and I can successfully hit my emby server using the custom domain url, and certificate is successfully verified for https. But it seems my users that go through the app.emby.media site and log in using emby connect are still directed to an http site with a not secure connection warning. Is there a simple step I'm missing to get that to redirect to the proper https wan url configured in Emby?
-
Hello, I used Swynol's guide on setting up a reverse proxy in attempt to set up my own (Reference Post #5 - https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy/). In terms of NGINX config set up, I essentially copy and pasted his last post replacing his domains and sub-domains with my own. For the Emby server set up I have the public https port to 443, the external domain set, and the secure connection mode set to "Reverse Proxy". I have manually checked the server config xml and verified that "requirehttps" is false. I also have my 80 and 443 ports forwarded to the NGINX server on my router. The issue I'm getting is that when I try to access my server I get a "ERR_TOO_MANY_REDIRECTS" in chrome. I've exhausted my google-fu techniques and come to seek knowledge from others who may be more savvy with NGINX and reverse proxies.
- 17 replies
-
- reverse proxy
- NGINX
-
(and 2 more)
Tagged with:
-
Server knows that the device is eligible for direct play according to the logs but only gives transcode options anyway. server: custom build x86 hardware ubuntu 18.04 emby 3.4.1.0 athlon 5350 emby runs from behind a nginx proxy (if deemed necessary will post configurations) client: sony xperia z3 android 6.0.1 snapdragon 801 (hevc supported) same result for my samsung my s7 edge, transcode options are set to default. logs included but cut first post here thank you in advance Log server cut.txt log transcode cut.txt
- 8 replies
-
- ubuntu
- ubuntu 18.04
-
(and 4 more)
Tagged with:
-
Emby with nginx reverse proxy + lets encrypt and nextcloud docker
leon123456789 posted a topic in Linux
Hey Guys. I want to add Emby to my current setup with a nginx reverse proxy, lets encrypt and nextcloud. I already tried some things but it didnt worked so I hope you can help me. docker-compose.yml: version: '2' services: proxy: image: jwilder/nginx-proxy container_name: proxy ports: - 80:80 - 443:443 volumes: - ./proxy/conf.d:/etc/nginx/conf.d - ./uploadlimit.conf:/etc/nginx/conf.d/uploadlimit.conf:ro - ./proxy/vhost.d:/etc/nginx/vhost.d - ./proxy/html:/usr/share/nginx/html - ./proxy/certs:/etc/nginx/certs:ro - /var/run/docker.sock:/tmp/docker.sock:ro networks: - proxy-tier restart: always letsencrypt-companion: image: jrcs/letsencrypt-nginx-proxy-companion container_name: letsencrypt-companion volumes_from: - proxy volumes: - /var/run/docker.sock:/var/run/docker.sock:ro - ./proxy/certs:/etc/nginx/certs:rw restart: always web: image: nginx container_name: nextcloud_webserver volumes: - ./nginx.conf:/etc/nginx/nginx.conf:ro links: - app volumes_from: - app environment: - VIRTUAL_HOST=nextcloud.mydomain.de, alternative.domain.de - VIRTUAL_NETWORK=nginx-proxy - VIRTUAL_PORT=80 - LETSENCRYPT_HOST=nextcloud.mydomain.de, alternative.domain.de - LETSENCRYPT_EMAIL=my@email.de networks: restart: always app: image: nextcloud:fpm container_name: nextcloud_fpm links: - db volumes: - ./nextcloud/apps:/var/www/html/apps - ./nextcloud/config:/var/www/html/config - /mainstorage/nextcloud/data:/var/www/html/data networks: - proxy-tier restart: always db: image: mariadb container_name: db volumes: - /mainstorage/nextcloud/db:/var/lib/mysql environment: - MYSQL_ROOT_PASSWORD=securepw - MYSQL_DATABASE=nextcloud - MYSQL_USER=user - MYSQL_PASSWORD=anothersecurepw networks: - proxy-tier restart: always networks: proxy-tier: external: name: nginx-proxy nginx.conf: user www-data; events { worker_connections 768; } http { upstream backend { server app:9000; } include /etc/nginx/mime.types; default_type application/octet-stream; server { listen 80; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; root /var/www/html; client_max_body_size 10G; # 0=unlimited - set max upload size fastcgi_buffers 64 4K; gzip off; index index.php; error_page 403 /core/templates/403.php; error_page 404 /core/templates/404.php; rewrite ^/.well-known/carddav /remote.php/dav/ permanent; rewrite ^/.well-known/caldav /remote.php/dav/ permanent; location = /robots.txt { allow all; log_not_found off; access_log off; } location ~ ^/(build|tests|config|lib|3rdparty|templates|data)/ { deny all; } location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { deny all; } location / { rewrite ^/remote/(.*) /remote.php last; rewrite ^(/core/doc/[^\/]+/)$ $1/index.html; try_files $uri $uri/ =404; } location ~ \.php(?:$|/) { fastcgi_split_path_info ^(.+\.php)(/.+)$; include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $fastcgi_path_info; fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; #Avoid sending the security headers twice fastcgi_pass backend; fastcgi_intercept_errors on; } # Adding the cache control header for js and css files # Make sure it is BELOW the location ~ \.php(?:$|/) { block location ~* \.(?:css|js)$ { add_header Cache-Control "public, max-age=7200"; # Add headers to serve security related headers add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;"; add_header X-Content-Type-Options nosniff; add_header X-Frame-Options "SAMEORIGIN"; add_header X-XSS-Protection "1; mode=block"; add_header X-Robots-Tag none; add_header X-Download-Options noopen; add_header X-Permitted-Cross-Domain-Policies none; # Optional: Don't log access to assets access_log off; } # Optional: Don't log access to other assets location ~* \.(?:jpg|jpeg|gif|bmp|ico|png|swf)$ { access_log off; } } } I already tried something like adding emby: image: emby/embyserver container_name: emby volumes: - /mainstorage/emby/config:/config - /mainstorage/nextcloud/data/user1/files/:/mnt/share1 - /mainstorage/nextcloud/data/user2/files/:/mnt/share2 devices: - /dev/dri/renderD128 networks: - proxy-tier restart: always to the docker-compose file but it didnt work. My Goal is to be able to access emby from a different subdomain than my nextcloud. Like nextcloud access is under nextcloud.mydomain.de and emby is emby.mydomain.de. I hope someone can help me- 9 replies
-
- nginx
- lets encrypt
-
(and 4 more)
Tagged with:
-
Hey, I have emby installed using the docker and behind an nginx reverse proxy, I used the config from this post https://emby.media/community/index.php?/topic/47508-how-to-nginx-reverse-proxy. Shown below. worker_processes 4; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:443 ssl; listen 443 ssl; #listen 80; #listen [::]:80; server_name emby.mydomain.com; access_log /var/log/nginx/emby.mydomain.com-access.log; error_log /var/log/nginx/emby.mydomain.com-error.log; ssl_protocols TLSv1.2 TLSv1.1; ssl_certificate /etc/letsencrypt/live/emby.mydomain.com/cert.pem; ssl_certificate_key /etc/letsencrypt/live/emby.mydomain.com/privkey.pem; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://localhost:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } I am able to access emby through the reverse proxy and can browse media and manage server but whenever I try to play videos it just shows a black screen and the loading icon and eventually an error message will appear . I have tested this with Chrome, Firefox, Edge and Opera and they all give the same result (Firefox and Edge show the poster and loading icon). Everything works fine when connecting directly to emby (emby.mydomain.com:8904). Any help would be much appreciated.
-
There have been a few posts around the Forum recently regarding SSL, HTTPS and Security. I'm by no means an expert on reverse proxies but have had alot of dealings with them over the past few months and with the help of @@pir8radio and @@shorty1483 have a fairly well setup and secure system to access my services from outside of my LAN. This guide is to help people access their Emby Server and any other services behind a reverse proxy. This is based on NGINX but it also works for Apache and IIS. So firstly, what is and why do i need a reverse proxy? If you’re like me and have many services running on servers or PCs in your home, i.e. Emby, Plex, Sonarr, Radarr, Ombi, Organizer, CP, home automation, CCTV and anything else. Then you have to open multiple ports on your router to direct traffic to where it needs to go. With a Reverse Proxy you only have to open 1 or 2 ports. Normally all HTTP traffic is sent over port 80 and HTTPS traffic over port 443. In my case I want all traffic served over HTTPS and port 443 so I close all ports bar 443. Another reason to use a reverse proxy is that you can use your own domain certs easily and fine tune your security settings. If you want to test your Domain security go here - https://securityheaders.io/ Chances are your rating will be an F. with reverse proxy you can easily attain a B+/A Grade. You can also setup a web faced server running NGINX and then have additional servers behind that hidden on your LAN, however if your like me I have NGINX running on the same machine as emby. I only access Emby remotely do i still need a reverse proxy? Difficult to answer. No you dont need a reverse proxy to access Emby, but if you do then you can fine tune the security. This guide assumes you have a Domain name, your own Certs to go with your domain name and either have your domain name pointed to a static PC (your home WAN IP) or have Dynamic DNS setup. Have I convinced you yet? I run Windows OS at home so this guide follows a Windows setup but the config will be the same across all OS. 1. Download the latest version of NGINX from here - http://nginx-win.ecsds.eu/ as of writing this guide its version 1.13.0.1 Violet. 2. Extract the ZIP file somewhere easy to find. C:\NGINX. a. To make future updating easier when you extract the ZIP the file is called nginx 1.13.0.1 Violet. Rename it to just NGINX. 3. Before we get started on the config of NGINX lets install it as a service. a. Download NSSM b. Extract the ZIP c. Copy correct x86 or x64 nssm.exe to C:\Windows\System32 d. Open a CMD, type ‘nssm install nginx’ e. Fill in the Application Path – C:\NGINX\nginx.exe Startup directory – C:\NGINX Service name – NGINX. Install Service Don’t Start the service yet, we need to configure NGINX. To create a config I use notepad++. I will go through each setting first before supplying a copy of my current config. This is how the config starts. worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; gzip on; gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; tcp_nodelay on; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## } This part is fairly standard. anything starting with # is disabled or just a comment. The config is broken down into blocks. the first block here is the HTTP block. The HTTP block contains all the headers required to do the work of the reverse proxy for example when someone browses to emby.mydomain.com it matches a header in NGINX and it knows where to forward the data. The only change in the section above over a default config is the addition of server_tokens off; this is the first of our security tweaks. This removes the version of NGINX from being visible outside your network and less chances of attackers being able to exploit version weaknesses. ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } This next block is called a server block and it nested inside the HTTP block. This block is optional, it is only used to redirect any users from HTTP to HTTPS if you want to force users on HTTPS only. listen 80 and listen [::] 80 are default ports for HTTP traffic for IPv4 and IPv6. return 301 https://$host$request_uri; is what rewrites the request from HTTP to HTTPS. Again only needed if you are forcing everyone to use HTTPS only. ##EMBY Server## server { listen 80; listen [::] 80; listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } The next server block is where the magic happens. First the listen 80; and listen [::] 80; are only needed if you want to allow users to access your emby server on port 80. otherwise delete these 2 lines to force all users to HTTPS access. Listen 443 ssl; and listen [::] 443 ssl; are the default HTTPS ports again for IPv4 and IPv6. server_name emby.mydomain.com will be your subdomain and how you access emby from outside your network. Now lets look at the SSL certificates, for my setup I created a .pem file. this file contains both my cert, intermediate and CA root cert in one file. This link gives you an idea how to do it - https://www.digicert.com/ssl-support/pem-ssl-creation.htm you should now have your cert.pem and a private.key file. for simplicity copy these files to C:\NGINX\conf\SSL (you have to create the SSL folder) This tells NGINX where to find the certs. ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; For now I am going to skip over the #add_header Public-Key-Pins - as you can see i have it disabled by using # in front of it. I will explain why later on. The next section adds further security tweaks, you will need to change the content-security-policy domain names to your own. you need to list all your subdomains i.e. sonarr.mydomain.com radarr.mydomain.com emby.my....... you get the idea. add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; The next part is called the location block. This is what tells your domain name emby.mydomain.com where the data should go. In this case it forwards everything to proxy_pass http://192.168.10.10:8096 you can also forward to proxy_pass http://127.0.0.1:8096 if it runs on the same box as NGINX. the rest of the location block is default stuff to help the data get to where it is needed. Your Config should now look like the one below. we need to save it to C:\NGINX\conf and name it nginx.conf worker_processes 2; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_tokens off; sendfile off; server_names_hash_bucket_size 128; map_hash_bucket_size 64; ## Start: Timeouts ## client_body_timeout 10; client_header_timeout 10; keepalive_timeout 30; send_timeout 10; keepalive_requests 10; ## End: Timeouts ## ## Default Listening ## server { listen 80 default_server; listen [::]:80 default_server; server_name _; return 301 https://$host$request_uri; } ##EMBY Server## server { listen [::]:443 ssl; listen 443 ssl; server_name emby.mydomain.com; ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate SSL/cert.pem; ssl_certificate_key SSL/private.key; ssl_session_cache shared:SSL:10m; #add_header Public-Key-Pins ' #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE="; #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg="; #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys="; #max-age=86400; includeSubDomains'; add_header X-Xss-Protection "1; mode=block" always; add_header X-Content-Type-Options "nosniff" always; add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always; add_header X-Frame-Options "SAMEORIGIN" always; proxy_hide_header X-Powered-By; add_header 'Referrer-Policy' 'no-referrer'; add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;"; location / { proxy_pass http://192.168.10.10:8096; proxy_set_header Range $http_range; proxy_set_header If-Range $http_if_range; proxy_set_header X-Real-IP $remote_addr; proxy_set_header Host $host; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; #Next three lines allow websockets proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection "upgrade"; } } } And thats it, you can now start your NGINX services by running services.msc and starting NGINX.
- 4 replies
-
- 10
-
- NGINX
- reverse proxy
- (and 5 more)
-
I am experiencing the problem precisely as described in this topic, except only in Chrome and only when requesting the actual stream file (https://myserver/emby/videos/id/stream.webm?morestuf). All other pages (logging in, navigating, cover art, ...) work fine in all browsers. I am running Emby 3.0.5821 and use Nginx as the reverse proxy. Firefox and Microsoft Edge work fine but Chrome does not. Using the exact same setup, Firefox sends the Authorization header on all pages while Chrome does not send the Authentication header on its request to the stream file (https://myserver/emby/videos/id/stream.mkv?morestuf). One difference that I can see is that Chrome is asking for a stream.mkv file, while Firefox is asking for a stream.webm file. The result is that instead of my video, I get a popup that sais "Video Error There was an error playing the video.". The popup appears to be a recent addition to Emby, because I updated Emby before making this topic and before the update the popup was not there . Screenshots of the requests made by Firefox and Chrome are attached.