Emby Nginx Reverse Proxy Forbidden

[mshaik 2]

Hi I have a Emby Media Server running on Docker Container and Nginx reverse proxy on a Docker Container, Everything works well in my local network. But When I add the local Ip in nginx proxy server for forwarding my domain request to embyserver it gives a forbidden. In my Emby I disabled all remote connections as the remote connection is enable for nginx proxy and it connects to Emby. It only works If I enable Remote Connections. I saw a solution in previous post that network_mode host will resolve it but in my case even it's not working. Can you please help me with it?

 

Here's the Emby Log:

 

2021-10-22 11:24:45.812 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 7ms. http://192.168.0              :8096/emby/Items/566/Images/Primary?maxHeight=235&maxWidth=418&tag=7571a8f0436153179f11f6dffd00539f&quality=90

2021-10-22 11:24:45.815 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 6ms. http://192.168.0              :8096/emby/Items/567/Images/Primary?maxHeight=235&maxWidth=418&tag=f86a7a1c8ec644d7956985d1a105304f&quality=90

2021-10-22 11:24:45.815 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 7ms. http://192.168.0              :8096/emby/Items/545/Images/Primary?maxHeight=235&maxWidth=418&tag=c10d588ffe01708b652c76f9e17c34b8&quality=90

2021-10-22 11:24:45.815 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 7ms. http://192.168.0              :8096/emby/Items/575/Images/Primary?maxHeight=235&maxWidth=418&tag=b847e5c8757390c6b7102c00c98c2f16&quality=90

2021-10-22 11:25:36.892 Info Server: http/1.1 GET http://192.168.0              :8096/emby/Users/c658af2f8c644387bcca55c4b50618e3?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.902 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 10ms. http://192.168.0              :8096/emby/Users/c658af2f8c644387bcca55c4b50618e3?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0

2021-10-22 11:25:36.930 Info Server: http/1.1 GET http://192.168.0              :8096/emby/ScheduledTasks?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.931 Info Server: http/1.1 GET http://192.168.0              :8096/emby/Sessions?ActiveWithinSeconds=300&IncludeAllSessionsIfAdmin=true&X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.938 Info Server: http/1.1 GET http://192.168.0              :8096/emby/System/Info?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.942 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 12ms. http://192.168.0              :8096/emby/Sessions?ActiveWithinSeconds=300&IncludeAllSessionsIfAdmin=true&X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0

2021-10-22 11:25:36.943 Info Server: http/1.1 GET http://192.168.0              :8096/emby/News/Product?StartIndex=0&Limit=4&X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.944 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 6ms. http://192.168.0              :8096/emby/System/Info?X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0

2021-10-22 11:25:36.946 Info Server: http/1.1 GET http://192.168.0              :8096/emby/LiveTv/Recordings?UserId=c658af2f8c644387bcca55c4b50618e3&IsInProgress=true&Fields=CanDelete,PrimaryImageAspectRatio&EnableTotalRecordCount=false&EnableImageTypes=Primary,Thumb,Backdrop&X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:25:36.953 Info Server: http/1.1 Response 200 to 192.168.0.27. Time: 8ms. http://192.168.0              :8096/emby/LiveTv/Recordings?UserId=c658af2f8c644387bcca55c4b50618e3&IsInProgress=true&Fields=CanDelete,PrimaryImageAspectRatio&EnableTotalRecordCount=false&EnableImageTypes=Primary,Thumb,Backdrop&X-Emby-Client=Emby Web&X-Emby-Device-Name=Chrome&X-Emby-Device-Id=c392c892-3f98-4260-83ea-9e605c4fbd91&X-Emby-Client-Version=4.6.4.0

2021-10-22 11:26:13.214 Info Server: http/1.1 Response 403 to 1              .34. Time: 1ms. http://                 .duckdns.org/

2021-10-22 11:26:13.364 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:13.365 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:26:15.233 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.233 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:26:15.341 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.341 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:26:15.492 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.493 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:26:15.601 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.602 Info Server: http/1.1 Response 403 to 1              .34. Time: 1ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:26:15.759 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.760 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:26:15.869 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:26:15.870 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:27:36.069 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:27:36.069 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:27:36.197 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:27:36.198 Info Server: http/1.1 Response 403 to 1              .34. Time: 1ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:29:09.744 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:09.744 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:29:09.890 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:09.890 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:29:11.844 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:11.845 Info Server: http/1.1 Response 403 to 1              .34. Time: 1ms. http://                 .duckdns.org/

2021-10-22 11:29:11.947 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:11.947 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:29:12.086 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:12.086 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/

2021-10-22 11:29:12.191 Info Server: http/1.1 GET http://                 .duckdns.org/favicon.ico. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:12.191 Info Server: http/1.1 Response 403 to 1              .34. Time: 0ms. http://                 .duckdns.org/favicon.ico

2021-10-22 11:29:12.340 Info Server: http/1.1 GET http://                 .duckdns.org/. UserAgent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/95.0.4638.54 Safari/537.36

2021-10-22 11:29:12.949 Info Server: http/1.1 Response 403. Time: 0ms. http://                 .duckdns.org/favicon.ico

[Luke 37008]

Hi there, I would suggest comparing your nginx configuration to that of @pir8radio. Please let us know if this helps. Thanks.

[CassTG 98]

IS the proxy passing it through as a `SSL connection i.e do you have domains and certs? or are you going insecure?

If Secure

I dont use NGINX proxy manager myself as i use Linuxserver.io Swag proxy as it does proxy nginx and fail2ban with letsencrypt/zerossl

Anyways not being familiar i will just describe how its setup in Swag as no doubt the process will be the similar

Upstream port in emby proxy conf is set to 8096 and container set to emby

Emby settings for secure connectioon as follows:

• Leave public ports as is
• Set Public https port to 443
• add External Domain that you are using i.e emby.yourdomain.com
• Allow remote connections ticked
• Secure connection mode - set to Handles by Reverse Proxy

If unsecure, i cannot help as not really tested it that way

 

Do you have a copy of the proxy conf you are using so we can see if there is obvious issues or not (obs replace sensitive info like ips and domain names)

 

[mshaik 2]

Hi @CassTG Thanks for the quick response. Yes it's a secure ssl with Let's Encrypt provided by the Nginx Proxy Manager. If I allow remote connection It's working as expected but my question is why do we need remote connections allowed here. Our Emby server sits in local and is connected by Nginx Proxy, the Remote connection is already enable for Nginx, the proxy connects to emby locally right?

 

Hi @Luke, I don't find any config of @pir8radio, can you please point exactly where can I find it?

[Luke 37008]

2 hours ago, mshaik said:

Hi @CassTG Thanks for the quick response. Yes it's a secure ssl with Let's Encrypt provided by the Nginx Proxy Manager. If I allow remote connection It's working as expected but my question is why do we need remote connections allowed here. Our Emby server sits in local and is connected by Nginx Proxy, the Remote connection is already enable for Nginx, the proxy connects to emby locally right?

 

Hi @Luke, I don't find any config of @pir8radio, can you please point exactly where can I find it?

 

[mshaik 2]

Thanks @Luke will check it.

[Lenders57 15]

Hi,

I host my own emby server to my home on debian 10, nginx and emby (i don't use docker). I have my domain, and I don't have the "remote connection" enable to the settings from the app.

I have a let's encrypt ssl certificate to. Is it possible to see your nginx conf ? Ithink your proxy pass is not correct, that's why you've got a 403

[Luke 37008]

Let us know how you get on. Thanks.

[mshaik 2]

Hi @Lenders57, thanks for you response. It's Nginx Proxy Manager I am using. 

Here's the Proxy Pass Conf:

server {
  set $forward_scheme http;
  set $server         "192.xx.0.xx";
  set $port           8096;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name  xxxxxxxxx.duckdns.org;

  # Let's Encrypt SSL
  include xxxxxxx/letsencrypt-acme-challenge.conf;
  include xxxxxxxxxxxxx/ssl-ciphers.conf;
  ssl_certificate xxxxxxxxxxx/fullchain.pem;
  ssl_certificate_key xxxxxxxxxxx/privkey.pem;

[pir8radio 1292]

On 10/22/2021 at 1:00 PM, mshaik said:

Hi @CassTG Thanks for the quick response. Yes it's a secure ssl with Let's Encrypt provided by the Nginx Proxy Manager. If I allow remote connection It's working as expected but my question is why do we need remote connections allowed here. Our Emby server sits in local and is connected by Nginx Proxy, the Remote connection is already enable for Nginx, the proxy connects to emby locally right?

 

Hi @Luke, I don't find any config of @pir8radio, can you please point exactly where can I find it?

you have to enable remote connections because if the reverse proxy is setup correctly the server and the users shouldn't know its there.    the proxy passes the remote addresses to the backend server..  you CAN force it to strip those if you want, but then emby server has no clue who is doing what, its logs and all of that good stuff will show one ip.

[pir8radio 1292]

@mshaik if you need to know how to make it look like its local let us know..

[mshaik 2]

Thank you so much @pir8radio for the explanation. So when using reverse proxy it will sure send the incoming IP address to the emby server and doesn't use the Local IP. 

Also Can you please let me know how to force it to strip to local IP of NGINX to pass to emby instead of the incoming IP as I have Fail2Ban set for my nginx , I can track all incoming IP's there. Also Can you please let me know how secure it is if I have NGINX reverse proxy with SSL domain using let's encrypt with remote connection on for Emby vs off for Emby, also I have fail2ban set for my Nginx proxy manager

Edited October 24, 2021 by mshaik

[pir8radio 1292]

Just now, mshaik said:

Thank you so much @pir8radio for the explanation. So when using reverse proxy it will sure send the incoming IP address to the emby server and doesn't use the Local IP. 

Also Can you please let me know how to force it to strip to local IP of NGINX to pass to emby instead of the incoming IP as I have Fail2Ban set for my nginx , I can track all incoming IP's there.

yes just be careful..   emby server treats local connections differently..  with transcoding, and security..  but if you want to stop the remote address you can.

	    proxy_set_header X-Real-IP "";  ## Passes the real client IP to the backend server.
        proxy_set_header X-Forwarded-For "";  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

will strip those headers, or you can change " " to a local ip...  or 127.0.0.1      " " should strip them out though.

[mshaik 2]

@pir8radio

Where should I make these changes, can you please let me know?

 

Also Can you also let me know how secure it is with removing the IP address from the incoming requests of Emby  as I have NPM monitoring them?

[Lenders57 15]

9 hours ago, mshaik said:

Hi @Lenders57, thanks for you response. It's Nginx Proxy Manager I am using. 

Here's the Proxy Pass Conf:

server {
  set $forward_scheme http;
  set $server         "192.xx.0.xx";
  set $port           8096;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name  xxxxxxxxx.duckdns.org;

  # Let's Encrypt SSL
  include xxxxxxx/letsencrypt-acme-challenge.conf;
  include xxxxxxxxxxxxx/ssl-ciphers.conf;
  ssl_certificate xxxxxxxxxxx/fullchain.pem;
  ssl_certificate_key xxxxxxxxxxx/privkey.pem;

Ahh ok, i don't know NPM with nginx stock, you add a proxy_pass and you don't need to enable remote connections

[mshaik 2]

@Lenders57 can you please share your proxy pass, are you having the xforwaded commands in the proxy pass as mentioned by @pir8radio.

[Lenders57 15]

44 minutes ago, mshaik said:

@Lenders57 can you please share your proxy pass, are you having the xforwaded commands in the proxy pass as mentioned by @pir8radio.

Sure I have it

server {
        listen 80;

        server_name my_tld.fr;

        location ~ /.well-known {
                root /home/sites/my_tld.fr;
        }

        return 301 https://my_tld.fr$request_uri;
}

server {
    listen 443 ssl http2;

    server_name my_tld.fr;

    error_log /var/log/nginx/my_tld.fr_error.log error;
    access_log /var/log/nginx/my_tld.fr_access.log combined;
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /link/to/certificate/my_tld.fr/fullchain.pem;
    ssl_certificate_key /link/to/certificate/my_tld.fr/privkey.pem;
    ssl_session_cache shared:SSL:10m;

    add_header Content-Security-Policy "frame-ancestors my_tld.fr;";

    location /.well-known {
        alias /home/sites/my_tld.fr/.well-known;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

[mshaik 2]

@Lenders57 Thank you so much.

 

@pir8radio The Conf I have is not named as proxy_pass.conf but it's 6.conf. Also I don't see any Proxy_pass included it shows as follow:

 

# ------------------------------------------------------------
# mydomain
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "xxx.xx.xx.xxx"; #My IP
  set $port           8096;

  listen 80;
listen [::]:80;

listen 443 ssl http2;
listen [::]:443 ssl http2;

  server_name myservername;

  # Let's Encrypt SSL
  include myssl.conf;
  include mysslciphers.conf;
  ssl_certificate mysslfull.pem;
  ssl_certificate_key mysslprivate.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

    # Force SSL
    include conf.d/include/force-ssl.conf;

  access_log  _access.log proxy;
  error_log _error.log warn;

  location / {

   # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

 

I am unable to find conf.d folder anywhere in docker or the mount I have set. Can I use the conf which @Lenders57 added and add my own proxy pass, will it work?

[Lenders57 15]

@mshaik https://nginxproxymanager.com/advanced-config/#custom-nginx-configurations

You find anything on this link ? You can add custom conf, I think you vae to add proxy pass

[mshaik 2]

@Lenders57 Thank you so much, Can I set Proxy_Pass.conf in the custom folder, I don't see the naming anywhere mentioned in the custom one or Can I use the same conf file I have and replace content with my custom one.

[pir8radio 1292]

Sorry i'm not much help here. I don't use a proxy manager.. they tend to overwrite and write things in the configs that they think is needed or not needed.   They also spread the configs out all over the place and use include in the configs chaining them together, it gets messy and easy to mess up with a proxy manager. 

[CassTG 98]

To be fair i agree in apart, i watched a tutorial on NPM and thought that looks nice, good UI, and then as the video went on all i could see was hell thats a lot of faffing around. However i Use Swag Proxy server from Linuxserver.io and sure its command line only, but they do all the hard work you hardly have to touch it after the dockers deployed, and they have pre written tested configs for tonnes of services, you just go in and change the subdomain part and thats it. Never taken longer than 2 minutes to add a new service and always works a treat

[mshaik 2]

@CassTG Can you please provide Swag Proxy server Docker compose , I will try and see because the fail2ban bans the ip inside the docker but for somehow allows the IP, so just wanted to test other Proxy Options, Also does it have free ssl let's Encrypt?

[CassTG 98]

Hi

 

First take a look at a post on Fail2Ban guide i did Friday for someone else, especially the section at the bottom if you are using UFW on host machine

F2B Guide

And then here is my Swag Docker setup (i use command line but you can work out whats what)

Swag Proxy

Yes Swag uses one of two providers LetsEncrypt or ZEROSSL

You will see in my example i use ZeroSSL, which i advise you to use instead of LE. Reason being due to the expiration of LE Intermediate cert a lot of devices fail 2 work such as LG and Samsung TV's which aren't getting updates.

ZeroSSL is free and all you do is register an account (you manage certs online) and enter the email address you used into the Docker setup variable.

Requests made from the Swag Docker via Zerossl Acme are unlimited, so ignore the zerossl premium features as they are not relevant here, you can do as many subdomains via acme as you wish.

However if you wish to see the LE setup you can see LinuxServer.io Docker Compose here

Linuxserver Swag

Section 8 of the swag guide shows you what you need to do to setup your proxy files, its dead simple and takes a few seconds in Nano editor. But as Summary

• So make sure you have all your domain/subdomains ready for docker compose
• Start container up, if you have done it right it will get the zero ssl cert
• Enter Swag Container shell
• Make the changes to the proxy's you need
• Reboot swag and win win

The beauty with Swag is in each proxy template if there are special steps you need to do, it lists them at the top for you, Emby proxy.conf is an example as within the config file it explains how to setup Emby Network settings.

Anyways any issues feel free to dm me

[mshaik 2]

Thank you so much @CassTG, will try it for sure.