dhenzler, posted December 1, 2021 (edited):

I'm back at this... a year later, and it still confounds me how to get this working. My first Emby system was on VMware running under Linux Mint. Worked fine, but couldn't put it on the Internet for extended use as it was unprotected. Now using emby on a BSD 12.2 jail running on TrueNAS-12.0-U6.1. I like this because of the extra features like "Mount Points" which greatly reduces the stress of adding content.

The Secure Socket Layer SSL or HTTPS as some prefer to call it is the bottleneck here. Emby claims that its server will create a self signed certificate if a domain name & certificate is NOT provided... Well some searching shows that to be a lie. I've configured my firewall to work with either 8096 or 8920. 8920 should be an HTTPS port. It isn't ! I choose blacklist

Has anyone done this...?

https://support.emby.media/support/solutions/articles/44001159601-network-hosting-settings <== This is BS

The local and public https ports can be configured in much the same way as regular http: In addition you can also supply your own custom SSL certificate. This is highly recommended for https usage. If omitted, the server will create a self-signed certificate.

??? Not here !

Dave

Edited December 1, 2021 by dhenzler: added info

Luke, posted December 1, 2021:

Hi, sorry that help text is outdated. @cayars

The server no longer creates a self-signed certificate because most devices will just end up rejecting it anyway. You'll need to provide an SSL certificate.

dhenzler, posted December 1, 2021 (edited):

Been looking into how Emby-server works... looks like a Windoz thing, which for me greatly complicates things. I'd like to use a self signed certificate. Looking around for the way to make a p12 is a task in and of itself. Any recommendations? Configuration tips...

I'm assuming that blacklist is likely my best way to proceed. Is this just the path... no filenames?

Corrections to the screens should be made so that the confusion factor is removed. As well a simple link to a location on making the requisite files with openssl would be greatly appreciated.

D

Edited December 1, 2021 by dhenzler: duplicate entry

Carlo, posted December 1, 2021:

Trust us, you don't want a self signed cert if using anything other than a browser as you can't easily add it. Do you have a domain? If not get a cheap or free one and then you can get a legit cert as well.

That would be the full path including the cert name.

You can use this web page that works really well for converting to pkcs#12 format.
https://www.sslshopper.com/ssl-converter.html

dhenzler, posted December 1, 2021:

I went to this ==> https://blog.pavelsklenar.com/how-to-create-pkcs-12-for-your-application/

Looked like a good possibility. Self Signed would be fine as I'm only using it to keep prying eyes out when using the system, no man in the middle stuff... I'm not big into getting hooked up with OTHERS as they come and go.

Thanks for the tips.. will continue to spend time until it works.

Dave

dhenzler, posted December 1, 2021:

Emby Knowledge Base: https://support.emby.media/support/home - Let me know if something isn't clear, missing or needs adding.

That is a waste of time... been there... much of what I've posted as worthless came from there...

dhenzler, posted December 1, 2021:

I restarted Emby after putting the p12 file in place... and as always... nothing worked.

https://my_address:8920 fails to do anything.

dhenzler, posted December 1, 2021:

Wonder if this is a problem ?

dhenzler, posted December 1, 2021:

13 minutes ago, dhenzler said:

Using the magnifier glass thing... the certificate path seemed to be satisfied. I'm not totally sure the .p12 file contains the requisite stuff, but it should be ok. I'm going to give it up for today... tired of no progress.

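The posts above ask how to make a self-signed .p12 with openssl and how to tell whether it "contains the requisite stuff". The shell functions below are an added example, not part of the thread and not Emby's or any poster's script; the file names, the "emby" friendly name and the P12_PASS environment variable are assumptions. They create the certificate with a subjectAltName, bundle it as PKCS#12, and check that the bundle holds a private key matching the certificate.

```shell
#!/bin/sh
# Added example. Assumed names: key.pem, cert.pem, emby.p12, $P12_PASS.
# Export P12_PASS first; openssl reads it via "env:" so the password never
# shows up in the process list.

# make_selfsigned_p12 DIR NAME  (NAME: DNS name or IPv4 address)
make_selfsigned_p12() (
    dir=$1 name=$2
    case $name in
        *[!0-9.]*) san="DNS:$name" ;;  # contains a non-digit: host name
        *)         san="IP:$name" ;;   # digits and dots only: IPv4 literal
    esac
    umask 077                          # key files readable by owner only
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$name" -addext "subjectAltName=$san" \
        -keyout "$dir/key.pem" -out "$dir/cert.pem" 2>/dev/null &&
    openssl pkcs12 -export -name emby \
        -inkey "$dir/key.pem" -in "$dir/cert.pem" \
        -out "$dir/emby.p12" -passout env:P12_PASS
)

# p12_cert FILE: print the end-entity certificate stored in FILE (PEM).
p12_cert() {
    openssl pkcs12 -in "$1" -passin env:P12_PASS -nokeys -clcerts 2>/dev/null
}

# p12_pubkey_match FILE: succeed only if FILE opens with $P12_PASS and its
# private key and certificate carry the same public key.
p12_pubkey_match() {
    cert_pub=$(p12_cert "$1" | openssl x509 -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkcs12 -in "$1" -passin env:P12_PASS -nocerts -nodes \
                  2>/dev/null | openssl pkey -pubout 2>/dev/null) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# p12_san FILE: print the certificate's subjectAltName line.
p12_san() {
    p12_cert "$1" | openssl x509 -noout -text |
        grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}
```

When the server is reached by address rather than by name, pass the IPv4 address as NAME: the certificate then carries an IP subjectAltName entry, which is what TLS clients compare against for address-based URLs.
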
metsuke, posted December 2, 2021:

I'm not sure what Emby expects for a cert, but you have a few other options as well.

You can use a reverse proxy (nginx) and just put the cert in there, then point nginx to emby. I use this technique.

Or, you can use a service like cloudflare to be your SSL and proxy to your emby server. Then you don't have to modify Emby at all or do anything with certs. You would probably want to firewall off anything other than cloudflare IPs if you go this route, but it works well.

In the end, the aforementioned advice is still the best option, which is to get a domain for cheap, which enables you to get a legitimate SSL certificate for free.

dhenzler, posted December 2, 2021:

Thank you for the ideas. I try to steer clear of services that cost money or that are provided by others. They seem to come and go. As well as change... requiring me to change as well.

I don't know how to configure reverse proxy. And I have ZERO knowledge of Emby's server system. Seems to be a Windows IIS server of some sort. I see lots of dll's

My comfort zone is Linux & Unix. My system is built in a BSD 12.2 jail on TrueNAS-12.0-U6.1

I'd need some hand holding to get through a configuration to use Nginx reverse proxy... are you willing to provide some assist ?

Obviously the Emby server runs on port 80. How to get openssl to configure with it is a question I've had.

I like to use self-signed certs because I build and destroy stuff on whim. Know how that works with FAMP server

Thanks again for the suggestions... Any GitHub scripts that will do what I need?

Dave

dhenzler, posted December 2, 2021 (edited):

will this work ?

    server {
        listen 80;
        server_name media.yourdomain.com media.int.yourdomain.com;
        root /var/www/html;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name media.yourdomain.com media.int.yourdomain.com;
        if ($host !~ ^media(\.int)?\.yourdomain\.com$) {
            return 444;
        }
        root /var/www/html/emby;
        ssl_certificate /etc/letsencrypt/live/media.yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/media.yourdomain.com/privkey.pem;
        error_page 502 @502;
        error_page 503 @503;

        location = / {
            return 301 https://$server_name/web/index.html;
        }
        location / {
            try_files $uri $uri/ @backend;
        }
        location @backend {
            proxy_pass http://127.0.0.1:5200;
            # Allow WebSocket connections via HTTP 101 (Switching Protocols)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
        }
        location @502 {
            try_files /unavailable.html =502;
        }
        location @503 {
            try_files /unavailable.html =503;
        }
    }

Edited December 2, 2021 by dhenzler: add question

dhenzler, posted December 2, 2021:

Is there a particular Nginx download I should use?

I can use sub-domains of existing registered domains yes?

I wish to use openssl to create my self signed certificate & key

If I don't want to use a sub-domain, can I use the public IP for my Internet and port number?

metsuke, posted December 2, 2021 (edited):

16 minutes ago, dhenzler said:

Is there a particular Nginx download I should use?
I use vanilla FreeBSD (not TrueNAS) so I don't know if the pkg system is the same, but I just use nginx from the latest pkg repository.

I can use sub-domains of existing registered domains yes?
You can use any part of a domain that you own, only.

I wish to use openssl to create my self signed certificate & key
That's fine.

If I don't want to use a sub-domain, can I use the public IP for my Internet and port number?
You can either use the domain or sub-domain that you own and paid for, or your public IP. The port would be added to either.

Here is an abbreviated version of my nginx reverse proxy in a jail. You may not need all those config options, but I use them and more with success.

    user www;
    worker_processes 2;

    http {
        add_header Strict-Transport-Security "max-age=15552000; includeSubdomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Download-Options noopen;
        add_header X-Frame-Options "SAMEORIGIN";
        add_header X-Permitted-Cross-Domain-Policies none;
        add_header X-Robots-Tag none;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Referrer-Policy 'no-referrer';
        client_body_buffer_size 128k;
        client_header_buffer_size 1m;
        client_max_body_size 0;
        default_type application/octet-stream;
        fastcgi_buffers 512 16k;
        fastcgi_max_temp_file_size 0;
        gzip on;
        gzip_min_length 1100;
        gzip_buffers 4 32k;
        gzip_types text/plain application/x-javascript text/xml text/css;
        include mime.types;
        keepalive_timeout 3600;
        large_client_header_buffers 4 64k;
        proxy_hide_header X-Powered-By;
        proxy_set_header Host $host;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header Range $http_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_ssl_session_reuse on;
        real_ip_header X-Forwarded-For;
        real_ip_recursive on;
        sendfile on;
        server_names_hash_bucket_size 64;
        set_real_ip_from 127.0.0.1;
        set_real_ip_from <THE IP OF YOUR REVERSE PROXY JAIL GOES HERE>;
        ssl_certificate /<PATH TO YOUR CERT>/fullchain.pem;
        ssl_certificate_key /<PATH TO YOUR CERT>/privkey.pem;
        ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
        ssl_prefer_server_ciphers on;
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_session_cache shared:SSL:10m;
        ssl_session_timeout 60m;
        tcp_nodelay on;
        tcp_nopush on;

        server {
            listen 443 ssl;
            add_header Referrer-Policy 'no-referrer';
            add_header X-Frame-Options "SAMEORIGIN" always;
            server_name <SOME RESOLVABLE DOMAIN NAME>;

            location / {
                proxy_pass https://<IP TO YOUR EMBY JAIL>:8920;
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }

Edited December 2, 2021 by metsuke

metsuke, posted December 2, 2021:

Also keep in mind that if you don't have internally resolvable DNS and thus cannot provide nginx with a server_name then you can just set it as default according to this post:

https://stackoverflow.com/questions/69701574/nginx-reverse-proxy-without-defining-server-name

dhenzler, posted December 2, 2021 (edited):

I have several registered domains. I use sub-domains off these for playing with these toys... confused by some of the identities.

The example used media.blablabla.. & media.int.blablabla is media important?

I see some $server_name$request_uri I assume those are memory variables

I assume that the proxy_pass http://127.0.0.1:5200 stays...

Edited December 2, 2021 by dhenzler

metsuke, posted December 2, 2021:

If you have domains then that should work fine. "media" is the sub-domain that whoever you got that from is using.

The port will be whatever the port is configured in the Network section of Emby. In my case, it is 8920.

My "server" stanza is very stripped down and works fine, but whatever works.

dhenzler, posted December 2, 2021:

I guess I'm on my way then... I have control of my DNS through my ISP service and things are pretty much configurable in an instant.

Thanks for the assist ! ;o)

D

dhenzler, posted December 2, 2021:

I'm assuming the script I showed you is to be placed in /usr/local/etc/nginx/nginx.conf

Luke, posted December 2, 2021:

12 hours ago, dhenzler said:

will this work ?

    server {
        listen 80;
        server_name media.yourdomain.com media.int.yourdomain.com;
        root /var/www/html;
        return 301 https://$server_name$request_uri;
    }

    server {
        listen 443 ssl;
        server_name media.yourdomain.com media.int.yourdomain.com;
        if ($host !~ ^media(\.int)?\.yourdomain\.com$) {
            return 444;
        }
        root /var/www/html/emby;
        ssl_certificate /etc/letsencrypt/live/media.yourdomain.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/media.yourdomain.com/privkey.pem;
        error_page 502 @502;
        error_page 503 @503;

        location = / {
            return 301 https://$server_name/web/index.html;
        }
        location / {
            try_files $uri $uri/ @backend;
        }
        location @backend {
            proxy_pass http://127.0.0.1:5200;
            # Allow WebSocket connections via HTTP 101 (Switching Protocols)
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header X-Forwarded-Host $host;
            proxy_set_header X-Forwarded-Server $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_redirect off;
        }
        location @502 {
            try_files /unavailable.html =502;
        }
        location @503 {
            try_files /unavailable.html =503;
        }
    }

Hi there, I would suggest comparing your nginx configuration to that of @pir8radio. Many people here use his settings. Please let us know if this helps. Thanks.

dhenzler, posted December 2, 2021 (edited):

2 hours ago, Luke said:

Hi there, I would suggest comparing your nginx configuration to that of @pir8radio. Many people here use his settings. Please let us know if this helps. Thanks.

The script I showed you for nginx doesn't work for BSD. File locations are all wrong. And access to emby is wrong. I'll look at @pir8radio again. But my first glance didn't take me anywhere near the required info.

Edited December 2, 2021 by dhenzler: changes

dhenzler, posted December 2, 2021:

3 hours ago, dhenzler said:

The script I showed you for nginx doesn't work for BSD. File locations are all wrong. And access to emby is wrong. I'll look at @pir8radio again. But my first glance didn't take me anywhere near the required info.

Problem with this is it's Windows centric... I stopped supporting Bill Gates & his org 20 years ago. Emby appears to be a Windows IIS server or close to it. I'm not sure how Nginx under BSD would invoke or pass to that? I'm lost in that area. Played with it until I was worn out...

dhenzler, posted December 2, 2021 (edited):

https://www.adamintech.com/how-to-configure-emby-for-https/

Not having much luck with this. But making the SSL stuff worked... Using my Public IP for the domain name didn't

ssl_gen.sh
p12_gen.sh

Edited December 2, 2021 by dhenzler: adding script files for openssl

metsuke, posted December 2, 2021 (edited):

It doesn't matter what settings Emby is using internally as long as a web page displays at the end. The reverse proxy can point to it with no issue.

The file location in FreeBSD is /usr/local/etc/nginx/nginx.conf

Are you testing externally or internally? Does it work fine internally?

Have you tried using the config that I posted, replacing the <> variables with your own?

Edited December 2, 2021 by metsuke