NGINX Setup for Emby on Mac

[cp41 3]

I have been running Emby off my Mac mini M1 for a while now without issue.
I setup SSL certification for remote access and everything has been working great.

Right now, though, I have to renew my certificates every 90 days and then restart the Server for the new Certs to take effect.
I have been using CertBot and OpenSSL for my certificate creation.

I was trying to explore the use of NGINX Reverse Proxy as a way to automate the SSL Certificate process.
Specifically, I could have a powershell script run to generate my certificates using CertBot and then I wouldn't have to worry about restarting the Emby Server as part of the process.

I went though the recommended HOW TO: NGINX for Windows Topic that is recommended. 
And that was very useful for generating my Config file.
However, I have not yet been able to get the Reverse Proxy to work.

Here is my Config File (this is taken directly from the other HOW TO post):

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    
    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##

    
    
## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
      
      return 301 https://$host$request_uri;
}    

##EMBY Server##

server {
listen [::]:80;
listen 80;
listen [::]:443 ssl;
listen 443 ssl;
server_name mydomain.com;   #

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      /private/etc/letsencrypt/live/mydomain.com/cert.pem;
ssl_certificate_key  /private/etc/letsencrypt/live/mydomain.com/privkey.pem;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        
proxy_hide_header X-Powered-By;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header 'Referrer-Policy' 'no-referrer';

add_header Content-Security-Policy "frame-ancestors mydomain.com;";   #add your domainname and all subdomains listed on your cert
        

location / {
proxy_pass http://192.168.86.21:8096; # This is my local emby ip and non SSL port

proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}

}

 

I know the syntax works because I ran the command sudo nginx -t and the test was successful.

So I guess where I am struggling is the Emby Network Settings and/or the Port Forwarding.
As I mentioned, I have Remote Access with mydomain.com working already, so I am at least familiar with these areas (in so much that I know the router works if the ports are set up correctly).
But I am not 100% sure that I have these setup the way they are supposed to be configured.

I have local http/https as 8096/8920.

I have public http/https as 80/443.

I forwarded the 80 and 443 ports on my router to the computer that is running NGINX (which is the same computer where Emby runs).

Does anyone see where I may have gone wrong, or where I might be missing a step?

Edited February 16 by cp41
Replaced Actual Domain Name with mydomain.com

[Luke 37066]

HI, what exactly is the problem?

[cp41 3]

When I have this setup configured, and I have the NGINX reverse proxy running, l cannot access the server using mydomain.com. The website fails to connect. So I am unable to access the server from outside my network. 
I figured I must be doing something wrong. I was hoping someone could look at my configuration and see a glaring error. 
 

 

[Luke 37066]

Hi, do you get an error message? What does it say?

[cp41 3]

Wellllllll....I was going to take a screenshot of the error. Which I did.

But as I did I noticed it talked about the firewall.
So I decided to make sure NGINX could pass through the firewall.

Once I had that setup...everyhting is working.

Huzzah!

And even though I didn't end up needing any specific advice from this thread....it did trigger in me the ability to figure it out.

So I thank you all the same.