
Help with SSL https NGINX reverse proxy Let's Encrypt


Go to solution Solved by Ronny244,


Posted

I have spent a lot of time trying to make Emby secure with https and I have now hit a brick wall. My knowledge on this topic is zero, so I'm hoping with some guidance I can get this working.

 

OS: Windows

Port Forward: 443

Domain: YES

SSL: Let's Encrypt via Win-Acme (No passphrase)

Reverse Proxy: NGINX

Most of the information is taken from https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/#comment-419091

Where I have hit a brick wall is when I try and start NGINX. It fails to start and nothing shows in the logs.

Below is my nginx.conf. Thanks in advance.

 

worker_processes  2;


events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    
    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##

    
    
## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
      
      return 301 https://$host$request_uri;
}    

##EMBY Server##

server {
listen [::]:80;
listen 80;
listen [::]:443 ssl;
listen 443 ssl;
server_name emby.mydomain.com;

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      C:\\nginx-1.26.2\conf\SSL\mydomain.com-crt.pem;
ssl_certificate_key  C:\\nginx-1.26.2\conf\SSL\mydomain.com-key.pem;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
        
proxy_hide_header X-Powered-By;
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header 'Referrer-Policy' 'no-referrer';

add_header Content-Security-Policy "frame-ancestors mydomain.com; emby.mydomain.com;
        

location / {
proxy_pass http://192.167.178.21:8096;

proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
}
}


}

seanbuff
Posted
7 minutes ago, Ronny244 said:

Where I have hit a brick wall is when I try and start NGINX. It fails to start and nothing shows in the logs.

Below is my nginx.conf. Thanks in advance.

Below is a good reference to use, compare your nginx config with this:
 

 

Posted

Thank you, I will take a look.

Posted

Thank you for pointing me to that link. I have edited it to match my server and I still get nothing. One good thing is the separate log for Emby, that will be useful going forward.

Here is my new nginx.config:

 

 

worker_processes  auto;

error_log  logs/error.log;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';


    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile        off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;

server {
    listen 80 default_server;
    server_name _;

    return 301 https://$host$request_uri;
}

server {

    listen [::]:443 ssl;
    listen 443 ssl;
    http2  on;
    proxy_buffering off;

    server_name emby.mydomain.com;

    access_log  logs/emby.log  emby;

    ## SSL SETTINGS ##
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      C:/nginx-1.26.2/conf/SSL/mydomain.com-crt.pem;
    ssl_certificate_key  C:/nginx-1.26.2/conf/SSL/mydomain.com-key.pem;
    ssl_session_cache shared:SSL:10m;

    location ^~ /swagger {
        return 404;
    }

    location / {
        proxy_pass http://192.168.178.21:8096;
        client_max_body_size 1000M;

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
}
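
Added example, not part of any post in this thread: a minimal complete nginx.conf for the setup described in the two posted configs. It closes the Content-Security-Policy value that the first posted config leaves unterminated (an unclosed quote is a syntax error), uses forward-slash certificate paths as nginx on Windows expects, and drops TLS 1.0/1.1 and the 3DES suites that both configs still allow. The domain, certificate paths and upstream address are the thread's own placeholders.

```nginx
# Added example; mydomain.com, the paths and 192.168.178.21:8096 are the
# placeholders used in the thread and must match your own setup.
worker_processes auto;
error_log logs/error.log;

events { worker_connections 1024; }

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    server {                          # plain HTTP only redirects to HTTPS
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name emby.mydomain.com;

        # nginx on Windows expects forward slashes in paths.
        ssl_certificate     C:/nginx-1.26.2/conf/SSL/mydomain.com-crt.pem;
        ssl_certificate_key C:/nginx-1.26.2/conf/SSL/mydomain.com-key.pem;

        # TLS 1.0/1.1 and DH+3DES removed; the rest of the cipher string is the thread's.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5;
        ssl_prefer_server_ciphers on;

        add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
        add_header X-Content-Type-Options "nosniff" always;
        # One quoted string; sources are space-separated (a ';' starts a new CSP directive).
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com" always;

        location / {
            proxy_pass http://192.168.178.21:8096;
            proxy_http_version 1.1;             # required for websockets
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Running `nginx -t` from the nginx directory parses the file and reports the line of the first syntax error without starting the server.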

Posted

Hi,

You did use your actual domain and not "mydomain.com" as shown above, correct?

What does the nginx log file show?

Posted

Hi,

I used my domain (GoDaddy, confirmed with CNAME in Win-Acme), I just changed it before posting. Thanks for checking about it though, it could be easily missed.

  • Thanks 1
Posted

That's good!

Next up, check the nginx log to see if it has any useful information as to the problem.

Posted (edited)

There is nothing in the logs, the error and the emby log are both blank.

line “error_log  logs/error.log;” of my nginx conf and not the actual emby error log that is.

I have tried running as admin and changed permissions but I have hit a brick wall and not sure where to go next.

Edited by Ronny244
Posted

How did you install nginx on windows?

Did you test it prior to trying to set it up for use with Emby?
 

Posted

I downloaded from the nginx site then unzipped to my C:/ folder. I didn't test it before as to be honest I don't know how it works. I was just following the guide with all my fingers crossed.

I have had a few errors with .pem locations but I think they are sorted in the conf now. I have used commands such as nginx -s reload and nginx -t and I get nothing. Do you suggest I use another version of nginx? I'm not sure what to do next.

Posted
On 10/14/2024 at 1:20 PM, Ronny244 said:

There is nothing in the logs, the error and the emby log are both blank.

Is your router forwarding the WAN port(s) to the proper LAN IP:port(s) running nginx ? 

Posted
On 10/15/2024 at 7:26 AM, Ronny244 said:

I downloaded from the nginx site then unzipped to my C:/ folder. I didn't test it before as to be honest I don't know how it works. I was just following the guide with all my fingers crossed.

I have had a few errors with .pem locations but I think they are sorted in the conf now. I have used commands such as nginx -s reload and nginx -t and I get nothing. Do you suggest I use another version of nginx? I'm not sure what to do next.

If using the version recommended for Windows from nginx-win.ecsds.eu 

Read the directions for how to install the windows version.
It basically tells you to go to the official nginx site to download and install their windows version.  Then you overwrite it with the Windows version from ecsds.eu

  • 2 weeks later...
Posted (edited)

 

On 16/10/2024 at 00:44, TMCsw said:

Is your router forwarding the WAN port(s) to the proper LAN IP:port(s) running nginx ? 

My networking knowledge is non-existent but I'll try and explain what I've done so far.

In my router's port sharing settings I selected my HTPC device with IPv4 address: 192.168.178.21 and opened up port 443.

In firewall settings inbound rules I have allowed port 443 for Domain, Private, Public.

My Emby Network I'll show by attaching pictures at the bottom of this post.

In my nginx config I'm using 192.168.178.21 as it's the WAN port on my router?

...geez this is way too deep for me, I should have just stuck with an SSL cert and pass 😁 but reverse proxy adds much more security.

On 16/10/2024 at 23:51, Carlo said:

If using the version recommended for Windows from nginx-win.ecsds.eu 

Read the directions for how to install the windows version.
It basically tells you to go to the official nginx site to download and install their windows version.  Then you overwrite it with the Windows version from ecsds.eu

Ok, thanks for that information, will do that now.

I am now seeing logs in the logs folder, it's saying:  [notice] 25476#25044: Fatal: wait for sockapi failed

 

1.jpg

2.jpg

3.jpg

Edited by Ronny244
Posted
11 hours ago, TMCsw said:

Please give a screen shot of your router’s port forwarding page...

And

Go to https://www.yougetsignal.com/tools/open-ports/ and put in your URL and port (443)

I went to https://www.yougetsignal.com/tools/open-ports/ and it shows my ISP's static IP port 443 is open. With IP 192.168.178.21 port 443 is closed.

I have now downloaded nginx for windows and replaced from the nginx-win.ecsds.eu version and in command prompt I typed cd c:/nssm restart nginx.

It successfully stopped and started and my log file says:

[notice] 3788#12400: Access to sockapi succeeded!
[notice] 3788#12400: using sockapi from "4;8;12;"

 

4.jpg

Posted

You should consider using Caddy instead of nginx. It's the much easier option and ideal for those starting from zero to intermediate networking skill.

 

  • Agree 1
Posted
On 26/10/2024 at 13:39, Q-Droid said:

You should consider using Caddy instead of nginx. It's the much easier option and ideal for those starting from zero to intermediate networking skill.

 

I wanted to try caddy but there is a lack of guides on the Emby forum. There is one guide but it's for V1. I'm still open to try caddy but don't want to search places like reddit. The guides for Nginx are also old but there are more guides so that's why I chose Nginx.

On 28/10/2024 at 01:02, Luke said:

@Ronny244 has this helped?

Yes it has helped but I cannot get access via emby.mydomain.com

GrimReaper
Posted
3 minutes ago, Ronny244 said:

I wanted to try caddy but there is a lack of guides on the Emby forum. There is one guide but it's for V1

 

  • Like 1
Posted

Ahh great, I will give caddy a go if nginx fails. Thanks for pointing me to the guides.

  • 2 months later...
  • Solution
Posted

Migrated to Linux and used caddy. Had some issues to begin with but when I used localhost instead of my ip in the caddyfile it worked. Possibly an ip issue caused the problems with nginx. Thank you all for your time.

  • Thanks 1
