Malleyc94, posted September 29, 2016

Hi, new user here! I'm running Emby inside Docker on unRAID and am loving it so far. I've generated SSL certs with Let's Encrypt and nginx in another Docker container. I found instructions on how to turn these .pem files into something Emby will accept:

    sudo openssl pkcs12 -inkey privkey.pem -in fullchain.pem -export -out emby.pfx

I can access the web server https://mydns.afraid.org and another Docker container https://mydns.afraid.org:8123 with no issues from any device; however, when I access https://mydns.afraid.org:8920 from a mobile device, sometimes it will display one of the two following errors:

    This site cannot be reached ERR_TUNNEL_CONNECTION_FAILED

or

    Your connection is not private NET::ERR_CERT_AUTHORITY_INVALID

Other times it will work totally fine! Is this a known issue (I read a post talking about Mono only supporting TLS 1.0) or is this an issue with how I have set up HTTPS access? Any help appreciated.
Luke, posted September 30, 2016

The first one looks like connectivity. The second one looks like the browser rejecting the cert by default. You can override this in the browser page by clicking proceed anyway, although I think that override might first require clicking something else in order to show it. Then once you do this, it will remember this for a little while before you have to do it again. I am guessing you may have overridden it once, then it worked for a bit and now you need to do it again.
Malleyc94, posted October 2, 2016

Thanks for that. I was expecting to find the option to click proceed but it was never available. I'm currently working on setting up a reverse proxy to handle the HTTPS side of things along with auto renewal of certs.

Sent from my Nexus 5X using Tapatalk
Malleyc94, posted October 4, 2016

I've been able to secure the server using Let's Encrypt for auto-renewing certs and the nginx web server to reverse proxy. It's working for all clients, mobile and other, and is using TLS 1.2.
plexman (guest), posted October 9, 2016

> I've been able to secure the server using Let's Encrypt for auto-renewing certs and the nginx web server to reverse proxy. It's working for all clients, mobile and other, and is using TLS 1.2.

Could you please post how you did it, and if it works with everything like remote control, Chromecast, etc.
Luke, posted October 9, 2016

Well done!
Malleyc94, posted October 10, 2016

Update: I'm currently having an issue with websocket traffic. Interestingly, the Android mobile app continued to work after I made the change, but reconnecting to the server failed. I've still got a bit more testing to do but believe I need to also redirect the websocket traffic.

@plexman my setup is on unRAID so it is a bit different, but basically once you have an nginx web server secured with Let's Encrypt (pre-packaged Docker container on unRAID) you change some conf files in nginx to allow the redirect. Can post conf if you'd like.

Sent from my Nexus 5X using Tapatalk
plexman (guest), posted October 10, 2016

@Malleyc94 yes, please post your conf so I can compare with this post to ensure that everything works perfectly. Thanks.
Luke, posted October 10, 2016

FYI - the web socket is used for features like remote control but will not prevent basic connectivity if it is not working.
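Luke's point is that a proxy which drops the Upgrade headers breaks remote control without breaking ordinary page loads, which is why the failure is easy to miss. The script below is an added example for checking that directly; it is not code from this thread or from Emby. It performs the WebSocket opening handshake (RFC 6455) over a certificate-verified TLS connection and reports which part of the exchange the proxy mangled: a 200 instead of 101 means the upgrade never reached the backend, and a wrong Sec-WebSocket-Accept means something in between answered instead of the real server. Host, port and path are taken from the command line and are assumptions; the thread does not state Emby's websocket path, so supply the one your server exposes.

```python
import base64
import hashlib
import os
import socket
import ssl
import sys

# RFC 6455 section 1.3: the server appends this GUID to the client key,
# SHA-1 hashes it and base64-encodes the digest.
WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"


def expected_accept(client_key: str) -> str:
    """Sec-WebSocket-Accept value a genuine server must return for client_key."""
    digest = hashlib.sha1((client_key + WS_GUID).encode("ascii")).digest()
    return base64.b64encode(digest).decode("ascii")


def build_upgrade_request(host: str, path: str, client_key: str) -> bytes:
    """HTTP/1.1 request asking to switch protocols. A proxy that strips the
    Upgrade/Connection headers turns this into a plain GET at the backend."""
    lines = [
        f"GET {path} HTTP/1.1",
        f"Host: {host}",
        "Upgrade: websocket",
        "Connection: Upgrade",
        f"Sec-WebSocket-Key: {client_key}",
        "Sec-WebSocket-Version: 13",
        "",
        "",
    ]
    return "\r\n".join(lines).encode("ascii")


def parse_response(raw: bytes):
    """Split an HTTP response head into (status code, lower-cased header dict)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("iso-8859-1")
    status_line, *header_lines = head.split("\r\n")
    parts = status_line.split(" ", 2)
    code = int(parts[1]) if len(parts) > 1 and parts[1].isdigit() else 0
    headers = {}
    for line in header_lines:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return code, headers


def check_upgrade_response(raw: bytes, client_key: str) -> list:
    """Return the list of handshake problems; an empty list means success."""
    code, headers = parse_response(raw)
    problems = []
    if code != 101:
        problems.append(f"expected 101 Switching Protocols, got {code}")
    if headers.get("upgrade", "").lower() != "websocket":
        problems.append("Upgrade header missing or not 'websocket'")
    if "upgrade" not in headers.get("connection", "").lower():
        problems.append("Connection header does not contain 'Upgrade'")
    if headers.get("sec-websocket-accept") != expected_accept(client_key):
        problems.append("Sec-WebSocket-Accept does not match the key we sent")
    return problems


def probe(host: str, port: int, path: str, timeout: float = 5.0) -> list:
    """Connect over TLS (chain verified against the system trust store, so an
    untrusted certificate fails here the way a browser would), send the upgrade
    and report what came back through the proxy."""
    client_key = base64.b64encode(os.urandom(16)).decode("ascii")
    ctx = ssl.create_default_context()
    with socket.create_connection((host, port), timeout=timeout) as tcp:
        with ctx.wrap_socket(tcp, server_hostname=host) as tls:
            tls.sendall(build_upgrade_request(host, path, client_key))
            raw = tls.recv(4096)
    return check_upgrade_response(raw, client_key)


if __name__ == "__main__":
    # Usage (host and path are assumptions, not values from the thread):
    #   python ws_check.py my.domain.tld 443 /emby/<websocket-path>
    host, port, path = sys.argv[1], int(sys.argv[2]), sys.argv[3]
    for problem in probe(host, port, path) or ["handshake OK"]:
        print(problem)
```

Because `check_upgrade_response` is separated from the network code, the same logic can be exercised against a captured response, which is how the known RFC 6455 key/accept pair is used to validate it.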
Malleyc94, posted October 13, 2016

Attached are the configuration files for nginx. I've been getting most of my info regarding that from this forum here: https://lime-technology.com/forum/index.php?topic=43696.60

@Luke the only port I have open is 443. So when connecting via the Android app I should use:

    Host: https://my.subdomain.tld/emby (working link for browser traffic that nginx redirects to internal ip:8096)
    Port: 443

Should this be working or am I going about this the wrong way?

Attachment: Nginx Conf.zip
Luke, posted October 13, 2016

Seems like it should be OK.
Malleyc94, posted October 28, 2016

Finally got everything working the way I wanted. My system is:

- unRAID OS
- Emby Docker
- Aptalca's letsEncrypt docker (also contains the nginx web server)

This works for all devices, and the remote control function is working fine too. I connect to the web app using https://mydomain.net/emby and I connect Emby apps to the server using https://mydomain.net, port 443.

Here are the 3 files you need to modify inside the letsencrypt appdata directory.

appdata/Nginx-letsencrypt/nginx/site-confs/default

    server {
        listen 443 ssl default_server;
        ssl_certificate /config/keys/fullchain.pem;
        ssl_certificate_key /config/keys/privkey.pem;
        ssl_dhparam /config/nginx/dhparams.pem;
        # As posted this still admits TLS 1.0 and 1.1; TLSv1.2 alone is the stricter choice
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;
        client_max_body_size 0;

        location / {
            root /config/www;
            index index.html index.htm index.php;
        }

        location /emby {
            # Send traffic to the backend
            proxy_pass http://192.168.###.###:8096/emby;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            # $scheme here (the post originally had $remote_addr, which is a client IP, not a scheme)
            # so the backend knows the client arrived over https
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Send websocket data to the backend as well
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

appdata/Nginx-letsencrypt/nginx/nginx.conf

    user nobody users;
    worker_processes 4;
    pid /run/nginx.pid;

    events {
        worker_connections 768;
        # multi_accept on;
    }

    http {
        ##
        # Basic Settings
        ##
        sendfile on;
        tcp_nopush on;
        tcp_nodelay on;
        keepalive_timeout 65;
        types_hash_max_size 2048;
        # server_tokens off;
        # server_names_hash_bucket_size 64;
        # server_name_in_redirect off;
        client_max_body_size 0;
        include /etc/nginx/mime.types;
        default_type application/octet-stream;

        ##
        # Logging Settings
        ##
        access_log /config/log/nginx/access.log;
        error_log /config/log/nginx/error.log;

        ##
        # Gzip Settings
        ##
        gzip on;
        gzip_disable "msie6";
        # gzip_vary on;
        # gzip_proxied any;
        # gzip_comp_level 6;
        # gzip_buffers 16 8k;
        # gzip_http_version 1.1;
        # gzip_types text/plain text/css application/json application/x-javascript text/xml application/xml application/xml+rss text/javascript;

        include /etc/nginx/conf.d/*.conf;
        include /config/nginx/site-confs/*;

        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers "EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH";
        ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;
        add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;";
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-Content-Type-Options nosniff;
        add_header X-XSS-Protection "1; mode=block";
        add_header X-Robots-Tag none;
        ssl_stapling on;        # Requires nginx >= 1.3.7
        ssl_stapling_verify on; # Requires nginx >= 1.3.7
    }

appdata/Nginx-letsencrypt/nginx/proxy.conf

    client_max_body_size 10m;
    client_body_buffer_size 128k;

    # Timeout if the real server is dead
    proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

    # Advanced Proxy Config
    send_timeout 5m;
    proxy_read_timeout 240;
    proxy_send_timeout 240;
    proxy_connect_timeout 240;

    # Basic Proxy Config
    proxy_set_header Host $host:$server_port;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto https;
    proxy_redirect http:// $scheme://;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_cache_bypass $cookie_session;
    proxy_no_cache $cookie_session;
    proxy_buffers 32 4k;
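The configuration works because the /emby location carries proxy_http_version 1.1 together with the Upgrade and Connection headers, and because X-Forwarded-Proto tells Emby that the client arrived over https. The lint below is an added example, not part of the post nor a tool shipped with Emby or the letsencrypt container. It parses nginx configuration syntax (handling quoted values such as the HSTS header so an embedded ';' does not split a directive) and flags the three slips this thread turned on: a proxied location missing the websocket headers, X-Forwarded-Proto set to something other than $scheme, and ssl_protocols that still admit TLS 1.0/1.1. The embedded sample config is constructed for the demonstration; 192.0.2.10 is a documentation address, not a host from the thread.

```python
import sys

# Protocol versions that a 2016-era config commonly still listed but that a
# hardened reverse proxy should no longer negotiate.
WEAK_PROTOCOLS = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}


def tokenize(text: str) -> list:
    """Split nginx config text into words, quoted strings and the {, }, ; symbols.
    A '#' starts a comment only at a token boundary, so values like
    192.168.###.### survive intact."""
    tokens, i, n = [], 0, len(text)
    while i < n:
        c = text[i]
        if c.isspace():
            i += 1
        elif c == "#":
            while i < n and text[i] != "\n":
                i += 1
        elif c in "{};":
            tokens.append(c)
            i += 1
        elif c in "'\"":
            j = text.index(c, i + 1)          # closing quote of the same kind
            tokens.append(text[i + 1:j])
            i = j + 1
        else:
            j = i
            while j < n and not text[j].isspace() and text[j] not in "{};'\"":
                j += 1
            tokens.append(text[i:j])
            i = j
    return tokens


def parse(tokens: list) -> list:
    """Build a tree of (name, args, children) triples; children is None for
    simple directives and a list for blocks such as http/server/location."""
    def block(pos):
        items = []
        while pos < len(tokens) and tokens[pos] != "}":
            name, pos, args = tokens[pos], pos + 1, []
            while tokens[pos] not in ("{", ";"):
                args.append(tokens[pos])
                pos += 1
            if tokens[pos] == ";":
                items.append((name, args, None))
                pos += 1
            else:
                children, pos = block(pos + 1)
                items.append((name, args, children))
                pos += 1                        # step over the closing brace
        return items, pos
    return block(0)[0]


def lint(items: list, context: str = "main", findings: list = None) -> list:
    """Walk the tree and collect human-readable findings for each context."""
    findings = [] if findings is None else findings
    directives = [(n, a) for n, a, ch in items if ch is None]
    names = {n for n, _ in directives}
    if "proxy_pass" in names:
        headers = {a[0].lower(): a[1] for n, a in directives
                   if n == "proxy_set_header" and len(a) >= 2}
        if ("proxy_http_version", ["1.1"]) not in directives:
            findings.append(f"{context}: proxy_pass without proxy_http_version 1.1 (websocket upgrade needs HTTP/1.1)")
        if headers.get("upgrade") != "$http_upgrade":
            findings.append(f"{context}: missing 'proxy_set_header Upgrade $http_upgrade'")
        if headers.get("connection", "").lower() not in ("upgrade", "$connection_upgrade"):
            findings.append(f"{context}: missing 'proxy_set_header Connection \"upgrade\"'")
        proto = headers.get("x-forwarded-proto")
        if proto is not None and proto not in ("$scheme", "https"):
            findings.append(f"{context}: X-Forwarded-Proto is '{proto}', expected $scheme")
    for n, a in directives:
        if n == "ssl_protocols":
            weak = sorted(WEAK_PROTOCOLS & set(a))
            if weak:
                findings.append(f"{context}: ssl_protocols enables {', '.join(weak)}; keep only TLSv1.2 or newer")
    for n, a, ch in items:
        if ch is not None:
            lint(ch, f"{n} {' '.join(a)}".strip(), findings)
    return findings


# Constructed sample: one location repeats the slips discussed in the thread,
# the other shows the corrected form.
SAMPLE = """
http {
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    add_header Strict-Transport-Security "max-age=15768000; includeSubDomains";
    server {
        listen 443 ssl default_server;
        location /emby {
            proxy_pass http://192.0.2.10:8096/emby;       # documentation address
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $remote_addr;
            # Upgrade/Connection headers forgotten: remote control breaks
        }
        location /fixed {
            proxy_pass http://192.0.2.10:8096/emby;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    for finding in lint(parse(tokenize(text))) or ["no findings"]:
        print(finding)
```

Run it against site-confs/default (the include directives are not followed, so point it at each file in turn); the /emby location in the sample produces four findings and /fixed produces none.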
Luke, posted October 28, 2016

Great info, thanks!