Swynol 375 Posted February 10, 2017 (edited)

Ok, this is going to be a long post. In this thread I will show you 2 different ways in which I set up a HTTPS connection to my Emby server. Both ways require a certificate, which again I will show you how I got mine using Let's Encrypt on Windows. I will break the posts up into sections.

Part 1 - Setting up a DDNS (Dynamic DNS host). Only required if your ISP IP is dynamic, i.e. changes.
Part 1.A - Setting up DDNS using your own domain name
Part 2 - Getting a domain name (optional but looks fancier)
Part 3 - Getting a SSL cert from Let's Encrypt the easy way
Part 3a - Using LE.exe to get certificates (recommended)
Part 4 - Setting up HTTPS by changing the default port to 443
Part 5 - Setting up HTTPS using a reverse proxy

Edited November 3, 2017 by Swynol
Swynol 375 Posted February 10, 2017 (edited)

Part 1 - Dynamic DNS

There are many services that offer a Dynamic DNS service and most are free. If you have a static IP from your ISP then you can skip this part, but if you're like me then your ISP IP address changes every time your router restarts. I use Namecheap for DDNS but you can also use No-IP or DynDNS. For the purpose of this thread I will demonstrate using No-IP.

Go to noip.com and create an account. Click on Dynamic DNS (Free) on the left hand side. Click Create a Hostname.

Hostname = whatever you want your hostname to be called
Domain = the part after your hostname, i.e. embySSLtest.ddns.net

Now you need to configure how the DDNS address will get your ISP IP address. There is software available which will run constantly on your PC and check for IP updates, or some routers support DDNS services. On my BT router under Advanced Settings > Broadband > Dynamic DNS I can enter the account details we have just set up.

Once that has been done we then need to port forward Emby's ports on our router. For this write-up we will need to forward port 443 to the internal IP address of your Emby server, for example 192.168.1.100.

To test your DDNS you can also temporarily forward port 8096 to your Emby server. Then all you have to type in the web address bar is http://embyssltest.ddns.net:8096 and it should take you to the web app.

Edited February 10, 2017 by Swynol
Swynol 375 Posted February 10, 2017 (edited)

Part 2 - Getting a Domain Name

Getting a personal domain name not only looks better but makes getting a SSL cert much easier. There are plenty of registrars out there: GoDaddy, CrazyDomains, 123-reg, Namecheap etc. For the purpose of this write-up I will use Namecheap.

Create an account with namecheap.com and log in. Click Domains at the top and Registration. Now type in the search box what you want your personal domain to be called, i.e. embyssltest.com.

Once you have decided on your name and bought it you need to set it up so that your new domain name knows where your Emby server is. We do that by setting up a record to tell embyssltest.com to point to the embyssltest.ddns.net that we set up earlier.

On Namecheap head to Advanced DNS. Under Host Records, click Add New Record and select CNAME.

Host = emby
Value = embyssltest.ddns.net (change it to your DDNS)
TTL = Automatic

So now we should have emby.embyssltest.com which forwards to embyssltest.ddns.net.

Hope you're still with me. Only a few more things to set up!

Edited February 10, 2017 by Swynol
Swynol 375 Posted February 10, 2017 (edited)

Part 3 - SSL Cert

There are various ways to get a SSL cert; some you have to pay for, others are free, either using OpenSSL or Let's Encrypt. I used the Let's Encrypt service, which is free but comes with some limitations, the main one being that the cert expires every 90 days.

To get a cert from Let's Encrypt there are various tools you can run, however the easiest is using a site called www.sslforfree.com.

Head over to www.sslforfree.com. In the big box you need to enter the domain name you bought above (you can enter as many subdomains as you need by separating them with a space), so I did:

embyssltest.com emby.embyssltest.com

Click Create Free SSL Certificate.
Click on Manual Verification (DNS).
Green box: Manually Verify Domain.

You should now see the above. You now need to head back over to your domain registrar and Advanced DNS. Just as before when we created the CNAME record, we now need to add a new record, this time choosing TXT record. Using the details above you populate your TXT record. Create 1 TXT record per entry above.

Host = _acme-challenge
Value = 4G1h1vHrggXbdIXHvfLlaQHaA_o-eg6T3BxXp7JqbHU
TTL = 1min

Host = _acme-challenge.emby
Value = m0TCGHyHl7m16P7T8z9HlKAkAdbgT2kJ_JLrncknalM
TTL = 1min

Notice above I removed the domain name (.embyssltest.com) from the Host, as this is added automatically.

Save the TXT records and wait a few mins for propagation. Click on the Verify links to check that the TXT records are working. You should see the TXT record in your browser. Now click Download SSL Certificate. You should now have a zip file which contains 3 files:

certificate.crt
ca_bundle.crt
private.key

Congrats, you now have your SSL cert!

To be continued......

Edited February 10, 2017 by Swynol
Swynol 375 Posted February 10, 2017 (edited)

Part 4 - Setting up a SSL connection to Emby by changing Emby's default SSL port

We now need to create a .pfx file from the .crt and .key files we have. I used OpenSSL to convert mine, but an easier way is to use https://www.sslshopper.com/ssl-converter.html

Fill in the boxes as I have done below. Leave the pfx password box blank as Emby requires a blank password. Click Convert and we should now have a cert.pfx file. Save the file somewhere where we can import it into Emby, for example C:\SSL\

Now head over to Emby Server and Manage Server. Click Advanced and fill in the boxes as below. The public HTTPS port needs to be 443, and set your external domain to your domain name. Click Save.

Let's try to navigate to https://emby.embyssltest.com

Congrats, this is one way to set up a SSL connection. The only issue is that this way uses port 443, so nothing else in your home network can then have an incoming connection on port 443. Not ideal.

EDIT: another reason not to set it up this way is documented here - https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/ Because Emby requires a .pfx with no password it could be classed as insecure, as your private.key is accessible without a password. So again, another +1 for using the nginx reverse proxy.

Edited February 14, 2017 by Swynol
Swynol 375 Posted February 10, 2017 (edited)

Part 5 - Setting up a reverse proxy instead of using Part 4 above

This is my preferred way. I only learnt how to set up and use a reverse proxy today so I am no professional. This way allows you to use many applications or services behind one port, in this case port 443.

First we need to create a .pem certificate from our 3 SSL files we got earlier. Open a blank Notepad, then open your certificate.crt with Notepad. Copy the contents into the blank Notepad. Then open the ca_bundle.crt with Notepad and copy the contents again below the previous, then save the file as cert.pem:

-----BEGIN CERTIFICATE-----
(Your Primary SSL certificate: certificate.crt)
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
(Your Root certificate: ca_bundle

Big thanks to members on here helping me through this setup.

First we need a reverse proxy. I recommend nginx lion - http://nginx-win.ecsds.eu/ Download the zip and extract the contents to C:\ We should now have C:\nginx 1.11.9-lion\

Go into the conf folder and edit the nginx.conf (maybe called nginx-win.conf; if so, rename to nginx.conf). For somewhere to start, delete everything in the conf file and copy what I have in the spoiler into your conf file.

#user nobody;
# multiple workers works !
worker_processes 2;

events {
    worker_connections 8192;
}

http {
    #include /nginx/conf/naxsi_core.rules;
    include mime.types;
    default_type application/octet-stream;
    sendfile off;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    #gzip on;

    ##EMBY Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.embyssltest.com; #your subdomain.domainname.com here

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate cert.pem; #your .pem file you created earlier.
        ssl_certificate_key private.key; #your private.key
        ssl_session_cache shared:SSL:10m;

        # Redirect plain HTTP to HTTPS
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.10:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

Save the config. Open a command prompt and change to the directory where nginx is, i.e. cd c:\nginx 1.11.9-lion\ Now type nginx start and that's it. You should now be able to go to https://emby.embyssltest.com, which comes in on port 443 to nginx, which uses the config to forward the request to your local IP and local port number.

Also don't forget, if you have previously port forwarded 8096 and 8920 on your router you can now block these ports.

Edited February 10, 2017 by Swynol
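An added check for the cert.pem step in the post above (my own example, not Swynol's or Emby's code): it splits the PEM blocks out of certificate.crt and ca_bundle.crt, parses the issuer and subject names out of each DER certificate, and only produces cert.pem when the order is the one nginx expects (your server certificate first, then the bundle). The sample certificates at the bottom are constructed, unsigned skeletons with made-up names, so the script runs offline.

```python
import base64
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)

def pem_blocks(text):
    """Return the DER bytes of every CERTIFICATE block found in a PEM string."""
    return [base64.b64decode("".join(b64.split()), validate=True)
            for b64 in PEM_RE.findall(text)]

def _tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:  # long-form length: low bits give the byte count
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def issuer_and_subject(der):
    """Return the raw DER encodings (issuer, subject) of an X.509 certificate."""
    tag, body_start, _ = _tlv(der, 0)  # Certificate ::= SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, pos, tbs_end = _tlv(der, body_start)  # tbsCertificate ::= SEQUENCE
    # TBSCertificate: [0] version OPTIONAL, serialNumber, signature, issuer, validity, subject, ...
    fields = []
    while pos < tbs_end and len(fields) < 5:
        tag, _, end = _tlv(der, pos)
        if tag == 0xA0 and not fields:  # skip the explicit version tag
            pos = end
            continue
        fields.append(der[pos:end])
        pos = end
    if len(fields) < 5:
        raise ValueError("truncated TBSCertificate")
    return fields[2], fields[4]

def chain_order_errors(ders):
    """List every position i where certificate i was not issued by certificate i+1."""
    errors = []
    for i in range(len(ders) - 1):
        issuer, _ = issuer_and_subject(ders[i])
        _, next_subject = issuer_and_subject(ders[i + 1])
        if issuer != next_subject:
            errors.append(f"certificate {i} is not issued by certificate {i + 1}")
    return errors

def to_pem(der):
    """Re-encode DER as a PEM CERTIFICATE block with 64-column base64 lines."""
    b64 = base64.b64encode(der).decode()
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"

def build_cert_pem(certificate_crt, ca_bundle_crt):
    """Return cert.pem text (certificate.crt first, then ca_bundle.crt) or raise on bad order."""
    ders = pem_blocks(certificate_crt) + pem_blocks(ca_bundle_crt)
    if not ders:
        raise ValueError("no CERTIFICATE blocks found")
    errors = chain_order_errors(ders)
    if errors:
        raise ValueError("; ".join(errors))
    return "".join(to_pem(d) for d in ders)

# --- Constructed sample input: unsigned X.509 skeletons with made-up names ---
def _der(tag, content):
    n = len(content)
    if n < 0x80:
        return bytes([tag, n]) + content
    lb = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(lb)]) + lb + content

def _name(common_name):
    """Name ::= SEQUENCE { SET { SEQUENCE { OID commonName, UTF8String } } }"""
    atv = _der(0x30, _der(0x06, b"\x55\x04\x03") + _der(0x0C, common_name.encode()))
    return _der(0x30, _der(0x31, atv))

def fake_cert(subject, issuer):
    """Constructed, unsigned certificate skeleton; only for exercising the chain check."""
    tbs = _der(0x30,
               _der(0xA0, _der(0x02, b"\x02"))  # [0] version v3
               + _der(0x02, b"\x01")  # serialNumber
               + _der(0x30, _der(0x06, b"\x2A\x86\x48\x86\xF7\x0D\x01\x01\x0B"))  # sha256WithRSA
               + _name(issuer)
               + _der(0x30, _der(0x17, b"170210000000Z") + _der(0x17, b"170511000000Z"))
               + _name(subject)
               + _der(0x30, b""))  # subjectPublicKeyInfo placeholder
    return _der(0x30, tbs + _der(0x30, b"") + _der(0x03, b"\x00"))

CERTIFICATE_CRT = to_pem(fake_cert("emby.embyssltest.com", "Example Intermediate CA"))
CA_BUNDLE_CRT = to_pem(fake_cert("Example Intermediate CA", "Example Root CA"))
```

With the real files, read their text and pass it to build_cert_pem; a ValueError means the bundle and the server certificate were pasted in the wrong order, which nginx would otherwise accept silently while browsers complain about the chain.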
mediacowboy 438 Posted February 10, 2017

Watching this thread as I am interested in doing the same thing. Thanks for the detailed write-up.
Swynol 375 Posted February 10, 2017

There are a few issues that I will address soon. One being that the SSL cert is linked to the domain name you bought; however, because we are using a CNAME from your domain name to the DDNS address, all web browsers will report it as not trusted for this reason. There is a way to fix this which I will do another write-up on. All it needs is that you use your domain name for the DDNS service, which is easy to do.
Swynol 375 Posted February 14, 2017

Part 1.A

Ok, so this is an extension of Part 1, Dynamic DNS. If you used Part 1 above, then got a SSL cert for your shiny new domain name and followed all the other steps, when browsing to https://emby.embyssltest.com you will connect via HTTPS, however your browser will warn you that the cert isn't trusted, as it was assigned to embyssltest.com but you are browsing to embyssltest.ddns.net because of the CNAME and URL redirecting.

To fix this we need to set up your new domain name to do the Dynamic DNS'ing. For this I will demonstrate on Namecheap how I have mine set up.

Head over to namecheap.com. Create an account or log in to your existing account. Go to Advanced DNS. Scroll to the bottom where it says Dynamic DNS and turn it on. Create an A+ Dynamic DNS record:

Host = a subdomain, for example DNS
Value = 127.0.0.1 (this doesn't really matter as it will be dynamically updated)
TTL = Automatic

We also need to edit the CNAME we created in Part 2 for emby. Under the Host Records find the CNAME we created for emby:

Host = emby
Value = DNS.embyssltest.com

We now need to find a way to update the Namecheap DDNS. Some routers will support this (follow Part 1 but substitute the No-IP details for the Namecheap ones), however if your router is like mine and doesn't support Namecheap DDNS then you need to download software to do this. Namecheap offer their own client: https://namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Dynamic%20DNS%20Client%20%202.0.0.7%20Beta.zip

Unzip it and enter your details for Namecheap. Once running it will update the 127.0.0.1 entry above with your external IP.

Now that is set up we need to revisit Part 3, Getting the SSL Cert. When applying for the cert you now need to add another subdomain, DNS.embyssltest.com, so it should now look like:

embyssltest.com emby.embyssltest.com dns.embyssltest.com

Now follow the other parts to configure the SSL cert.

Once done you should now get a nice green HTTPS:// connection to https://emby.embyssltest.com
JunkStar 11 Posted February 14, 2017 (edited)

Great info! Never heard of sslforfree.com and it was a great help. For some reason my IIS stopped working with the acme-challenge and I couldn't figure out why. Now I will just use the manual method every 3 months. BTW, having a static WAN IP from your ISP makes life so much easier...

Edited February 14, 2017 by JunkStar
Swynol 375 Posted February 14, 2017

Ye, static IPs make life easier, although there are advantages to having an external DHCP IP. Ye, sslforfree is a web front end for Let's Encrypt; it's referenced on their website, which is how I found it. There are actually a few different ones but they all do the same thing.

If using a reverse proxy, which I'm guessing you are with IIS, then at least you only have to update one set of certs for all your services behind IIS. Before, I had a bunch of certs: one for Sonarr, one for NZB, one for Emby, one for Plex, one for HTPC Manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way.
JunkStar 11 Posted February 15, 2017

> Ye, static IPs make life easier, although there are advantages to having an external DHCP IP. Ye, sslforfree is a web front end for Let's Encrypt; it's referenced on their website, which is how I found it. There are actually a few different ones but they all do the same thing.
>
> If using a reverse proxy, which I'm guessing you are with IIS, then at least you only have to update one set of certs for all your services behind IIS. Before, I had a bunch of certs: one for Sonarr, one for NZB, one for Emby, one for Plex, one for HTPC Manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way.

Yeah, I'm really tempted to set up a reverse proxy and also automate the LE SSL cert process again, but since I don't know what went wrong the last time I'm kinda hesitant..
Swynol 375 Posted February 15, 2017

I'm no expert on the nginx reverse proxy, but with help from members on here I have managed to successfully set up around 12 services through it, some more difficult than others. I haven't looked at automating the LE certs; maybe that's something I can do when I have more time to mess around. Also, if you follow the setup for nginx using the sslforfree certs you get a good HTTPS rating of A-. Yes, it could be better, but I'm happy with that.
Overseer 66 Posted February 16, 2017

> If using a reverse proxy, which I'm guessing you are with IIS, then at least you only have to update one set of certs for all your services behind IIS. Before, I had a bunch of certs: one for Sonarr, one for NZB, one for Emby, one for Plex, one for HTPC Manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way.

Could you provide an example setup using nginx for all those? I'm running Sonarr, Radarr, Sab, Emby and Ombi on a 2012R2 server and everything is local. Looking to expand my horizons for on the road.
shorty1483 486 Posted February 16, 2017 (edited)

> Could you provide an example setup using nginx for all those? I'm running Sonarr, Radarr, Sab, Emby and Ombi on a 2012R2 server and everything is local. Looking to expand my horizons for on the road.

Do you want e.g. "example.com/emby" or "emby.example.com"? This is my config for all my web tools as a sub-path behind the domain, so I call "domain/ombi", "domain/sabnzbd" etc. I also made myself a start page to access them all with a simple click.

http {
    include mime.types;
    default_type application/octet-stream;
    access_log off;
    sendfile off;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;

    server {
        listen 80;
        listen 443 ssl;
        server_name domain;

        # Redirect plain HTTP to HTTPS
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        # Two certificate pairs: nginx picks ECDSA or RSA depending on what the client supports
        ssl_certificate cert/domain.ecdsa.pem;
        ssl_certificate_key cert/domain.ecdsa.key.pem;
        ssl_certificate cert/domain.rsa.pem;
        ssl_certificate_key cert/domain.rsa.key.pem;
        ssl_dhparam cert/dhparam2048.pem;
        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ecdh_curve X25519:prime256v1;
        ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
        ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS;
        keepalive_timeout 180;
        client_max_body_size 1024m;

        ## Emby ##
        location / {
            # Send traffic to the backend
            proxy_pass http://127.0.0.1:8096;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            # X-Forwarded-Proto carries the scheme (http/https); the original had $remote_addr here, which put the client IP in it
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Send websocket data to the backend as well
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        ## Ombi ##
        location /ombi {
            # Send traffic to the backend
            proxy_pass http://127.0.0.1:333/ombi;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Send websocket data to the backend as well
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        ## Sabnzbd ##
        location /sabnzbd {
            # Send traffic to the backend
            proxy_pass http://127.0.0.1:8080;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Send websocket data to the backend as well
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        ## Server start page ##
        location /start {
            root html;
            index index.html index.htm;
        }
    }
}

Edited February 16, 2017 by shorty1483
Swynol 375 Posted February 16, 2017 (edited)

I have mine set up as emby.mydomain.com, sonarr.mydomain.com etc. I have a folder called SSL in nginx/conf with my pem and key file, and those 2 files provide the HTTPS:// for all my services. Also there's a redirect on http to https to force people to connect to https. Most services run on the same machine, some are on another. Eventually there will be some VLAN settings I need to play with.

#user nobody;
# multiple workers works !
worker_processes 2;

events {
    worker_connections 8192;
}

http {
    #include /nginx/conf/naxsi_core.rules;
    include mime.types;
    default_type application/octet-stream;
    sendfile off;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    #gzip on;

    ##EMBY Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.10:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    ##Sonarr Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name sonarr.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://127.0.0.1:8989;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    ##NZB Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name nzb.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://127.0.0.1:6789;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    ##Plex Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name plex.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://127.0.0.1:32400;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    ##Unifi Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name unifi.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass https://192.168.1.10:8928; # backend speaks HTTPS itself
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    ##Unifi Guest Portal##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name guest.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass https://127.0.0.1:8843;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /ws/ {
            proxy_pass http://127.0.0.1:8843/ws/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    ##CCTV Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name cctv.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.101:8099;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    ##HTPC Manager Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name htpc.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://127.0.0.1:8085;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    ##Heating##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name heat.mydomain.com;

        #path to your SSL files, nginx must now handle all of the SSL, not each individual server
        #to your backend is regular HTTP its assumed safe, its on your local network or the same PC as nginx
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.91:80;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }

    ##uTorrent##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name utorrent.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        #charset koi8-r;
        #access_log logs/host.access.log main;

        location / {
            proxy_pass http://127.0.0.1:7070/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_redirect off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Set-Cookie;
            proxy_pass_header P3P;
        }
    }

    ##HDD Temps##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name hdd.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://127.0.0.1:8929/status;
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

Edited February 16, 2017 by Swynol
Overseer 66 Posted February 17, 2017

Thank you @shorty1483 and @Swynol. At first my eyes glazed over and a little bit of drool dribbled out of my mouth, but after reading through a couple of times it makes sense. I'm liking the simplicity of the subdomain setup. Will definitely give this a whirl over the long weekend here. Thanks to you both for the response.
Swynol 375 Posted February 17, 2017

Ye, no worries. It might look a bit daunting at first, but each section is pretty much just a copy of the previous. You can pretty much copy and paste this section for each service you need, just change the port or IP as needed. Also make sure your SSL cert has your subdomains listed.

    ##EMBY Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;

        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }

        location / {
            proxy_pass http://192.168.1.10:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
shorty1483 486 Posted February 17, 2017

@Swynol You could probably include nginx as a service. Source e.g. http://oss-world.blogspot.de/2015/10/install-nginx-as-windows-service-using.html
Swynol 375 Posted February 17, 2017 (edited)

Thanks @shorty1483. Ye, that's the way I run it, using nssm. I should probably include that in the section above.

Edited February 17, 2017 by Swynol
zigzagtshirt 55 Posted February 17, 2017

@Swynol Where does it say on the site that the certs expire after 90 days? I don't see it on there anywhere. Is there a way to automate a regeneration of them once they expire?
zigzagtshirt 55 Posted February 18, 2017 (edited)

Hoping someone can help. I can't get this working. I have my domain set up (and DDNS within the domain) just as this tutorial explains. I have changed the public HTTPS port number in Emby settings to 443, set up port forwarding properly in the router firewall, and disabled my Norton firewall completely. I have my external domain in the "External domain" field in Emby settings, and "Report https as external address" checked.

When I go to https://emby.mydomain.com it won't connect. When I go to emby.mydomain.com:8096 it connects with http just fine. When I use the port scanner on whatsmyip.org to scan 8096 it says "Port is open". When I scan 443, it says "Port Closed". This isn't a firewall issue because when I re-enable my Norton firewall and scan the port again, it says "Port timed out". My understanding is that since it returned "Port Closed" (as opposed to "timed out") it's getting through my firewall just fine, and that there is something not configured correctly with Emby.

I also followed the directions exactly to create my certificate, and it is selected in the Emby settings. Any ideas?

Edited February 18, 2017 by tsherran
Happy2Play 9060 Posted February 18, 2017

Have you tried a different HTTPS port? Not very common, but could your ISP be blocking the port?
zigzagtshirt 55 Posted February 18, 2017 (edited)

Called the ISP and verified that they don't block it. Also, changing the external HTTPS port in Emby settings works just fine; the external port scan shows that it's open. But when I change it back to 443, the port scan shows it as closed.

Edited February 18, 2017 by tsherran