Jump to content

Setting up SSL for Emby (WIP)


Swynol

Recommended Posts

Swynol

Ok this is going to be a long post. In this thread I will show you 2 different ways in which I setup a HTTPS connection to my emby server. Both ways require a certificate which again I will show you how i got mine using Lets Encrypt on Windows. 

 

I will break the posts up into Sections.

 

Part.1 - Setting up a DDNS (Dynamic DNS host) Only require if you ISP IP is dynamic i.e. changes.

     Part.1.A - Setting Up DDNS using your own Domain Name

Part.2 - Getting a Domain Name (Optional but looks fancier) 

Part.3 - Getting a SSL Cert from Lets Encrypt the easy way.

Part 3a - Using LE.exe to get Certificates (recommended)

Part.4 - Setting up HTTPS by changing default port to 443

Part.5 - Setting up HTTPS using reverse proxy

Edited by Swynol
  • Like 12
Link to comment
Share on other sites

Swynol

Part.1 - Dynamic DNS

 

There are many services that offer a Dynamic DNS service and most are free. If you have a static IP from your ISP then you can skip this part but if you're like me then my ISP IP address changes every time my router restarts.

 

I use Namecheap for a DDNS but you can also use noip, dynDNS. For the purpose of this thread I will demonstrate using No-ip.

 

Goto noip.com and create an account.

Click on Dynamic DNS (Free) on the left hand side.

Click create a hostname.

Hostname = what ever you want your hostname to be called

Domain = what the part after your hostname will be.

i.e embySSLtest.ddns.net

 

589e0dc4577e5_Untitled.jpg

 

Now you need to configure how the DDNS address will get your ISP IP address. There is software available which will run constantly on your PC and check for IP updates or some routers support a DDNS services.

On my BT router under Advanced settings > Broadband > Dynamic DNS I can enter the account details we have just setup.

 

589e0db597dfb_Untitled1.jpg

 

 

Once that has been done we then need to Port Forward Emby's ports on our router. For this write up we will need to forward port 443 to the Internal IP address of your Emby Server. for example 192.168.1.100

To test your DDNS you can also temporarily forward port 8096 to your emby server. Then all you have to type in the Web address bar is http://embyssltest.ddns.net:8096 and it should take you to the web app

Edited by Swynol
  • Like 3
Link to comment
Share on other sites

Swynol

Part.2 - Getting a Domain Name.

 

Getting a personal domain name not only looks better but makes getting a SSL cert much easier. There are plenty of registrars out there, goDaddy, crazydomains, 123.reg, namecheap etc.

 

For the purpose of this write up i will use namecheap.

 

Create an account with namecheap.com and login.

Click Domains at the top and registration. 

Now type in the search box what you want your personal domain to be called. i.e. embyssltest.com

 

 

589e12a1b30fd_Untitled2.jpg

 

once you have decided on your name and bought it you need to set it up so that your new domain name knows where your emby server is. We do that by setting up a record to tell embyssltest.com to point to embyssltest.ddns.net that we set up earlier.

 

On namecheap head to Advanced DNS

Under host records - click add new record

Select CNAME. 

host = emby

value = embyssltest.ddns.net (change it to your DDNS)

TTL = Automatic

 

So now we should have emby.embyssltest.com which forwards to embyssltest.ddns.net

 

589e13f262acd_Untitled3.jpg

 

 

Hope your still with me. only a few more things to setup!

 

Edited by Swynol
  • Like 3
Link to comment
Share on other sites

Swynol

Part.3 - SSL Cert.

 

There are various ways to get a SSL cert, some you have to pay for others are free either using OpenSSL or Lets Encrypt. I used the Lets Encrypt service which is free but comes with some limitations. The main one being that the cert expires every 90 days.

 

To get a cert from lets encrypt there are various tools you can run however the easiest is using a site called www.sslforfree.com

 

Head over to www.sslforfree.com

In the big box you need to enter your domain name you bought above. (you can enter as many subdomains as you need by separating them with a space. so i did embyssltest.com emby.embyssltest.com 

click create free ssl certificate

Click on Manual Verification (DNS)

Green box Manually verify domain

 

 

589e1be1d4099_Untitled4.jpg

 

You should now see the above.

You now need to head back over to your domain registrar and Advanced DNS

Just as before when we created the CNAME record we now need to add a new record this time choosing TXT record

Using the details above you populate your TXT record. create 1 TXT record per entry above.

Host = _acme-challenge

Value = 4G1h1vHrggXbdIXHvfLlaQHaA_o-eg6T3BxXp7JqbHU

TTL = 1min

 

Host = _acme-challenge.emby

Value = m0TCGHyHl7m16P7T8z9HlKAkAdbgT2kJ_JLrncknalM

TTL = 1min

 

Notice above I removed the domain name from the Host as this is added automatically. .embyssltest.com

 

589e1d45a7b86_Untitled5.jpg

 

Save the TXT records and wait a few mins for propagation

 

Click on the Verify links to check that the TXT records are working. You should see the TXT record in your browser. Now click Download SSL Certificate.

 

You should now have a zip file which contains 3 files

certificate.crt

ca_bundle.crt 

private.key

 

congrats you now have your SSL cert!

 

 

 

 

To BE Continued......

Edited by Swynol
  • Like 4
Link to comment
Share on other sites

Swynol

Part.4 - Setting up SSL connection to emby by changing emby's default SSL port.

 

We now need to create a .pfx file from the .crt and .key files we have.

i used OpenSSL to convert mine but an easier way is to use - https://www.sslshopper.com/ssl-converter.html

 

Fill in the boxes as i have done below

 

589e28147fae8_Untitled.jpg

leave the pfx password box blank as emby requires a blank password.

 

Click convert and we should now have a cert.pfx file. Save the file somewhere were we can import it into emby. for example C:\SSL\

 

Now head over to emby server and manage server.

Click Advanced and fill in the boxes as below

 

589e297aec802_Untitled1.jpg

 

The Public https port needs to be 443 and set your external domain to your domain name. click save. 

 

Lets try to navigate to https://emby.embyssltest.com 

 

congrats this is one way to set up a ssl connection. Only issue is that this way uses port 443 so nothing else in your home network can then have an incoming connection on port 443. not ideal. 

 

EDIT: another reason to not set it up this way is documented here - https://emby.media/community/index.php?/topic/30792-howto-use-custom-ssl-cert-and-keep-private-key-secure/ because emby requires a .pfx with no password it could be classed as insecure as you private.key is accessible without a password. So again another +1 for using nginx reverse proxy.

Edited by Swynol
  • Like 4
Link to comment
Share on other sites

Swynol

Part.5 - Setting up a reverse proxy instead of using Part.4 above.

 

This is my preferred way. I only learnt how to setup and use a reverse proxy today so I am no professional. This way allows you to use many applications or services behind one port. in this case port 443.

 

First we need to create a .pem certificate from our our 3 SSL files we got earlier.

 

Open a blank notepad

then open your certificate.crt with notepad. copy the contents into the blank notepad. then open the ca_bundle.crt with notepad and copy the contents again below the previous then save the file as cert.pem

 

-----BEGIN CERTIFICATE-----

(Your Primary SSL certificate: certificate.crt)

-----END CERTIFICATE-----

-----BEGIN CERTIFICATE-----

(Your Root certificate: ca_bundle

 

Big thanks to members on here helping me through this setup.

 

First we need a reverse proxy I recommend nginx lion - http://nginx-win.ecsds.eu/

 

download the zip and extract the contents to C:\

 

we should now have C:\nginx 1.11.9-lion\

go into the conf folder and edit the nginx.conf (maybe called nginx-win.conf. if so rename to nginx.conf)

 

For somewhere to start delete everything in the conf file and copy what i have in the spoiler into your conf file.

 

 

 

#user nobody;

# multiple workers works !

worker_processes 2;

 

 

 

events {

worker_connections 8192;

}

 

 

http {

#include /nginx/conf/naxsi_core.rules;

include mime.types;

default_type application/octet-stream;

 

 

sendfile off;

 

server_names_hash_bucket_size 128;

map_hash_bucket_size 64;

 

## Start: Timeouts ##

client_body_timeout 10;

client_header_timeout 10;

keepalive_timeout 30;

send_timeout 10;

keepalive_requests 10;

## End: Timeouts ##

 

#gzip on;

 

 

##EMBY Server##

 

server {

listen [::]:80;

listen 80;

listen [::]:443 ssl;

listen 443 ssl;

server_name emby.embyssltest.com; #your subdomain.domainname.com here

 

ssl_session_timeout 30m;

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;

ssl_certificate cert.pem; #your .pem file you created earlier.

ssl_certificate_key private.key; #your private.key

ssl_session_cache shared:SSL:10m;

if ($scheme = http) {

return 301 https://$server_name$request_uri;

}

 

location / {

proxy_pass http://192.168.1.10:8096; # Local emby ip and non SSL port

 

proxy_hide_header X-Powered-By;

proxy_set_header Range $http_range;

proxy_set_header If-Range $http_if_range;

proxy_set_header X-Real-IP $remote_addr;

proxy_set_header Host $host;

proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

 

#Next three lines allow websockets

proxy_http_version 1.1;

proxy_set_header Upgrade $http_upgrade;

proxy_set_header Connection "upgrade";

}

}

 

 

}

 

 

 

 

Save the config.

 

open a command prompt.

change to the directory where nginx is. i.e. cd c:\nginx 1.11.9-lion\

now type - nginx start

 

and thats it, you should now be able to go to https://emby.embyssltest.com which comes in on port 443 to nginx which uses the config to forward the request to your local IP and local port number.

 

Also don't forget, if you have previously port forwarded 8096 and 8920 on your router you can now block these ports.

Edited by Swynol
  • Like 2
Link to comment
Share on other sites

mediacowboy

Watching this forum as I am interested in doing the same thing. Thanks for the detailed write up.

Link to comment
Share on other sites

Swynol

there is a few issues that i will address soon. one being that the SSL cert is linked to the domain name you bought, however because we are using a CNAME from your domainname to the DDNS address all webbrowers will report it as not trusted for this reason. there is a way to fix this which i will do another write up on. all it needs is that you use your domain name for the DDNS services which is easy to do.

  • Like 1
Link to comment
Share on other sites

Swynol

Part 1.A.

 

Ok, so this is an extension of Part 1. Dynamic DNS. If you used Part.1 above then got a SSL Cert for your shiny new domain name and followed all the other steps. When browsing to https://emby.embyssltest.com you will connect via HTTPS however your browser will warn you that the Cert isnt trusted as it was assigned to embyssltest.com however you are browsing to embyssltest.ddns.net because of the CNAME and URL redirecting.

 

To fix this we need to setup your new domain name to do the Dynamic DNS'ing. For this I will demonstrate on NameCheap how I have mine setup. 

 

Head over to namecheap.com

Create an account or login to your existing account.

Go to Advanced DNS

Scroll to the bottom where is says Dynamic DNS and turn it on.

Create a A+ Dynamic DNS record. 

Host = a subdomain for example DNS

Value = 127.0.0.1 (this doesnt really matter as it will be dynamically updated)

TTL = Automatic

 

We also need to edit the CNAME we created in Part.2 for emby.

Under the Host Records

Find the CNAME we created for emby.

Host = emby

Value = DNS.embyssltest.com

 

We now need to find a way to update the NameCheap DDNS. Some routers will support this (follow Part.1 but substitute no-ip for the namecheap details) however if your router is like mine and doesnt support namecheap ddns then you need to download software to do this. Namecheap offer their own client. https://namecheap.simplekb.com/SiteContents/2-7C22D5236A4543EB827F3BD8936E153E/media/Dynamic%20DNS%20Client%20%202.0.0.7%20Beta.zip

 

Unzip it and enter your details for namecheap.

Once running it will update the 127.0.0.1 entry above with your external IP.

 

Now that is setup we need to revisit Part.3 Getting the SSL Cert. When applying for the cert you now need to add another subdomain. DNS.embyssltest.com. so it should now look like embyssltest.com emby.embyssltest.com dns.embyssltest.com. 

 

Now follow the other parts to configuring the SSL cert. Once done you should now get a nice green HTTPS:// connection to https://emby.embyssltest.com 

  • Like 2
Link to comment
Share on other sites

JunkStar

Great info! Never heard of sslforfree.com and it was a great help. For some reason my IIS stopped working with the acme-challenge and i couldnt figure out why. Now i will just use the manual method every 3 months.

 

BTW. Having a static WAN IP from your ISP makes life so much easier...

Edited by JunkStar
Link to comment
Share on other sites

Swynol

Ye static IP's make life easier although there are advantages of having a external DHCP IP. 

 

ye sslforfree is a web front end for lets encrypt. it's referenced on their website which is how i found it. There are actually a few different ones but they all do the same thing. If using a reverse proxy which I'm guessing you are with IIS then at least you only have to update one set of certs for all your services behind IIS. before i had a bunch of certs, one for sonarr, one for NZB, one for emby, one for plex, one for htpc manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way. 

  • Like 2
Link to comment
Share on other sites

JunkStar

Ye static IP's make life easier although there are advantages of having a external DHCP IP. 

 

ye sslforfree is a web front end for lets encrypt. it's referenced on their website which is how i found it. There are actually a few different ones but they all do the same thing. If using a reverse proxy which I'm guessing you are with IIS then at least you only have to update one set of certs for all your services behind IIS. before i had a bunch of certs, one for sonarr, one for NZB, one for emby, one for plex, one for htpc manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way. 

 

Yeah im really tempted to setup a reverse proxy and also automate the LE SSL Cert process again but since i dont know what went wrong the last time im kinda hessitant..

Link to comment
Share on other sites

Swynol

i'm no expert on nginx reverse proxy but with help from members on here have managed to successfully setup around 12 services through it, some more difficult than others. I havent looked at automating the LE certs, maybe thats something i can do when i have more time to mess around.

 

Also if you follow the setup for nginx using the sslforfree certs you get a good HTTPS rating of A-, yes it could be better but i'm happy with that.

Link to comment
Share on other sites

Overseer

If using a reverse proxy which I'm guessing you are with IIS then at least you only have to update one set of certs for all your services behind IIS. before i had a bunch of certs, one for sonarr, one for NZB, one for emby, one for plex, one for htpc manager... the list goes on. Imagine updating them every 3 months. Running nginx has made life much easier in every way. 

 

Could you provide an example setup using nginx for all those?  I'm running Sonarr, Radarr, Sab, Emby and Ombi on a 2012R2 server and everything is local.  Looking to expand my horizons for on the road.

Link to comment
Share on other sites

shorty1483

Could you provide an example setup using nginx for all those?  I'm running Sonarr, Radarr, Sab, Emby and Ombi on a 2012R2 server and everything is local.  Looking to expand my horizons for on the road.

 

Do you want e.g. "example.com/emby" or "emby.example.com"?

 

This is my config for all my web tools as a sub behind the domain, So I call "domain/ombi", "domain/sabnzbd" + I made myself a starting webpage to access them all with a simple click.

http {
        include       mime.types;
        default_type  application/octet-stream;

	access_log off;

        sendfile        off;
	
	server_names_hash_bucket_size 128;
	map_hash_bucket_size 64;
	
	## Start: Timeouts ##
	client_body_timeout 10;
	client_header_timeout 10;
	keepalive_timeout 30;
	send_timeout 10;
	keepalive_requests 10;
	## End: Timeouts ##

        gzip on;
	gzip_disable "msie6";

	gzip_comp_level 6;
	gzip_min_length 1100;
	gzip_buffers 16 8k;
	gzip_proxied any;
	gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;

	server {
	        listen 80;
		listen 443 ssl;
		server_name domain;
		if ($scheme = http) {
		   return 301 https://$server_name$request_uri;
		}
		 
		 ssl_certificate                 	cert/domain.ecdsa.pem;
                 ssl_certificate_key             	cert/domain.ecdsa.key.pem;
		 ssl_certificate                 	cert/domain.rsa.pem;
                 ssl_certificate_key             	cert/domain.rsa.key.pem;
		 ssl_dhparam 				cert/dhparam2048.pem;

		 ssl_session_timeout 			30m;
		 ssl_session_cache                      shared:SSL:10m;
		 ssl_prefer_server_ciphers 		on;
		 ssl_ecdh_curve 			X25519:prime256v1;
		 ssl_protocols				TLSv1 TLSv1.1 TLSv1.2;
		 ssl_ciphers ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!DSS;
		 
		 keepalive_timeout               	180;
		 
		 client_max_body_size            	1024m;
		 
		 ## Emby ##
		 location / {
		  # Send traffic to the backend
                   proxy_pass http://127.0.0.1:8096;
                   proxy_set_header X-Real-IP $remote_addr;
                   proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
                   proxy_set_header Host $host;
                   proxy_set_header X-Forwarded-Proto $remote_addr;
                   proxy_set_header X-Forwarded-Protocol $scheme;
                   proxy_redirect off;

                # Send websocket data to the backend aswell
                   proxy_http_version 1.1;
                   proxy_set_header Upgrade $http_upgrade;
                   proxy_set_header Connection "upgrade";
			}
		
		## Ombi ##
		 location /ombi {
		# Send traffic to the backend
                  proxy_pass http://127.0.0.1:333/ombi;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
                  proxy_set_header Host $host;
                  proxy_set_header X-Forwarded-Proto $remote_addr;
                  proxy_set_header X-Forwarded-Protocol $scheme;
                  proxy_redirect off;

                # Send websocket data to the backend aswell
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
			}
		
		## Sabnzbd ##
		 location /sabnzbd {
		# Send traffic to the backend
                  proxy_pass http://127.0.0.1:8080;
                  proxy_set_header X-Real-IP $remote_addr;
                  proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
                  proxy_set_header Host $host;
                  proxy_set_header X-Forwarded-Proto $remote_addr;
                  proxy_set_header X-Forwarded-Protocol $scheme;
                  proxy_redirect off;

                # Send websocket data to the backend aswell
                  proxy_http_version 1.1;
                  proxy_set_header Upgrade $http_upgrade;
                  proxy_set_header Connection "upgrade";
			}
			
		## Server Start page ##
		  location /start {
		  root html;
		  index index.html index.htm;
			}
		}

}
Edited by shorty1483
  • Like 2
Link to comment
Share on other sites

Swynol

i have mine setup as emby.mydomain.com sonarr.mydomain.com etc... i have a folder called SSL in nginx/conf with my pem and key file. and those 2 files provide the HTTPS:// for all my services. also theres a redirect on http to https to force people to connect to https. most services run on the same machine some are on another. eventually there will be some VLAN setting i need to play with.


#user  nobody;
# multiple workers works !
worker_processes  2;



events {
    worker_connections  8192;
}


http {
    #include      /nginx/conf/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;


    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##

    #gzip  on;

	

	##EMBY Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://192.168.1.10:8096;  # Local emby ip and non SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
	

}


	##Sonarr Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name sonarr.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://127.0.0.1:8989;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

	##NZB Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name nzb.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://127.0.0.1:6789;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

	##Plex Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name plex.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://127.0.0.1:32400;  

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

	##Unifi Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name unifi.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass https://192.168.1.10:8928;  

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		
		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}

##Unifi Guest Portal##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name guest.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass https://127.0.0.1:8843;

		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		
		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
	 location /ws/ {
                        proxy_pass http://127.0.0.1:8843/ws/;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                }
}

	

	##CCTV Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name cctv.mydomain.com; 
	

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://192.168.1.101:8099;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}


	##HTPC Manager Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name htpc.mydomain.com; 
	

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://127.0.0.1:8085;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}

	##Heating##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name heat.mydomain.com; 
	

        #path to your SSL files, nginx must now handle all of the SSL, not each individual server
        #to your backend is regular HTTP its assumed safe, its on your local network or the same PC as nginx
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://192.168.1.91:80;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}


	#uTorrent##

	server {
        listen [::]:80;
		listen 80;
		listen [::]:443 ssl;
		listen 443 ssl;
		server_name utorrent.mydomain.com; 
		
		ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
	

        #charset koi8-r;

        #access_log  logs/host.access.log  main;

	location / {
		proxy_pass http://127.0.0.1:7070/;
		
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		
		proxy_redirect  off;
		proxy_set_header Host $host;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_pass_header Set-Cookie;
        proxy_pass_header P3P;
	}

}

	##HDD Temps##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name hdd.mydomain.com; 
	

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://127.0.0.1:8929/status;  

	proxy_hide_header X-Powered-By;
	proxy_set_header Range $http_range;
	proxy_set_header If-Range $http_if_range;
	proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    }
}

}

Edited by Swynol
  • Like 2
Link to comment
Share on other sites

Overseer

Thank you @shorty1483 and @Swynol.  At first my eyes glazed over and a little bit of drool dribbled out of my mouth but after reading through a couple of times it makes sense.  I'm liking the simplicity  of the subdomain setup.  Will definitely give this a whirl over the long weekend here.

 

Thanks to you both for the response.

  • Like 1
Link to comment
Share on other sites

Swynol

ye no worries. it might look a bit daunghting at first but each section is pretty much just a copy of the previous. you can pretty much copy and paste this section for each service you need just change the port or IP as needed. also make sure your SSL cert has your subdomains listed.

##EMBY Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

     location / {
        proxy_pass http://192.168.1.10:8096;  # Local emby ip and non SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
	

}
  • Like 1
Link to comment
Share on other sites

zigzagtshirt

@@Swynol Where does it say on the site that the certs expire after 90 days?  I don't see it on there anywhere.  Is there a way to automate a regeneration of them once they expire?

Link to comment
Share on other sites

zigzagtshirt

Hoping someone can help.  I can't get this working.

 

I have my domain set up (and ddns within the domain) just as this tutorial explains.  I have changed the public https port number in Emby settings to 443 and set up port forwarding properly in router firewall, and disable my Norton firewall completely.  I have my external domain in the "External domain" field in Emby settings, and report https as external address checked.

 

When I go to https://emby.mydomain.com it won't connect.  When I go to emby.mydomain.com:8096 it connects with http just fine. 

 

When I use the port scanner on whatsmyip.org to scan 8096 is says "Port is open".  When I scan 443, it says "Port Closed".  This isn't a firewall issue because when I re-enable my Norton firewall and scan the port again, it says "Port timed out".  My understanding is that since it returned "Port Closed" (as opposed to "timed out") that it's getting through my firewall just fine, and that there is something not configured correctly with Emby.  

 

 

Also followed the directions exactly to create my certificate, and it is selected in the Emby settings.

 

Any ideas?

Edited by tsherran
Link to comment
Share on other sites

Happy2Play

Have you tried a different https port, not very common but could your ISP be blocking the port?

Link to comment
Share on other sites

zigzagtshirt

Called ISP and verified that they don't block it.

 

Also, changing external https port in Emby settings works just fine.  External port scan shows that it's open.  But when I change it back to 443, the port scan shows it as closed.

Edited by tsherran
Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...