Setting up SSL for Emby (WIP)

November 28, 2017

A few potential things.

If you haven't setup nginx, nginx won't forward automatically to Emby.

If organizr is listening on 443, what port is nginx listening on? Org

A fairly recent change means that if you are using a reverse proxy with the Require "https for external connections" checked you will need to forward traffic from your reverse proxy to Emby's https port. Earlier instructions said to pass traffic to the regular non-SSL http port.

Not sure how to set up Nginx, can't find any decent qnap instructions. Have tried copying Swynol settings to the conf file I could find and I get this when I connect to port 89 and 443

See below..

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.

Commercial support is available at nginx.com.

Thank you for using nginx.

I have setup Organizr internal only..

I have setup emby with the tick.

I know my problem is the whole Nginx setup is all wrong.. :-(

Edited November 28, 2017 by deiniol39

November 29, 2017

So... Can't get past the Verification stage for generating a validated SSL cert. Self-signed is in place now but it doesn't work for external connections even though port 8920 is forwarded.

Is there no way to get an SSL cert without having access to some DNS or HTTP stuff? I don't have any of that, just a dynamic DNS address pointing to my IP.

At https://zerossl.com/free-ssl/#crt my only options are HTTP or DNS verification. I don't have or want an HTTP server (only emby) and I have no idea where one would edit or place a DNS record.

Hi Xen0sys. Do you own your domain name or are you using a free DDNS service like no-ip, dyn-dns etc? if its one of the free ones you wont be able to get a proper cert because you can only get a cert for a domain you own.

If you own a domain name then you have to do the verification to prove that you own the domain name.

November 29, 2017

Not sure how to set up Nginx, can't find any decent qnap instructions. Have tried copying Swynol settings to the conf file I could find and I get this when I connect to port 89 and 443

See below..

Welcome to nginx!

If you see this page, the nginx web server is successfully installed and working. Further configuration is required.

For online documentation and support please refer to nginx.org.

Commercial support is available at nginx.com.

Thank you for using nginx.

I have setup Organizr internal only..

I have setup emby with the tick.

I know my problem is the whole Nginx setup is all wrong.. :-(

not used a QNAP before so not sure how to set it up.

If your getting the above then it looks like NGINX is working but is using the default config. I'm not sure if the file structure is the same as windows but if you go into the NGINX folder, there should be another folder called conf. in here you put your nginx.conf file.

if you are accessing organizr using port 443 you will have to change this, not sure how you have organizr setup but you can put it inside NGINX and use NGINX to serve Organizr.

November 29, 2017

not used a QNAP before so not sure how to set it up.

If your getting the above then it looks like NGINX is working but is using the default config. I'm not sure if the file structure is the same as windows but if you go into the NGINX folder, there should be another folder called conf. in here you put your nginx.conf file.

if you are accessing organizr using port 443 you will have to change this, not sure how you have organizr setup but you can put it inside NGINX and use NGINX to serve Organizr.

I've switched of Organizr for now, been looking through folder last night. Can't find one called conf. I might try and create one top level and see what that does.. I have adjusted your big config file to match up with my system. SO I will play more this evening or if I get a chance at lunch time..

Great little tutorial though Swynol

Diolch ti..

November 29, 2017

looks like the conf goes here - .qpkg/QNginx/etc/nginx/nginx.conf

Looks like setting up NGINX on a QNAP is a pain in the ar*e. looking at this guide - https://forum.qnap.com/viewtopic.php?t=11184

I was wondering from the name if you were Welsh or live in Wales

Edited November 29, 2017 by Swynol

November 29, 2017

I've switched of Organizr for now, been looking through folder last night. Can't find one called conf. I might try and create one top level and see what that does.. I have adjusted your big config file to match up with my system. SO I will play more this evening or if I get a chance at lunch time..

Great little tutorial though Swynol

Diolch ti..

On qnap you might want to go the docker route. Try linuxserver/letsencrypt

Here is an article about it: https://www.linuxserver.io/2017/11/28/how-to-setup-a-reverse-proxy-with-letsencrypt-ssl-for-all-your-docker-apps/

And here's one about docker on qnap: https://www.linuxserver.io/2017/09/17/how-to-setup-containers-on-qnap/

November 29, 2017

looks like the conf goes here - .qpkg/QNginx/etc/nginx/nginx.conf

Looks like setting up NGINX on a QNAP is a pain in the ar*e. looking at this guide - https://forum.qnap.com/viewtopic.php?t=11184

I was wondering from the name if you were Welsh or live in Wales

I am Swynol, from Anglesey.. Born and Bred

November 30, 2017

Little update, Have apps running in Docker now, bit tricky because I was running and Qnap and not many instructions. Bit of a learning curve, but if anybody is stuck let me know and I will try and help.. Next playing with reverse proxy

Thanks aptalca for the link would never would have got started without those..

Edited November 30, 2017 by deiniol39

November 30, 2017

On qnap you might want to go the docker route. Try linuxserver/letsencrypt

Here is an article about it: https://www.linuxserver.io/2017/11/28/how-to-setup-a-reverse-proxy-with-letsencrypt-ssl-for-all-your-docker-apps/

And here's one about docker on qnap: https://www.linuxserver.io/2017/09/17/how-to-setup-containers-on-qnap/

Thanks aptalca for the link would never would have got started without those..

December 1, 2017

Any idea why I am getting this guys.. Followed swynol instructions. Got docker to work for my apps, but when it come time to encrypt and create the reverse proxy

that you are serving files from the webroot path you provided.

/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory

[cont-init.d] 50-config: exited 1.

[cont-finish.d] executing container finish scripts...

[cont-finish.d] done.

[s6-finish] syncing disks.

[s6-finish] sending all processes the TERM signal.

[s6-finish] sending all processes the KILL signal and exiting.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.

[s6-init] ensuring user provided files have correct perms...exited 0.

[fix-attrs.d] applying ownership & permissions fixes...

[fix-attrs.d] done.

[cont-init.d] executing container initialization scripts...

[cont-init.d] 10-adduser: executing...

usermod: no changes

-------------------------------------

_ _ _

| |___| (_) ___

| / __| | |/ _ \

| \__ \ | | (_) |

|_|___/ |_|\___/

|_|

Brought to you by linuxserver.io

We gratefully accept donations at:

https://www.linuxserver.io/donations/

-------------------------------------

GID/UID

-------------------------------------

User uid: 1000

User gid: 100

-------------------------------------

[cont-init.d] 10-adduser: exited 0.

[cont-init.d] 20-config: executing...

[cont-init.d] 20-config: exited 0.

[cont-init.d] 30-keygen: executing...

using keys found in /config/keys

[cont-init.d] 30-keygen: exited 0.

[cont-init.d] 50-config: executing...

2048 bit DH parameters present

SUBDOMAINS entered, processing

Sub-domains processed are: -d emby.mydomain.cymru -d radarr.mydomain.cymru -d sonarr.mydomain.cymru -d nzbget.mydomain.cymru

E-mail address entered: me@.com

Generating new certificate

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Obtaining a new certificate

Performing the following challenges:

tls-sni-01 challenge for mydomain.cymru

tls-sni-01 challenge for emby.mydomain.cymru

tls-sni-01 challenge for radarr.mydomain.cymru

tls-sni-01 challenge for sonarr.mydomain.cymru

tls-sni-01 challenge for nzbget.mydomain.cymru

Waiting for verification...

Cleaning up challenges

Failed authorization procedure. mydomain.cymru (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for mydomain.cymru, nzbget.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :

: Connection refused, sonarr.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, radarr.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connectio

n refused, emby.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

- The following errors were reported by the server:

Domain: mydomain.cymru

Type: unknownHost

Detail: No valid IP addresses found for mydomain.cymru

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A record(s) for that domain

contain(s) the right IP address.

- The following errors were reported by the server:

Domain: nzbget.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: sonarr.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: radarr.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: emby.mydomain.cymru

Type: connection

Detail: Connection refused

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A record(s) for that domain

contain(s) the right IP address. Additionally, please check that

your computer has a publicly routable IP address and that no

firewalls are preventing the server from communicating with the

client. If you're using the webroot plugin, you should also verify

that you are serving files from the webroot path you provided.

/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory

[cont-init.d] 50-config: exited 1.

[cont-finish.d] executing container finish scripts...

[cont-finish.d] done.

[s6-finish] syncing disks.

[s6-finish] sending all processes the TERM signal.

[s6-finish] sending all processes the KILL signal and exiting.

December 1, 2017

I hope it works with a self-signed certificate too?

December 1, 2017

I hope it works with a self-signed certificate too?

Most devices will reject self signed certs and that's going to result in connection failures.

December 1, 2017

@@deiniol39

Your docker container can't be reached from the outside internet. There's a lot of potential ways for this to break so you're going to have to check them one by one.

Your DNS has to go to your WAN IP address. If you're running Emby from home check https://whatismyipaddress.com/

Port 443 has to be open on your router and forwarding to what's running docker.

Your letsencrypt container has to be listening on the port that your router is forwarding to (In all likelihood also 443)

The host firewall needs to be allowing the traffic to/from these ports.

December 1, 2017

Any idea why I am getting this guys.. Followed swynol instructions. Got docker to work for my apps, but when it come time to encrypt and create the reverse proxy

that you are serving files from the webroot path you provided.

/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory

[cont-init.d] 50-config: exited 1.

[cont-finish.d] executing container finish scripts...

[cont-finish.d] done.

[s6-finish] syncing disks.

[s6-finish] sending all processes the TERM signal.

[s6-finish] sending all processes the KILL signal and exiting.

[s6-init] making user provided files available at /var/run/s6/etc...exited 0.

[s6-init] ensuring user provided files have correct perms...exited 0.

[fix-attrs.d] applying ownership & permissions fixes...

[fix-attrs.d] done.

[cont-init.d] executing container initialization scripts...

[cont-init.d] 10-adduser: executing...

usermod: no changes

-------------------------------------

_ _ _

| |___| (_) ___

| / __| | |/ _ \

| \__ \ | | (_) |

|_|___/ |_|\___/

|_|

Brought to you by linuxserver.io

We gratefully accept donations at:

https://www.linuxserver.io/donations/

-------------------------------------

GID/UID

-------------------------------------

User uid: 1000

User gid: 100

-------------------------------------

[cont-init.d] 10-adduser: exited 0.

[cont-init.d] 20-config: executing...

[cont-init.d] 20-config: exited 0.

[cont-init.d] 30-keygen: executing...

using keys found in /config/keys

[cont-init.d] 30-keygen: exited 0.

[cont-init.d] 50-config: executing...

2048 bit DH parameters present

SUBDOMAINS entered, processing

Sub-domains processed are: -d emby.mydomain.cymru -d radarr.mydomain.cymru -d sonarr.mydomain.cymru -d nzbget.mydomain.cymru

E-mail address entered: me@.com

Generating new certificate

Saving debug log to /var/log/letsencrypt/letsencrypt.log

Obtaining a new certificate

Performing the following challenges:

tls-sni-01 challenge for mydomain.cymru

tls-sni-01 challenge for emby.mydomain.cymru

tls-sni-01 challenge for radarr.mydomain.cymru

tls-sni-01 challenge for sonarr.mydomain.cymru

tls-sni-01 challenge for nzbget.mydomain.cymru

Waiting for verification...

Cleaning up challenges

Failed authorization procedure. mydomain.cymru (tls-sni-01): urn:acme:error:unknownHost :: The server could not resolve a domain name :: No valid IP addresses found for mydomain.cymru, nzbget.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :

: Connection refused, sonarr.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused, radarr.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connectio

n refused, emby.mydomain.cymru (tls-sni-01): urn:acme:error:connection :: The server could not connect to the client to verify the domain :: Connection refused

IMPORTANT NOTES:

- The following errors were reported by the server:

Domain: mydomain.cymru

Type: unknownHost

Detail: No valid IP addresses found for mydomain.cymru

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A record(s) for that domain

contain(s) the right IP address.

- The following errors were reported by the server:

Domain: nzbget.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: sonarr.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: radarr.mydomain.cymru

Type: connection

Detail: Connection refused

Domain: emby.mydomain.cymru

Type: connection

Detail: Connection refused

To fix these errors, please make sure that your domain name was

entered correctly and the DNS A record(s) for that domain

contain(s) the right IP address. Additionally, please check that

your computer has a publicly routable IP address and that no

firewalls are preventing the server from communicating with the

client. If you're using the webroot plugin, you should also verify

that you are serving files from the webroot path you provided.

/var/run/s6/etc/cont-init.d/50-config: line 127: cd: /config/keys/letsencrypt: No such file or directory

[cont-init.d] 50-config: exited 1.

[cont-finish.d] executing container finish scripts...

[cont-finish.d] done.

[s6-finish] syncing disks.

[s6-finish] sending all processes the TERM signal.

[s6-finish] sending all processes the KILL signal and exiting.

You need to add a dns A record

December 1, 2017

You need to add a dns A record

How will that work if I don't have a static address.. My IP will change thats why I have created a DNS link with noip

December 1, 2017

How will that work if I don't have a static address.. My IP will change thats why I have created a DNS link with noip

Using a dynamic DNS service should be fine. A dynamic DNS still uses an A record though and you need to make sure it's correct, the dynamic means the service to allow you to quickly and automatically update it.

Since you probably shouldn't share your DNS here with us you can check it with this site. http://viewdns.info/dnsrecord/

Make sure the A Record correctly matches the IP address from https://whatismyipaddress.com

As an additional note on DDNS services, you probably want to set it up so it updates automatically. My router does this for me, but there are other tools available. I found this with about 30seconds of googling, looks OK but I can't personally vouch for it. https://github.com/coppit/docker-no-ip

December 2, 2017

Using a dynamic DNS service should be fine. A dynamic DNS still uses an A record though and you need to make sure it's correct, the dynamic means the service to allow you to quickly and automatically update it.

Since you probably shouldn't share your DNS here with us you can check it with this site. http://viewdns.info/dnsrecord/

Make sure the A Record correctly matches the IP address from https://whatismyipaddress.com

As an additional note on DDNS services, you probably want to set it up so it updates automatically. My router does this for me, but there are other tools available. I found this with about 30seconds of googling, looks OK but I can't personally vouch for it. https://github.com/coppit/docker-no-ip

I just want to add, I personally use duckdns, which is a great service, and we happen to have a docker for that as well.

Sign up for duckdns, you get 5 free subdomains forever, no restrictions. Then you can set up our docker on your qnap, enter your duckdns token and it will make sure your ip is up to date

https://hub.docker.com/r/linuxserver/duckdns/

You can either forward your own domain to the duckdns subdomain, or you can get a letsencrypt cert directly for the duckdns subdomain. Use the full url as the domain, ie. "customsubdomain.duckdns.org" and you can get it to cover sub-subdomains such as emby.customsubdomain.duckdns.org

December 12, 2017

Hi Xen0sys. Do you own your domain name or are you using a free DDNS service like no-ip, dyn-dns etc? if its one of the free ones you wont be able to get a proper cert because you can only get a cert for a domain you own.

If you own a domain name then you have to do the verification to prove that you own the domain name.

Ahh... The former. I figured it might have that limitation.

December 12, 2017

Alright, so there are a few problems I'm having which I can't figure out. Hoping someone can help (and I apologize if these issues have been brought up previously, but I couldn't find anything on them).

I went through the initial 5 steps and purchased a domain off namecheap.com. I should note that I did not purchase a .com, but rather a .media domain name, so not sure if that's the cause of all my issues. I then setup the A+ dynamic IP and used dns as the host. I went to sslforfree.com and created the ssl for the main domain and the dns.mydomain.media, converted the files to .pem and loaded it into Emby. I set the secure port to 443 (for both internal and external). What I could NOT get working was setting up a CNAME for dns, as when I then typed dns.mydomain.media in a browser, nothing loaded and it gave me a dns error. I fiddled with it so many times, but could not get it working. My port 443 is forwarded to my computer. I then decided to try setting up a URL Redirect Record in namecheap instead of using the CNAME. I used @ as the host, so that just mydomain.media would forward, and i set https://dns.mydomain.media as the redirect url. This worked. My emby server loaded and it was secure. So this is the first issue I ran into: that CNAME would not work. Regardless, it was a workaround that seemed to work and proved that port 443 was in fact open and forwarding to my computer.

Now, I also have services like Sickrage and Radarr setup on my computer, so I decided to remove the pem file from Emby and try the nginx process. I set my nginx conf file up as shared by multiple people (with separate ports for each service), and nginx seems to be running (as there are three nginx.exe showing in my task manager). Problem is now no url is resolving. Not quite sure what I should setup in the DNS on namecheap. What I've done is added a separate A+ dynamic ip record for each subdomain I want (ie emby.mydomain.media, sickrage.mydomain.media, radarr.mydomain.media). I then tryed the CNAMEs again, using emby as a host, then sickrage, and radarr, each pointing to it's specific A+ url. That never worked. I then tried URL Redirects for each... doesn't work either. And yes, I did update the ssl certificate and added all of the subdomains.

Any thoughts on how to get this working?

December 12, 2017

@@anujpuri85

quite alot going on there. I think we first need to get CNAMEs working.

remove @ URL redirect.

So on namecheap you have a A+ Dynamic DNS record. Host = dns value = xxx.xxx.xxx.xxx (your WAN IP)

create a CNAME with Host = emby value = dns.mydomain.media

give it 10 - 15 mins to replicate. then ping emby.mydomain.media. it should reply with your WAN IP. if after 30mins it still doesnt work, contact the online namecheap chat and ask them to check their servers as its probably not replicating correctly.

You need to forward both port 80 and port 443 to NGINX machine.

You need to change the ports on emby server back to original so HTTP is 8096 and HTTPS is 8920, restart Emby, then check the listening ports in NGINX and restart that. So NGINX will bind to ports 80 and 443.

December 12, 2017

@@Swynol

Alright, so I did what you said and pinging it shows my ip, but I don't get a response. Pinging emby.mydomain.media shows PING dns.mydomain.media (XX.XXX.XXX.XX): 56 data bytes. It then continues to show timeouts. Both 80 and 443 ports are forwarding to my computer. I also set the ports within emby to defaults.

Here's what my nginx.conf looks like:

#user  nobody;
# multiple workers works !
worker_processes  2;


events {
    worker_connections  8192;
}


http {
    #include      /nginx/conf/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;


    sendfile        off;


    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;


## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##


    #gzip  on;






##EMBY Server##


server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.media; 


        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }


     location / {
        proxy_pass http://10.0.0.10:8096;  # Local emby ip and non SSL port


proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }




}




##Sickrage Server##


server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name shows.mydomain.media; 


        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }


     location / {
        proxy_pass http://10.0.0.10:8088;  


proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}


##NZB Server##


server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name down.mydomain.media; 


        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }


     location / {
        proxy_pass http://10.0.0.10:6868;  


proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}


##Radarr##


server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name radarr.mydomain.media; 




        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }


     location / {
        proxy_pass http://10.0.0.10:7878;  


proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


    }
}


##Ombi##


server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name ombi.mydomain.media; 




        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }


     location / {
        proxy_pass http://10.0.0.10:3579;  


proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


    }
}
}

December 13, 2017

ok so it sounds like the CNAMEs are working.

can you get to any of your services?

remove the below from your emby block

if ($scheme = http) {
return 301 https://$server_name$request_uri;
}

restart NGINX and then try connecting to emby using your domain name but use HTTP

December 13, 2017

Same result with the ping unfortunately. Going in a browser doesn't load anything and just gives me a dns error. If i do add the non-secure port at the end of the url in a browser, then emby loads. and I know the 443 port is forwarding, because setting up the ssl the other way (within emby) worked (although the cname didnt work, i had to do a URL forward to dns.mydomain.media).

December 13, 2017

Same result with the ping unfortunately. Going in a browser doesn't load anything and just gives me a dns error. If i do add the non-secure port at the end of the url in a browser, then emby loads. and I know the 443 port is forwarding, because setting up the ssl the other way (within emby) worked (although the cname didnt work, i had to do a URL forward to dns.mydomain.media).

Have you verified that your ISP isn't blocking 443 and 80? I know my ISP blocks commonly used ports like that.

December 13, 2017

Yep, I checked that too and they are not blocking them.

Setting up SSL for Emby (WIP)

Recommended Posts

deiniol39 18

Link to comment

Share on other sites

Swynol 375

Link to comment

Share on other sites

Swynol 375

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

Swynol 375

Link to comment

Share on other sites

aptalca 70

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

wp.rauchholz 5

Link to comment

Share on other sites

Luke 37057

Link to comment

Share on other sites

KMBanana 84

Link to comment

Share on other sites

aptalca 70

Link to comment

Share on other sites

deiniol39 18

Link to comment

Share on other sites

KMBanana 84

Link to comment

Share on other sites

aptalca 70

Link to comment

Share on other sites

Econaut 1

Link to comment

Share on other sites

anujpuri85 1

Link to comment

Share on other sites

Swynol 375

Link to comment

Share on other sites

anujpuri85 1

Link to comment

Share on other sites

Swynol 375

Link to comment

Share on other sites

anujpuri85 1

Link to comment

Share on other sites

mediacowboy 438

Link to comment

Share on other sites

anujpuri85 1

Link to comment

Share on other sites

Create an account or sign in to comment

Create an account

Sign in