Can somebody educate me on reverse proxies?


Jdiesel

A bit of background, I am occasionally having issues with poor peering from my rented server located in Germany. Yes, I know having a server located so far away is my main problem, but the cost of it cannot be matched anywhere in North America. I also suspect that certain internet backbones along my route may be filtering and throttling certain traffic. I have heard that transmitting data over port 443 can combat this type of throttling. In addition I would like to use Cloudflare or Incapsula to hopefully improve my peering. This leads me to wanting to set up a reverse proxy using nginx.

 

Has anyone done this with Emby? If so does all traffic flow through port 443 or just the Emby interface? How about the websockets? 

 

I plan to dive into this and hopefully get it working but if anyone has a nginx config file they would like to share I would appreciate the help.


pir8radio

You don't really need nginx if you don't have a specific need for it. Cloudflare runs nginx as a reverse proxy already. You could if you wanted to; I do, but in your case if you don't need it why have two reverse proxies. Cloudflare should help you. I have not forced 443 because I thought a few clients didn't support https; that may have changed by now. I'll add a link to my config below.

 

You say no one in North America can match your colo price? How much are you paying? There are a few colos that offer $59.00/month for unlimited/unmetered gigabit internet, 4U rack space.

 

This is a stripped down version of my config with notes.
server {
    listen [::]:80;                                 ## Listen on IPv6 Port 80
    listen 80;                                      ## Listen on IPv4 Port 80
    listen [::]:443 ssl;                            ## Listen on IPv6 Port 443
    listen 443 ssl;                                 ## Listen on IPv4 Port 443
    server_name emby.domain.net;                    ## Respond to this domain name request

    access_log  logs/emby.log  emby;                ## Site log ("emby" is a log_format defined in the http {} block)

    ## SSL INFO ##
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;            ## TLSv1 and TLSv1.1 are deprecated; "TLSv1.2 TLSv1.3" is the current choice
    ssl_certificate      ssl/_pub.pem;
    ssl_certificate_key  ssl/_pvt.pem;
    ssl_session_cache shared:SSL:10m;

    location / {
        proxy_pass http://127.0.0.1:8080;           ## Backend Server

        proxy_hide_header X-Powered-By;             ## Strip the backend's X-Powered-By header (nginx's own Server header is controlled by server_tokens)
        proxy_set_header Range $http_range;         ## Stream Compatibility
        proxy_set_header If-Range $http_if_range;   ## Stream Compatibility
        proxy_set_header X-Real-IP $remote_addr;    ## Tell backend Clients real IP (behind Cloudflare this is the edge's IP, not the visitor's)
        proxy_set_header Host $host;                ## Forward host header
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        ## WEBSOCKET SUPPORT ##
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";      ## sent on every request; a map on $http_upgrade would limit it to real upgrades
    }
}

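
A hardened variant of the server block above, added here as an example; it is not pir8radio's config and not Emby's documentation. It keeps the thread's hostname (emby.domain.net), backend (127.0.0.1:8080) and certificate paths, and assumes Cloudflare's "Full" SSL mode (Cloudflare connects to port 443, so nginx terminates TLS). The Cloudflare edge ranges in the geo block are the published ones at the time of writing and are an assumption you must refresh from https://www.cloudflare.com/ips-v4 and https://www.cloudflare.com/ips-v6. Two security points the original block does not cover: with Cloudflare in front, $remote_addr is a Cloudflare edge address, and CF-Connecting-IP (the visitor's real address) must only be trusted when the TCP peer really is a Cloudflare edge, otherwise anyone who finds the origin IP can forge X-Real-IP/X-Forwarded-For; and an origin that answers direct connections lets a client bypass Cloudflare's cache and any page rules entirely. The port-80 listener and the HTTP to HTTPS redirect are left out of this block on purpose.

```nginx
## Added example (not from the thread): Emby behind Cloudflare, nginx terminating TLS.
## Hostname, backend port and cert paths follow the thread above; adjust to your setup.

## Send "Connection: upgrade" only on real WebSocket requests; plain requests get
## "Connection: close" toward the backend instead of a bogus upgrade header.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

## Cloudflare edge ranges (ASSUMED current: refresh from cloudflare.com/ips-v4 and /ips-v6).
## $cf_edge is 1 when the TCP peer is a Cloudflare edge, 0 otherwise.
geo $cf_edge {
    default 0;
    173.245.48.0/20  1;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    141.101.64.0/18  1;
    108.162.192.0/18 1;
    190.93.240.0/20  1;
    188.114.96.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    162.158.0.0/15   1;
    104.16.0.0/13    1;
    104.24.0.0/14    1;
    172.64.0.0/13    1;
    131.0.72.0/22    1;
    2400:cb00::/32   1;
    2606:4700::/32   1;
    2803:f800::/32   1;
    2405:b500::/32   1;
    2405:8100::/32   1;
    2a06:98c0::/29   1;
    2c0f:f248::/32   1;
}

## Visitor address: trust CF-Connecting-IP only from a Cloudflare edge, else the peer itself.
## A direct client sending a forged CF-Connecting-IP header is therefore ignored.
map $cf_edge $client_ip {
    default $remote_addr;
    1       $http_cf_connecting_ip;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.domain.net;

    ## Refuse anything that did not arrive through Cloudflare, so the origin cannot be
    ## reached (and the cache / page rules bypassed) by connecting to its IP directly.
    if ($cf_edge = 0) {
        return 403;
    }

    server_tokens off;                              ## do not advertise the nginx version
    ssl_protocols TLSv1.2 TLSv1.3;                  ## no TLSv1 / TLSv1.1
    ssl_session_timeout 30m;
    ssl_session_cache shared:SSL:10m;
    ssl_certificate     ssl/_pub.pem;
    ssl_certificate_key ssl/_pvt.pem;

    access_log logs/emby.log;

    location / {
        proxy_pass http://127.0.0.1:8080;           ## Emby, as in the thread

        proxy_hide_header X-Powered-By;             ## strip the backend's framework banner
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $client_ip;      ## the visitor, not the Cloudflare edge
        proxy_set_header X-Forwarded-For $client_ip;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Range $http_range;         ## stream compatibility
        proxy_set_header If-Range $http_if_range;

        ## WebSocket support, driven by the map above
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
    }
}
```

Run `nginx -t` after dropping this into the http {} context; the map and geo blocks must sit outside the server block. nginx's own access log still records the edge address with this approach; if you want $remote_addr itself rewritten (for fail2ban style tooling) use the realip module with one set_real_ip_from line per range and real_ip_header CF-Connecting-IP. The IP allow list is a convenience, not a strong boundary: Cloudflare's Authenticated Origin Pulls (client certificates from the edge to your origin) is the stronger way to make sure only Cloudflare can talk to the origin.
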
Jdiesel

So are you saying I can use my own signed certificates on Emby with a registered domain that Cloudflare is directed to? I mean I do have a few other services that I run on the server that I could use the reverse proxy for, but if I can go simple all the better. I actually tried changing my https port to 443, however I wasn't able to connect to the server.

 

I'm actually renting not co-locating at the moment. I pay $60 usd for a i7 3770, 32GB ram, and 16TB of storage with an unlimited/unmetered 1GB connection.


pir8radio

You can, I can't help you with the Emby/SSL side because I do use nginx. Keep in mind that Cloudflare will supply you with certs for your server so the path between CF and you is secure; they are long term certs that don't really matter because clients will no longer access your server directly, all they do is secure the traffic from CF to your server. CF then supplies good SSL certs to the clients that connect to your site via CF. If you want to see it all work check out my post here: https://emby.media/community/index.php?/topic/19457-help-me-test-my-emby-server/?p=188745 Just change to https.

 

I have friends that use this place: http://webcs.com/webcsdocs/dedicated.php   still not as cheap as where you are at.


Jdiesel
Very nice setup! 

 

I will have to do some more research on this to see if I can get Cloudflare setup without using a reverse proxy. My understanding is that Cloudflare only supports traffic on ports 80 and 443 so my first task would be to get Emby working over these ports.


gstuartj

I use CloudFlare with my Emby server. I do use my own reverse proxy as well, but you can easily change the port Emby is running on by clicking "Advanced" at the bottom of the left-side menu in the Dashboard. Alternatively, you can set up port forwarding on your router so that 443 external is directed to 8920 on the server. In CloudFlare you can use the "Flexible" setting for SSL, then it will accept your self-signed certificates generated by Emby.


Jdiesel

Wow!

 

I just got my reverse proxy setup using nginx using Let's Encrypt certificates and Cloudflare. Browsing the web interface the fanart loads instantly now. Very impressed so far. I've only tested with the Android mobile client so far and it worked without any changes other than accepting the new certificate. Will all the other clients work over port 443?


pir8radio
Add these settings to Cloudflare under "Page Rules"; replace "domainname.com" with your domain name.

 

This first rule forces all cached images to stay on the edge servers for 30 days and in clients for 1 year.  Otherwise they flush the edge servers quite often defeating the purpose of the cache.

[screenshot: first page rule]

 

 

This rule forces Cloudflare to cache all images. Normally they do not cache most Emby images because Emby doesn't have extensions on the majority of its images, so this rule forces (based on path) Cloudflare to cache the file no matter what. You don't want to use "cache everything" on the root; bad things start to happen. If Emby makes a change it won't get pushed to CF, so CF will serve stale pages. This is OK with the images though, as shown below.

[screenshot: second page rule]

 

 

 

You can confirm things are working by loading your Emby up in Chrome: right click, go to "Inspect", select the "Network" tab and check the "Disable cache" box. Right click the column title "Name" and add a custom header "cf-cache-status". Load the page three or four times and you should start seeing "HIT" under cf-cache-status; this means the resource has come from CF and not directly from your server!

 

[screenshot: Chrome Network tab with the cf-cache-status column]


pir8radio

Cache level "Standard", Always Online "ON" (doesn't really do much but keep the login page active when Emby is down), Cache Expiration "Respect Existing Headers" or "Select". Between Emby's default cache settings and the two rules above, those settings work well.

Don't enable the "Auto Minify" check boxes or Rocket Loader; some strange client issues start to pop up.


Jdiesel

I can't seem to get http to redirect to https, any suggestions?

server {
    listen [::]:80 default_server;
    listen 80 default_server;
    server_name domain.com;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name domain.com;
}


pir8radio

Is that all of your config? Are you sure https even works directly? :)

 

Here is an example using a single server block. Put your info in.

server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name DOMAIN.com;

    ## FORCE SSL ##
    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   ## PICK YOUR OWN PROTOCOLS, JUST AN EXAMPLE ##
    ssl_certificate      pub.pem;          ## PATH TO CERT ##
    ssl_certificate_key  pvt.pem;          ## PATH TO CERT ##
    ssl_session_cache shared:SSL:10m;

    location / {
        ## LOCATION STUFF HERE ##
    }
}

Jdiesel

No that is just a snippet of my config. I left all the SSL certificate and location settings per service out. Everything is setup and working over https but it is not directing all http requests to https. I would rather have this done globally rather than for each service I am running.


pir8radio

EDIT: OHHH I get what you are saying...  lemme think...  lol

 

@Jdiesel what about:

server {
    listen [::]:80;
    listen 80;
    server_name domain.com www.domain.com other.domain.com another.domain.com;   ## Server ABOVE 301 ##
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name domain.com;
}

bfir3

I'm just wondering... yesterday I set up a Cloudflare account and configured my domain with it. I then updated the nameservers on my registrar (NameCheap) to point to the ones specified by Cloudflare. However I was never able to access the domain after this. I could never connect because the DNS wouldn't resolve. I left it overnight in hopes that it was just taking long to propagate, but it still didn't work in the morning. I ensured the DNS settings in Cloudflare were correctly pointing to my server's IP address, and everything looked fine. Changing the nameservers back to default let me once again browse the domain without issues.

 

I could never ping the domain after updating the nameservers to the Cloudflare ones... any ideas what I could do to resolve this? (Although my speeds seem to have already improved fairly considerably just by using https, even without Cloudflare.)


bfir3

I've got two A records pointing to my server's IP address:

 

A   domain.com   123.456.789.100
A   www                 123.456.789.100


pir8radio

In normal home situations you should only have one A and one AAAA (IPv6, if you use it) record; anything else should be a CNAME.

CNAME "www" is an alias of "domain.com", so that www.domain.com resolves to the A record for domain.com. But that shouldn't have made it not work, unless you were trying www.domain.com. If you have any other subdomains (emby.domain.com) you have to enter each one in Cloudflare as its own CNAME; Cloudflare doesn't do wildcards.


bfir3
Okay so now I have only one A record, and one CNAME record.

 

A              domain.com   123.456.789.111

CNAME   www   domain.com

 

I just changed my nameservers back to the ones provided by cloudflare. I can't access my domain anymore right now, but we'll see if it becomes accessible soon...

 

EDIT: I ran the check DNS Records API command on Cloudflare and got this:

{"success":false,"errors":[{"code":9106,"message":"Missing X-Auth-Email header"},{"code":9107,"message":"Missing X-Auth-Key header"}],"messages":[],"result":null}

pir8radio
Yeah, the API needs authentication to work. Start by turning all of the orange clouds off on your DNS settings, let that sit there for 5 or so minutes, then ping your domain name and see if the IP that comes back is yours. What other CF settings did you change? Are you forcing SSL in Cloudflare? Is DNSSEC off (most registrars don't support this yet)? Get it online without SSL first, then work toward a secure connection. If you get stuck and are willing to PM me your domain name we can do some testing.


bfir3
Okay, I can try this. I currently have nginx rewriting all http requests to https. I suppose you would recommend serving http and https separately while I test this until I can get SSL working?


pir8radio

Yeah, not sure where the issue is yet. Easier to get basic http working first, then start securing things up, so you can see what you changed when things broke.


bfir3
Sounds good. I will try it late tonight when my users are asleep, lol.


pir8radio
You can do this within Cloudflare as a page rule, then lose the redirect in nginx. Or leave it, if you decide not to use Cloudflare.

 

New rule:  http://*yourdomain.com/*     

Select: "Always use HTTPS"


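One origin-side way to get the global HTTP to HTTPS redirect Jdiesel asked for, while avoiding the trap that makes origin redirects fail behind Cloudflare. This is an added example, not code from the thread or from Emby. The trap: in Cloudflare's "Flexible" SSL mode the edge fetches from the origin over plain HTTP even when the visitor used HTTPS, so an unconditional 301 on port 80 sends the visitor round in a loop ("too many redirects"); in that mode the origin certificate is never used at all (gstuartj's note above about Flexible accepting Emby's self-signed certificate applies to "Full", which does accept a self-signed origin certificate; "Full (strict)" requires a CA-issued or Cloudflare Origin CA certificate). Cloudflare sets X-Forwarded-Proto to the scheme the visitor used, and the map below redirects only when that is not https. Assumptions: the backend is 127.0.0.1:8080 as elsewhere in the thread, and /var/www/acme is a made-up webroot for Let's Encrypt HTTP-01 challenges.

```nginx
## Added example (not from the thread): one catch-all HTTP listener that redirects every
## hostname to HTTPS without looping when Cloudflare "Flexible" mode talks HTTP to the origin.

## What scheme did the visitor actually use?  Cloudflare sets X-Forwarded-Proto; a direct
## client normally sends nothing, so we fall back to the scheme nginx itself saw.
map $http_x_forwarded_proto $visitor_scheme {
    default $scheme;
    "http"  "http";
    "https" "https";
}

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;                                  ## catch-all: no per-service block needed

    ## Let's Encrypt HTTP-01 challenges must stay reachable over plain HTTP
    ## (ASSUMED webroot path; point it at whatever your ACME client writes to).
    location ^~ /.well-known/acme-challenge/ {
        root /var/www/acme;
    }

    location / {
        ## Only redirect when the visitor really arrived over HTTP.
        if ($visitor_scheme != "https") {
            return 301 https://$host$request_uri;
        }
        ## Reached only when Cloudflare Flexible mode delivered an HTTPS visitor over HTTP.
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto https;
        proxy_pass http://127.0.0.1:8080;
    }
}

## Your existing per-service HTTPS server blocks (listen 443 ssl; server_name ...) stay as they are.
```

A caveat on trust: a client that can reach the origin directly can send X-Forwarded-Proto: https itself and skip the redirect, so this map is only as good as your restriction of the origin to Cloudflare's edge addresses (or Authenticated Origin Pulls). In "Full" or "Full (strict)" mode the edge connects to port 443, the port-80 block only ever sees genuine HTTP, and a plain `return 301` with no map is enough; and if you are not going to serve any direct traffic at all, pir8radio's "Always Use HTTPS" page rule does the redirect at the edge with no origin config.
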