IssueFindings, posted July 12, 2017 (edited July 13, 2017)

Hello,

I decided to manage my Emby access over HTTPS with nginx. I created a certificate and the file /etc/nginx/sites-available/emby.conf with the content below:

    # Plain HTTP: serve ACME challenges, redirect everything else to HTTPS
    server {
        listen 80;
        server_name mywebsite;

        location '/.well-known/acme-challenge' {
            default_type "text/plain";
            root /var/www/emby;
        }
        location '/' {
            return 301 https://mywebsite$request_uri;
        }
    }

    # HTTPS front end, reverse-proxying to Emby on the LAN
    server {
        listen 443 ssl;    # "ssl on;" is deprecated; enable TLS on the listen directive instead
        server_name mywebsite;
        server_tokens off;

        ssl_protocols TLSv1.2;
        ssl_certificate /etc/certificates/mywebsite/fullchain.pem;
        ssl_certificate_key /etc/certificates/mywebsite/privkey.pem;
        ssl_session_cache none;
        ssl_session_tickets off;
        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/certificates/mywebsite/chain.pem;
        ssl_dhparam /etc/nginx/dhparam.pem;
        ssl_prefer_server_ciphers on;
        ssl_ciphers '!kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 !kEECDH+AES128 kEECDH+AES256 !kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';

        # Security headers sent with every proxied response
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Content-Security-Policy "default-src https://mywebsite:443 ";
        add_header X-Frame-Options "DENY";
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff";

        location / {
            proxy_pass http://192.168.X.X:8096;
            # Pass range headers through so media seeking works
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

With this configuration I get the login screen below, with two blank fields between the welcome message and the login field. How can I fix that?

When I access Emby on my local network, so without nginx, I don't have these fields and the text is displayed in the middle of my screen, not on the left.

Have a nice day.
mastrmind11, posted July 12, 2017 (edited)

Not sure since I'm not in front of my server, but try setting add_header X-Frame-Options to "SAMEORIGIN" instead of "DENY".
IssueFindings (author), posted July 12, 2017

Many thanks for your answer. Unfortunately, the issue is still pending...
pir8radio, posted July 12, 2017 (edited)

Lose the add_header Content-Security-Policy "default-src https://YOURSERVER:443 "; line. It's too tight and is blocking your CSS and fonts. The Emby web GUI can't be limited to just your domain; it grabs fonts and other stuff from the web.

Also remove your real domain name from your original post.
Luke, posted July 13, 2017

Thanks @pir8radio!
IssueFindings (author), posted July 13, 2017

Many thanks for your answer. Based on that, I changed this in my config:

    add_header Content-Security-Policy "default-src https://mywebsite:443; script-src https://mywebsite:443; style-src https://mywebsite:443";

I reloaded my server, and unfortunately my issue is still pending... Any idea?
pir8radio, posted July 14, 2017 (edited)

@IssueFindings Remove the whole line and try it. That's still your issue. Again, you are only allowing stuff from YOURSITE... Emby pulls things like fonts from HTTPS://FONTS.GSTATIC.COM and other remote sites. You will need to list these sites in your Content Security Policy, or remove the policy to confirm everything is working, then add these sites in. You are not entering that header correctly... See the PM I sent you showing the errors from your site.
IssueFindings (author), posted July 15, 2017

Hello,

Many thanks for this detailed answer! How did you obtain the report in the PM? It's a very interesting report.

Even if the login screen is not perfect, it works. I prefer to maintain the restrictions.

#Emby developers: why do we need to load content from an external website? If I select a self-hosted solution, it's to control everything (especially, I don't want Google spyware). Could you fix it in future versions?

Have a nice day.
IssueFindings (author), posted July 15, 2017 (marked as Solution)

Hello,

I tried the config below (based on these explanations) and it works. I just wonder whether this permits loading data from a website other than https://mywebsite:443. What do you think? I'm not sure I fully understand the impact of the keywords 'unsafe-inline' and 'unsafe-eval' (I dislike the prefix "unsafe-...").

    add_header Content-Security-Policy "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'";

Have a nice day.
pir8radio, posted July 15, 2017

Quoting IssueFindings: "Many thanks for this detailed answer! How did you obtain the report in the PM? It's a very interesting report. Even if the login screen is not perfect, it works. I prefer to maintain the restrictions."

If you use Chrome to browse your site, right-click the page, go to Inspect, then click the Network tab; errors should show at the bottom when you reload.
Luke, posted July 15, 2017

We don't pull anything from external websites other than the Google Cast and YouTube libraries, and if those fail it will not prevent the web app from loading.
pir8radio, posted July 15, 2017

Quoting Luke: "We don't pull anything from external websites other than the Google Cast and YouTube libraries, and if those fail it will not prevent the web app from loading."

Yeah, the sender JavaScript calls a bunch of additional fonts from gstatic as well, but this is normal. That has to be pulled remotely, probably because Google changes it so often. You can always run https://builtwith.com/ on your site to see what is running on it.
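The question in the post marked as Solution (does "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'" let the browser load anything from another site?) and the gstatic fonts mentioned in this reply can be checked mechanically rather than by reloading the page. The Python below is an added example, not code from Emby, nginx or anyone in this thread: it implements a simplified Content Security Policy Level 3 source matcher and runs the three headers posted in the thread, plus an assumed scoped alternative, against a constructed list of requests. The Emby script, stylesheet and websocket paths are made up, and the Cast sender and YouTube IFrame API URLs are assumptions; the thread itself only names fonts.gstatic.com, the Google Cast library and the YouTube library.

```python
"""Evaluate a Content-Security-Policy header against the requests an Emby page makes.
Added example (not Emby's or nginx's code); the matching is a simplified CSP Level 3."""
from urllib.parse import urlsplit

DEFAULT_PORTS = {"http": 80, "https": 443, "ws": 80, "wss": 443}
ORIGIN = "https://mywebsite"   # page origin from the thread: server_name mywebsite on 443


def parse_csp(header: str) -> dict[str, list[str]]:
    """'dir src src; dir src' -> {directive: [sources]}; a repeated directive is ignored (first wins)."""
    policy: dict[str, list[str]] = {}
    for chunk in header.split(";"):
        tokens = chunk.split()
        if tokens:
            policy.setdefault(tokens[0].lower(), tokens[1:])
    return policy


def sources_for(policy: dict[str, list[str]], directive: str):
    """A fetch directive (script-src, font-src, connect-src, ...) that is absent falls back to
    default-src. None means neither is present: the policy then does not restrict that request."""
    return policy.get(directive, policy.get("default-src"))


def _scheme_matches(expr_scheme: str, url_scheme: str) -> bool:
    # Exact match plus the http->https and ws->wss upgrades; https:// never covers wss://.
    return (expr_scheme == url_scheme
            or (expr_scheme == "http" and url_scheme == "https")
            or (expr_scheme == "ws" and url_scheme == "wss"))


def _host_matches(pattern: str, host: str) -> bool:
    # '*.example.com' matches any subdomain but not example.com itself.
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return pattern == host


def source_matches(expr: str, url: str, page_origin: str = ORIGIN) -> bool:
    """Does one source expression ('self', 'none', https:, host[:port][/path]) allow fetching url?"""
    u = urlsplit(url)
    u_host, u_port = (u.hostname or "").lower(), u.port or DEFAULT_PORTS.get(u.scheme)
    if expr == "'self'":
        p = urlsplit(page_origin)
        same = (u_host, u_port) == ((p.hostname or "").lower(), p.port or DEFAULT_PORTS.get(p.scheme))
        # CSP3: 'self' on an https page also covers wss:// to the same host and port.
        return same and (u.scheme == p.scheme or u.scheme in ("https", "wss"))
    if expr.startswith("'"):
        return False                     # 'none', 'unsafe-inline', 'unsafe-eval' never match a URL
    if expr.endswith(":") and "/" not in expr:
        return _scheme_matches(expr[:-1].lower(), u.scheme)   # scheme-source such as https:
    scheme, _, rest = expr.partition("://") if "://" in expr else ("", "", expr)
    if scheme and not _scheme_matches(scheme.lower(), u.scheme):
        return False
    hostport, _, path = rest.partition("/")
    host, _, port = hostport.partition(":")
    if not _host_matches(host.lower(), u_host):
        return False
    if port:
        if port != "*" and int(port) != u_port:
            return False
    elif u_port != DEFAULT_PORTS.get(u.scheme):
        return False                     # no port in the expression: only the scheme's default port
    if path:
        path = "/" + path
        return u.path.startswith(path) if path.endswith("/") else u.path == path
    return True


def allows_url(header: str, directive: str, url: str, page_origin: str = ORIGIN) -> bool:
    sources = sources_for(parse_csp(header), directive)
    return sources is None or any(source_matches(s, url, page_origin) for s in sources)


def allows_inline(header: str, directive: str) -> bool:
    """Inline <script>/<style> blocks and style= attributes need 'unsafe-inline' (nonces/hashes not modelled)."""
    sources = sources_for(parse_csp(header), directive)
    return sources is None or "'unsafe-inline'" in sources


def allows_eval(header: str) -> bool:
    """eval(), new Function() and string timers need 'unsafe-eval' under script-src."""
    sources = sources_for(parse_csp(header), "script-src")
    return sources is None or "'unsafe-eval'" in sources


# Constructed requests (label, directive that governs it, URL). The mywebsite paths are made up;
# the gstatic/YouTube script URLs are assumed locations of the Cast sender and the IFrame API.
REQUESTS = [
    ("Emby script", "script-src", "https://mywebsite/web/app.js"),
    ("Emby stylesheet", "style-src", "https://mywebsite/web/app.css"),
    ("Cast sender script", "script-src", "https://www.gstatic.com/cv/js/sender/v1/cast_sender.js"),
    ("gstatic web font", "font-src", "https://fonts.gstatic.com/s/roboto/v18/example.woff2"),
    ("YouTube IFrame API", "script-src", "https://www.youtube.com/iframe_api"),
    ("websocket to Emby", "connect-src", "wss://mywebsite/socket"),
]

POLICIES = {
    "post 1": "default-src https://mywebsite:443",
    "post 7": "default-src https://mywebsite:443; script-src https://mywebsite:443; style-src https://mywebsite:443",
    "solution": "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'",
    # Assumed alternative: keep default-src tight; list each external host only where it is needed.
    "scoped": ("default-src 'self'; "
               "script-src 'self' 'unsafe-inline' 'unsafe-eval' https://www.gstatic.com https://www.youtube.com; "
               "style-src 'self' 'unsafe-inline'; font-src 'self' https://fonts.gstatic.com; "
               "connect-src 'self' wss://mywebsite; frame-src https://www.youtube.com; object-src 'none'"),
}


def evaluate(header: str, page_origin: str = ORIGIN) -> dict[str, bool]:
    """Map each constructed request, plus inline/eval capability, to whether the policy allows it."""
    result = {label: allows_url(header, d, url, page_origin) for label, d, url in REQUESTS}
    result["inline script"] = allows_inline(header, "script-src")
    result["inline style"] = allows_inline(header, "style-src")
    result["eval()"] = allows_eval(header)
    return result


def nginx_directive(header: str) -> str:
    """The nginx line for a policy; 'always' keeps the header on error responses too."""
    return f'add_header Content-Security-Policy "{header}" always;'


if __name__ == "__main__":
    for name, header in POLICIES.items():
        print(f"== {name}: {nginx_directive(header)}")
        for label, ok in evaluate(header).items():
            print(f"  {'allow' if ok else 'BLOCK'}  {label}")
```

Running it shows that none of the three headers from the thread allows fonts.gstatic.com: font-src falls back to default-src, and 'unsafe-inline' and 'unsafe-eval' only relax inline code and eval() for the origin that is already allowed, so the answer to the question in the Solution post is no, that header loads nothing from another site. It also shows that a host-source written with an explicit https:// scheme does not cover the wss:// websocket the proxy configuration forwards; 'self' on an https page does, or wss://mywebsite can be listed under connect-src. 'unsafe-inline' and 'unsafe-eval' are exactly the relaxations that let injected inline script or eval() run, which is what a CSP is meant to stop, so if the web client needs them they belong under script-src and style-src only, not in default-src where every directive inherits them.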
IssueFindings (author), posted July 18, 2017

Hello,

It's probably a stupid question, but why does Emby need to load something from the Google Cast and YouTube libraries? You are right, I can connect to Emby with only Emby resources. It's just that the login screen looks strange. No more.

@pir8radio: many thanks for the link! I just need time to fully understand the report and fix the security issues it detected.

Have a nice day.
Luke, posted July 18, 2017

If you don't use those features then we don't need to load them.
IssueFindings (author), posted July 18, 2017

Hello,

Sorry, but how can I do that (I mean, not load them) and keep a login screen without the two blank fields?

Many thanks in advance for your time and explanations.
Luke, posted July 18, 2017

Didn't @pir8radio give you a way in post #7?