Jump to content

error in login screen with nginx


IssueFindings
Go to solution Solved by IssueFindings,

Recommended Posts

IssueFindings

Hello,

 

I decide to manage my Emby access through https with nginx. I create a certificate and the file /etc/nginx/sites-available/emby.conf with the content below :

server {
    listen 80;
    server_name mywebsite;
    location '/.well-known/acme-challenge' {
        default_type "text/plain";
        root /var/www/emby;
        }
    location '/' {
        return 301 https://mywebsite$request_uri;
        }
    }

    server {
        listen 443;
        ssl on;

        ssl_protocols TLSv1.2;

        ssl_certificate      /etc/certificates/mywebsite/fullchain.pem;
        ssl_certificate_key  /etc/certificates/mywebsite/privkey.pem;
        ssl_session_cache none;
        ssl_session_tickets off;

        ssl_stapling on;
        ssl_stapling_verify on;
        ssl_trusted_certificate /etc/certificates/mywebsite/chain.pem;

        ssl_dhparam /etc/nginx/dhparam.pem;

        ssl_prefer_server_ciphers on;
        ssl_ciphers '!kEECDH+ECDSA+AES128 kEECDH+ECDSA+AES256 !kEECDH+AES128 kEECDH+AES256 !kEDH+AES128 kEDH+AES256 +SHA !aNULL !eNULL !LOW !kECDH !DSS !MD5 !RC4 !EXP !PSK !SRP !CAMELLIA !SEED';

        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload";
        add_header Content-Security-Policy "default-src https://mywebsite:443 ";
        add_header X-Frame-Options "DENY";
        add_header X-Xss-Protection "1; mode=block";
        add_header X-Content-Type-Options "nosniff"; 

        server_name mywebsite;
        server_tokens off;

location / {
          proxy_pass http://192.168.X.X:8096; 
          proxy_set_header Range $http_range;
          proxy_set_header If-Range $http_if_range;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header Host $host;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

         #Next three lines allow websockets
         proxy_http_version 1.1;
         proxy_set_header Upgrade $http_upgrade;
         proxy_set_header Connection "upgrade";
          }
    }

With this code, I obtain the login screen below (with two blank fields between the welcome message and the login field. How I can fix that ? When I access to Emby in my local network, so without nginx, I don't have these fields and the text is displayed in the middle of my screen and not on the left.

5966360b8b90c_Capturedecran20170712a1629

 

Have a nice day.

Edited by IssueFindings
Link to post
Share on other sites
mastrmind11

Not sure since I'm not in front of my server, but try setting add_header X-Frame-Options to "SAMEORIGIN" instead of "DENY"

Edited by mastrmind11
Link to post
Share on other sites
pir8radio

loose the      add_header Content-Security-Policy "default-src https://YOURSERVER:443 ";

 

Its too tight and blocking your css and fonts..   Emby web gui can't be limited to just your domain, it grabs fonts and other stuff from the web.

 

also remove your real domain name from your original post.  :)

Edited by pir8radio
Link to post
Share on other sites
IssueFindings

Many thanks for your answer. Based on that, I changed this in my code :

add_header Content-Security-Policy "default-src https://mywebsite:443; script-src https://mywebsite:443; style-src https://mywebsite:443";

I reloaded my server, and unfortunately my issue is still pending... :(

 

Any idea ?

Link to post
Share on other sites
pir8radio

@@IssueFindings Remove the whole line and try it.   That's still your issue. 

 

Again you are only allowing stuff from YOURSITE...  emby pulls things like fonts from  HTTPS://FONTS.GSTATIC.COM and other remote sites.  You will need to list these sites in your Content Security Policy, or remove the policy to confirm everything is working, then add these sites in.

 

You are not entering that header correctly...   See the PM I sent you showing the errors from your site.

Edited by pir8radio
Link to post
Share on other sites
IssueFindings

Hello,

 

Many thanks for this detailled answer !! How you obtain the PM ? It's a very interesting report :)

Even if, the login screen is not perfect, it works. I prefer to maintain restrictions.

 

#Emby developpers : why we need to load contents for external website ? If I select a self-hosted solution, it's to control everything (especially I don't want Google spyware). For futher versions, could you fix it ?

 

Have a nice day.

Link to post
Share on other sites
  • Solution
IssueFindings

Hello,

 

I try with the code below (based on these explanations) and that works. I just wonder me if this code permit to load data from another website than https://mywebsite:443. What do you think ? I'm not sure to well understand impacts of keywords 'unsafe-inline' and 'unsafe-eval' (I dislike the preposition "unsafe-...").

add_header Content-Security-Policy "default-src https://mywebsite:443 'unsafe-inline' 'unsafe-eval'";

Have a nice day.

Link to post
Share on other sites
pir8radio

Hello,

 

Many thanks for this detailled answer !! How you obtain the PM ? It's a very interesting report :)

Even if, the login screen is not perfect, it works. I prefer to maintain restrictions.

 

#Emby developpers : why we need to load contents for external website ? If I select a self-hosted solution, it's to control everything (especially I don't want Google spyware). For futher versions, could you fix it ?

 

Have a nice day.

 

 

If you use Chrome to browse your site, right click the page, go to INSPECT then click the NETWORK tab   errors should show at the bottom when you reload.

Link to post
Share on other sites

We don't pull anything from external websites other than google cast and YouTube libraries, and if those fail it will not prevent the web app from loading.

Link to post
Share on other sites
pir8radio

We don't pull anything from external websites other than google cast and YouTube libraries, and if those fail it will not prevent the web app from loading.

 

Yea the sender javascript calls a bunch of additional fonts from gstatic as well but this is normal. That has to be pulled from remotely probably because google changes it so often.    

 

You can always run a https://builtwith.com/ on your site to see what is running on it.

Link to post
Share on other sites
IssueFindings

Hello,

 

It's probably a stupid question, but why Emby need to load something from google cast and YouTube libraries ?

You are true, I can connect to Emby with only Emby ressources. It's just that the login screen looks like strange. No more.

 

@@pir8radio : many thanks for the link ! I just need time to well understand all the report and fix my security issues detected.

 

Have a nice day.

Link to post
Share on other sites
IssueFindings

Hello,

 

Sorry but how I can do that (I mean, not load them) and keep a login screen without the 2 blank fields ? By advance, many thanks for your time and explanations.

Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...