
Stuck setting up reverse proxy w NGINX on Ubuntu


Guest MastaChaOS

I followed a guide to get an nginx server up and running on an ubuntu server, and I got HTTPS working with certbot and everything, but I can't figure out how to get it to act as a reverse proxy. 
 
I tried following the guide that comes up on google, but it's for NGINX on Windows, and only addresses a single .conf file, while my setup has me using multiple .conf files from /etc/nginx/sites-enabled/ 
 
I tried mangling the .conf file example I found online into this setup, but even though nginx doesn't balk when I reload it, emby.mysite.com doesn't get me to my emby instance, it just gives a DNS error.

 

 

Here's my nginx.conf

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
	worker_connections 768;
	# multi_accept on;
}

http {

	##
	# Basic Settings
	##

	sendfile on;
	tcp_nopush on;
	tcp_nodelay on;
	keepalive_timeout 65;
	types_hash_max_size 2048;
	# server_tokens off;

	 server_names_hash_bucket_size 64;
	# server_name_in_redirect off;

	include /etc/nginx/mime.types;
	default_type application/octet-stream;

	##
	# SSL Settings
	##

	ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
	ssl_prefer_server_ciphers on;

	##
	# Logging Settings
	##

	access_log /var/log/nginx/access.log;
	error_log /var/log/nginx/error.log;

	##
	# Gzip Settings
	##

	gzip on;

	# gzip_vary on;
	# gzip_proxied any;
	# gzip_comp_level 6;
	# gzip_buffers 16 8k;
	# gzip_http_version 1.1;
	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

	##
	# Virtual Host Configs
	##

	include /etc/nginx/conf.d/*.conf;
	include /etc/nginx/sites-enabled/*;
}


#mail {
#	# See sample authentication script at:
#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
# 
#	# auth_http localhost/auth.php;
#	# pop3_capabilities "TOP" "USER";
#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
# 
#	server {
#		listen     localhost:110;
#		protocol   pop3;
#		proxy      on;
#	}
# 
#	server {
#		listen     localhost:143;
#		protocol   imap;
#		proxy      on;
#	}
#}

and here's mysite.com from /etc/nginx/sites-enabled/

server {
    root /var/www/MYSITE.com/html;
    index index.html index.htm index.nginx-debian.html;

    server_name MYSITE.com www.MYSITE.com;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}
server {
    if ($host = www.MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name MYSITE.com www.MYSITE.com;
    return 404; # managed by Certbot
}

I tried making an emby.mysite.com file, like this, but it doesn't work:

##EMBY Server##

server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.MYSITE.com;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:10m;

    #add_header Public-Key-Pins '
    #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
    #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
    #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
    #max-age=86400; includeSubDomains';

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Content-Security-Policy "frame-ancestors MYSITE.com emby.MYSITE.com;";

    location / {
        proxy_pass http://192.168.0.102:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

I've tried a lot of things, but I just can't figure out what I need to do to get this working in NGINX.  Any advice?

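The thread above ends up debugging two separate things, the nginx vhost and the DNS record, so here is an added diagnostic that keeps them apart. This is example code, not from the original post, Emby or nginx; it assumes the Debian/Ubuntu layout with one vhost file per site under /etc/nginx/sites-enabled, and the sample vhost it writes for the demo is a constructed copy of the emby file shown above.

```shell
#!/bin/sh
# Added example, not code from the original post, Emby or nginx: a small
# diagnostic for the "my subdomain file doesn't work" problem in this thread.
# It checks the nginx side (is there a server block in sites-enabled whose
# server_name lists the host, and does it carry a proxy_pass?) separately
# from the DNS side (does the host resolve at all?), because a DNS error in
# the browser means the request never reached nginx. Assumes the Debian/Ubuntu
# layout with vhost files under /etc/nginx/sites-enabled.

# vhost_files DIR NAME: print the files in DIR whose server_name lists NAME as
# a whole token (so emby.example.com does not match emby.example.com.au).
vhost_files() {
    dir=$1
    pat=$(printf '%s' "$2" | sed 's/\./\\./g')
    grep -l -i -E \
        "^[[:space:]]*server_name[[:space:]]+([^;[:space:]]+[[:space:]]+)*${pat}[[:space:];]" \
        "$dir"/* 2>/dev/null
}

# has_proxy_pass FILE: succeed if FILE has an uncommented proxy_pass directive.
has_proxy_pass() {
    grep -q -E '^[[:space:]]*proxy_pass[[:space:]]+[^;]+;' "$1"
}

# resolves NAME: succeed if the system resolver returns an address for NAME.
# This is the check that was missing in the thread: no A or CNAME record
# existed for the subdomain, so nginx never saw the request.
resolves() {
    getent hosts "$1" >/dev/null 2>&1
}

# check_vhost DIR NAME: nginx-side check only. Returns 0 when some file names
# NAME and has a proxy_pass, 1 otherwise, printing what it found.
check_vhost() {
    dir=$1; name=$2; status=1
    files=$(vhost_files "$dir" "$name")
    [ -n "$files" ] || echo "nginx: no server block in $dir has server_name $name"
    for f in $files; do
        if has_proxy_pass "$f"; then
            echo "nginx: $f names $name and has a proxy_pass"
            status=0
        else
            echo "nginx: $f names $name but has no proxy_pass"
        fi
    done
    return $status
}

# diagnose DIR NAME: DNS first, then nginx, which is the order to look in.
diagnose() {
    if ! resolves "$2"; then
        echo "dns: $2 does not resolve; add an A (or CNAME) record before touching nginx"
        return 2
    fi
    check_vhost "$1" "$2"
}

# Stand-alone demo on a constructed copy of the thread's emby file.
demo() {
    tmp=$(mktemp -d)
    cat > "$tmp/emby.example.com" <<'EOF'
server {
    listen 443 ssl;
    server_name emby.example.com;
    location / {
        proxy_pass http://192.168.0.102:8096;
    }
}
EOF
    check_vhost "$tmp" emby.example.com
    rc=$?
    rm -rf "$tmp"
    return $rc
}

demo
```

On a real box, run `diagnose /etc/nginx/sites-enabled emby.mysite.com`: exit status 2 means the name does not resolve (the situation in this thread), 1 means DNS is fine but no enabled vhost proxies that host, and 0 means both halves are in place and the remaining suspects are the certificate and the upstream.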

blim5001

You might want to wait for someone more knowledgeable to come along...

 

But my emby specific conf file, which looks pretty similar to yours, except my proxy_pass line is:

 
proxy_pass http://127.0.0.1:8096; # Local emby ip and non SSL port
 
What DNS error do you get when trying to visit https://emby.MYSITE.com

Guest MastaChaOS

 


I'm not running emby on the nginx server, which is why the IP I'm attempting to redirect to is different.  

 

The error I see is that there is no DNS for emby.mysite.com


mastrmind11


What happens if you go straight to your external IP and not use the domain name?  

Why do you have 2 server blocks in your domain.com file?

Your emby.domain.com file looks more correct than the other one, try replacing your original w/ that one.  The first one doesn't have a proxy_pass.

 

edit:  I see the try_files directive in the original one, but let's just start at the beginning.

Edited by mastrmind11

Guest MastaChaOS

If I browse to WAN_IP:8096, it works fine, just without SSL.

 

The second server block in my domain file was added by certbot I believe.

 

Exactly which file are you asking me to replace?  I'm thinking that if I blow away my domain conf file, my web server won't actually serve its pages anymore, is that correct?  Ideally, I'd like to keep it as a webserver, which does reverse proxy just for specified subdomains.  

 

Sorry if these are noobish questions.  I'm coming from IIS (which I also wasn't able to get working)

 

 

I replaced mysite.com with the emby.mysite.com version, and my site stopped working as I suspected, and the subdomain still did not work.

Edited by MastaChaOS

Guest MastaChaOS

Update:

 

I was kind of able to get it working, but it's using mysite.com/emby instead of emby.mysite.com

server {
    root /var/www/MYSITE.com/html;
    index index.html index.htm index.nginx-debian.html;

    server_name MYSITE.com www.MYSITE.com;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ## Emby ##
    location /emby {
        rewrite /emby/(.*) /$1 break;
        proxy_pass http://192.168.0.102:8096;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # auth_basic "Restricted";
        # auth_basic_user_file "/etc/nginx/.htpasswd";
    }
}
server {
    if ($host = www.MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;

    server_name MYSITE.com www.MYSITE.com;
    return 404; # managed by Certbot
}

Any idea what I can do to swap that around?

 

Thanks to everyone for the assistance!!


mastrmind11


lemme look at my config.  give me a few minutes to ssh in.


mastrmind11

Here's mine which works w/ subdomains:

 

edit: This should get you at least an A on the security scanner sites.  Also, since you're already in here mucking around w/ stuff, consider putting Cloudflare in front of everything.  Super simple to set up, and it will handle the *.yourdomain.com stuff for you (which is why it's not being done in my nginx conf).

 

server {
    listen [::]:80 default_server;
    listen 80 default_server;
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    return 444;

    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
}

server {
    # SSL configuration
    include /etc/nginx/proxy.conf;

    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    server_name emby.nydomain.net;

    #Add HSTS Header
    add_header Strict-Transport-Security "max-age=15552000; preload" always;

    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer";

    ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    # Root location
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php index.nginx-debian.html;

    # Change the client side error pages (4xx) to prevent some information disclosure
    error_page 401 403 404 /404.html;

    # Deny access to .htaccess files, if Apache's document
    # root concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    location / {
        proxy_pass http://10.0.1.152:8096;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
Edited by mastrmind11

Guest MastaChaOS

 

I have a pihole running already with cloudflare.  Honestly, DNS isn't my strong suit, and I'm not sure how I'd handle the subdomain stuff with DNS.  I'll have to do some research, but I appreciate your help thus far!

 

One more question:  Now that I have ssl working via mysite.com/emby - how do I add that server to https://app.emby.media ? I've tried entering it with no port specified on the "add server" screen, but it doesn't seem to stick the next time I log in.  


pir8radio

 

What happens when you comment out all of these lines and reload nginx?

Your content security policy will not work. You never said what it was doing when you tried to access emby.mysite.com. I'm guessing a blank page?

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors MYSITE.com emby.MYSITE.com;";

Keep:   add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
Edited by pir8radio

Guest MastaChaOS

I tried removing those lines, and I still get a DNS error when I try the subdomain.  Using domain.com/emby seems to work, so for now I guess I'll just stick with that, although I'd really prefer to have subdomains working.


mastrmind11

^^

 

Set up an A record that points to your WAN IP, then a CNAME with the subdomain that points to your A record.


Guest MastaChaOS

might be a silly question, but have you set up an A Record for your subdomain?

 

Oh geez, this was this issue all along  :blink:

 

Many thanks!


Guest MastaChaOS

 Got the A record up, which seems to work. 

 

For the CNAME, do I point it to the new A record (the subdomain), or just to my domain's A record?


mastrmind11

The CNAME should be just the subdomain, so "emby" and should be an alias of your A record.

 



blim5001

remove the subdomain A record and replace it with a CNAME Record pointing to your domain

 

If adding it in cloudflare, put emby in the name box and MYSITE.com in the domain name box


blim5001

If it's working I would just stick with it ;)

 

I (personally) don't think it matters too much if you use an A Record or a CNAME for the sub domain

 

Using a CNAME means you would only need to change the main A record if you needed to change the ipaddress.

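The A-record versus CNAME discussion in the last few posts comes down to how a resolver follows an alias, so here is an added example of that, not code from the thread or from Cloudflare. It resolves names against a constructed record set (mysite.com and the 203.0.113.x documentation addresses stand in for the real domain and WAN IP) the way a resolver would, and shows why a CNAME on the subdomain pointing at the apex A record means only one record changes when the WAN IP moves, while two independent A records leave the subdomain stale.

```shell
#!/bin/sh
# Added example for the A-record / CNAME discussion above; not code from the
# thread or from any DNS provider. Names and addresses are constructed:
# mysite.com stands in for the real domain, 203.0.113.10/.11 for the WAN IP.

# Constructed zone: one A record at the apex, subdomains as aliases of it.
ZONE='mysite.com A 203.0.113.10
emby.mysite.com CNAME mysite.com
www.mysite.com CNAME mysite.com'

# Constructed alternative: the subdomain gets its own A record instead.
TWO_A='mysite.com A 203.0.113.10
emby.mysite.com A 203.0.113.10'

# lookup ZONE NAME: print "TYPE VALUE" for the first record matching NAME.
lookup() {
    printf '%s\n' "$1" | awk -v n="$2" '$1 == n { print $2, $3; exit }'
}

# resolve ZONE NAME: follow CNAME aliases until an A record is reached.
# Prints the address and returns 0; returns 1 if the chain is missing or
# loops (an alias loop is the classic misconfiguration, hence the hop guard).
resolve() {
    zone=$1; name=$2; hops=0
    while :; do
        rec=$(lookup "$zone" "$name")
        set -- $rec
        case ${1:-} in
            A)     printf '%s\n' "$2"; return 0 ;;
            CNAME) name=$2 ;;
            *)     return 1 ;;
        esac
        hops=$((hops + 1))
        [ "$hops" -le 8 ] || return 1
    done
}

# set_a ZONE NAME ADDR: print ZONE with NAME's A record changed to ADDR,
# i.e. what a dynamic-DNS client does when the WAN address changes.
set_a() {
    printf '%s\n' "$1" | awk -v n="$2" -v a="$3" '$1 == n && $2 == "A" { $3 = a } { print }'
}

# Stand-alone demo: one WAN IP change against both record layouts.
demo() {
    before=$(resolve "$ZONE" emby.mysite.com) || return 1
    cname_after=$(resolve "$(set_a "$ZONE" mysite.com 203.0.113.11)" emby.mysite.com) || return 1
    two_a_after=$(resolve "$(set_a "$TWO_A" mysite.com 203.0.113.11)" emby.mysite.com) || return 1
    echo "CNAME layout: emby.mysite.com $before -> $cname_after after updating only the apex"
    echo "two-A layout: emby.mysite.com $before -> $two_a_after (stale until its own record is updated)"
}

demo
```

The hop guard matters in practice as well as in the toy: a CNAME that points at itself, or two that point at each other, never reaches an A record, and a resolver gives up after a fixed number of hops rather than spinning.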

Guest MastaChaOS

well, I do have dynamic DNS behind all of this, so hopefully it "just works" when my WAN IP changes here.

 

Thanks to everyone for the help!


mastrmind11

yeah, it won't.  You need to set it up like I showed you, and you need a dynamic dns repeater in between.  Cloudflare and dns-o-matic work nicely together.  There is a tutorial on the Cloudflare website about how to set it up w/ dns-o-matic.  I've had it set up like this for over a year, through 3 IP changes, and never a problem.  

 

Here's the procedure I used, which works great.  https://support.opendns.com/hc/en-us/community/posts/115000937008-How-to-set-up-DNS-O-MATIC-for-Cloudflare-and-the-other-way-around-and-a-FritzBox

 

edit:  You can ignore the fritzbox thing as long as you have your router set to report the WAN ip to dns-o-matic.

 

edit2:  here's a tutorial for using ddclient if your router doesn't support dynamic dns https://medium.com/@chrisneely/how-to-configure-dynamic-dns-updates-for-dns-o-matic-and-cloudflare-7529c471a1a9

Edited by mastrmind11

mastrmind11

I just use cloud flare directly updated from my router. No need for dns o matic

That assumes the router supports Cloudflare directly.  So ymmv

