Guest MastaChaOS Posted December 18, 2018

I followed a guide to get an nginx server up and running on an Ubuntu server, and I got HTTPS working with certbot and everything, but I can't figure out how to get it to act as a reverse proxy. I tried following the guide that comes up on Google, but it's for nginx on Windows, and only addresses a single .conf file, while my setup has me using multiple .conf files from /etc/nginx/sites-enabled/. I tried mangling the .conf file example I found online into this setup, but even though nginx doesn't balk when I reload it, emby.mysite.com doesn't get me to my Emby instance, it just gives a DNS error.

Here's my nginx.conf:

user www-data;
worker_processes auto;
pid /run/nginx.pid;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 768;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    sendfile on;
    tcp_nopush on;
    tcp_nodelay on;
    keepalive_timeout 65;
    types_hash_max_size 2048;
    # server_tokens off;
    server_names_hash_bucket_size 64;
    # server_name_in_redirect off;
    include /etc/nginx/mime.types;
    default_type application/octet-stream;

    ##
    # SSL Settings
    ##
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2; # Dropping SSLv3, ref: POODLE
    ssl_prefer_server_ciphers on;

    ##
    # Logging Settings
    ##
    access_log /var/log/nginx/access.log;
    error_log /var/log/nginx/error.log;

    ##
    # Gzip Settings
    ##
    gzip on;
    # gzip_vary on;
    # gzip_proxied any;
    # gzip_comp_level 6;
    # gzip_buffers 16 8k;
    # gzip_http_version 1.1;
    # gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;

    ##
    # Virtual Host Configs
    ##
    include /etc/nginx/conf.d/*.conf;
    include /etc/nginx/sites-enabled/*;
}

#mail {
#    # See sample authentication script at:
#    # http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
#
#    # auth_http localhost/auth.php;
#    # pop3_capabilities "TOP" "USER";
#    # imap_capabilities "IMAP4rev1" "UIDPLUS";
#
#    server {
#        listen   localhost:110;
#        protocol pop3;
#        proxy    on;
#    }
#
#    server {
#        listen   localhost:143;
#        protocol imap;
#        proxy    on;
#    }
#}

and here's mysite.com from /etc/nginx/sites-enabled/:

server {
    root /var/www/MYSITE.com/html;
    index index.html index.htm index.nginx-debian.html;
    server_name MYSITE.com www.MYSITE.com;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
}

server {
    if ($host = www.MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name MYSITE.com www.MYSITE.com;
    return 404; # managed by Certbot
}

I tried making an emby.mysite.com file, like this, but it doesn't work:

##EMBY Server##
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.MYSITE.com;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    ssl_session_cache shared:SSL:10m;

    #add_header Public-Key-Pins '
    #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
    #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
    #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
    #max-age=86400; includeSubDomains';

    add_header X-Xss-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    proxy_hide_header X-Powered-By;
    add_header 'Referrer-Policy' 'no-referrer';
    add_header Content-Security-Policy "frame-ancestors MYSITE.com emby.MYSITE.com;";

    location / {
        proxy_pass http://192.168.0.102:8096;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

I've tried a lot of things, but I just can't figure out what I need to do to get this working in nginx. Any advice?
Luke 37060 Posted December 18, 2018

@pir8radio may have some nginx tips. Thanks!
blim5001 8 Posted December 18, 2018

You might want to wait for someone more knowledgeable to come along... But my Emby-specific conf file looks pretty similar to yours, except my proxy_pass line is:

proxy_pass http://127.0.0.1:8096; # Local emby ip and non SSL port

What DNS error do you get when trying to visit https://emby.MYSITE.com?
Guest MastaChaOS Posted December 18, 2018

<snip> What DNS error do you get when trying to visit https://emby.MYSITE.com?

I'm not running Emby on the nginx server, which is why the IP I'm attempting to redirect to is different. The error I see is that there is no DNS for emby.mysite.com.
blim5001 8 Posted December 18, 2018

Ah, that's a bit beyond my knowledge. I have only set up reverse proxies on the same server. Sorry I can't be more help.
mastrmind11 717 Posted December 18, 2018 (edited)

I'm not running Emby on the nginx server, which is why the IP I'm attempting to redirect to is different. The error I see is that there is no DNS for emby.mysite.com.

What happens if you go straight to your external IP and not use the domain name? Why do you have 2 server blocks in your domain.com file? Your emby.domain.com file looks more correct than the other one; try replacing your original w/ that one. The first one doesn't have a proxy_pass.

edit: I see the try_files directive in the original one, but let's just start at the beginning.

Edited December 18, 2018 by mastrmind11
Guest MastaChaOS Posted December 18, 2018 (edited)

If I browse to WAN_IP:8096, it works fine, just without SSL. The second server block in my domain file was added by certbot, I believe. Exactly which file are you asking me to replace? I'm thinking that if I blow away my domain conf file, my web server won't actually serve its pages anymore, is that correct? Ideally, I'd like to keep it as a webserver, which does reverse proxy just for specified subdomains. Sorry if these are noobish questions. I'm coming from IIS (which I also wasn't able to get working).

I replaced mysite.com with the emby.mysite.com version, and my site stopped working as I suspected, and the subdomain still did not work.

Edited December 18, 2018 by MastaChaOS
Guest MastaChaOS Posted December 18, 2018

Update: I was kind of able to get it working, but it's using mysite.com/emby instead of emby.mysite.com:

server {
    root /var/www/MYSITE.com/html;
    index index.html index.htm index.nginx-debian.html;
    server_name MYSITE.com www.MYSITE.com;

    location / {
        try_files $uri $uri/ =404;
    }

    listen [::]:443 ssl ipv6only=on; # managed by Certbot
    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/MYSITE.com/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    ## Emby ##
    location /emby {
        rewrite /emby/(.*) /$1 break;
        proxy_pass http://192.168.0.102:8096;
        proxy_redirect off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # auth_basic "Restricted";
        # auth_basic_user_file "/etc/nginx/.htpasswd";
    }
}

server {
    if ($host = www.MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    if ($host = MYSITE.com) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

    listen 80;
    listen [::]:80;
    server_name MYSITE.com www.MYSITE.com;
    return 404; # managed by Certbot
}

Any idea what I can do to swap that around? Thanks to everyone for the assistance!!
mastrmind11 717 Posted December 18, 2018

Update: I was kind of able to get it working, but it's using mysite.com/emby instead of emby.mysite.com <snip>

lemme look at my config. give me a few minutes to ssh in.
mastrmind11 717 Posted December 18, 2018 (edited)

Here's mine which works w/ subdomains:

edit: This should get you at least an A on the security scanner sites. Also, since you're already in here mucking around w/ stuff, consider putting Cloudflare in front of everything. Super simple to set up, and it will handle the *.yourdomain.com stuff for you (which is why it's not being done in my nginx conf).

server {
    listen [::]:80 default_server;
    listen 80 default_server;
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    return 444;

    ssl_session_timeout 10m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;
}

server {
    # SSL configuration
    include /etc/nginx/proxy.conf;
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.nydomain.net;

    #Add HSTS Header
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Content-Type-Options nosniff;
    add_header X-Frame-Options SAMEORIGIN;
    add_header X-XSS-Protection "1; mode=block";
    add_header Referrer-Policy "no-referrer";

    ssl on;
    ssl_certificate /etc/ssl/certs/cert.pem;
    ssl_certificate_key /etc/ssl/private/key.pem;

    # Root location
    root /var/www/html;

    # Add index.php to the list if you are using PHP
    index index.html index.htm index.php index.nginx-debian.html;

    # Change the client side error pages (4xx) to prevent some information disclosure
    error_page 401 403 404 /404.html;

    # Deny access to .htaccess files, if Apache's document
    # root concurs with nginx's one
    location ~ /\.ht {
        deny all;
    }

    location / {
        proxy_pass http://10.0.1.152:8096;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

Edited December 18, 2018 by mastrmind11
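For comparison, here is an added example of a complete sites-enabled file for a reverse-proxied subdomain. It is not mastrmind11's configuration and not anything shipped by Emby. It assumes the names from the opening post (MYSITE.com, an Emby host at 192.168.0.102:8096) and that certbot has been re-run with -d emby.MYSITE.com so the certificate's Subject Alternative Names include the subdomain: a Let's Encrypt certificate issued only for MYSITE.com and www.MYSITE.com will fail hostname validation in the browser when served for emby.MYSITE.com, even though nginx loads it without complaint. The ACME webroot path /var/www/letsencrypt is likewise an assumption. The map block has to sit in the http context, which it does when the file is included from sites-enabled. The commands in the trailing comments check each layer separately, which matters here because, as the thread finds later, a missing DNS record produces exactly the symptom the opening post describes and no nginx change can fix it; curl --resolve lets you exercise the vhost before the record exists.

```nginx
# Added example, not from the thread. Assumptions: domain MYSITE.com, Emby at
# 192.168.0.102:8096, certificate issued with -d emby.MYSITE.com, ACME webroot
# /var/www/letsencrypt.

# Catch-all: requests for any name we do not serve (bare WAN IP, scanner probes,
# typos) are dropped with no response. A certificate is still required so nginx
# can complete the TLS handshake before closing.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/MYSITE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem;
    return 444;
}

# WebSocket support: send "Connection: upgrade" only when the client asked for
# an upgrade, otherwise "close". This is the form the nginx docs use; the
# configs above either hard-code "upgrade" or pass the client's value through.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: keep the ACME challenge reachable for renewals, redirect everything else.
server {
    listen 80;
    listen [::]:80;
    server_name emby.MYSITE.com;
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.MYSITE.com;

    ssl_certificate     /etc/letsencrypt/live/MYSITE.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/MYSITE.com/privkey.pem;
    # Every config in this thread still enables TLS 1.0/1.1; drop them.
    # TLSv1.3 needs nginx 1.13+ built against OpenSSL 1.1.1; otherwise list TLSv1.2 alone.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_session_cache shared:SSL:10m;
    ssl_session_timeout 10m;

    add_header Strict-Transport-Security "max-age=31536000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy no-referrer always;

    # Media streams are large and long-lived; let them flow through unbuffered.
    client_max_body_size 20M;
    proxy_buffering off;

    location / {
        proxy_pass http://192.168.0.102:8096;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
        proxy_hide_header X-Powered-By;
    }
}

# Verification, one layer at a time (run from outside the LAN where possible):
#   nginx -t && systemctl reload nginx     # syntax check, then reload
#   dig +short emby.MYSITE.com A           # empty answer => DNS, not nginx, is the problem
#   curl -vk --resolve emby.MYSITE.com:443:WAN_IP https://emby.MYSITE.com/
#                                          # reaches the vhost even before the DNS record exists
#   openssl s_client -connect emby.MYSITE.com:443 -servername emby.MYSITE.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -text | grep -A1 'Subject Alternative Name'
#                                          # confirm the served certificate covers the subdomain
```

Until the DNS record and the matching certificate are in place, the curl and openssl checks are the only way to tell an nginx problem from a DNS or certificate problem; with all three passing, the subdomain should behave like mastrmind11's setup above.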
Guest MastaChaOS Posted December 18, 2018

Here's mine which works w/ subdomains: edit: This should get you at least an A on the security scanner sites. Also, since you're already in here mucking around w/ stuff, consider putting Cloudflare in front of everything. Super simple to set up, and it will handle the *.yourdomain.com stuff for you (which is why it's not being done in my nginx conf) <snip>

I have a pihole running already with Cloudflare. Honestly, DNS isn't my strong suit, and I'm not sure how I'd handle the subdomain stuff with DNS. I'll have to do some research, but I appreciate your help thus far!

One more question: now that I have SSL working via mysite.com/emby, how do I add that server to https://app.emby.media? I've tried entering it with no port specified on the "add server" screen, but it doesn't seem to stick the next time I log in.
pir8radio 1292 Posted December 18, 2018 (edited)

I followed a guide to get an nginx server up and running on an ubuntu server, and I got HTTPS working with certbot and everything, but I can't figure out how to get it to act as a reverse proxy. <snip>

What happens when you comment out all of these lines and reload nginx? Your Content-Security-Policy will not work. You never said what it was doing when you tried to access emby.mysite.com. I'm guessing a blank page?

add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Frame-Options "SAMEORIGIN" always;
proxy_hide_header X-Powered-By;
add_header 'Referrer-Policy' 'no-referrer';
add_header Content-Security-Policy "frame-ancestors MYSITE.com emby.MYSITE.com;";

Keep:

add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;

Edited December 18, 2018 by pir8radio
Guest MastaChaOS Posted December 19, 2018

I tried removing those lines, and I still get a DNS error when I try the subdomain. Using domain.com/emby seems to work, so for now I guess I'll just stick with that, although I'd really prefer to have subdomains working.
blim5001 8 Posted December 19, 2018

Might be a silly question, but have you set up an A record for your subdomain?
mastrmind11 717 Posted December 19, 2018

^^ Set up an A record that points to your WAN IP, then a CNAME with the subdomain that points to your A record.
Guest MastaChaOS Posted December 19, 2018

Might be a silly question, but have you set up an A record for your subdomain?

Oh geez, this was the issue all along. Many thanks!
Guest MastaChaOS Posted December 19, 2018

^^ Set up an A record that points to your WAN IP, then a CNAME with the subdomain that points to your A record.

Got the A record up, which seems to work. For the CNAME, do I point it to the new A record (the subdomain), or just to my domain's A record?
mastrmind11 717 Posted December 19, 2018

Got the A record up, which seems to work. For the CNAME, do I point it to the new A record (the subdomain), or just to my domain's A record?

The CNAME should be just the subdomain, so "emby", and should be an alias of your A record.
blim5001 8 Posted December 19, 2018

Remove the subdomain A record and replace it with a CNAME record pointing to your domain. If adding it in Cloudflare, put emby in the name box and MYSITE.com in the domain name box.
Guest MastaChaOS Posted December 19, 2018

This is how I have it set up. Did I do something wrong? It's working great with a subdomain now.
blim5001 8 Posted December 19, 2018

If it's working I would just stick with it. I (personally) don't think it matters too much if you use an A record or a CNAME for the subdomain. Using a CNAME means you would only need to change the main A record if you needed to change the IP address.
Guest MastaChaOS Posted December 19, 2018

Well, I do have dynamic DNS behind all of this, so I'm hopeful it "just works" when my WAN IP changes here. Thanks to everyone for the help!
mastrmind11 717 Posted December 19, 2018 (edited)

Well, I do have dynamic DNS behind all of this, so I'm hopeful it "just works" when my WAN IP changes here. Thanks to everyone for the help!

Yeah, it won't. You need to set it up like I showed you, and you need a dynamic DNS repeater in between. Cloudflare and dns-o-matic work nicely together. There is a tutorial on the Cloudflare website about how to set it up w/ dns-o-matic. I've had it set up like this for over a year, through 3 IP changes, and never a problem. Here's the procedure I used, which works great. https://support.opendns.com/hc/en-us/community/posts/115000937008-How-to-set-up-DNS-O-MATIC-for-Cloudflare-and-the-other-way-around-and-a-FritzBox

edit: You can ignore the FritzBox thing as long as you have your router set to report the WAN IP to dns-o-matic.

edit2: Here's a tutorial for using ddclient if your router doesn't support dynamic DNS: https://medium.com/@chrisneely/how-to-configure-dynamic-dns-updates-for-dns-o-matic-and-cloudflare-7529c471a1a9

Edited December 19, 2018 by mastrmind11
Spaceboy 2493 Posted December 19, 2018

I just use Cloudflare directly, updated from my router. No need for dns-o-matic.
mastrmind11 717 Posted December 19, 2018

I just use Cloudflare directly, updated from my router. No need for dns-o-matic.

That assumes the router supports Cloudflare directly. So ymmv.