nginx reverse proxy configuration

[D34DC3N73R 18]

I have external access configured via nginx reverse proxy. My external domain is https://emby.domain.tld and the port is 443. I have forwarding enabled for http connections to https. However, when I look at transcoding logs, I see http://emby.domain.tld:8096/...  (which does not resolve) listed at the top. I sporadically run into issues when trying to play remotely. For instance, I couldn't get anything to play yesterday over an LTE connection and today, everything is playing without issue. I'm wondering if my external configuration is an issue, or if it's something else I should continue to track down. 

[Luke 37118]

Hi there, does your Emby Server dashboard display the correct remote address?

[D34DC3N73R 18]

Yes the dashboard displays
 

Remote (WAN) access: https://emby.domain.tld:443

I have no problems accessing the server from external networks, only sporadic issues streaming outside the home network. It just struck me as odd that the ffmpeg transcode log shows a url with the external domain and the local port. I'm trying to track down what's causing the streaming problems and I just want to rule out any reverse proxy issues.

[D34DC3N73R 18]

I guess I'm a little confused about the local https port. In the nginx config, I have proxy_pass set to http://local-ip:8096. In emby advanced settings, I have local and public http port 8096. I have 443 set as the public https port but left the local https port 8920, and I have "Secure connection mode:" set to "Handled by reverse proxy". Also in the nginx conf, I have any requests on port 80 set for "return 301 https://$server_name$request_uri;".

[Luke 37118]

can we look at a server log example? thanks.

[D34DC3N73R 18]

Here's a recent server log

embyserver.txt

[Luke 37118]

@@pir8radio can you link to your configuration so he can compare? Thanks.

[pir8radio 1292]

Don’t worry about what the log says within Emby it will always display wrong due to how emby assembled that log url. It’s not a true HTTP log. Emby takes what you have in its settings file for a url then slaps on the port used to connect to emby. So you get http://emby.domain.com:8096/ When really it’s httpS://emby.domain.com:443/

 

You will want to enable logging in nginx that will give you an accurate log and really helps troubleshooting with weird connection issues. I will post my current config as soon as I get home however it is on this site somewhere if you search through my posts.

 

 

Sent from my iPhone using Tapatalk

[D34DC3N73R 18]

I don't see any problems in the nginx error log regarding the emby subdomain. The following is my emby.conf

server {
        listen 80;
        server_name emby.domain.tld;
        return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    server_name emby.*;

    	add_header Strict-Transport-Security "max-age=31536000";

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;


    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.178:8096;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;

        #Send websocket data to the backend aswell
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

[pir8radio 1292]

I mean the actual emby server config. Not nginx.

 

 

Sent from my iPhone using Tapatalk

[D34DC3N73R 18]

Here are the emby server settings.

[pir8radio 1292]

Here are the emby server settings.

Sorry I hate Tapatalk I was mixing two threads up I’ll take a look at this as soon as I get in front of my PC

 

 

Sent from my iPhone using Tapatalk

[pir8radio 1292]

 

I don't see any problems in the nginx error log regarding the emby subdomain. The following is my emby.conf

server {
        listen 80;
        server_name emby.domain.tld;
        return 301 https://$server_name$request_uri;
}

server {
    listen 443 ssl;

    server_name emby.*;

    	add_header Strict-Transport-Security "max-age=31536000";

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;

	client_max_body_size 0;


    location / {
        include /config/nginx/proxy.conf;
        proxy_pass http://192.168.0.178:8096;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-for $proxy_add_x_forwarded_for;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $remote_addr;
        proxy_set_header X-Forwarded-Protocol $scheme;
        proxy_redirect off;

        #Send websocket data to the backend aswell
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 

I bet mp4's that direct stream don't work for you....   

 

Here is my current config:  https://emby.media/community/index.php?/topic/48236-setting-up-emby-behind-a-reverse-proxy-nginx/&do=findComment&comment=457670

Maybe we can make that one post sticky? @luke  lol i always have to search for it. 

[D34DC3N73R 18]

Thanks! I'm using the LSIO letsencrypt image and it didn't like some of the config, but I switched out what I could. It complained about worker_processes, events, the http section and the swagger line. I removed TLS 1/1.1, added 1.3, I'm not running ipv6 and I prefer to redirect to https rather than serve over http. I've tried out some direct streams (including an mp4) as well as transcodes and it seems to be working fine (will need additional testing). Thanks again for the suggestions. This is what I'm running right now.

server {
        listen 80;
        server_name emby.domain.tld;
        return 301 https://$server_name$request_uri;
}


server {
    listen 443 ssl http2;	## Listens on port 443 IPv4 with http2 and ssl enabled

    server_name emby.domain.tld;    ## enter your service name and domain name here example emby.domainname.com

        add_header Strict-Transport-Security "max-age=31536000";
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.3;

	ssl_certificate /config/keys/letsencrypt/fullchain.pem;
	ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
	ssl_dhparam /config/nginx/dhparams.pem;
	ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
	ssl_prefer_server_ciphers on;
        ssl_session_cache shared:SSL:10m;

	client_max_body_size 0;


    location / {
        proxy_pass http://192.168.0.178:8096;
        proxy_hide_header X-Powered-By;	 ## Hides nginx server version from bad guys.
	proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
	proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
	proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

     ## ADDITIONAL SECURITY SETTINGS ##
     ## Optional settings to improve security ##
     ## add these after you have completed your testing and ssl setup ##
	add_header 'Referrer-Policy' 'origin-when-cross-origin';
	add_header Strict-Transport-Security "max-age=15552000; preload" always;
	add_header X-Frame-Options "SAMEORIGIN" always;
	add_header X-Content-Type-Options "nosniff" always;
	add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

 

 

Edited February 6, 2019 by D34DC3N73R

[pir8radio 1292]

keep in mind with HSTS  (strict transport security)  it will force https even if connecting via http.  but redirect works with it.   good to hear!

[Depechie 6]

hey @pir8radio I'm using nginx proxy manager instead of straight up nginx... any idea on how to load your custom config with that?

[pir8radio 1292]

14 hours ago, Glenn said:

hey @pir8radio I'm using nginx proxy manager instead of straight up nginx... any idea on how to load your custom config with that?

no clue lol...   never used it...   I think it builds the configs for you,  not sure if your custom script would even "stick".      I'll look into the manager sounds interesting, got a link to a windows version?

[Depechie 6]

It has a tab for custom Configs but when I add something in it, the proxy host will no longer come online.

It is a super handy tool for nginx noobs like me because it will handle most things automatically through the UI.

I run it in a docker container on Linux so no idea about Windows but maybe there is a docker image build for it?

Edited April 29, 2021 by Glenn

[SkinnyT 1]

On 4/29/2021 at 1:56 AM, Depechie said:

It has a tab for custom Configs but when I add something in it, the proxy host will no longer come online.

It is a super handy tool for nginx noobs like me because it will handle most things automatically through the UI.

I run it in a docker container on Linux so no idea about Windows but maybe there is a docker image build for it?

Did you ever figure this out in Nginx Proxy Manager?  I just set this up and I'm trying to get the kinks worked out.  

[CassTG 98]

I will pop my 2 pence in here.

Having tried most of the Proxy Managers, i don't understand the fascination with NPM. Sure the Webui is meant to make things easier but IMHO when i tried it it is not.

I settled on SWAG docker by linuxserver.io which is a breeze and managing four of my docker stacks, sure no UI but set up is so simple compared to NPM BUT more importantly they ship a shed load of proxy-confs for most of the major containers, all you do is edit the relevant conf and  change the subdomain you want to assign to that docker container. It does the rest.

It has NGINX built in, as well as LetsEncrypt/ZeroSSL and FAIL2BAN, so is a nice complete package.

You can obviously add extra config details if you wanted and it checks all is good before booting.

Plus each proxy-conf details at the top any specifics you may need to do to guarantee a working config (so it's near impossible to go wrong)

[mediaserver1 0]

@CassTG, can you please provide some more details about your setup. I am a noob and is working on setting up my first homelab including Emby. SWAG docker looks like a very good option for me. 

But I am not sure where to get started.

[CassTG 98]

43 minutes ago, mediaserver1 said:

@CassTG, can you please provide some more details about your setup. I am a noob and is working on setting up my first homelab including Emby. SWAG docker looks like a very good option for me. 

But I am not sure where to get started.

Hi

 

I did a complete server setup guide for dockers inc portainer, emby swag which can be seen here

Docker Setup

 

Then when you have completed that take a look at the fail2ban guide for extra security

Fail2ban guide

 

As a point to note on first guide, you will notice that swag validation is via http, this would mean port forwarding on your router port 80 to the docker so it can get certs, i do not use this method at all and use DNS validation which means no port forwarding required, however for that you need to have a domain provider which allows api access. Let me know who your domain name provider is and i will pop a guide on how to do it via dns

Edited January 30, 2022 by CassTG

[mediaserver1 0]

@CassTG, Thank you so much for the links. Your posts are very very helpful.

I am planning to go with Cloudflare.
Also my setup is behind a CGNAT (double NAT). Planning to use the free ngrok plan. Still workig the problem around how to link my domain to the tunnel address.

[CassTG 98]

1 hour ago, mediaserver1 said:

@CassTG, Thank you so much for the links. Your posts are very very helpful.

I am planning to go with Cloudflare.
Also my setup is behind a CGNAT (double NAT). Planning to use the free ngrok plan. Still workig the problem around how to link my domain to the tunnel address.

 

They have instructions for cloudflare dns 

Swag Cloudflare DNS

 

 

[iBoss 23]

@Depechie @SkinnyT

please tell me your issue, may be hope I can help