feerlessleadr 155 Posted March 15, 2019

This post isn't specifically about getting emby up and running, so hopefully it is ok.

I followed the SSL/NGINX guide by @Swynol & supplemented by @pir8radio in the sticky (although when I followed the guide, it was still just a thread in the Windows section, so it was a while ago). Based on that, I've been running (and still am) all of my apps behind my nginx proxy with no problem on my Windows 10 Pro server.

However, I recently decided to add another application (lidarr) to the mix, and after getting everything all set up, when I navigate to lidarr.mydomain.com, I am always redirected to emby. I've quadruple checked my nginx config, I've checked my dns settings for my domain provider, I've cleared my browser cache/cookies, but no matter what I do, I can't get nginx to redirect to the correct local ip/port. Every other redirect set up in the below config works like it should. The only one that doesn't is lidarr.

Here is my nginx config (with domain name removed):

#user nobody;
# multiple workers works !
worker_processes 2;

events {
    worker_connections 8192;
}

http {
    #include /nginx/conf/naxsi_core.rules;
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;
    sendfile off;
    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
    tcp_nodelay on;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    #gzip on;

    ##EMBY Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Radarr Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name radarr.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:7878; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Sonarr Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name sonarr.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:8989; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##TinyCam Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name tiny.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.24:8083; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##GET Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name get.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:9876; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Books Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name books.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:8085; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Unifi Controller Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name controller.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass https://192.168.1.16:8443; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##NZBHydra Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name hydra.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:5076; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Bitwarden Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name vault.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:81; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Ombi Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name ombi.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:3579;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_read_timeout 90;
            proxy_redirect http://192.168.1.16:3579 https://$host;
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##bazarr Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name bazarr.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:6767; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##portainer Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name port.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:9000; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Syncthing Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name sync.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.16:8384; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }

    ##Lidarr Server##
    server {
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name lidarr.mydomain.com;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com;emby.mydomain.com;radarr.mydomain.com;sonarr.mydomain.com;get.mydomain.com;books.mydomain.com;hydra.mydomain.com;tiny.mydomain.com;vault.mydomain.com;ombi.mydomain.com;bazarr.mydomain.com;port.mydomain.com;budget.mydomain.com;sync.mydomain.com;lidarr.mydomain.com;";
        location / {
            proxy_pass http://192.168.1.3:8686; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
        location ^~ /.well-known/acme-challenge/ {
        }
    }
}

I recently installed an Ubuntu server, and have lidarr running in a docker container on that server, which is located at 192.168.1.3 on my internal lan. I can navigate to that app using the local lan address & IP. I also have a pihole running on the same server.

Anyone have any ideas what I might be doing wrong?

pir8radio 1292 Posted March 15, 2019

So I'm going to guide you to figure it out on your own lol.... Something to remember, nginx treats the first server block as "default", meaning if the web traffic does not match any other server block, nginx will serve the first block. So if we make an assumption that your traffic does not match any of the other server blocks, as in radarr.mydomain.com is not being seen by nginx, I would check and see if your domain name is sending to your server IP correctly... some domain names just "redirect" to the base domain name.. so radar.mydomain.com might just point to mydomain.com or you might have it setup to route to emby.mydomain.com..

At first glance this is what I'm guessing.. I'll look over it when I get home.
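
The fallback described in the reply above, as an added example that is not part of the original thread: a small model of how nginx picks a server block, run over a constructed two-block cut of the posted config, with and without an explicit catch-all. The catch-all block and all function names are assumptions for illustration; only exact server names are modelled (no wildcards or regexes), and the default is tracked per port rather than per address:port pair.

```python
import re

# Constructed sample modelled on the config posted in this thread, trimmed to
# the directives that decide server selection. Not the poster's full file.
SAMPLE_CONF = """
http {
    server {   ##EMBY Server##
        listen 80; listen 443 ssl;
        server_name emby.mydomain.com;
        location / { proxy_pass http://192.168.1.16:8096; }
    }
    server {   ##Lidarr Server##
        listen 80; listen 443 ssl;
        server_name lidarr.mydomain.com;
        location / { proxy_pass http://192.168.1.3:8686; }
    }
}
"""

# Hypothetical catch-all (an assumption, not from the thread): refuses any
# hostname that no other server block claims.
CATCH_ALL = """
    server {
        listen 80 default_server; listen 443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # nginx 1.19.4 or later
        return 444;
    }
"""
HARDENED_CONF = SAMPLE_CONF.rstrip()[:-1] + CATCH_ALL + "}\n"

# Quoted strings are single tokens so a ';' inside a header value is not a terminator.
TOKEN = re.compile(r'"[^"]*"|\'[^\']*\'|#[^\n]*|[{};]|[^\s{};#"\']+')


def parse_servers(conf):
    """Return one dict per server block: names, (port, is_default) listens, upstream."""
    tokens = [t for t in TOKEN.findall(conf) if not t.startswith("#")]
    servers, i = [], 0
    while i < len(tokens):
        if tokens[i] != "server" or tokens[i + 1:i + 2] != ["{"]:
            i += 1
            continue
        block = {"names": [], "listens": [], "upstream": None}
        depth, stmt, i = 1, [], i + 2
        while depth and i < len(tokens):
            tok = tokens[i]
            i += 1
            if tok in ("{", "}"):
                depth += 1 if tok == "{" else -1
                stmt = []
            elif tok != ";":
                stmt.append(tok)
            else:
                if stmt[:1] == ["server_name"] and depth == 1:
                    block["names"] += [n.lower() for n in stmt[1:]]
                elif stmt[:1] == ["listen"] and depth == 1:
                    tail = stmt[1].rsplit(":", 1)[-1]
                    port = int(tail) if tail.isdigit() else 80
                    block["listens"].append((port, "default_server" in stmt[2:]))
                elif stmt[:1] == ["proxy_pass"] and block["upstream"] is None:
                    block["upstream"] = stmt[1]
                stmt = []
        servers.append(block)
    return servers


def select_server(servers, port, host):
    """Mimic nginx's choice: exact name, else default_server, else first block."""
    on_port = [s for s in servers if any(p == port for p, _ in s["listens"])]
    for s in on_port:
        if host.lower() in s["names"]:
            return s
    for s in on_port:
        if (port, True) in s["listens"]:
            return s
    return on_port[0] if on_port else None


def ports_without_explicit_default(servers):
    """Ports where the fallback is whichever server block happens to come first."""
    ports = {p for s in servers for p, _ in s["listens"]}
    explicit = {p for s in servers for p, d in s["listens"] if d}
    return sorted(ports - explicit)
```

On the sample as posted, a hostname that matches no block resolves to the emby upstream; with the catch-all added, the same request lands on the block that returns 444 and no application is exposed under an unexpected name.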

feerlessleadr 155 Posted March 15, 2019 Author

Thanks for the advice - I ended up solving this, but I'm really not sure of what exactly I did to fix it.

TLDR first: I'm running docker on windows, and it looks like an exe called 'vpnkit.exe' was binding to port 443, which after I killed that exe, restarted nginx, accessing lidarr.mydomain.com worked.

Longer Version: I was playing around with my nginx config, and I deleted everything from my config, with the exception of the lidarr server block (I made no changes to the above details), restarted nginx, and found that the lidarr.mydomain.com was still not loading, which seemed to confirm that something in the server block was wrong. However, when I looked in the error log for nginx to see what might be the issue, I discovered this line:

bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)

which was odd, because I never had that problem before, and all of my other subdomains loaded without problem.

When I ran netstat -anb on my windows machine, I noticed that a process called 'vpnkit.exe' was also listening on port 443. After some googling, I realized that this is related to docker. After I killed this process, reloaded nginx with the same slimmed down conf (again, made no changes to the above server block details in the conf), and lidarr.mydomain.com loaded right up. I then restored the full nginx conf with all of my server blocks, and all of my subdomains (including lidarr.mydomain.com) load with no problem.

Once I restart docker, the vpnkit.exe is restarted as well, but since nginx is already running, it gets priority on 443. I can't quite figure out how to stop vpnkit.exe from listening on port 443, and my googling is not turning up anything (presumably this is a bug in docker for windows), but since my nginx server starts way before docker for windows can, I won't worry about it too much.

I'll eventually migrate all of my docker containers to my linux machine, but that is a project for another day.

Luke 37099 Posted March 16, 2019

Thanks for the info.