NGINX redirecting subdomain to wrong internal ip/port


feerlessleadr

This post isn't specifically about getting emby up and running, so hopefully it is ok.

 

I followed the SSL/NGINX guide by @Swynol & supplemented by @pir8radio in the sticky (although when I followed the guide, it was still just a thread in the Windows section, so it was a while ago). Based on that, I've been running (and still am) all of my apps behind my nginx proxy with no problem on my Windows 10 Pro server.

 

However, I recently decided to add another application (lidarr) to the mix, and after getting everything all set up, when I navigate to lidarr.mydomain.com, I am always redirected to emby. I've quadruple checked my nginx config, I've checked my dns settings for my domain provider, I've cleared my browser cache/cookies, but no matter what I do, I can't get nginx to redirect to the correct local ip/port. Every other redirect set up in the below config works like it should. The only one that doesn't is lidarr.

 

Here is my nginx config (with domain name removed):

#user  nobody;
# multiple workers works !
worker_processes  2;

events {
    worker_connections  8192;
}


http {
    #include      /nginx/conf/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;
	server_tokens off;


    sendfile        off;
	
	gzip on;
	gzip_disable "msie6";

	gzip_comp_level 6;
	gzip_min_length 1100;
	gzip_buffers 16 8k;
	gzip_proxied any;
	gzip_types
	text/plain
	text/css
	text/js
	text/xml
	text/javascript
	application/javascript
	application/x-javascript
	application/json
	application/xml
	application/rss+xml
	image/svg+xml;

	tcp_nodelay on;
    
	server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##

    #gzip  on;

	

	##EMBY Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }
	
	add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:8096;  # Local emby ip and non SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
	location ^~ /.well-known/acme-challenge/ {
}
	

}

##Radarr Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name radarr.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:7878;  # Local Radarr IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Sonarr Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name sonarr.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:8989;  # Local Sonarr IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##TinyCam Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name tiny.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.24:8083;  # Local TinyCam IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##GET Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name get.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:9876;  # Local GET IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Books Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name books.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:8085;  # Local Books IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Unifi Controller Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name controller.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass https://192.168.1.16:8443;  # Local UniFi controller IP and SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##NZBHydra Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name hydra.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:5076;  # Local NZBHydra IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Bitwarden Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name vault.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:81;  # Local Bitwarden IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Ombi Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name ombi.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
		proxy_pass http://192.168.1.16:3579;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-Host $server_name;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Ssl on;
		proxy_set_header X-Forwarded-Proto $scheme;
		proxy_read_timeout  90;
		proxy_redirect http://192.168.1.16:3579 https://$host;
	}
		location ^~ /.well-known/acme-challenge/ {
}

}

##bazarr Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name bazarr.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:6767;  # Local bazarr IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##portainer Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name port.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:9000;  # Local portainer IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Syncthing Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name sync.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.16:8384;  # Local Syncthing IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		
		#Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
       
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

##Lidarr Server##
	
	server {
    listen [::]:80;
    listen 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name lidarr.mydomain.com; 
	
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate      SSL/cert.pem;
		ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
		add_header X-Frame-Options "SAMEORIGIN" always;
		proxy_hide_header X-Powered-By;
		add_header 'Referrer-Policy' 'no-referrer';
		add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com radarr.mydomain.com sonarr.mydomain.com get.mydomain.com books.mydomain.com hydra.mydomain.com tiny.mydomain.com vault.mydomain.com ombi.mydomain.com bazarr.mydomain.com port.mydomain.com budget.mydomain.com sync.mydomain.com lidarr.mydomain.com;";

     location / {
        proxy_pass http://192.168.1.3:8686;  # Local Lidarr IP and non-SSL port

		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		
		#Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
       
    }
		location ^~ /.well-known/acme-challenge/ {
}

}

}

I recently installed an Ubuntu server, and have lidarr running in a docker container on that server, which is located at 192.168.1.3 on my internal lan. I can navigate to that app using the local lan address & IP. I also have a pihole running on the same server. 

 

Anyone have any ideas what I might be doing wrong?


pir8radio

So I'm going to guide you to figure it out on your own lol... Something to remember: nginx treats the first server block as "default", meaning if the web traffic does not match any other server block, nginx will serve the first block.

 

So if we make an assumption that your traffic does not match any of the other server blocks, as in radarr.mydomain.com is not being seen by nginx, I would check and see if your domain name is sending to your server IP correctly... Some domain names just "redirect" to the base domain name, so radar.mydomain.com might just point to mydomain.com, or you might have it set up to route to emby.mydomain.com.

 

At first glance this is what I'm guessing. I'll look over it when I get home.

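
Added example (not part of the original posts): a simplified Python model of the first-block-is-default rule described above, run against a constructed, trimmed copy of the thread's config. It handles exact `server_name` matches only (no wildcard or regex names), assumes every `listen` carries a port, and tracks the default per port; the `CATCH_ALL` block, the host `music.mydomain.com` and all function names are assumptions for illustration.

```python
import re

# Constructed, trimmed copy of the thread's config (Emby first, Lidarr last);
# only the directives this model reads are kept.
THREAD_CONF = """
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com;
    location / { proxy_pass http://192.168.1.16:8096; }
}
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name radarr.mydomain.com;
    location / { proxy_pass http://192.168.1.16:7878; }
}
server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name lidarr.mydomain.com;
    location / { proxy_pass http://192.168.1.3:8686; }
}
"""

# Assumed hardening, not in the thread: an explicit catch-all that closes the
# connection for unknown names instead of handing them to the first block.
CATCH_ALL = """
server {
    listen [::]:443 ssl default_server;
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate     SSL/cert.pem;
    ssl_certificate_key SSL/private.key;
    return 444;
}
"""


def _blocks(conf):
    """Yield the body of every `server { ... }` block, in file order."""
    conf = re.sub(r"#[^\n]*", "", conf)  # drop comments (no '#' in values assumed)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while depth and i < len(conf):  # walk to the matching closing brace
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]


def parse_servers(conf):
    servers = []
    for body in _blocks(conf):
        names = re.search(r"^\s*server_name\s+([^;]+);", body, re.M)
        upstream = re.search(r"proxy_pass\s+([^;\s]+)", body)
        ports, default_ports = set(), set()
        for spec in re.findall(r"^\s*listen\s+([^;]+);", body, re.M):
            tokens = spec.split()
            port = int(tokens[0].rsplit(":", 1)[-1])  # "443" or "[::]:443"
            ports.add(port)
            if "default_server" in tokens[1:]:
                default_ports.add(port)
        servers.append({
            "names": names.group(1).lower().split() if names else [],
            "ports": ports,
            "default_ports": default_ports,
            "proxy_pass": upstream.group(1) if upstream else None,
        })
    return servers


def select_server(servers, host, port=443):
    """Exact name match, else explicit default_server, else the first block."""
    host = host.lower().rstrip(".")
    candidates = [s for s in servers if port in s["ports"]]
    for s in candidates:
        if host in s["names"]:
            return s
    for s in candidates:
        if port in s["default_ports"]:
            return s
    return candidates[0] if candidates else None


def implicit_default_ports(servers):
    """Ports with no default_server marker, where the first block wins silently."""
    every = set().union(*(s["ports"] for s in servers))
    explicit = set().union(*(s["default_ports"] for s in servers))
    return sorted(every - explicit)


if __name__ == "__main__":
    for label, conf in (("thread config", THREAD_CONF),
                        ("with catch-all", THREAD_CONF + CATCH_ALL)):
        servers = parse_servers(conf)
        print(label, "- implicit default on ports:", implicit_default_ports(servers))
        for host in ("lidarr.mydomain.com", "music.mydomain.com"):
            hit = select_server(servers, host)
            print(f"  {host:22} -> {hit['names']} {hit['proxy_pass']}")
```

With the thread's layout, any name that matches no `server_name` is answered by the Emby block; with the catch-all present, it gets a closed connection instead, which makes a routing or DNS mistake visible rather than looking like a wrong proxy target.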

feerlessleadr

Thanks for the advice - I ended up solving this, but I'm really not sure of what exactly I did to fix it. 

 

TLDR first: I'm running docker on Windows, and it looks like an exe called 'vpnkit.exe' was binding to port 443; after I killed that exe and restarted nginx, accessing lidarr.mydomain.com worked.

 

Longer Version: I was playing around with my nginx config, and I deleted everything from my config, with the exception of the lidarr server block (I made no changes to the above details), restarted nginx, and found that the lidarr.mydomain.com was still not loading, which seemed to confirm that something in the server block was wrong. However, when I looked in the error log for nginx to see what might be the issue, I discovered this line:

bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)

which was odd, because I never had that problem before, and all of my other subdomains loaded without problem. When I ran netstat -anb on my Windows machine, I noticed that a process called 'vpnkit.exe' was also listening on port 443. After some googling, I realized that this is related to docker. After I killed this process, reloaded nginx with the same slimmed down conf (again, made no changes to the above server block details in the conf), and lidarr.mydomain.com loaded right up.

 

I then restored the full nginx conf with all of my server blocks, and all of my subdomains (including lidarr.mydomain.com) load with no problem. 

 

Once I restart docker, the vpnkit.exe is restarted as well, but since nginx is already running, it gets priority on 443. I can't quite figure out how to stop vpnkit.exe from listening on port 443, and my googling is not turning up anything (presumably this is a bug in docker for windows), but since my nginx server starts way before docker for windows can, I won't worry about it too much.

 

I'll eventually migrate all of my docker containers to my linux machine, but that is a project for another day.

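
Added example (not part of the original post): the check described above, an nginx `bind()` failure in the error log cross-referenced with `netstat -anb`, written as a small Python script. The `bind()` message is the one quoted in the thread; the log prefix, the netstat listing and all function names are constructed for illustration.

```python
import re

# Constructed samples: only the bind() message text comes from the thread.
ERROR_LOG = """\
2019/03/02 09:14:07 [emerg] 4312#5120: bind() to 0.0.0.0:443 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)
"""

NETSTAT_ANB = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
 [vpnkit.exe]
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
 Can not obtain ownership information
  TCP    192.168.1.16:49788     203.0.113.10:443       ESTABLISHED
 [firefox.exe]
  TCP    [::]:443               [::]:0                 LISTENING
 [vpnkit.exe]
"""

# 10013 is WSAEACCES; a plain "address already in use" would be 10048.
BIND_RE = re.compile(r"bind\(\) to (\S+):(\d+) failed \((\d+):")
# The state column is optional because UDP rows have none.
CONN_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?")
OWNER_RE = re.compile(r"^\s*\[(.+)\]\s*$")


def failed_binds(error_log):
    """Return (address, port, error code) for each bind() failure nginx logged."""
    return [(a, int(p), int(code)) for a, p, code in BIND_RE.findall(error_log)]


def listeners(netstat_output):
    """Map each listening TCP port to the executables `netstat -anb` names."""
    owners, current = {}, None
    for line in netstat_output.splitlines():
        conn = CONN_RE.match(line)
        if conn:
            proto, _addr, port, state = conn.groups()
            # Only LISTENING rows matter; anything else resets the context so
            # the [owner] line that follows is not credited to an earlier port.
            current = int(port) if proto == "TCP" and state == "LISTENING" else None
            continue
        owner = OWNER_RE.match(line)
        if owner and current is not None:
            owners.setdefault(current, set()).add(owner.group(1).lower())
    return owners


def explain_bind_failures(error_log, netstat_output, own_exe="nginx.exe"):
    """For each failed bind, list the other processes already listening there."""
    owners = listeners(netstat_output)
    return [
        {"listen": f"{addr}:{port}", "winsock_error": code,
         "held_by": sorted(owners.get(port, set()) - {own_exe})}
        for addr, port, code in failed_binds(error_log)
    ]


if __name__ == "__main__":
    for finding in explain_bind_failures(ERROR_LOG, NETSTAT_ANB):
        print(finding)
```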
