Configuring emby with nginx-proxy + let's encrypt


gregaou

Hello everybody,

I started to use Emby like every other service I use with Docker.

For that I use:

My docker compose for Emby:

version: '2'

services:
   emby:
     container_name: emby
     image: emby/embyserver:latest
     restart: unless-stopped
     volumes:
       - ${LOCAL_DATA_DIR}:/config
       - ${LOCAL_MEDIA_DIR}/movies:/movies
       - ${LOCAL_MEDIA_DIR}/tvshows:/tvshows
     environment:
       GID: 1000
       UID: 1000
       VIRTUAL_HOST: emby.xxx.xxx
       VIRTUAL_PORT: 8096
       LETSENCRYPT_HOST: emby.xxx.xxx
       LETSENCRYPT_EMAIL: my.mail@xxx.xxx

networks:
    default:
       external:
         name: webproxy

That generates the following nginx configuration:

# emby.xxx.xxx
upstream emby.xxx.xxx {
				## Can be connected with "webproxy" network
			# emby
			server 172.18.0.18:8096;
}
server {
	server_name emby.xxx.xxx;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name emby.xxx.xxx;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/emby.xxx.xxx.crt;
	ssl_certificate_key /etc/nginx/certs/emby.xxx.xxx.key;
	ssl_dhparam /etc/nginx/certs/emby.xxx.xxx.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/emby.xxx.xxx.chain.pem;
	add_header Strict-Transport-Security "max-age=31536000" always;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://emby.xxx.xxx;
	}
}

But with this configuration I have some trouble, like a timeout when validating my license key, or like:

Check for plugin updates failed


Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out
at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePackagesWithoutRegistrationInfo(Boolean enableCache, CancellationToken cancellationToken)
at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePluginUpdates(Version applicationVersion, CancellationToken cancellationToken)
at Emby.Server.Implementations.ScheduledTasks.PluginUpdateTask.Execute(CancellationToken cancellationToken, IProgress`1 progress)
at Emby.Server.Implementations.ScheduledTasks.ScheduledTaskWorker.ExecuteInternal(TaskOptions options)

Is there a way to avoid Docker host network mode?

Thanks in advance

mastrmind11

nope.  your server has to be able to reach mb3admin.com in order to validate your premiere status.  check your outbound firewall.

gregaou

I think my container is able to reach mb3admin.com because inside the container this command works.

wget https://www.mb3admin.com/admin/service/EmbyPackages.json

Server logs:

2019-10-10 15:21:04.622 Error HttpClient: Connection to https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog timed out
2019-10-10 15:21:04.629 Error App: Error downloading news
	*** Error Report ***
	Version: 4.2.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.65
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 4
	Program data path: /config
	Application directory: /system
	MediaBrowser.Model.Net.HttpException: MediaBrowser.Model.Net.HttpException: Connection to https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog timed out ---> System.OperationCanceledException: The operation was canceled.
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.News.NewsEntryPoint.DownloadNews(String path)
	   at Emby.Server.Implementations.News.NewsEntryPoint.OnTimerFired(Object state)
	Source: Emby.Server.Implementations
	TargetSite: Void MoveNext()
	InnerException: System.OperationCanceledException: The operation was canceled.
	Source: System.Net.Http
	TargetSite: Void HandleFinishSendAsyncError(System.Exception, System.Threading.CancellationTokenSource)
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	
2019-10-10 15:21:06.783 Error HttpClient: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out
2019-10-10 15:21:06.790 Error TaskManager: Error
	*** Error Report ***
	Version: 4.2.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.65
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 4
	Program data path: /config
	Application directory: /system
	MediaBrowser.Model.Net.HttpException: MediaBrowser.Model.Net.HttpException: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out ---> System.OperationCanceledException: The operation was canceled.
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePackagesWithoutRegistrationInfo(Boolean enableCache, CancellationToken cancellationToken)
	   at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePluginUpdates(Version applicationVersion, CancellationToken cancellationToken)
	   at Emby.Server.Implementations.ScheduledTasks.PluginUpdateTask.Execute(CancellationToken cancellationToken, IProgress`1 progress)
	   at Emby.Server.Implementations.ScheduledTasks.ScheduledTaskWorker.ExecuteInternal(TaskOptions options)
	Source: Emby.Server.Implementations
	TargetSite: Void MoveNext()
	InnerException: System.OperationCanceledException: The operation was canceled.
	Source: System.Net.Http
	TargetSite: Void HandleFinishSendAsyncError(System.Exception, System.Threading.CancellationTokenSource)
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)

Edited by gregaou

  • 4 weeks later...
D34DC3N73R

Not sure if this will help, but it's what I'm using for emby in bridge mode with a subdomain proxy.

version: '3'
services:
    letsencrypt:
        container_name: letsencrypt
        image: linuxserver/letsencrypt
        ports:
            - 443:443
            - 80:80
        cap_add:
            - NET_ADMIN
        restart: unless-stopped
        environment:
            - PGID=$PGID
            - PUID=$PUID
            - EMAIL=admin@domain.tld
            - URL=domain.tld
            - SUBDOMAINS=wildcard
            - TZ=$TZ
            - VALIDATION=dns
            - DNSPLUGIN=cloudflare
        volumes:
            - $HOME/.config/letsencrypt:/config

    emby:
        image: emby/embyserver:beta
        container_name: emby
        restart: unless-stopped
        ports:
            - 8096:8096
            - 8920:8920
        environment:
            - TZ=$TZ
            - UID=$PUID
            - GID=$PGID
            - GIDLIST=44
            - NVIDIA_VISIBLE_DEVICES=all
            - NVIDIA_DRIVER_CAPABILITIES=all
        volumes:
            - $HOME/.config/emby:/config
            - $HOME/media/Video:/media/Video
            - $HOME/media/Music:/media/Music
            - /dev/shm/emby:/transcode

nginx conf

server {
        listen 80;
        server_name emby.domain.tld;
        return 301 https://$server_name$request_uri;
}


server {
    listen 443 ssl http2;

    server_name emby.domain.tld;

        include /config/nginx/ssl.conf;

        client_max_body_size 0;
        add_header Content-Security-Policy "frame-ancestors domain.tld emby.domain.tld;";


    location / {
        proxy_pass http://192.168.1.111:8096;
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
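
nginx inherits `add_header` directives from an outer level only when the current level defines none of its own. The following added example (not part of any post in this thread) applies that rule to the header lines of the vhost above and reports which headers a `location` would not send; the parser is a simplification that assumes a single server block, one directive per line and plain `location <path>` blocks.

```python
import re

# Header-relevant lines of the vhost posted above, embedded so this runs offline.
CONF = """
server {
    add_header Content-Security-Policy "frame-ancestors domain.tld emby.domain.tld;";
    location / {
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;
    }
}
"""

ADD_HEADER = re.compile(r"""^add_header\s+['"]?([\w-]+)['"]?\s""")
BLOCK_OPEN = re.compile(r"^(server|location\s+\S+)\s*\{$")

def own_headers(conf):
    """Header names each block sets itself, keyed by block path (a tuple)."""
    stack, own = [], {}
    for raw in conf.splitlines():
        line = raw.strip()
        m = BLOCK_OPEN.match(line)
        if m:
            stack.append(m.group(1))
            own[tuple(stack)] = []
        elif line == "}":
            stack.pop()
        elif stack and (h := ADD_HEADER.match(line)):
            own[tuple(stack)].append(h.group(1))
    return own

def effective_headers(conf):
    own = own_headers(conf)
    def resolve(path):  # inherit only while this level sets no add_header
        while len(path) > 1 and not own[path]:
            path = path[:-1]
        return own[path]
    return {path: resolve(path) for path in own}

def dropped_headers(conf):
    """Headers set on an enclosing level that a block does not actually send."""
    own, eff = own_headers(conf), effective_headers(conf)
    lost = {}
    for path in own:
        outer = {h for i in range(1, len(path)) for h in own[path[:i]]}
        if outer - set(eff[path]):
            lost[" > ".join(path)] = sorted(outer - set(eff[path]))
    return lost
```

For this vhost, `dropped_headers(CONF)` reports the server-level `Content-Security-Policy` as missing from `location /`; repeating the directive inside the location, or moving all `add_header` lines to one level, restores it.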



  • 1 month later...
oneduality

It would be amazing if Emby just supported lets encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert 

It seems building it in would be very simple to do, there are tons of opensource projects for generating certificates in many languages


mastrmind11

doc

It would be amazing if Emby just supported lets encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert

It seems building it in would be very simple to do, there are tons of opensource projects for generating certificates in many languages

certbot.

BAlGaInTl

It would be amazing if Emby just supported lets encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert

It seems building it in would be very simple to do, there are tons of opensource projects for generating certificates in many languages

doc

certbot.

Also Cloudflare....

You can generate a cert there and not have to worry about renewals at all. Plus you get the added feature of obscuring your WAN IP.

Working great for me, and it's one less thing I have to worry about.
