
Configuring emby with nginx-proxy + let's encrypt

docker nginx-proxy letsencrypt emby

12 replies to this topic

#1 gregaou

Posted 10 October 2019 - 11:11 AM

Hello everybody,

 

I started to use Emby like every other service I use with Docker.

For that I use:

 

My docker compose for emby :

version: '2'

services:
   emby:
     container_name: emby
     image: emby/embyserver:latest
     restart: unless-stopped
     volumes:
       - ${LOCAL_DATA_DIR}:/config
       - ${LOCAL_MEDIA_DIR}/movies:/movies
       - ${LOCAL_MEDIA_DIR}/tvshows:/tvshows
     environment:
       GID: 1000
       UID: 1000
       VIRTUAL_HOST: emby.xxx.xxx
       VIRTUAL_PORT: 8096
       LETSENCRYPT_HOST: emby.xxx.xxx
       LETSENCRYPT_EMAIL: my.mail@xxx.xxx

networks:
    default:
       external:
         name: webproxy

That generates the following nginx configuration:

# emby.xxx.xxx
upstream emby.xxx.xxx {
				## Can be connected with "webproxy" network
			# emby
			server 172.18.0.18:8096;
}
server {
	server_name emby.xxx.xxx;
	listen 80 ;
	access_log /var/log/nginx/access.log vhost;
	return 301 https://$host$request_uri;
}
server {
	server_name emby.xxx.xxx;
	listen 443 ssl http2 ;
	access_log /var/log/nginx/access.log vhost;
	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
	ssl_ciphers 'ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA:ECDHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:!DSS';
	ssl_prefer_server_ciphers on;
	ssl_session_timeout 5m;
	ssl_session_cache shared:SSL:50m;
	ssl_session_tickets off;
	ssl_certificate /etc/nginx/certs/emby.xxx.xxx.crt;
	ssl_certificate_key /etc/nginx/certs/emby.xxx.xxx.key;
	ssl_dhparam /etc/nginx/certs/emby.xxx.xxx.dhparam.pem;
	ssl_stapling on;
	ssl_stapling_verify on;
	ssl_trusted_certificate /etc/nginx/certs/emby.xxx.xxx.chain.pem;
	add_header Strict-Transport-Security "max-age=31536000" always;
	include /etc/nginx/vhost.d/default;
	location / {
		proxy_pass http://emby.xxx.xxx;
	}
}

But with this configuration I have some trouble, like a timeout when validating my license key, or like:

Check for plugin updates failed


Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out
at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePackagesWithoutRegistrationInfo(Boolean enableCache, CancellationToken cancellationToken)
at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePluginUpdates(Version applicationVersion, CancellationToken cancellationToken)
at Emby.Server.Implementations.ScheduledTasks.PluginUpdateTask.Execute(CancellationToken cancellationToken, IProgress`1 progress)
at Emby.Server.Implementations.ScheduledTasks.ScheduledTaskWorker.ExecuteInternal(TaskOptions options)

Is there a way to avoid docker host network mode?

Thanks in advance



#2 mastrmind11

Posted 10 October 2019 - 11:16 AM

nope.  your server has to be able to reach mb3admin.com in order to validate your premiere status.  check your outbound firewall.



#3 gregaou

Posted 10 October 2019 - 11:30 AM

I think my container is able to reach mb3admin.com cause inside the container this command works.

wget https://www.mb3admin.com/admin/service/EmbyPackages.json

Server logs:

2019-10-10 15:21:04.622 Error HttpClient: Connection to https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog timed out
2019-10-10 15:21:04.629 Error App: Error downloading news
	*** Error Report ***
	Version: 4.2.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.65
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 4
	Program data path: /config
	Application directory: /system
	MediaBrowser.Model.Net.HttpException: MediaBrowser.Model.Net.HttpException: Connection to https://emby.media/community/index.php?/blog/rss/1-media-browser-developers-blog timed out ---> System.OperationCanceledException: The operation was canceled.
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.News.NewsEntryPoint.DownloadNews(String path)
	   at Emby.Server.Implementations.News.NewsEntryPoint.OnTimerFired(Object state)
	Source: Emby.Server.Implementations
	TargetSite: Void MoveNext()
	InnerException: System.OperationCanceledException: The operation was canceled.
	Source: System.Net.Http
	TargetSite: Void HandleFinishSendAsyncError(System.Exception, System.Threading.CancellationTokenSource)
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	
2019-10-10 15:21:06.783 Error HttpClient: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out
2019-10-10 15:21:06.790 Error TaskManager: Error
	*** Error Report ***
	Version: 4.2.1.0
	Command line: /system/EmbyServer.dll -programdata /config -ffdetect /bin/ffdetect -ffmpeg /bin/ffmpeg -ffprobe /bin/ffprobe -restartexitcode 3
	Operating system: Unix 4.15.0.65
	64-Bit OS: True
	64-Bit Process: True
	User Interactive: True
	Runtime: file:///system/System.Private.CoreLib.dll
	Processor count: 4
	Program data path: /config
	Application directory: /system
	MediaBrowser.Model.Net.HttpException: MediaBrowser.Model.Net.HttpException: Connection to https://www.mb3admin.com/admin/service/EmbyPackages.json timed out ---> System.OperationCanceledException: The operation was canceled.
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   --- End of inner exception stack trace ---
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsync(HttpRequestOptions options, String httpMethod)
	   at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePackagesWithoutRegistrationInfo(Boolean enableCache, CancellationToken cancellationToken)
	   at Emby.Server.Implementations.Updates.InstallationManager.GetAvailablePluginUpdates(Version applicationVersion, CancellationToken cancellationToken)
	   at Emby.Server.Implementations.ScheduledTasks.PluginUpdateTask.Execute(CancellationToken cancellationToken, IProgress`1 progress)
	   at Emby.Server.Implementations.ScheduledTasks.ScheduledTaskWorker.ExecuteInternal(TaskOptions options)
	Source: Emby.Server.Implementations
	TargetSite: Void MoveNext()
	InnerException: System.OperationCanceledException: The operation was canceled.
	Source: System.Net.Http
	TargetSite: Void HandleFinishSendAsyncError(System.Exception, System.Threading.CancellationTokenSource)
	   at System.Net.Http.HttpClient.HandleFinishSendAsyncError(Exception e, CancellationTokenSource cts)
	   at System.Net.Http.HttpClient.FinishSendAsyncUnbuffered(Task`1 sendTask, HttpRequestMessage request, CancellationTokenSource cts, Boolean disposeCts)
	   at Emby.Server.Implementations.HttpClientManager.CoreHttpClientManager.SendAsyncInternal(HttpRequestOptions options, String httpMethod)


Edited by gregaou, 10 October 2019 - 11:34 AM.


#4 Luke

Posted 10 October 2019 - 12:43 PM

Hi there, have you compared your config to @pir8radio?

#5 gregaou

Posted 10 October 2019 - 12:46 PM

This config: https://emby.media/c...nginx/?p=457670 ?

I've already seen this but I saw nothing relevant


Edited by gregaou, 10 October 2019 - 12:47 PM.


#6 pir8radio

Posted 10 October 2019 - 10:49 PM

yea that looks like an outbound issue, not an nginx issue. 



#7 gregaou

Posted 11 October 2019 - 02:26 AM

@pir8radio Maybe, I'm not sure, but I need to find a way to identify where my request is blocked. Do you have an idea?



#8 pir8radio

Posted 12 October 2019 - 09:11 AM

can you ping it (mb3admin.com)?   if yes what does a trace route show?



#9 D34DC3N73R

Posted 05 November 2019 - 11:24 PM

Not sure if this will help, but it's what I'm using for emby in bridge mode with a subdomain proxy.

version: '3'
services:
    letsencrypt:
        container_name: letsencrypt
        image: linuxserver/letsencrypt
        ports:
            - 443:443
            - 80:80
        cap_add:
            - NET_ADMIN
        restart: unless-stopped
        environment:
            - PGID=$PGID
            - PUID=$PUID
            - EMAIL=admin@domain.tld
            - URL=domain.tld
            - SUBDOMAINS=wildcard
            - TZ=$TZ
            - VALIDATION=dns
            - DNSPLUGIN=cloudflare
        volumes:
            - $HOME/.config/letsencrypt:/config

    emby:
        image: emby/embyserver:beta
        container_name: emby
        restart: unless-stopped
        ports:
            - 8096:8096
            - 8920:8920
        environment:
            - TZ=$TZ
            - UID=$PUID
            - GID=$PGID
            - GIDLIST=44
            - NVIDIA_VISIBLE_DEVICES=all
            - NVIDIA_DRIVER_CAPABILITIES=all
        volumes:
            - $HOME/.config/emby:/config
            - $HOME/media/Video:/media/Video
            - $HOME/media/Music:/media/Music
            - /dev/shm/emby:/transcode

nginx conf

server {
        listen 80;
        server_name emby.domain.tld;
        return 301 https://$server_name$request_uri;
}


server {
    listen 443 ssl http2;

    server_name emby.domain.tld;

    include /config/nginx/ssl.conf;

    client_max_body_size 0;
    add_header Content-Security-Policy "frame-ancestors domain.tld emby.domain.tld;";


    location / {
        proxy_pass http://192.168.1.111:8096;
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;


        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
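
Added example, not part of the post above or of any project's code: nginx inherits add_header directives from the enclosing level only when the current level defines none of its own, so in a layout like the one in post #9 the server-level Content-Security-Policy header is not sent for "location /", which sets its own add_header lines. The Python sketch below applies that rule to a constructed sample; the helper names (parse, audit, find_dropped) and the /health location are hypothetical, and regex locations containing braces are not handled.

```python
import re

# Constructed sample mirroring the layout of the config in post #9: one
# add_header at server level, more inside "location /". Not a full config.
SAMPLE = r'''
server {
    listen 443 ssl http2;
    server_name emby.domain.tld;
    add_header Content-Security-Policy "frame-ancestors domain.tld emby.domain.tld;";
    location / {
        proxy_pass http://192.168.1.111:8096;
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Content-Type-Options "nosniff" always;
    }
    location /health {   # hypothetical location with no add_header of its own
        return 204;
    }
}
'''
TOKEN = re.compile(r'''"[^"]*"|'[^']*'|#[^\n]*|[{};]|[^\s{};"']+''')

def parse(tokens):
    """Build nested (args, children) tuples; children is None for 'x y;'."""
    items, args = [], []
    for tok in tokens:
        if tok == '}':
            break
        if tok in (';', '{'):
            items.append((args, parse(tokens) if tok == '{' else None))
            args = []
        elif not tok.startswith('#'):      # skip comments
            args.append(tok.strip('"\''))
    return items

def audit(items, inherited=(), path='main'):
    """List (block, headers sent, inherited headers dropped) per level."""
    own = [a[1] for a, kids in items
           if kids is None and a[:1] == ['add_header'] and a[1:]]
    # nginx inherits add_header only when the current level defines none.
    sent = own or list(inherited)
    rows = [(path, sent, [h for h in inherited if h not in sent])]
    for a, kids in items:
        if kids is not None:
            rows += audit(kids, sent, path + ' > ' + ' '.join(a))
    return rows

def find_dropped(conf_text):
    """Map each block to the inherited headers it silently stops sending."""
    tree = parse(iter(TOKEN.findall(conf_text)))
    return {p: d for p, _, d in audit(tree) if d}
```

Calling find_dropped(SAMPLE) reports Content-Security-Policy as dropped for "location /" only. Repeating the server-level add_header line inside that location, or keeping all add_header lines at a single level, makes the header apply again.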




#10 oneduality

Posted 29 December 2019 - 10:00 PM

It would be amazing if Emby just supported Let's Encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert

It seems building it in would be very simple to do, there are tons of open source projects for generating certificates in many languages



#11 mastrmind11

Posted 03 January 2020 - 06:42 PM

doc

 

It would be amazing if Emby just supported Let's Encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert

It seems building it in would be very simple to do, there are tons of open source projects for generating certificates in many languages

certbot.



#12 BAlGaInTl

Posted 03 January 2020 - 11:03 PM

It would be amazing if Emby just supported Let's Encrypt natively.. I was using LE certificates for a while but didn't want to deal with the renewals by hand anymore so I just bought a 4 year cert

It seems building it in would be very simple to do, there are tons of open source projects for generating certificates in many languages

 

 

doc

 

certbot.

 

Also Cloudflare....

 

You can generate a cert there and not have to worry about renewals at all.  Plus you get the added feature of obscuring your WAN IP.

 

Working great for me, and it's one less thing I have to worry about.



#13 mastrmind11

Posted 04 January 2020 - 08:28 AM

+1 cloudflare






