NGINX Reverse Proxy Config for Emby + Website With SSL

nginx reverse proxy ssl website

9 replies to this topic

#1 CivBase (Newbie, Members, 5 posts)

Posted 30 December 2019 - 03:40 PM

I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80.  I host a website under the www subdomain at the root path on port 80, so that's not an option.

I'm fine with any of these solutions:

  1. Use a different port (http://www.mydomain.com:8096/)
  2. Use a different subdomain (http://emby.mydomain.com/)
  3. Use a different path (http://www.mydomain.com/emby/)

My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on.  I think I'd prefer solution #1 or #2, but I'm not picky.

I'd also like to set up SSL, but I need to get this working before I can worry about encryption.  That said, the SSL configuration for my website might be responsible for my current problem.  All requests to port 80 are redirected to 443, which has SSL enabled.  The server just directs everything on the /emby path to localhost:8096, which Emby binds to.

I'm able to load the index page, but it fails to load the JavaScript used to render any actual content.  It looks like the server isn't able to serve the JavaScript file over HTTPS.  I have very limited experience with NGINX and Emby and I have no idea how to fix it.

[screenshot: 5e0a4e186c3c5_emby.png]

Here's my NGINX server configuration:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /█████/website;

        server_name █████;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        location /emby {
            proxy_pass http://127.0.0.1:8096;
        }
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████;

        return 301 https://$host$request_uri;
}


#2 Luke (System Architect, Administrators, 148965 posts)

Posted 30 December 2019 - 03:41 PM

Hi there, have you compared to @pir8radio's configuration?

#3 CivBase (Newbie, Members, 5 posts)

Posted 30 December 2019 - 03:59 PM

> Hi there, have you compared to @pir8radio's configuration?

Yah, but it looks like he's hosting at the root path on ports 80 and 443.  His configuration does specify emby.mydomain.com instead of just mydomain.com, but I tried creating two server configurations on port 80 with different subdomains and NGINX spat out this error:

nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/:47
nginx: configuration file /etc/nginx/nginx.conf test failed

Here's the NGINX server config file I used to produce that error:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /█████/website;

        server_name █████.com;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████.com;

        return 301 https://$host$request_uri;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
}

#4 Justy (Member, Members, 23 posts, Germany)

Posted 30 December 2019 - 03:59 PM

Hi,

I'm not a pro. But I'm missing the cipher suites and the SSL protocols:

something like (there are many more; please check which you need):

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8;


Edited by Justy, 30 December 2019 - 04:02 PM.


#5 CivBase (Newbie, Members, 5 posts)

Posted 30 December 2019 - 04:13 PM

> Hi,
>
> I'm not a pro. But I'm missing the cipher suites and the SSL protocols:
>
> something like (there are many more; please check which you need):
>
> ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
> ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
> ssl_prefer_server_ciphers on;
> ssl_stapling on;
> ssl_stapling_verify on;
> resolver 8.8.4.4 8.8.8.8;

I just added that, but I'm getting the same error still :(



#6 Justy (Member, Members, 23 posts, Germany)

Posted 30 December 2019 - 04:18 PM

The error you produced is because of a double entry in your config:

Line 37 till the end:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████.com;

        return 301 https://$host$request_uri;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
}
 



#7 Justy (Member, Members, 23 posts, Germany)

Posted 30 December 2019 - 04:24 PM

Mine looks like this:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate     /etc/ssl/certs/openmediavault.crt;
    ssl_certificate_key /etc/ssl/private/openmediavault.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    server_name emby.emby4ever.de;
    index index.html;
    access_log /var/log/nginx/1c5b4f27-66bb-4384-a5c0-access.log;
    error_log  /var/log/nginx/1c5b4f27-66bb-4384-a5c0-error.log;
    large_client_header_buffers 4 8k;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        add_header 'Referrer-Policy' 'no-referrer';
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff"  always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}



#8 CivBase (Newbie, Members, 5 posts)

Posted 30 December 2019 - 04:28 PM

> The error you produced is because of a double entry in your config

I guess I can't differentiate between subdomains that way, but I'm not sure what the right way is or if it's even possible with NGINX.  I've found many examples that seem to specify multiple server blocks on the same port, but the error message seems to indicate that isn't right.  I just gave up on solution #2 after a while for this reason.



#9 Justy (Member, Members, 23 posts, Germany)

Posted 31 December 2019 - 03:56 AM

Hi,

I don't use two domains/subdomains myself at the moment. But I would try something like this (I've used the config from your first post):

(You could also divide it into two separate files (you don't have to, but it will be much clearer) in /etc/nginx/sites-available/www.example.com and /etc/nginx/sites-available/emby.example.com)

server {
    listen 80;
    listen [::]:80;

    server_name emby.█████.com;

    location / {
        proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        #add_header 'Referrer-Policy' 'no-referrer';
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        #add_header X-Frame-Options "SAMEORIGIN" always;
        #add_header X-Content-Type-Options "nosniff" always;
        #add_header X-Xss-Protection "1; mode=block" always;
        #add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /█████/website;

    server_name █████.com;

    ssl on;
    ssl_certificate /█████/cert.pem;
    ssl_certificate_key /█████/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8;

    location /static {
        alias /█████/website/static;
    }

    location / {
        try_files $uri @wsgi;
    }

    location @wsgi {
        proxy_pass http://unix:/tmp/gunicorn.sock;
        include proxy_params;
    }

    location ~* .(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }
}


Edited by Justy, 31 December 2019 - 04:20 AM.


#10 KMBanana (Advanced Member, Members, 143 posts)

Posted 31 December 2019 - 05:33 AM

You can absolutely have multiple server blocks for different subdomains, I use several.  Only 1 should have the "default_server" on the listen lines, but I'm not sure if this is your only issue.  
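Pulling the thread's pieces together, here is an added example of the subdomain approach (option #2 from the first post) with TLS on both hosts. It is my configuration, not one posted by any participant and not from Emby. It addresses the "duplicate default server" error in post #3 (each address:port may carry `default_server` once; `server_name` is what selects a block) and Justy's proposal in post #9, which left the Emby host on plain port 80. The names www.example.com and emby.example.com, the certificate paths under /etc/ssl/example/, the /srv/website root and the `$connection_upgrade` map are my placeholders; the Emby backend at 127.0.0.1:8096 and the gunicorn socket are taken from the first post. TLS 1.0 and 1.1, which the thread's snippets still enable, are deprecated by RFC 8996, so only 1.2 and 1.3 are offered.

```nginx
# Added example, not from the thread. Placeholders: www.example.com,
# emby.example.com, a certificate whose SANs cover both names under
# /etc/ssl/example/, website root /srv/website. From post #1: Emby on
# 127.0.0.1:8096 (plain HTTP) and gunicorn on /tmp/gunicorn.sock.
# Lives in sites-available, which nginx.conf includes inside the http
# context, so the map directive is valid here.

# Send "Connection: upgrade" to Emby only when the client asked to upgrade
# (WebSockets); ordinary requests get "close".
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Port 80: one block, one default_server. Marking two blocks default_server
# on the same address:port is what produced post #3's "duplicate default
# server" error; server_name, not default_server, picks the host.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.example.com emby.example.com;
    return 301 https://$host$request_uri;
}

# Port 443 catch-all: unknown Host/SNI names and the bare IP get the
# connection dropped instead of silently landing on the website or Emby.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    return 444;
}

# Website from post #1, without default_server (the catch-all holds it).
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name www.example.com;
    root /srv/website;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;        # 1.0 and 1.1 are deprecated (RFC 8996)
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;  # only used to reach the OCSP responder

    location /static/ { alias /srv/website/static/; }
    location / { try_files $uri @wsgi; }
    location @wsgi {
        proxy_pass http://unix:/tmp/gunicorn.sock;
        include proxy_params;
    }
}

# Emby on its own name. Proxying "/" rather than "/emby" means the web
# client's absolute asset paths (/web/...) reach Emby instead of falling
# into the website's location blocks.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.example.com;
    server_tokens off;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;        # all suites above are AEAD with forward secrecy
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.8.8 8.8.4.4 valid=300s;

    add_header Strict-Transport-Security "max-age=63072000" always;
    add_header X-Content-Type-Options nosniff always;
    add_header X-Frame-Options SAMEORIGIN always;
    add_header Referrer-Policy no-referrer always;

    location ^~ /swagger { return 404; }  # API explorer; clients never need it

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;                        # needed for the Upgrade handshake
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        proxy_set_header Host       $host;
        proxy_set_header X-Real-IP  $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;    # lets Emby see it is behind HTTPS
        proxy_set_header Range    $http_range;         # byte ranges for seeking
        proxy_set_header If-Range $http_if_range;
        proxy_hide_header X-Powered-By;
        proxy_buffering off;                           # stream media, don't spool to disk
    }
}
```

Run `nginx -t` before reloading; it is the check that would have caught the duplicate `default_server` immediately. Afterwards verify from outside: `openssl s_client -connect <ip>:443 -servername emby.example.com -status` should present the certificate and a stapled OCSP response, and a request with an unknown Host header (or to the bare IP) should have its connection closed by the 444 block rather than reach either application. Emby itself must not be reachable on 8096 from the internet; if it binds all interfaces rather than only 127.0.0.1, block that port at the firewall so the proxy is the only way in.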






