
NGINX Reverse Proxy Config for Emby + Website With SSL


CivBase


I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80.  I host a website under the www subdomain at the root path on port 80, so that's not an option.

 

I'm fine with any of these solutions:

  1. Use a different port (http://www.mydomain.com:8096/)
  2. Use a different subdomain (http://emby.mydomain.com/)
  3. Use a different path (http://www.mydomain.com/emby/)

My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on.  I think I'd prefer solution #1 or #2, but I'm not picky.

 

I'd also like to set up SSL, but I need to get this working before I can worry about encryption.  That said, the SSL configuration for my website might be responsible for my current problem.  All requests to port 80 are redirected to 443, which has SSL enabled.  The server just directs everything on the /emby path to localhost:8096, which Emby binds to.

 

I'm able to load the index page, but it fails to load the Javascript used to render any actual content.  It looks like the server isn't able to serve the Javascript file over HTTPS.  I have very limited experience with NGINX and Emby and I have no idea how to fix it.

 

[Screenshot attachment: emby.png]

 

Here's my NGINX server configuration:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /█████/website;

        server_name █████;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        location /emby {
            proxy_pass http://127.0.0.1:8096;
        }
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████;

        return 301 https://$host$request_uri;
}
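One thing worth checking in the config above, shown as an added example that is not from this thread: nginx remembers the longest matching prefix location, then tries the `~*` regex locations in order and uses the first match, so a request for /emby/anything.js is handled by the static-extension block (looked up under `root`, never proxied). A `^~` prefix makes `/emby` final for everything beneath it. The backend address is the same 127.0.0.1:8096 as in the post.

```nginx
# Added example: make the /emby prefix win over the static-file regex block.
# `^~` tells nginx to stop location matching here, so the `~*` regex below
# is never consulted for anything under /emby.
location ^~ /emby {
    proxy_pass http://127.0.0.1:8096;       # URI is passed through unchanged, as in the original
    proxy_http_version 1.1;                 # the Emby web client opens a websocket
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Proto $scheme;
}

# Static-file block from the post, with the dot escaped: an unescaped `.`
# is "any character" in a regex, so `.(js)$` also matches paths ending in "xjs".
location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
    access_log off;
    log_not_found off;
    expires max;
}
```

Validate with `nginx -t` before reloading. This only fixes which location handles the request; whether Emby itself is happy being served from a sub-path rather than the root is a separate question the example does not settle.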

Hi there, have you compared to @pir8radio's configuration?

Yah, but it looks like he's hosting at the root path on ports 80 and 443.  His configuration does specify emby.mydomain.com instead of just mydomain.com, but I tried creating two server configurations on port 80 with different subdomains and NGINX spat out this error:

 

nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/:47

nginx: configuration file /etc/nginx/nginx.conf test failed

 

Here's the NGINX server config file I used to produce that error:

server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;

        root /█████/website;

        server_name █████.com;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████.com;

        return 301 https://$host$request_uri;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
}

 


Hi,

 

I'm not a pro. But I'm missing the cipher suites and the ssl protocols:

something like (there are many more; please check which you need):

 

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8;

Edited by Justy

Hi,

I'm not a pro. But I'm missing the cipher suites and the ssl protocols:

something like (there are many more; please check which you need):

ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
ssl_prefer_server_ciphers on;
ssl_stapling on;
ssl_stapling_verify on;
resolver 8.8.4.4 8.8.8.8;

I just added that, but I'm getting the same error still :(


The error you produced is because of a double entry in your config:

 

line 37 till end:

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name █████.com;

        return 301 https://$host$request_uri;
}

server {
        listen 80 default_server;
        listen [::]:80 default_server;

        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
}

 


Mine looks like this:

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    ssl_certificate     /etc/ssl/certs/openmediavault.crt;
    ssl_certificate_key /etc/ssl/private/openmediavault.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    server_name emby.emby4ever.de;
    index index.html;
    access_log /var/log/nginx/1c5b4f27-66bb-4384-a5c0-access.log;
    error_log  /var/log/nginx/1c5b4f27-66bb-4384-a5c0-error.log;
    large_client_header_buffers 4 8k;
    server_tokens off;

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
    ssl_prefer_server_ciphers on;

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        add_header 'Referrer-Policy' 'no-referrer';
        add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff"  always;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

 


 

the error you produced is because of double entry in your config

 

I guess I can't differentiate between subdomains that way, but I'm not sure what the right way is or if it's even possible with NGINX.  I've found many examples that seem to specify multiple server blocks on the same port, but the error message seems to indicate that isn't right.  I just gave up on solution #2 after a while for this reason.


Hi,

 

I don't use two domains/subdomains myself atm. But I would try something like this (I've used the config from your first post):

(You could also divide it into two separate files (you don't have to, but it will be much clearer): /etc/nginx/sites-available/www.example.com and /etc/nginx/sites-available/emby.example.com.)

server {
    listen 80;
    listen [::]:80;

    server_name emby.█████.com;

    location / {
        proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port

        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_redirect off;

        #add_header 'Referrer-Policy' 'no-referrer';
        #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
        #add_header X-Frame-Options "SAMEORIGIN" always;
        #add_header X-Content-Type-Options "nosniff" always;
        #add_header X-Xss-Protection "1; mode=block" always;
        #add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;

    root /█████/website;

    server_name █████.com;

    ssl on;
    ssl_certificate /█████/cert.pem;
    ssl_certificate_key /█████/privkey.pem;

    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8;

    location /static {
        alias /█████/website/static;
    }

    location / {
        try_files $uri @wsgi;
    }

    location @wsgi {
        proxy_pass http://unix:/tmp/gunicorn.sock;
        include proxy_params;
    }

    location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
        access_log off;
        log_not_found off;
        expires max;
    }
}
     
   
Edited by Justy

KMBanana

You can absolutely have multiple server blocks for different subdomains, I use several.  Only 1 should have the "default_server" on the listen lines, but I'm not sure if this is your only issue.  

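The layout KMBanana describes, as an added example that is not from this thread: one port-80 block, one `default_server` on 443 for the website, and a separate 443 block for Emby chosen by `server_name` alone. Hostnames, certificate paths, the shared snippet file and the web root are assumptions; Emby is on 127.0.0.1:8096 as in the first post.

```nginx
# Added example, not from the thread. Assumed: example.com, the cert paths,
# a snippet file for shared TLS settings, and Emby on 127.0.0.1:8096.
# Only the website block carries default_server; nginx picks the Emby
# block purely by server_name, so both can listen on the same port.

# Port 80: a single catch-all block, so no duplicate default_server.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name www.example.com emby.example.com;
    return 301 https://$host$request_uri;
}

# Website: default for 443, so requests for unknown names land here, not on Emby.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name www.example.com;
    include snippets/tls-example.conf;   # assumed file, contents listed below
    root /var/www/website;               # assumed path
    location / { try_files $uri @wsgi; }
    location @wsgi { proxy_pass http://unix:/tmp/gunicorn.sock; include proxy_params; }
}

# Emby: same port and certificate, no default_server, its own name.
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.example.com;
    include snippets/tls-example.conf;
    add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;                  # required for the websocket upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}

# snippets/tls-example.conf (assumed): the certificate must cover both names
# (SAN or wildcard); `ssl on;` is not needed when `ssl` is on the listen line.
#   ssl_certificate     /etc/letsencrypt/live/example.com/fullchain.pem;
#   ssl_certificate_key /etc/letsencrypt/live/example.com/privkey.pem;
#   ssl_protocols TLSv1.2 TLSv1.3;   # TLS 1.0 and 1.1 are deprecated; omit them
#   ssl_stapling on; ssl_stapling_verify on; resolver 8.8.8.8 8.8.4.4;
```

Run `nginx -t` after editing; the "duplicate default server" error from earlier in the thread disappears once only one block per port carries `default_server`.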
