CivBase, posted December 30, 2019

I've been looking, but I cannot find any examples of how to self-host Emby behind an NGINX reverse proxy at anything other than the root path on port 80. I host a website under the www subdomain at the root path on port 80, so that's not an option. I'm fine with any of these solutions:

1. Use a different port (http://www.mydomain.com:8096/)
2. Use a different subdomain (http://emby.mydomain.com/)
3. Use a different path (http://www.mydomain.com/emby/)

My current configuration is an attempt at solution #3 because that's the one I was able to get furthest on. I think I'd prefer solution #1 or #2, but I'm not picky. I'd also like to set up SSL, but I need to get this working before I can worry about encryption. That said, the SSL configuration for my website might be responsible for my current problem.

All requests to port 80 are redirected to 443, which has SSL enabled. The server just directs everything on the /emby path to localhost:8096, which Emby binds to. I'm able to load the index page, but it fails to load the JavaScript used to render any actual content. It looks like the server isn't able to serve the JavaScript file over HTTPS. I have very limited experience with NGINX and Emby and I have no idea how to fix it.

Here's my NGINX server configuration:

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        root /█████/website;
        server_name █████;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        # Static file extensions (dot escaped so it only matches a literal ".")
        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }

        # Emby backend
        location /emby {
            proxy_pass http://127.0.0.1:8096;
        }
    }

    # Redirect all plain HTTP to HTTPS
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name █████;
        return 301 https://$host$request_uri;
    }
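Why the `.js` requests in the configuration above never reach Emby, as an added example that is not part of the original post: nginx prefers a matching regex location over a plain prefix location, so `/emby/....js` is handled by the static-file regex block and looked up under `root`. The shortened extension list and the proxy headers are assumptions for illustration.

```nginx
# Added example: only the location blocks relevant to /emby are shown.
# They belong inside the existing "listen 443 ssl" server block.

# Static-file regex location from the original configuration
# (extension list shortened here). nginx first finds the longest matching
# prefix location, then tries regex locations in order; if a regex
# matches, it is used instead of the plain prefix match.
location ~* \.(css|js|png|jpg|ico|svg|woff)$ {
    access_log off;
    log_not_found off;
    expires max;
}

# Before: plain prefix. A request for /emby/anything.js matches the regex
# block above, so it is served from "root" and is never proxied.
#
#   location /emby {
#       proxy_pass http://127.0.0.1:8096;
#   }

# After: "^~" makes nginx skip the regex locations whenever this prefix is
# the longest match, so every request under /emby goes to the backend.
location ^~ /emby {
    proxy_pass http://127.0.0.1:8096;

    # Pass the original host and client address to the backend
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

    # WebSocket upgrade
    proxy_http_version 1.1;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
}
```

Run `nginx -t` after the change. Whether the Emby web client then works under a sub-path also depends on the URLs Emby itself generates, which this thread does not cover.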
Luke, posted December 30, 2019

Hi there, have you compared to @pir8radio's configuration?
CivBase, posted December 30, 2019

> Hi there, have you compared to @pir8radio's configuration?

Yah, but it looks like he's hosting at the root path on ports 80 and 443. His configuration does specify emby.mydomain.com instead of just mydomain.com, but I tried creating two server configurations on port 80 with different subdomains and NGINX spat out this error:

    nginx: [emerg] a duplicate default server for 0.0.0.0:80 in /etc/nginx/sites-enabled/█████:47
    nginx: configuration file /etc/nginx/nginx.conf test failed

Here's the NGINX server config file I used to produce that error:

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        root /█████/website;
        server_name █████.com;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name █████.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 80 default_server;       # second default_server on port 80: source of the [emerg] error
        listen [::]:80 default_server;
        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
    }
Justy, posted December 30, 2019 (edited December 30, 2019)

Hi, I'm not a pro. But I'm missing the cipher suites and the SSL protocols; something like (there are many more; plz check which you need):

    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
    ssl_prefer_server_ciphers on;
    ssl_stapling on;
    ssl_stapling_verify on;
    resolver 8.8.4.4 8.8.8.8;
CivBase, posted December 30, 2019

> Hi, I'm not a pro. But I'm missing the cipher suites and the SSL protocols; something like (there are many more; plz check which you need):
>
>     ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>     ssl_ciphers 'ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-256-GCM-SHA384';
>     ssl_prefer_server_ciphers on;
>     ssl_stapling on;
>     ssl_stapling_verify on;
>     resolver 8.8.4.4 8.8.8.8;

I just added that, but I'm getting the same error still.
Justy, posted December 30, 2019

The error you produced is because of a double entry in your config, line 37 till end:

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name █████.com;
        return 301 https://$host$request_uri;
    }

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name emby.█████.com;

        location / {
            proxy_pass http://127.0.0.1:8096;
        }
    }
Justy, posted December 30, 2019

Mine looks like this:

    server {
        listen 443 ssl http2;
        listen [::]:443 ssl http2;
        ssl_certificate /etc/ssl/certs/openmediavault.crt;
        ssl_certificate_key /etc/ssl/private/openmediavault.key;
        ssl_dhparam /etc/ssl/certs/dhparam.pem;
        server_name emby.emby4ever.de;
        index index.html;
        access_log /var/log/nginx/1c5b4f27-66bb-4384-a5c0-access.log;
        error_log /var/log/nginx/1c5b4f27-66bb-4384-a5c0-error.log;
        large_client_header_buffers 4 8k;
        server_tokens off;

        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:DHE-DSS-AES128-GCM-SHA256:kEDH+AESGCM:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-DSS-AES128-SHA256:DHE-RSA-AES256-SHA256:DHE-DSS-AES256-SHA:DHE-RSA-AES256-SHA:AES128-GCM-SHA256:AES256-GCM-SHA384:AES128-SHA256:AES256-SHA256:AES128-SHA:AES256-SHA:AES:CAMELLIA:DES-CBC3-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
        ssl_prefer_server_ciphers on;

        location ^~ /swagger {
            ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;

            add_header 'Referrer-Policy' 'no-referrer';
            add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-Xss-Protection "1; mode=block" always;
            add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
CivBase, posted December 30, 2019

> the error you produced is because of double entry in your config

I guess I can't differentiate between subdomains that way, but I'm not sure what the right way is or if it's even possible with NGINX. I've found many examples that seem to specify multiple server blocks on the same port, but the error message seems to indicate that isn't right. I just gave up on solution #2 after a while for this reason.
Justy, posted December 31, 2019 (edited December 31, 2019)

Hi, I don't use atm two domains/subdomains myself. But I would try something like this (I've used the config from your first post):

(You could also divide it into two separate files (you don't have to, but it will be much clearer) in /etc/nginx/sites-available/www.example.com and /etc/nginx/sites-available/emby.example.com)

    server {
        listen 80;
        listen [::]:80;
        server_name emby.█████.com;

        location / {
            proxy_pass http://192.168.178.24:8096; # Local emby ip and non SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_redirect off;

            #add_header 'Referrer-Policy' 'no-referrer';
            #add_header Strict-Transport-Security "max-age=63072000; includeSubdomains; preload" always;
            #add_header X-Frame-Options "SAMEORIGIN" always;
            #add_header X-Content-Type-Options "nosniff" always;
            #add_header X-Xss-Protection "1; mode=block" always;
            #add_header Content-Security-Policy "default-src 'none'; child-src 'self'; font-src 'self' data:; connect-src 'self' wss: ws: https://mb3admin.com https://github.com/MediaBrowser/; media-src 'self' blob: data: https://github.com/MediaBrowser/; manifest-src 'self'; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; worker-src 'self' blob:; script-src 'self' https://www.gstatic.com; img-src data: https: http: ; style-src 'unsafe-inline' 'self' https://fonts.googleapis.com/css" always;

            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        root /█████/website;
        server_name █████.com;

        ssl on;
        ssl_certificate /█████/cert.pem;
        ssl_certificate_key /█████/privkey.pem;
        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.4.4 8.8.8.8;

        location /static {
            alias /█████/website/static;
        }

        location / {
            try_files $uri @wsgi;
        }

        location @wsgi {
            proxy_pass http://unix:/tmp/gunicorn.sock;
            include proxy_params;
        }

        location ~* \.(ogg|ogv|svg|svgz|eot|otf|woff|mp4|ttf|css|rss|atom|js|jpg|jpeg|gif|png|ico|zip|tgz|gz|rar|bz2|doc|xls|exe|ppt|tar|mid|midi|wav|bmp|rtf)$ {
            access_log off;
            log_not_found off;
            expires max;
        }
    }
KMBanana, posted December 31, 2019

You can absolutely have multiple server blocks for different subdomains, I use several. Only 1 should have the "default_server" on the listen lines, but I'm not sure if this is your only issue.
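The layout described in the post above, written out for the subdomain option with TLS on both names; this is an added example, not a configuration posted by anyone in the thread. `example.com`, `emby.example.com` and the certificate paths are placeholders, and the certificate is assumed to cover both host names.

```nginx
# Added example: one default_server per address:port, everything else is
# selected by server_name.

# Port 80: a single block redirects every name to HTTPS.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name example.com www.example.com emby.example.com;
    return 301 https://$host$request_uri;
}

# Port 443: the existing website keeps default_server.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name example.com www.example.com;

    ssl_certificate     /path/to/cert.pem;      # placeholder path
    ssl_certificate_key /path/to/privkey.pem;   # placeholder path
    # TLS 1.0 and 1.1 are deprecated (RFC 8996); offer 1.2 and 1.3 only.
    ssl_protocols TLSv1.2 TLSv1.3;

    # ... existing website locations (static, wsgi) go here ...
}

# Port 443: Emby on its own subdomain. No default_server on these listen
# lines, so there is no "duplicate default server" error.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.example.com;

    ssl_certificate     /path/to/cert.pem;      # placeholder path
    ssl_certificate_key /path/to/privkey.pem;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # WebSocket upgrade
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Check the result with `nginx -t` before reloading; the duplicate `default_server` error is reported by that test.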