CORS with nginx and Emby


IkeTaylor11

Has anyone set up a successful CORS configuration using nginx to reverse proxy Emby? I have tried, and no matter what I do I can't get any Emby app to load the server. The web portal works fine, but not the Emby apps. This is what I have tried for an initial config, although I would prefer not to use * for Access-Control-Allow-Origin. The setup below works great for my Sonarr and Radarr setups.

 

    #
    # Wide-open CORS config for nginx
    #
    location / {
        if ($request_method = 'OPTIONS') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            #
            # Custom headers and headers various browsers *should* be OK with but aren't
            #
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            #
            # Tell client that this pre-flight info is valid for 20 days
            #
            add_header 'Access-Control-Max-Age' 1728000;
            add_header 'Content-Type' 'text/plain; charset=utf-8';
            add_header 'Content-Length' 0;
            return 204;
        }
        if ($request_method = 'POST') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
        if ($request_method = 'GET') {
            add_header 'Access-Control-Allow-Origin' '*';
            add_header 'Access-Control-Allow-Methods' 'GET, POST, OPTIONS';
            add_header 'Access-Control-Allow-Headers' 'DNT,User-Agent,X-Requested-With,If-Modified-Since,Cache-Control,Content-Type,Range';
            add_header 'Access-Control-Expose-Headers' 'Content-Length,Content-Range';
        }
    }


IkeTaylor11

I would suggest comparing your nginx setup to that of @pir8radio.

What I am asking about is well beyond a simple nginx setup to get things working. Don't get me wrong, everything works fine. I am just looking to secure things even further, hence my dive into CORS. But I do not have the knowledge or expertise to know how to solve the CORS problem at this point. That's why I was posing the question to the community in case someone has the solution.


pir8radio

CORS isn't a security improvement (it actually allows stuff that is normally blocked) unless you are cross-origin linking; then CORS can be used to secure that cross-site linking without just opening the main entrance. It's kind of like badge access to the main entrance: you allow what is in your CORS policy... right? I think CSP is more what you are looking for? Unless you are doing cross-origin stuff today? Maybe you just allowed all cross-origin and now you want to narrow it down to your allowed servers?

 

Here is a good example I found online:

you basically allow something that was previously blocked.

 

"The use-case for CORS is simple. Imagine the site alice.com has some data that the site bob.com wants to access. This type of request traditionally wouldn’t be allowed under the browser’s same origin policy. However, by supporting CORS requests, alice.com can add a few special response headers that allows bob.com to access the data."


IkeTaylor11

@pir8radio I don't really want or need CORS. But it looks like Emby is adding it. When I scan my site on securityheaders.com I see the headers below. I do not currently have any CORS config in my default nginx conf file or my Emby conf file. I would like to change the Access-Control-Allow-Origin to not be a wildcard but can't figure out how to do it.

 

Access-Control-Allow-Headers - Accept, Accept-Language, Authorization, Cache-Control, Content-Disposition, Content-Encoding, Content-Language, Content-Length, Content-MD5, Content-Range, Content-Type, Date, Host, If-Match, If-Modified-Since, If-None-Match, If-Unmodified-Since, Origin, OriginToken, Pragma, Range, Slug, Transfer-Encoding, Want-Digest, X-MediaBrowser-Token, X-Emby-Token, X-Emby-Client, X-Emby-Client-Version, X-Emby-Device-Id, X-Emby-Device-Name, X-Emby-Authorization

 

Access-Control-Allow-Methods - GET, POST, PUT, DELETE, PATCH, OPTIONS

 

Access-Control-Allow-Origin - *

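One way to replace the wildcard the upstream sends with an origin allowlist at the proxy, as an added example that is not from any poster in this thread. The hostnames, certificate paths and the upstream address `127.0.0.1:8096` are assumed placeholders.

```nginx
# Added example (not from the thread). All hostnames, paths and the
# upstream address are placeholders; substitute your own.

# Must sit in the http {} context. $cors_origin becomes the request's
# Origin only when that origin is on the list, otherwise an empty string.
map $http_origin $cors_origin {
    default                       "";
    "https://emby.example.com"    $http_origin;
    "https://app.example.com"     $http_origin;
}

server {
    listen 443 ssl;
    server_name emby.example.com;
    ssl_certificate     /etc/nginx/tls/placeholder.crt;   # placeholder path
    ssl_certificate_key /etc/nginx/tls/placeholder.key;   # placeholder path

    location / {
        proxy_pass http://127.0.0.1:8096;                 # assumed upstream
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Strip the "Access-Control-Allow-Origin: *" that arrives from the
        # upstream so it never reaches the client.
        proxy_hide_header Access-Control-Allow-Origin;

        # Re-add the header with the allowlisted value. nginx does not emit
        # a header whose value is empty, so unlisted origins get none.
        add_header Access-Control-Allow-Origin $cors_origin always;

        # The response now depends on the Origin request header; tell
        # caches so one origin's answer is not served to another.
        add_header Vary Origin always;
    }
}
```

Re-scan the site afterwards and confirm each app you use still connects: any client that loads from an origin not in the map will be refused by the browser.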

  • 9 months later...
satheshshiva

I face the same issue. Making the Cloudflare in the development fixes the issue. How would I make an override for emby in cloudflare?


pir8radio
14 hours ago, satheshshiva said:

I face the same issue. Making the Cloudflare in the development fixes the issue. How would I make an override for emby in cloudflare?

What does your config look like? I have no issues running cloudflare/nginx/emby with apps...
