pir8radio (Author) Posted July 1, 2021

On 6/25/2021 at 11:04 PM, TristenP said:

    Thank you, it works now, and the second thing why it didn't work was the firewall. Can you help me get xteve working with the nginx config, so that it works with example.example.com/xteve? The original URL from xteve is (ip:port/web/). I think I need to rewrite it but I don't know how. Example:

    location /xteve {
        proxy_pass ip:port;
        proxy_hide_header X-Powered-By;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_redirect default;
    }

    @pir8radio @dapper

Try:

location ~ /xteve(.*)$ {
    proxy_pass http://YOURIPADDRESS:YOURPORT$1;
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect default;
}
tua911111 Posted July 2, 2021 (edited)

@pir8radio Hello, I'm hoping you can help me with an issue I'm having. I have also set up my emby server using NGINX along with Docker (if this matters). My issue is that I can't seem to get this live "two way real time info to and from emby and the client." The reason I believe this is true is because I am playing a video in one browser and, on a second browser, from the dashboard, I don't see the other browser's progress (like the time changing). Another issue that I've been having is that I want to send messages to people using the message icon, and when I click send, nothing happens. I have copied your NGINX.conf almost exactly, changing only the slightest things.

worker_processes auto;

events {
    worker_connections 8192;
}

http {
    default_type application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format emby '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_referer" '
                    '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';
    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile off;  ## Sendfile not used in a proxy environment.
    gzip on;       ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## Start of actual server blocks
    server {
        listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.
        server_name test.com;       ## enter your service name and domain name here example emby.domainname.com

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate /etc/ssl/private/fullchain.pem;  ## The file path was set by docker to use /etc/ssl/private.
        ssl_certificate_key /etc/ssl/private/privkey.pem;
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {  ## Disables access to swagger interface
            return 404;
        }

        location /emby/ {
            proxy_pass http://172.17.0.1:8096/;  ## Enter the IP and port of the backend emby server here.
            proxy_hide_header X-Powered-By;      ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;   ## Passes the real client IP to the backend server.
            #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
            # add_header 'Referrer-Policy' 'origin-when-cross-origin';
            # add_header Strict-Transport-Security "max-age=15552000; preload" always;
            # add_header X-Frame-Options "SAMEORIGIN" always;
            # add_header X-Content-Type-Options "nosniff" always;
            # add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ##
            ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

Edited July 2, 2021 by tua911111
Bartype Posted July 20, 2021 (edited)

On 3/3/2021 at 6:13 AM, dapper said:

    And the important certificates/files to make it all work.

    cloudflare-allow.conf

        # https://www.cloudflare.com/ips
        # IPv4
        allow 103.21.244.0/22;
        allow 103.22.200.0/22;
        allow 103.31.4.0/22;
        allow 104.16.0.0/12;
        allow 108.162.192.0/18;
        allow 131.0.72.0/22;
        allow 141.101.64.0/18;
        allow 162.158.0.0/15;
        allow 172.64.0.0/13;
        allow 173.245.48.0/20;
        allow 188.114.96.0/20;
        allow 190.93.240.0/20;
        allow 197.234.240.0/22;
        allow 198.41.128.0/17;
        allow 127.0.0.1/32;

    cert.pem (your site's cert)

    private.key (your site's key)

    origin-pull-ca.pem
    https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls
    https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem

    certPlusOrigin.pem
    Your Cert + the Cloudflare certs combined into 1 file
    https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates
    https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem
    https://support.cloudflare.com/hc/article_attachments/360037885371/origin_ca_rsa_root.pem
    https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem

    (The dhparam.pem & .htpasswd files are not mandatory for the setup and require more complex configuration that you can google)

Hi Dapper, it has been a while since you posted this config. Now, vacation has started at long last and I have the time to try things out. I hope I still may ask you for some help to get in the right direction to get this to work right.
I have used your config as a base for my situation and nginx does test this config as 'ok', without errors. When I set this config 'live' I do get a "400 Bad Request / The SSL certificate error" when I try to access emby. I have followed the steps as far as I could follow them as described on Cloudflare, but I am lost at the point where I have to create and 'upload' the origin certificate to nginx. I already had registered a certificate at 'namecheap' for my domain in the format "emby.mydomain.com". When using an external registrar and not Cloudflare for your domain certificate, how are the certificates built up? And also, can you just edit them with an editor like Notepad++ to combine them, or do you really have to use openssl or something? Nginx is working fine in the 'old' situation with just the namecheap certificates, so as far as my troubleshooting experience goes it has something to do with the "origin-pull-ca.pem" or "certPlusOrigin.pem" files. How can I best create these when using namecheap certs? Thank you in advance for all the help and information!

Edited July 21, 2021 by Bartype
Madflava Posted August 5, 2021 (edited)

I'm sure I'm doing something stupid or wrong here, but my setup is like this. I have a custom domain through GoDaddy and have a PowerShell script that runs every hour to make sure the IP doesn't change. I pasted in your config, made the changes for server IP, etc. (all of this is done through the CLI in the Docker Nginx container) and this is the error I get:

nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/16.conf:1

Any thoughts?

Edited August 5, 2021 by Madflava
reggierat Posted August 7, 2021 (edited)

Please delete, solved it.

Edited August 7, 2021 by reggierat
pir8radio (Author) Posted August 8, 2021

21 hours ago, reggierat said:

    Please delete, solved it.

Sorry we missed it... curious what your issue was and what you found, though! Anything I can change in the how-to that helps?
horstepipe Posted September 5, 2021

I'm having quite long search times within emby, but I missed putting this on an SSD. So in the next days I'll correct that, but I'm wondering whether Cloudflare in front of your nginx configuration maybe also makes some trouble. E.g. maybe search queries are being cached by Cloudflare...? Or is this definitely being bypassed with the Cloudflare rules you provided?
Carlo Posted September 5, 2021

Putting this on an SSD should make quite a difference, so that would be the first thing to try.
pir8radio (Author) Posted September 5, 2021

5 hours ago, horstepipe said:

    I'm having quite long search times within emby, but I missed putting this on an SSD. So in the next days I'll correct that, but I'm wondering whether Cloudflare in front of your nginx configuration maybe also makes some trouble. E.g. maybe search queries are being cached by Cloudflare...? Or is this definitely being bypassed with the Cloudflare rules you provided?

I'm not seeing Cloudflare issues... I do see issues when my music library is included in the database, local or through CF, but only about 5-7 seconds on a search. I did increase the database cache size to 1 gig, I think... not sure if that helps, but it has helped my page loads for music pages. What kind of search times are you seeing? And how big is your database? Mine is like 1.6 gigs, so the 1 gig cache seems to have helped a lot; my database (whole OS) is on a raided SSD, though, too.
horstepipe Posted September 7, 2021

Thanks, my search times were about 20 seconds. But now I'm on an SSD and everything is good.
judgey Posted September 20, 2021

Hey mate, I'm trying your config out but I get the following error:

Sep 20 17:45:30 Emby nginx[3410328]: nginx: [emerg] "worker_processes" directive is not allowed here in /etc/nginx/sites-enabled/emby:1
Sep 20 17:45:30 Emby nginx[3410328]: nginx: configuration file /etc/nginx/nginx.conf test failed
judgey Posted September 20, 2021

I believe that because I use a script to install apps, this has the default config, but I don't have a clue how to make this config work with your config.
judgey Posted September 21, 2021

@pir8radio ^^
judgey Posted September 22, 2021

Can anyone else help me with my config please, as mine looks nothing like this. Thank you.
pir8radio (Author) Posted September 24, 2021

On 9/22/2021 at 4:04 AM, judgey said:

    Can anyone else help me with my config please, as mine looks nothing like this. Thank you.

Sorry... You need to dig in and understand a bit what you have and what you are doing with it... you probably have some Docker image or something that someone else pre-built. Are you using nginx for anything other than emby? If not, you can just rename your main config file and start fresh... go back to the old one if you need to...
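Madflava's and judgey's `"worker_processes" directive is not allowed here ... :1` errors above share one cause: a complete main configuration (which opens with the main-context directive `worker_processes` and the `events {}` and `http {}` blocks) was pasted into a file that the packaged `nginx.conf` already includes from inside its `http {}` block (`/etc/nginx/sites-enabled/`, or `/data/nginx/proxy_host/` in a proxy-manager container), where only `server {}` blocks and other http-level directives are legal. As an added example (not code from the thread or from nginx), the Python below sorts such a config's statements into the three places they belong; `SAMPLE_CONF` is a constructed, abbreviated copy of pir8radio's config with the same shape.

```python
"""Sort the statements of a full nginx main config by where they may live.
Added example, not from the thread; SAMPLE_CONF is a constructed sample."""
from __future__ import annotations


def top_level_statements(text: str) -> list[tuple[str, str | None]]:
    """Split config text into (header, body) pairs: body is None for a
    'name args;' directive, or the raw text between the braces of a block.
    Quotes and '#' comments are skipped while scanning for structure."""
    stmts: list[tuple[str, str | None]] = []
    header: list[str] = []
    depth, body_start = 0, -1
    quote: str | None = None
    in_comment = False
    for i, c in enumerate(text):
        if in_comment:
            in_comment = c != "\n"          # a comment runs to end of line
            continue
        if quote:
            if c == quote:
                quote = None
            if depth == 0:
                header.append(c)
            continue
        if c in "\"'":
            quote = c
            if depth == 0:
                header.append(c)
        elif c == "#":
            in_comment = True
        elif c == "{":
            if depth == 0:
                body_start = i + 1
            depth += 1
        elif c == "}":
            if depth == 0:
                raise ValueError(f"unbalanced '}}' at offset {i}")
            depth -= 1
            if depth == 0:                  # closed a top-level block
                stmts.append(("".join(header).strip(), text[body_start:i]))
                header = []
        elif c == ";" and depth == 0:       # finished a top-level directive
            stmts.append(("".join(header).strip(), None))
            header = []
        elif depth == 0:
            header.append(c)
    if depth or quote:
        raise ValueError("unterminated block or quoted string")
    return stmts


def render(header: str, body: str | None) -> str:
    """Reassemble a statement, keeping a block body's original text."""
    return f"{header};" if body is None else f"{header} {{{body}}}"


def split_for_include(text: str) -> dict[str, list[str]]:
    """include_file: the server {} blocks, all that belongs in a file that
    nginx.conf includes from inside http {}.  keep_in_http: http-level
    directives the servers rely on (log_format, gzip ...) for the main
    http {} block.  main_context: worker_processes, events {} etc.; these in
    an included file produce '"worker_processes" directive is not allowed here'."""
    out: dict[str, list[str]] = {"include_file": [], "keep_in_http": [], "main_context": []}
    for header, body in top_level_statements(text):
        if header.split()[:1] != ["http"]:
            out["main_context"].append(render(header, body))
            continue
        for h, b in top_level_statements(body or ""):
            bucket = "include_file" if h.split()[:1] == ["server"] else "keep_in_http"
            out[bucket].append(render(h, b))
    return out


SAMPLE_CONF = """\
worker_processes auto;  ## main-context directive
events {
    worker_connections 8192;
}
http {
    server_tokens off;
    log_format emby '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status "$http_x_emby_authorization"';
    ## The below will force all nginx traffic to SSL
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }
    server {
        listen 443 ssl http2;
        server_name emby.domainname.com;
        access_log logs/emby.log emby;  ## needs the log_format above
        location / {
            proxy_pass http://127.0.0.1:8096;
        }
    }
}
"""

if __name__ == "__main__":
    for bucket, statements in split_for_include(SAMPLE_CONF).items():
        print(f"# --- {bucket} ---\n" + "\n".join(statements))
```

The `keep_in_http` bucket matters because the server blocks reference `log_format emby`; dropping only the server blocks into the included file without that definition trades the `worker_processes` error for an `unknown log format "emby"` one.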
dual-o Posted September 24, 2021

On 9/5/2021 at 6:14 PM, pir8radio said:

    I'm not seeing Cloudflare issues... I do see issues when my music library is included in the database, local or through CF, but only about 5-7 seconds on a search. I did increase the database cache size to 1 gig, I think... not sure if that helps, but it has helped my page loads for music pages. What kind of search times are you seeing? And how big is your database? Mine is like 1.6 gigs, so the 1 gig cache seems to have helped a lot; my database (whole OS) is on a raided SSD, though, too.

How do you increase the database cache size? Thanks.
pir8radio (Author) Posted September 24, 2021

3 hours ago, dual-o said:

    How do you increase the database cache size? Thanks.

It's built into the beta emby server GUI (Server/Database), but if you don't see it there, see this post:
Tur0k 143 Posted September 27, 2021 Share Posted September 27, 2021 (edited) On 12/16/2020 at 8:34 AM, pir8radio said: NGINX and emby Config Version 1.0.2 Last Update 9-23-2021 Update by Pir8Radio Why Use NGINX reverse proxy ahead of my application servers like emby? With NGINX or any reverse proxy ahead of an application server you have more control over your setup. You can do things the application servers were not built to handle, have better control over your security and logging, replace lines of code without editing the application server code, better control of caching, etc, etc.... One of the main reasons is so that you don't have to open a new port on your firewall for every application server you host, all you really need to open is 80 & 443 and the internet can reach all of your different servers through one entrance. Will NGINX work on my OS? Most likely, you can find various versions of NGINX for most OS's and they come in different flavors, with options baked in, or just the bare NGINX that you need to compile. See below for download links to get you started. Will NGINX break things on emby? Absolutely if you don't configure it correctly! I HIGHLY suggest when choosing a scheme to setup your domain URL you choose SUB-DOMAIN and NOT sub-directory, more below. Also if you come to the emby forum with things not working, or issues you have and you use a Reverse Proxy, PLEASE make sure that is one of the first things you mention in your forum post. ESPECIALLY if emby works on one platform or client, but not another. So many times people complain "but it works on chrome, so I didn't think it was the reverse proxy". Mention you have a Reverse Proxy please. If the reverse proxy is setup correctly it should be totally transparent to the user and the application server (emby). I'm not going to go into how to purchase and setup a domain name. Lots of how-to's on that out there. 
Once you have a domain name and its pointed to your IP address, you can go to that domain name and hit your server then continue on.... Sub-Domain vs Sub-Directory: Lets say your domain name is: domain.com there are two main ways you can direct traffic from the internet to your backend application servers like emby. One is sub-directory, something like domain.com/emby or domain.com/other-server This is doable in nginx, but there are some catches and you need to know how your reverse proxy and application server work in detail.. This often breaks different features in emby and other application servers.. To keep with our "Totally Transparent" goal sub-directory doesn't work well, it requires a lot of rewriting and work-arounds to make it work smoothly, if you choose sub-directory you will run into issues you will need to address. The other option is Sub-Domain, this is the cleanest, most transparent, easiest to setup and maintain, it's also what I highly suggest you setup. A sub-domain looks like: emby.domain.com or other-server.domain.com The below config is based on Sub-Domain I will include a sub-directory example as well. NGINX Downloads: Official nginx downloads(LINUX): nginx.org Official nginx downloads(Windows): nginx.org WINDOWS users I suggest this version: nginx-win.ecsds.eu download links are at the bottom of the page. This Windows version has lots of cool features compiled into it already, and is optimized for windows. They keep up with updates, its a FREE (for non-commercial) third party build that I highly recommend. Additional Links: Content Security Policy info (CSP) (For Advanced Users): A CSP WILL break your server if you don't know what you are doing, I suggest reading up, lots of googleing, and understand what a CSP's function is and is not prior to venturing into this area Example NGINX Reverse Proxy Config: 3-29-2020 - ADDED A LINE FOR CLOUDFLARE USERS SO THAT THE X-REAL-IP HEADER IS CORRECTED. THIS ONLY EFFECTS Cloudflare USERS. 
4-11-2020 (V1.0.1) - MOVED proxy_buffering off; FROM LOCATION BLOCK TO SERVER BLOCK 12-18-2020 (V1.0.2) - ADDED 301 SERVER SECTION TO FORCE ALL TRAFFIC TO SSL. 9-23-2021 no nginx config change, but cloudflare changed how they cache video files, so emby users that use Cloudflare now need to add a rule like below to make sure video is seekable and playable. ** The below "Page Rules" are only needed for Cloudflare CDN users, otherwise ignore. worker_processes auto; error_log logs/error.log; events { worker_connections 8192; } http { include mime.types; default_type application/octet-stream; server_names_hash_bucket_size 64; server_tokens off; ## The below will create a separate log file for your emby server which includes ## userId's and other emby specific info, handy for external log viewers. ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP ## to log the real client IP address log_format emby '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"'; log_format default '$remote_addr - $remote_user [$time_local] "$request" ' '$status $body_bytes_sent "$http_referer" ' '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port'; sendfile off; ## Sendfile not used in a proxy environment. gzip on; ## Compresses the content to the client, speeds up client browsing. gzip_disable "msie6"; gzip_comp_level 6; gzip_min_length 1100; gzip_buffers 16 8k; gzip_proxied any; gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml; proxy_connect_timeout 1h; proxy_send_timeout 1h; proxy_read_timeout 1h; tcp_nodelay on; ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request. 
## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443 server { listen 80 default_server; server_name _; return 301 https://$host$request_uri; } ## Start of actual server blocks server { listen [::]:443 ssl http2; ## Listens on port 443 IPv6 with http2 and ssl enabled listen 443 ssl http2; ## Listens on port 443 IPv4 with http2 and ssl enabled proxy_buffering off; ## Sends data as fast as it can not buffering large chunks. server_name emby.domainname.com; ## enter your service name and domain name here example emby.domainname.com access_log logs/emby.log emby; ## Creates a log file with this name and the log info above. ## SSL SETTINGS ## ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate ssl/pub.pem; ## Location of your public PEM file. ssl_certificate_key ssl/pvt.pem; ## Location of your private PEM file. ssl_session_cache shared:SSL:10m; location ^~ /swagger { ## Disables access to swagger interface return 404; } location / { proxy_pass http://127.0.0.1:8096; ## Enter the IP and port of the backend emby server here. proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys. proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested. proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested. proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server. #proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line. proxy_set_header Host $host; ## Passes the requested domain name to the backend server. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server. 
            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;  ## the preload list only accepts includeSubDomains with max-age of at least 31536000; until the domain is submitted there, "preload" has no effect
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;  ## legacy header, current browsers ignore it

            ## WEBSOCKET SETTINGS
            ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

Tur0k Posted September 27, 2021 (edited)

Well, it happened. I am moving off of pfSense. I am moving my homelab firewall over to a Fortinet FortiGate 60F and am working on getting Fortinet NSE certified for work. To that end I need to get SSL renewal and my reverse proxy services off the firewall. In the pfSense world I was using the HAProxy (reverse proxy) addon alongside the Let's Encrypt ACME SSL certificate client with a good deal of luck. For security stacking I used pfBlockerNG to filter out known bad sources and geofence access to my region of the world. I set up a sort of honeypot to catch and deny-list bad requests based on SNI (IP, subdomain, etc.). I was working on programming deny-listing of bad login attempts. Now I am working on transitioning over to NGINX (another technology I would like to learn more about). Initially I would like the reverse proxy, SSL offload, and SSL renewal hosted on this separate VM. I have installed Nginx on a separate Ubuntu VM and have it mapped to the NGINX mainline branch for patching. Currently this VM is on the same subnet and VLAN as my Emby server. I already have public domains pointing to my public IP.
I have not made the switch over on my firewall for port forwarding just yet, as NGINX isn't reverse proxying and offloading SSL encryption just yet. I am working on setting up the DDNS on my FortiGate and figuring out how to set up my hairpin "loopback" NAT. I don't plan on using Cloudflare's CDN proxy.

In my scenario, I took the example Nginx reverse proxy config that Pir8Radio so graciously provided and:

1. Updated line 70 "server_name..." with my public subdomain.
2. Updated line 86 "proxy_pass..." with my Emby server's local subnet IP.
3. Edited /etc/nginx/nginx.conf, removed everything except for line 1 "user nginx;", and added my updated (with my environmental variables) Nginx reverse proxy config to the end of it.
4. Attempted to run an Nginx reload (sudo nginx -s reload) and got the following message:

    nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I am pretty sure that this means I have the config in the right place and the NGINX program is able to read it, but it can't find the SSL server-side certificate. My hope is to use Let's Encrypt for SSL. In pfSense I was able to add an ACME client and have it automatically update the certificate and reload HAProxy. Is there a recommended way to get this done in NGINX? Any assistance would be greatly appreciated.

Edited September 27, 2021 by Tur0k
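Two things in the thread so far fit together: the `emby` log_format in the config above writes the X-Emby-Authorization header to the access log, and that header can carry the client's session Token once a user is signed in, so the log is itself a credential store; and Tur0k wants to deny-list bad login attempts. The script below is an added example, not pir8radio's or Tur0k's code. It parses lines in exactly that log_format (undoing nginx's default \xHH escaping of embedded double quotes), masks the token before a record is used anywhere else, and counts 401 responses on the Emby login endpoint per source IP. The sample lines are constructed; the login path /emby/Users/AuthenticateByName and the threshold of five are assumptions. The IP field is $remote_addr, so behind Cloudflare the log_format would need the $http_CF_Connecting_IP swap the config comments mention, or the counts would be of edge addresses.

```python
"""Added example: parse access-log lines in the 'emby' log_format from the
config above, mask the Emby session token, and count failed logins per IP.
Everything below (sample lines, login path, threshold) is constructed for
this example and is not part of the original post."""
import re
from collections import Counter

# One regex group per field of the 'emby' log_format, in the config's order.
# nginx's default log escaping turns an embedded double quote into \x22, so
# every quoted field can safely be matched with [^"]*.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) - (?P<user>\S+) \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\d+|-) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)" '
    r'"(?P<xff>[^"]*)" (?P<rtime>\S+) (?P<port>\d+) "(?P<emby_auth>[^"]*)"$'
)
ESCAPE_RE = re.compile(r'\\x([0-9A-Fa-f]{2})')   # nginx \xHH escapes
KV_RE = re.compile(r'(\w+)="([^"]*)"')            # Key="value" pairs in the Emby header
LOGIN_PATH = "/Users/AuthenticateByName"          # assumed Emby login endpoint


def _line(ip, ts, request, status, nbytes, ua, auth):
    """Build one constructed log line in the 'emby' format (request time and port fixed)."""
    return f'{ip} - - [{ts}] "{request}" {status} {nbytes} "-" "{ua}" "-" 0.012 443 "{auth}"'


# Header as nginx would log it: the quotes are already escaped to \x22.
_ANON_AUTH = (r'MediaBrowser Client=\x22Emby Web\x22, Device=\x22Chrome\x22, '
              r'DeviceId=\x22d3adb33f\x22, Version=\x224.6.4.0\x22')
_SESSION_AUTH = _ANON_AUTH + r', Token=\x22a1b2c3d4e5f6\x22'

# Constructed sample: five failed logins from one address, then one failed and
# one authenticated request from another.
SAMPLE_LOG = [
    _line("198.51.100.23", f"03/Oct/2021:14:12:0{i} +0000",
          "POST /emby" + LOGIN_PATH + " HTTP/1.1", 401, 0, "curl/7.68.0", _ANON_AUTH)
    for i in range(5)
] + [
    _line("203.0.113.7", "03/Oct/2021:14:13:10 +0000",
          "POST /emby" + LOGIN_PATH + " HTTP/1.1", 401, 0, "Mozilla/5.0", _ANON_AUTH),
    _line("203.0.113.7", "03/Oct/2021:14:13:40 +0000",
          "GET /emby/System/Info HTTP/1.1", 200, 1540, "Mozilla/5.0", _SESSION_AUTH),
]


def nginx_unescape(value):
    """Undo nginx's default \\xHH escaping of characters inside a logged variable."""
    return ESCAPE_RE.sub(lambda m: chr(int(m.group(1), 16)), value)


def parse_emby_auth(raw_header):
    """Split the logged X-Emby-Authorization value into its Key="value" fields."""
    return dict(KV_RE.findall(nginx_unescape(raw_header)))


def parse_line(line):
    """Return a dict of the log fields, or None if the line is not in the 'emby' format."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["status"] = int(rec["status"])
    rec["emby_auth"] = parse_emby_auth(rec["emby_auth"])
    return rec


def redact_token(rec):
    """Copy of a parsed record with the session token masked; Client/Device stay for correlation."""
    out = dict(rec)
    auth = dict(rec["emby_auth"])
    if "Token" in auth:
        auth["Token"] = "[REDACTED]"
    out["emby_auth"] = auth
    return out


def failed_login_sources(lines, threshold=5):
    """IPs with at least `threshold` 401 responses on the login endpoint.
    The IP is $remote_addr: behind Cloudflare the log_format must use
    $http_CF_Connecting_IP (as the config comments say) or this counts edge IPs."""
    per_ip = Counter()
    for line in lines:
        rec = parse_line(line)
        if rec and rec["status"] == 401 and LOGIN_PATH in rec["request"]:
            per_ip[rec["ip"]] += 1
    return {ip: n for ip, n in per_ip.items() if n >= threshold}


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        rec = redact_token(parse_line(line))
        print(rec["ip"], rec["status"], rec["request"], rec["emby_auth"])
    print("deny-list candidates:", failed_login_sources(SAMPLE_LOG))
```

Feed it real lines with `failed_login_sources(open("logs/emby.log"))` and hand the result to whatever deny-list mechanism the firewall offers; the important design point is that `redact_token` runs before records leave the box, since forwarding the raw `emby` log to an external viewer forwards every active session token with it.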
LeidenSpain Posted September 29, 2021 (edited)

Hi, I use Nginx Proxy Manager to manage my proxy, since doing it directly in the files was very confusing for me. As I already commented in another thread, I have come across the problem that the MiStick does not support login with Emby: it sees the server, it sees the users, but it returns "wrong ID or password", even for a user without a password. What I have done to try to make it work (possibly wrongly, and that is why it gives an error) is to stop the NPM docker and edit the configuration file corresponding to my proxy for Emby. I deleted the original content and copied that of @pir8radio, modifying the following lines:

    server_name emby.my_server.us;
    ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;
    proxy_pass http://192.168.3.10:8096/;  ## Enter the IP and port of the backend emby server here.

The SSL files are the same as in the original config file. But when starting the container it shows me this error:

    nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:6

I have seen that it happens to more people, but the origin and how to solve it have not been clear to me. I hope I have given all the necessary explanations. Greetings and thanks.

Edited September 29, 2021 by LeidenSpain
pir8radio (Author) Posted October 1, 2021

On 9/27/2021 at 3:19 AM, Tur0k said: [...] I then attempted to run an Nginx reload (sudo nginx -s reload) and got the following message: nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file). I am pretty sure that this means I have the config in the right place and the NGINX program is able to read it, but it can't find the SSL server-side certificate. My hope is to use Let's Encrypt for SSL. In pfSense I was able to add an ACME client and have it automatically update the certificate and reload HAProxy. Is there a recommended way to get this done in NGINX? Any assistance would be greatly appreciated.

Yeah, you might have to edit that line. I don't know what your public cert looks like, so you will need to update the public and private cert locations (pub.pem, pvt.pem). You can change those names to match your cert files, or change the file names to match the config.
pir8radio (Author) Posted October 1, 2021

On 9/29/2021 at 12:09 PM, LeidenSpain said: [...] I deleted the original content and copied that of @pir8radio, modifying the server_name, ssl_certificate, ssl_certificate_key and proxy_pass lines. The SSL files are the same as in the original config file. But when starting the container it shows me this error: nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:6 [...]

Yeah, certain parameters in the config need to be in certain locations. It's tough to copy/paste using those proxy managers: they use config "includes" and grab various config files and inject them in different spots of the main config, which is often tough to follow. This is why I like one big config file (unless it's a really big and complex production setup). I host 10 or so sites and have a decent sized config, but still all in one file. At my work we use includes due to the complexity.
LeidenSpain Posted October 1, 2021

6 minutes ago, pir8radio said: Yeah, certain parameters in the config need to be in certain locations. It's tough to copy/paste using those proxy managers [...]

I did that test at the time, but it showed another error. It is clearly looking for a file, but the file is not where it expects it.
pir8radio (Author) Posted October 1, 2021

13 minutes ago, LeidenSpain said: I did that test at the time, but it showed another error. It is clearly looking for a file, but the file is not where it expects it.

The config can be intimidating at first, but it's really easy to learn, and any kind of coding experience helps (even HTML). I would suggest not using the proxy manager, but that is really just my opinion. Since I've never used one, it's hard for me to help troubleshoot: I have no clue what the manager is doing to the configs. It could be that you change something manually and the manager moves and rewrites things based on what it thinks is correct.
LeidenSpain 29 Posted October 1, 2021 Share Posted October 1, 2021 1 hour ago, pir8radio said: the config can be intimidating at first.. but its really easy to learn if you have any kind of coding experience that helps, (html even) but i would suggest not using the proxy manager.. but that is really just my opinion since ive never used one, its hard for me to help troubleshoot.. I have no clue what the manager is doing to the configs.. it could be you change something manually, and the manager moves and rewrites things based on what it thinks is correct. I am usually one of those who prefers to do everything by hand, and have control of everything. Because I don't like it, when I change my mobile I don't let the applications reinstall themselves, I prefer to do it one by one, and see that each one works as I want. I am usually one of those who prefers to do everything by hand, and have control of everything. Because I don't like it, when I change my mobile I don't let the applications reinstall themselves, I prefer to do it one by one, and see that each one works as I want. 
If I leave the line "worker_processes auto;" it shows me this message:

    nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:1

If I remove "worker_processes auto;" the result is this:

    nginx: [emerg] "events" directive is not allowed here in /data/nginx/proxy_host/4.conf:3

Line 3 corresponds to:

    events {
        worker_connections 8192;
    }

The original configuration file is this:

    # ------------------------------------------------------------
    # emby.my_server.us
    # ------------------------------------------------------------
    server {
      set $forward_scheme http;
      set $server         "192.168.3.10";
      set $port           8096;

      listen 80;
      listen [::]:80;
      listen 443 ssl http2;
      listen [::]:443;

      server_name emby.my_server.us;

      # Let's Encrypt SSL
      include conf.d/include/letsencrypt-acme-challenge.conf;
      include conf.d/include/ssl-ciphers.conf;
      ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
      ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;

      # Block Exploits
      include conf.d/include/block-exploits.conf;

      # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
      add_header Strict-Transport-Security "max-age=63072000; preload" always;

      # Force SSL
      include conf.d/include/force-ssl.conf;

      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection $http_connection;
      proxy_http_version 1.1;

      access_log /data/logs/proxy-host-4_access.log proxy;
      error_log /data/logs/proxy-host-4_error.log warn;

      location / {
        # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
        add_header Strict-Transport-Security "max-age=63072000; preload" always;

        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        proxy_http_version 1.1;

        # Proxy!
        include conf.d/include/proxy.conf;
      }

      # Custom
      include /data/nginx/custom/server_proxy[.]conf;
    }

If I find out how to solve it, rest assured that I will report back so it can help others.
Tur0k Posted October 3, 2021 (edited)

On 10/1/2021 at 8:26 AM, pir8radio said: Yeah, you might have to edit that line. I don't know what your public cert looks like, so you will need to update the public and private cert locations (pub.pem, pvt.pem). You can change those names to match your cert files, or change the file names to match the config.

I figured this out. It took a lot of time and more snapshot restores than I would like to admit to. I am running the "mainline" NGINX branch for Ubuntu 20.04, so I have version 1.21.3, which is much newer than what is available from Ubuntu's distros. In that version there are still two ways to configure the reverse proxy:

A. Split .conf file (now in /etc/nginx/conf.d/xxx.conf)
B. Unified in the main .conf file (/etc/nginx/nginx.conf)

All the instructions I found were for older versions of nginx that use the /etc/nginx/sites-enabled/xx.conf location for the split conf files. The cloud services I use are Cloudflare for domain registrar/public DNS and Let's Encrypt for SSL. I am using an Ubuntu 20.04 VM server to host the proxy.

As soon as I would try to switch Nginx over to the /etc/nginx/nginx.conf with the configuration you graciously put together, it wouldn't pass an nginx test or reload because it was missing:

1. The SSL full chain (public cert)
2. The private cert
3. The log file directory/file, which had not been created

I was able to fix the log directory/file easily enough by pre-populating them. I would get stuck because I was also trying to use certbot and integrate the Let's Encrypt certificates and automatic renewal with nginx at the same time, so it would all work seamlessly and reload nginx as soon as a Let's Encrypt cert was renewed. Nginx wouldn't load because the config was missing the certificates, and Certbot didn't know to put its settings in /etc/nginx/nginx.conf.

Stand-alone, I could get certbot to register the domain and pick up the right certs on its own, but I couldn't figure out what syntax was needed to replace the named /etc/nginx/ssl/xx.pem stuff. I ended up using the OEM /etc/nginx/nginx.conf, unlinking /etc/nginx/conf.d/default.conf and creating a new /etc/nginx/conf.d/<mydomain>.conf file. I configured the file as:

    server {
        listen 80;
        server_name <mysubdomain>;
        location / {
            proxy_pass http://<internal IP>:8096;
        }
    }

At that point I was able to get the reverse proxy working on port 80, no SSL. I then reinstalled certbot and the nginx integration for it and was able to get it to update the /etc/nginx/conf.d/<mydomain>.conf file:

    server {
        server_name <my public subdomain>;
        location / {
            proxy_pass http://<internal IP of emby server>:8096;
        }
        listen 443 ssl; # managed by Certbot
        ssl_certificate /etc/letsencrypt/live/<my subdomain>/fullchain.pem; # managed by Certbot
        ssl_certificate_key /etc/letsencrypt/live/<my Subdomain>/privkey.pem; # managed by Certbot
        include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
    }
    server {
        if ($host = <my subdomain>) {
            return 301 https://$host$request_uri;
        } # managed by Certbot
        listen 80;
        server_name <my subdomain>;
        return 404; # managed by Certbot
    }

I copied the contents of the /etc/nginx/conf.d/<my subdomain>.conf file. I then switched /etc/nginx/nginx.conf back to the one you developed for us, with my environmental variables, commented out the defined certificate locations and encryption variables, and added the ones that certbot had defined in /etc/nginx/conf.d/<mydomain>.conf:

    ## SSL SETTINGS ##
    ## ssl_session_timeout 30m;             ## 10.3.21 - removing to allow certbot to handle
    ## ssl_protocols TLSv1.2 TLSv1.1 TLSv1;  ## 10.3.21 - removing to allow certbot to handle
    ## ssl_certificate ssl/pub.pem;          ## Location of your public PEM file. ## 10.3.21 - removing to allow certbot to handle
    ## ssl_certificate_key ssl/pvt.pem;      ## Location of your private PEM file. ## 10.3.21 - removing to allow certbot to handle
    ## ssl_session_cache shared:SSL:10m;     ## 10.3.21 - removing to allow certbot to handle
    ssl_certificate /etc/letsencrypt/live/<my subdomain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<my Subdomain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Now my NGINX install passes a self test and reloads the config. It proxies as expected and handles SSL offloading. Additionally, I get an A+ rating instead of a B rating on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=<mydomain>). I am just about finished figuring out how to add ddclient to my nginx/certbot VM so I will have DDNS to my public DNS provider.

How do I add other back-end servers and subdomains to the /etc/nginx/nginx.conf file? Is there a way to only allow access to them from my internal subnets in the Nginx config?

Thank you for setting up the nginx.conf file and for your assistance with all of our issues. I appreciate it.

Edited October 3, 2021 by Tur0k
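On the two closing questions, the following is an added example and not part of pir8radio's config or Tur0k's post. Each extra subdomain is its own server block inside the same http block, and allow/deny in that block restricts who may reach it. Assumed values: the second app answers on 192.168.10.20:8080, the LAN is 192.168.0.0/16, the hostname is internal.example.com, and certbot has already been run for that name so its directory under /etc/letsencrypt/live exists. The catch-all port-80 server in the config already redirects the new name to https, so nothing is needed there.

```nginx
## Added example, not part of pir8radio's config: a second backend that only the LAN may reach.
## Assumed values: backend 192.168.10.20:8080, LAN 192.168.0.0/16, hostname internal.example.com.
## Place both blocks inside the existing http { } next to the Emby server block.

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name internal.example.com;

    ## certbot keeps one directory per certificate name; the same four lines it wrote for Emby, with this name
    ssl_certificate     /etc/letsencrypt/live/internal.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/internal.example.com/privkey.pem;
    include /etc/letsencrypt/options-ssl-nginx.conf;
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

    ## Source restriction, evaluated against $remote_addr (the TCP peer). With no CDN in front that is
    ## the real client; behind Cloudflare it would be an edge address and this check would be meaningless.
    allow 192.168.0.0/16;
    allow 127.0.0.1;
    deny  all;               ## everyone else gets 403

    location / {
        proxy_pass http://192.168.10.20:8080;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

## Without this, a request for any name that matches no server_name is served by the first 443 block,
## i.e. Emby. Closing the connection instead keeps scanners that hit the bare IP away from the apps.
## A default TLS server still needs a certificate to complete the handshake; any of the above will do.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate     /etc/letsencrypt/live/internal.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/internal.example.com/privkey.pem;
    return 444;
}
```

Run `sudo nginx -t` before `sudo nginx -s reload`, then confirm the restriction from outside the LAN with `curl -I https://internal.example.com/`, which should return 403, while the same request from an internal host reaches the app. Because the deny is on the TCP peer address, it only stays meaningful as long as nothing that rewrites the source address (a CDN, or a hairpin NAT that masquerades LAN clients) sits between the client and this VM.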