
HOW TO: emby with NGINX - With Windows Specific Tips and CSP options


pir8radio


pir8radio
On 6/25/2021 at 11:04 PM, TristenP said:

Thank you, it works now, and the second thing why it didn't work was the firewall. Can you help me to get xteve working with the nginx config, so that it works with example.example.com/xteve? The original URL from xteve is (ip:port/web/). I think I need to rewrite it but I don't know how.

example

location /xteve {
    proxy_pass http://ip:port;  ## scheme added: nginx requires http:// or https:// in proxy_pass
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect default;
}

@pir8radio @dapper

 

 

Try:

location ~ /xteve(.*)$ {
    proxy_pass http://YOURIPADDRESS:YOURPORT$1;
    proxy_hide_header X-Powered-By;
    proxy_set_header Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Ssl on;
    proxy_redirect default;
}

 


tua911111

@pir8radio Hello, I'm hoping you can help me with an issue I'm having. I have also set up my emby server using NGINX along with docker (if this matters). My issue is that I can't seem to get these live "two way real time info to and from emby and the client." The reason I believe this is true is because I am playing a video on one browser and, on a second browser from the dashboard, I don't see the other browser's progress (like the time changing). Another issue that I've been having is that I want to send messages to people using the message icon and when I click send, nothing happens.

I have copied your NGINX.conf almost exactly, changing only the slightest things.

 

worker_processes  auto;

events {
    worker_connections  8192;
}

http {
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile        off;  ## Sendfile not used in a proxy environment.

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## Start of actual server blocks
    server {
        listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

        server_name test.com;   ## enter your service name and domain name here example emby.domainname.com

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      /etc/ssl/private/fullchain.pem;  ## The file path was set by docker to use /etc/ssl/private.
        ssl_certificate_key  /etc/ssl/private/privkey.pem;
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {   ## Disables access to swagger interface
            return 404;
        }

        location /emby/ {
            proxy_pass http://172.17.0.1:8096/;  ## Enter the IP and port of the backend emby server here.

            proxy_hide_header X-Powered-By;  ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            # add_header 'Referrer-Policy' 'origin-when-cross-origin';
            # add_header Strict-Transport-Security "max-age=15552000; preload" always;
            # add_header X-Frame-Options "SAMEORIGIN" always;
            # add_header X-Content-Type-Options "nosniff" always;
            # add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

 

Edited by tua911111

Bartype
On 3/3/2021 at 6:13 AM, dapper said:

And the important certificates/files to make it all work. 

cloudflare-allow.conf



# https://www.cloudflare.com/ips
# IPv4
allow 103.21.244.0/22;
allow 103.22.200.0/22;
allow 103.31.4.0/22;
allow 104.16.0.0/12;
allow 108.162.192.0/18;
allow 131.0.72.0/22;
allow 141.101.64.0/18;
allow 162.158.0.0/15;
allow 172.64.0.0/13;
allow 173.245.48.0/20;
allow 188.114.96.0/20;
allow 190.93.240.0/20;
allow 197.234.240.0/22;
allow 198.41.128.0/17;
allow 127.0.0.1/32;

cert.pem (your site's cert)




private.key (your site's key)





origin-pull-ca.pem

https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls

https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem





certPlusOrigin.pem

Your Cert + the Cloudflare certs combined into 1 file

https://support.cloudflare.com/hc/en-us/articles/115000479507-Managing-Cloudflare-Origin-CA-certificates

https://support.cloudflare.com/hc/article_attachments/360037898732/origin_ca_ecc_root.pem

https://support.cloudflare.com/hc/article_attachments/360037885371/origin_ca_rsa_root.pem

https://support.cloudflare.com/hc/en-us/article_attachments/360044928032/origin-pull-ca.pem

 



-----BEGIN CERTIFICATE-----
[same as "cert.pem"]
-----END CERTIFICATE-----

[followed by the Cloudflare certificates downloaded from the links above, each pasted as its own -----BEGIN CERTIFICATE----- / -----END CERTIFICATE----- block]

 

(The dhparam.pem & .htpasswd files are not mandatory for the setup and require more complex configuration that you can google)

Hi Dapper, it has been a while since you posted this config. Now, vacation has started at long last and I have the time to try things out. I hope I still may ask you for some help to get in the right direction to get this to work right. I have used your config as a base for my situation and nginx does test this config as 'ok', without errors. When I set this config 'live' I do get an

400 Bad Request

The SSL certificate error

when I try to access emby. I have followed the steps as far as I could follow them as described on cloudflare, but I am lost at the point where I have to create and 'upload' the origin certificate to nginx. I had already registered a certificate at 'namecheap' for my domain in the format "emby.mydomain.com".

When using an external registrar and not cloudflare for your domain certificate, how are the certificates built up? And also, can you just edit them with an editor like notepad++ to combine them, or do you really have to use openssl or something?

Nginx is working fine in the 'old' situation with just the namecheap certificates, so as far as my troubleshooting experience goes it has something to do with the "origin-pull-ca.pem" or "certPlusOrigin.pem" files. How can I best create these when using namecheap certs?

Thank you in advance for all the help and information!

 

Edited by Bartype
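An added example, not part of dapper's or pir8radio's configs, of which nginx directive each PEM in the quoted post feeds when the site certificate comes from an external CA such as Namecheap, and why an origin-pull setup answers with "400 Bad Request / The SSL certificate error" when the client certificate check fails. File names, the domain and the backend address are assumptions.

```nginx
## ADDED EXAMPLE (assumed paths): one HTTPS server block sitting behind Cloudflare.
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mydomain.com;

    ## 1) YOUR site certificate, from Namecheap or any other CA: the leaf
    ##    certificate first, then the CA's intermediate certificate(s) appended
    ##    below it. PEM blocks are plain text, so concatenating them in a text
    ##    editor such as notepad++ is fine; openssl is not needed for that.
    ssl_certificate      /etc/nginx/ssl/certPlusChain.pem;
    ssl_certificate_key  /etc/nginx/ssl/private.key;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  30m;

    ## 2) origin-pull-ca.pem is NOT part of your chain. It is the CA nginx uses to
    ##    verify the CLIENT certificate that Cloudflare presents once
    ##    "Authenticated Origin Pulls" is switched on in the Cloudflare dashboard.
    ##    With ssl_verify_client on, a client whose certificate does not verify
    ##    against this CA gets "400 Bad Request / The SSL certificate error", and a
    ##    client that presents none (a browser hitting the origin directly) gets
    ##    "400 Bad Request / No required SSL certificate was sent".
    ##    Leave both lines commented out until the feature is enabled on the
    ##    Cloudflare side and the site already works through Cloudflare without them.
    # ssl_client_certificate /etc/nginx/ssl/origin-pull-ca.pem;
    # ssl_verify_client on;

    ## 3) The origin_ca_*_root.pem files only matter if the site certificate itself
    ##    was issued by Cloudflare Origin CA. With an external CA nginx never uses them.

    ## Accept connections only from Cloudflare's ranges (dapper's cloudflare-allow.conf
    ## above). Without this, anyone who reaches the origin IP directly can set
    ## CF-Connecting-IP to any value, and the X-Real-IP passed below, plus any logging
    ## or blocking keyed on it, would trust that value.
    include /etc/nginx/cloudflare-allow.conf;
    deny all;

    location / {
        proxy_pass http://192.168.1.10:8096;
        proxy_http_version 1.1;
        proxy_hide_header X-Powered-By;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $http_CF_Connecting_IP;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Run `nginx -t` after each change; a wrong certificate path fails there rather than at request time.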
Madflava

I'm sure I'm doing something stupid or wrong here but my setup is like this. I have a custom domain through GoDaddy and have a Powershell script that runs every hour to make sure the IP doesn't change. I pasted in your config, made the changes for server IP, etc. (all of this is done through CLI in the Docker Nginx container) and this is the error I get:

nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/16.conf:1

 

Any thoughts?

Edited by Madflava

pir8radio
21 hours ago, reggierat said:

Please delete, solved it

Sorry we missed it.. Curious what your issue was and what you found though! Anything I can change in the how-to that helps?


horstepipe

I'm having quite long search times within emby, but I missed putting this on an SSD. So in the next days I'll correct that, but I'm wondering whether maybe also Cloudflare in front of your nginx configuration makes some trouble. E.g. maybe search queries are being cached by Cloudflare...? Or is this definitely being bypassed with the Cloudflare rules you provided?


Putting this on an SSD should make quite a difference so that would be the first thing to try.


pir8radio
5 hours ago, horstepipe said:

I'm having quite long search times within emby, but I missed putting this on an SSD. So in the next days I'll correct that, but I'm wondering whether maybe also Cloudflare in front of your nginx configuration makes some trouble. E.g. maybe search queries are being cached by Cloudflare...? Or is this definitely being bypassed with the Cloudflare rules you provided?

I'm not seeing Cloudflare issues.. I do see issues when my music library is included in the database.. local or through CF. But only about 5-7 seconds on a search. I did increase the database cache size to 1 gig I think... not sure if that helps, but it has helped my page loads for music pages. What kind of search times are you seeing? And how big is your database? Mine is like 1.6 gigs, so the 1 gig cache seems to have helped a lot; my database (whole OS) is on a raided SSD though too..



Hey mate, I'm trying your config out but I get the following error:

Sep 20 17:45:30 Emby nginx[3410328]: nginx: [emerg] "worker_processes" directive is not allowed here in /etc/nginx/sites-enabled/emby:1
Sep 20 17:45:30 Emby nginx[3410328]: nginx: configuration file /etc/nginx/nginx.conf test failed
 


I believe because I use a script to install apps this has the default config, but I don't have a clue how to make this config work with your config.

 

 


pir8radio
On 9/22/2021 at 4:04 AM, judgey said:

Can anyone else help me with my config please as mine looks nothing like this.

 

Thank you 🙂

Sorry.. You need to dig in and understand a bit what you have and what you are doing with it.. You probably have some docker or something that someone else pre-built. Are you using nginx for anything other than emby? If no, you can just rename your main config file and start fresh.. Go back to the old if you need to..


On 9/5/2021 at 6:14 PM, pir8radio said:

I'm not seeing Cloudflare issues.. I do see issues when my music library is included in the database.. local or through CF. But only about 5-7 seconds on a search. I did increase the database cache size to 1 gig I think... not sure if that helps, but it has helped my page loads for music pages. What kind of search times are you seeing? And how big is your database? Mine is like 1.6 gigs, so the 1 gig cache seems to have helped a lot; my database (whole OS) is on a raided SSD though too..

how do you increase the database cache size?

thanks.


pir8radio
3 hours ago, dual-o said:

how do you increase the database cache size?

thanks.

It's built into the beta emby server GUI (Server/Database), but if you don't see it there, see this post:

 


On 12/16/2020 at 8:34 AM, pir8radio said:

NGINX and emby

Config Version 1.0.2
Last Update 9-23-2021
Update by Pir8Radio

 

  • Why Use NGINX reverse proxy ahead of my application servers like emby?
  • With NGINX or any reverse proxy ahead of an application server you have more control over your setup.  You can do things the application servers were not built to handle,  have better control over your security and logging, replace lines of code without editing the application server code, better control of caching, etc, etc....   One of the main reasons is so that you don't have to open a new port on your firewall for every application server you host, all you really need to open is 80 & 443 and the internet can reach all of your different servers through one entrance.
  • Will NGINX work on my OS?
  • Most likely, you can find various versions of NGINX for most OS's and they come in different flavors, with options baked in, or just the bare NGINX that you need to compile.  See below for download links to get you started.
  • Will NGINX break things on emby?
  • Absolutely if you don't configure it correctly!    I HIGHLY suggest when choosing a scheme to setup your domain URL you choose SUB-DOMAIN and NOT sub-directory, more below.  Also if you come to the emby forum with things not working, or issues you have and you use a Reverse Proxy, PLEASE make sure that is one of the first things you mention in your forum post.  ESPECIALLY  if emby works on one platform or client, but not another.   So many times people complain  "but it works on chrome, so I didn't think it was the reverse proxy".  Mention you have a Reverse Proxy please.   If the reverse proxy is setup correctly it should be totally transparent to the user and the application server (emby). 

 

I'm not going to go into how to purchase and setup a domain name.   Lots of how-to's on that out there.     Once you have a domain name and its pointed to your IP address, you can go to that domain name and hit your server then continue on.... 

 

Sub-Domain vs Sub-Directory:

Let's say your domain name is:   domain.com     there are two main ways you can direct traffic from the internet to your backend application servers like emby.   One is sub-directory, something like domain.com/emby    or  domain.com/other-server     This is doable in nginx, but there are some catches and you need to know how your reverse proxy and application server work in detail.. This often breaks different features in emby and other application servers..    To keep with our "Totally Transparent" goal sub-directory doesn't work well, it requires a lot of rewriting and work-arounds to make it work smoothly; if you choose sub-directory you will run into issues you will need to address.     The other option is Sub-Domain, this is the cleanest, most transparent, easiest to setup and maintain, it's also what I highly suggest you setup.   A sub-domain looks like:   emby.domain.com     or   other-server.domain.com    The below config is based on Sub-Domain.  I will include a sub-directory example as well.

 

NGINX Downloads:

  • Official nginx downloads(LINUX):       nginx.org
  • Official nginx downloads(Windows):  nginx.org
  • WINDOWS users I suggest this version: nginx-win.ecsds.eu  download links are at the bottom of the page.    This Windows version has lots of cool features compiled into it already, and is optimized for Windows.  They keep up with updates, it's a FREE (for non-commercial) third party build that I highly recommend.

Additional Links:

Content Security Policy info (CSP) (For Advanced Users): 

  • A CSP WILL break your server if you don't know what you are doing, I suggest reading up, lots of googling, and understand what a CSP's function is and is not prior to venturing into this area  🙂  

 

 

Example NGINX Reverse Proxy Config:

  • 3-29-2020 - ADDED A LINE FOR CLOUDFLARE USERS SO THAT THE X-REAL-IP HEADER IS CORRECTED. THIS ONLY AFFECTS Cloudflare USERS.
  • 4-11-2020 (V1.0.1) - MOVED proxy_buffering off; FROM LOCATION BLOCK TO SERVER BLOCK
  • 12-18-2020 (V1.0.2) - ADDED 301 SERVER SECTION TO FORCE ALL TRAFFIC TO SSL. 
  • 9-23-2021  no nginx config change, but cloudflare changed how they cache video files, so emby users that use Cloudflare now need to add a rule like below to make sure video is seekable and playable.  

 

 

** The below "Page Rules" are only needed for Cloudflare CDN users, otherwise ignore. 

worker_processes  auto;

error_log  logs/error.log;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile        off;  ## Sendfile not used in a proxy environment.

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
    server {
        listen 80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## Start of actual server blocks
    server {
        listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

        server_name emby.domainname.com;    ## enter your service name and domain name here example emby.domainname.com

        access_log  logs/emby.log  emby;  ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      ssl/pub.pem;  ## Location of your public PEM file.
        ssl_certificate_key  ssl/pvt.pem;  ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {   ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

            proxy_hide_header X-Powered-By;  ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

 

Well, it happened. I am moving off of PFSense. I am moving my homelab firewall over to a Fortinet Fortigate 60F and am working on getting Fortinet NSE certified for work. To that end I need to get SSL renewal and my reverse proxy services off the firewall. In the PfSense world I was using the HAProxy (reverse proxy) addon alongside the Let's Encrypt ACME SSL certificate client with a good deal of luck. For security stacking I used PFblockerNG to filter out known bad sources and geofence access to my region of the world. I set up a sort of honey pot to catch and deny-list bad requests based on SNI (IP, subdomain, etc.) requests. I was working on programming deny-listing bad login attempts.

Now, I am working on transitioning over to NGINX (another technology I would like to learn more about). Initially I would like the reverse proxy, SSL offload, and SSL renewal hosted on this separate VM. I have installed Nginx on a separate Ubuntu VM and have it mapped to the NGINX mainline branch for patching. Currently, this VM is on the same subnet and VLAN as my Emby server. I already have public domains pointing to my public IP. I have not made the switch over on my firewall for port forwarding just yet as NGINX isn't reverse proxying and offloading SSL encryption just yet. I am working on setting up the DDNS on my Fortigate and figuring out how to set up my hairpin "loopback" NAT. I don't plan on using Cloudflare's CDN proxy.

In my scenario: I took the example Nginx reverse proxy config that Pir8Radio so graciously provided and:
1. Updated line 70 "server_name..." with my public subdomain.

2. Updated line 86 "proxy_pass..." with my Emby server's local subnet IP.

3. I then edited /etc/nginx/nginx.conf, removed everything except for line 1 "user  nginx;" and added my updated (with my environmental variables) Nginx reverse proxy config to the end of it.

4. I then attempted to run an Nginx reload (sudo nginx -s reload) and get the following message:

nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I am pretty sure that this means I have the config in the right place and the NGINX program is able to read it but can't find the SSL server side certificate. My hope is to use Let's Encrypt for SSL. In pfsense I was able to add an ACME and have that ACME automatically update the certificate and reload HAProxy. Is there a recommended way to get this done in NGINX? Any assistance would be greatly appreciated.

Edited by Tur0k

LeidenSpain

Hi,

I use Nginx Proxy Manager to manage my proxy, since it was very confusing for me directly by files.
As I already commented in another thread, I have come across the problem that the MiStick does not support login with emby: it sees the server, it sees the users, but it returns "wrong ID or password", even if it is a user without password.

What I have done to try to make it work (possibly wrong, and that is why it gives an error), is to stop the NPM docker, and edit the configuration file corresponding to my proxy for emby.

I have deleted the original content and copied that of @pir8radio, modifying the following lines:

server_name emby.my_server.us;
ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;
proxy_pass http://192.168.3.10:8096/; ## Enter the IP and port of the backend emby server here.

The SSL files are the same from the original config file.

 

But when starting the container it shows me this error:

nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:6

I have seen that it happens to more people, but the origin and how to solve it has not been clear to me.

 

I hope I have given all the necessary explanations.

Greetings and thanks

Edited by LeidenSpain
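The '"worker_processes" directive is not allowed here' error that Madflava, judgey and LeidenSpain all report has one cause: the file they pasted the how-to into (a sites-enabled/ file, or an NPM /data/nginx/proxy_host/*.conf) is included from inside the http { } block of the main nginx.conf, so it may only hold server { } blocks, while worker_processes, events { } and http { } itself belong to the top-level nginx.conf alone (NPM also rewrites those proxy_host files whenever the host is saved in its GUI, so custom directives belong in the host's Advanced tab instead). An added example, not from pir8radio's how-to, of that split on a Debian/Ubuntu packaged layout; paths, the domain and the backend address are assumptions, and the TLS and header settings are tightened relative to the how-to (TLS 1.0/1.1 dropped, HSTS at the minimum hstspreload.org accepts).

```nginx
## ADDED EXAMPLE (assumed paths). Two files are shown; the first is left commented
## because it already exists on a packaged install and is edited, not replaced.

## ===== /etc/nginx/nginx.conf (top level) =====
## Only here may worker_processes, events { } and http { } appear. The how-to's
## http-level settings (log_format, gzip_*, proxy_*_timeout, tcp_nodelay, ...)
## go inside this http { } block, BEFORE the include lines at its end.
#
# user  www-data;            ## "nginx" on nginx.org packages
# worker_processes  auto;
# error_log  /var/log/nginx/error.log;
#
# events {
#     worker_connections  8192;
# }
#
# http {
#     include       mime.types;
#     default_type  application/octet-stream;
#     server_names_hash_bucket_size 64;
#     server_tokens off;
#     ## $http_x_emby_authorization is left out of this format on purpose: that
#     ## header carries the client's Emby access token, which does not belong in logs.
#     log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
#                       '$status $body_bytes_sent "$http_referer" '
#                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';
#     sendfile  off;
#     proxy_connect_timeout 1h;
#     proxy_send_timeout    1h;
#     proxy_read_timeout    1h;
#     tcp_nodelay on;
#
#     include /etc/nginx/conf.d/*.conf;
#     include /etc/nginx/sites-enabled/*;   ## <- the file below is read at THIS point
# }

## ===== /etc/nginx/sites-enabled/emby (the complete file) =====
## Nothing but server { } blocks: a worker_processes, events { } or http { } line
## here is exactly what produces "directive is not allowed here ... emby:1".

server {
    listen 80;
    listen [::]:80;
    server_name emby.domainname.com;
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.domainname.com;
    proxy_buffering off;

    access_log  /var/log/nginx/emby.log  emby;   ## "emby" format defined in nginx.conf

    ssl_certificate      /etc/nginx/ssl/pub.pem;
    ssl_certificate_key  /etc/nginx/ssl/pvt.pem;
    ssl_session_cache    shared:SSL:10m;
    ssl_session_timeout  30m;
    ssl_protocols        TLSv1.2 TLSv1.3;   ## TLS 1.0/1.1 are deprecated (RFC 8996)

    ## Response headers. add_header is inherited by a location only if that location
    ## sets none of its own, which is why they sit at server level here.
    ## hstspreload.org requires max-age >= 31536000, includeSubDomains and preload;
    ## the how-to's 15552000 would be rejected. Ramp up as the how-to advises, and add
    ## includeSubDomains only once every subdomain is served over HTTPS.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains; preload" always;
    add_header Referrer-Policy "origin-when-cross-origin" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    ## X-XSS-Protection is deliberately omitted: Chromium-based browsers and Firefox ignore it.

    location ^~ /swagger {
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        ## WebSocket upgrade for Emby's live session updates
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

`nginx -t` reports the offending file and line when a top-level directive ends up in an included file, so run it before every reload.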

pir8radio
On 9/27/2021 at 3:19 AM, Tur0k said:

Well, it happened. I am moving off of PFSense. I am moving my homelab firewall over to a Fortinet Fortigate 60F and am working on getting Fortinet NSE certified for work. To that end I need to get SSL renewal and my reverse proxy services off the firewall. In the PfSense world I was using the HAProxy (reverse proxy) addon alongside the Let's Encrypt ACME SSL certificate client with a good deal of luck. For security stacking I used PFblockerNG to filter out known bad sources and geofence access to my region of the world. I set up a sort of honey pot to catch and deny-list bad requests based on SNI (IP, subdomain, etc.) requests. I was working on programming deny-listing bad login attempts.

Now, I am working on transitioning over to NGINX (another technology I would like to learn more about). Initially I would like the reverse proxy, SSL offload, and SSL renewal hosted on this separate VM. I have installed Nginx on a separate Ubuntu VM and have it mapped to the NGINX mainline branch for patching. Currently, this VM is on the same subnet and VLAN as my Emby server. I already have public domains pointing to my public IP. I have not made the switch over on my firewall for port forwarding just yet, as NGINX isn't reverse proxying and offloading SSL encryption just yet. I am working on setting up the DDNS on my FortiGate and figuring out how to set up my hairpin "loopback" NAT. I don't plan on using Cloudflare's CDN proxy.

In my scenario: I took the example Nginx reverse proxy config that Pir8Radio so graciously provided and:
1. Updated line 70 "server_name..." with my public subdomain.
2. Updated line 86 "proxy_pass..." with my Emby server's local subnet IP.
3. I then edited /etc/nginx/nginx.conf, removed everything except for line 1 "user  nginx;" and added my updated (with my environmental variables) Nginx reverse proxy config to the end of it.
4. I then attempted to run an Nginx reload (sudo nginx -s reload) and get the following message:

nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

I am pretty sure that this means I have the config in the right place and the NGINX program is able to read it but can't find the SSL server-side certificate. My hope is to use Let's Encrypt for SSL. In pfSense I was able to add an ACME and have that ACME automatically update the certificate and reload HAProxy. Is there a recommended way to get this done in NGINX? Any assistance would be greatly appreciated.

yea you might have to edit that line.. I don't know what your public cert looks like, so you will need to update the public and private cert locations, pub.pem and pvt.pem. You can change those names to match your cert files or change the file names to match the configs.

  • Like 1

pir8radio
On 9/29/2021 at 12:09 PM, LeidenSpain said:

Hi,

I use Nginx Proxy Manager to manage my proxy, since doing it directly with the files was very confusing for me.
As I already commented in another thread, I have come across the problem that the MiStick does not support login with emby: it sees the server, it sees the users, but it returns "wrong ID or password", even for a user without a password.

What I have done to try to make it work (possibly wrong, and that is why it gives an error), is to stop the NPM docker, and edit the configuration file corresponding to my proxy for emby.

I have deleted the original content and copied that of @pir8radio, modifying the following lines:


server_name emby.my_server.us;
ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem; 
ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;
proxy_pass http://192.168.3.10:8096/; ## Enter the IP and port of the backend emby server here.

The SSL files are the same as in the original config file.

But when starting the container it shows me this error:

nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:6

I have seen that it happens to more people, but the origin and how to solve it have not been clear to me.

I hope I have given all the necessary explanations.

Greetings and thanks

yea certain parameters in the config need to be in certain locations, it's tough to copy/paste using those proxy managers... They use config "includes" and grab various config files and inject them in different spots of the main config... It's often tough to follow.. This is why I like one big config file (unless it's a really big and complex production setup). I host like 10 or so sites and have a decent sized config, but still all in one file.. At my work we use includes due to the complexity.

  • Like 1

LeidenSpain
6 minutes ago, pir8radio said:

yea certain parameters in the config need to be in certain locations, it's tough to copy/paste using those proxy managers... They use config "includes" and grab various config files and inject them in different spots of the main config... It's often tough to follow.. This is why I like one big config file (unless it's a really big and complex production setup). I host like 10 or so sites and have a decent sized config, but still all in one file.. At my work we use includes due to the complexity.

I did that test at the time, but it showed another error.
It is clearly looking for a file, but the file is not where it expects it to be.


pir8radio
13 minutes ago, LeidenSpain said:

I did that test at the time, but it showed another error.
It is clearly looking for a file, but the file is not where it expects it to be.

the config can be intimidating at first.. but it's really easy to learn. If you have any kind of coding experience that helps (HTML even), but I would suggest not using the proxy manager.. but that is really just my opinion since I've never used one; it's hard for me to help troubleshoot.. I have no clue what the manager is doing to the configs.. it could be you change something manually, and the manager moves and rewrites things based on what it thinks is correct.

  • Like 1

LeidenSpain
1 hour ago, pir8radio said:

the config can be intimidating at first.. but it's really easy to learn. If you have any kind of coding experience that helps (HTML even), but I would suggest not using the proxy manager.. but that is really just my opinion since I've never used one; it's hard for me to help troubleshoot.. I have no clue what the manager is doing to the configs.. it could be you change something manually, and the manager moves and rewrites things based on what it thinks is correct.

I am usually one of those who prefers to do everything by hand, and have control of everything. Because I don't like it, when I change my mobile I don't let the applications reinstall themselves, I prefer to do it one by one, and see that each one works as I want.

If I leave the line "worker_processes auto;" it shows me this message:

nginx: [emerg] "worker_processes" directive is not allowed here in /data/nginx/proxy_host/4.conf:1

If I remove "worker_processes auto;" the result is this:

nginx: [emerg] "events" directive is not allowed here in /data/nginx/proxy_host/4.conf:3

line 3 corresponds to:

events {
    worker_connections 8192;
}

The original configuration file is this:

# ------------------------------------------------------------
# emby.my_server.us
# ------------------------------------------------------------

server {
  set $forward_scheme http;
  set $server         "192.168.3.10";
  set $port           8096;

  listen 80;
  listen [::]:80;

  listen 443 ssl http2;
  listen [::]:443;

  server_name emby.my_server.us;

  # Let's Encrypt SSL
  include conf.d/include/letsencrypt-acme-challenge.conf;
  include conf.d/include/ssl-ciphers.conf;
  ssl_certificate /etc/letsencrypt/live/npm-6/fullchain.pem;
  ssl_certificate_key /etc/letsencrypt/live/npm-6/privkey.pem;

  # Block Exploits
  include conf.d/include/block-exploits.conf;

  # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
  add_header Strict-Transport-Security "max-age=63072000; preload" always;

  # Force SSL
  include conf.d/include/force-ssl.conf;

  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header Connection $http_connection;
  proxy_http_version 1.1;

  access_log /data/logs/proxy-host-4_access.log proxy;
  error_log /data/logs/proxy-host-4_error.log warn;

  location / {

    # HSTS (ngx_http_headers_module is required) (63072000 seconds = 2 years)
    add_header Strict-Transport-Security "max-age=63072000; preload" always;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection $http_connection;
    proxy_http_version 1.1;

    # Proxy!
    include conf.d/include/proxy.conf;
  }

  # Custom
  include /data/nginx/custom/server_proxy[.]conf;
}

If I find out how to solve it, rest assured that I will report back so it can help others.


Tur0k
On 10/1/2021 at 8:26 AM, pir8radio said:

yea you might have to edit that line.. I don't know what your public cert looks like, so you will need to update the public and private cert locations, pub.pem and pvt.pem. You can change those names to match your cert files or change the file names to match the configs.

I figured this out. It took a lot of time and more snapshot restores than I would like to admit to. I am running the "mainline" NGINX branch for Ubuntu 20.04, so I have version 1.21.3, which is much newer than what is available from Ubuntu's distros. In that version there are still two ways to configure the reverse proxy:

A. split .conf file (now in /etc/nginx/conf.d/xxx.conf)

B. Unified in the main .conf file (/etc/nginx/nginx.conf). 

All the instructions I found were for older versions of nginx that use /etc/nginx/sites-enabled/xx.conf location for the split conf file locations. 

The cloud services I use are: cloudflare for domain registrar/public DNS and let's encrypt for SSL.  I am using an ubuntu 20.04 VM server to host the proxy.

As soon as I would try to switch Nginx over to the /etc/nginx/nginx.conf with the configuration you graciously put together it wouldn't pass a nginx test or reload because it was missing:

1. The SSL full chain (public cert)
2. The private cert
3. The log file directory/file not being created.

I was able to fix the log directory/file easily enough by pre-populating them. I would get stuck because I was trying to also use certbot and integrate the Let's Encrypt certificates and automatic renewal with nginx at the same time, so it would all work seamlessly and reload nginx as soon as a Let's Encrypt cert was renewed. Nginx wouldn't load because the config was missing the certificates, and Certbot didn't know to put its settings in /etc/nginx/nginx.conf. Stand-alone I could get certbot to register the domain and pick up the right certs on its own, but I couldn't figure out what syntax was needed to replace the named /etc/nginx/ssl/xx.pem stuff.

I ended up using the OEM /etc/nginx/nginx.conf, unlinking the /etc/nginx/conf.d/default.conf and creating a new /etc/nginx/conf.d/<mydomain>.conf file.  I configured the file as:

server {
        listen 80;
        server_name <mysubdomain>;
        location / {
                proxy_pass      http://<internal IP>:8096;
        }
}

At that point I was able to get the reverse proxy working on port 80 with no SSL. I then reinstalled certbot and the nginx integration for it and was able to get it to update the /etc/nginx/conf.d/<mydomain>.conf file.

server {
        server_name <my public subdomain>;
        location / {
                proxy_pass      http://<internal IP of emby server>:8096;
        }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/<my subdomain>/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/<my Subdomain>/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

}
server {
    if ($host = <my subdomain>) {
        return 301 https://$host$request_uri;
    } # managed by Certbot


        listen 80;
        server_name <my subdomain>;
    return 404; # managed by Certbot
}

I copied the contents of the /etc/nginx/conf.d/<my subdomain>.conf file. I then switched the file /etc/nginx/nginx.conf back to the one you developed for us that had my environmental variables, commented out the defined certificate locations and encryption variables, and added the ones that certbot defined in the /etc/nginx/conf.d/<mydomain>.conf file:

##SSL SETTINGS##
##        ssl_session_timeout 30m; ##10.3.21-removing to allow cert bot to handle
##        ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ##10.3.21-removing to allow cert bot to handle
##      ssl_certificate      ssl/pub.pem;  ## Location of your public PEM file. ##10.3.21-removing to allow cert bot to handle
##      ssl_certificate_key  ssl/pvt.pem;  ## Location of your private PEM file. ##10.3.21-removing to allow cert bot to handle
##        ssl_session_cache shared:SSL:10m; ##10.3.21-removing to allow cert bot to handle

ssl_certificate /etc/letsencrypt/live/<my subdomain>/fullchain.pem; # managed by Certbot
ssl_certificate_key /etc/letsencrypt/live/<my Subdomain>/privkey.pem; # managed by Certbot
include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

Now my NGINX install will pass a self test and reload the config. It proxies as expected and handles SSL offloading. Additionally, I get an A+ rating instead of a B rating on SSL Labs (https://www.ssllabs.com/ssltest/analyze.html?d=<mydomain>).

I am just about finished figuring out how to add DDclient to my nginx/certbot VM so I will have DDNS to my public DNS provider. 

How do I add other back end servers and subdomains to the /etc/nginx/nginx.conf file? Is there a way to only allow access to them from my internal subnets in the Nginx config?

thank you for setting up the nginx.conf file and for your assistance with all of our issues.  I appreciate it.

Edited by Tur0k
  • Like 1
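Tur0k's question about adding more backends and restricting some of them to internal subnets, and LeidenSpain's "directive is not allowed here" errors above, both come down to nginx's contexts: user, worker_processes and events { } are main-context directives that only work at the top of nginx.conf, server { } blocks live inside http { }, and proxy settings belong in server or location. The following is an added example in the one-file style pir8radio describes; it is not the config of pir8radio, Tur0k or Nginx Proxy Manager. The hostnames emby.example.com and admin.example.com, the backend addresses 192.168.1.20:8096 and 192.168.1.30:8080, the 192.168.1.0/24 LAN range and the certificate paths are all assumed placeholders (the cert paths follow the /etc/letsencrypt/live/<name>/ layout that Certbot writes).

```nginx
# Added example nginx.conf (not from this thread or NPM). All hostnames, addresses,
# subnets and certificate paths below are assumed placeholders.

# ---- main context: valid only at the top level of /etc/nginx/nginx.conf ----
user  nginx;
worker_processes  auto;

events {
    worker_connections  8192;
}

# ---- http context: defaults shared by every virtual host below ----
http {
    include       /etc/nginx/mime.types;
    default_type  application/octet-stream;
    server_tokens off;            # do not advertise the nginx version

    # Pass the WebSocket upgrade through to Emby (dashboard/session updates).
    map $http_upgrade $connection_upgrade {
        default upgrade;
        ''      close;
    }

    # ---- server context: one block per public hostname ----
    # Public Emby host; TLS is terminated here with Certbot-managed files.
    server {
        listen 443 ssl http2;
        server_name emby.example.com;

        ssl_certificate     /etc/letsencrypt/live/emby.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/emby.example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;   # Certbot's TLS settings
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        add_header Strict-Transport-Security "max-age=63072000" always;

        location / {
            proxy_pass http://192.168.1.20:8096;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $connection_upgrade;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_hide_header X-Powered-By;   # hide the backend's banner
        }
    }

    # Second backend on its own hostname, reachable only from the LAN.
    # allow/deny are evaluated in order against the connection's source address;
    # anything not matched by an allow is answered with 403 by "deny all".
    # Keeping it in its own server block keeps the ACL off the public Emby host.
    server {
        listen 443 ssl http2;
        server_name admin.example.com;

        ssl_certificate     /etc/letsencrypt/live/admin.example.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/admin.example.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;

        allow 192.168.1.0/24;   # assumed LAN range; list each internal subnet
        deny  all;

        location / {
            proxy_pass http://192.168.1.30:8080;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }
    }

    # Plain HTTP: send both names to HTTPS instead of serving anything in clear.
    server {
        listen 80;
        server_name emby.example.com admin.example.com;
        return 301 https://$host$request_uri;
    }
}
```

Run nginx -t before nginx -s reload so a directive in the wrong context is reported instead of taking the proxy down. In Nginx Proxy Manager the per-host /data/nginx/proxy_host/N.conf files are pulled in below the http { } level (which is exactly why nginx rejects worker_processes and events there), so only the server { } part of this example belongs in such a file; the main and http settings already exist in NPM's own nginx.conf. The allow/deny rule only checks the address nginx actually sees on the TCP connection: with a hairpin NAT that rewrites LAN sources to the firewall's address, or with a CDN proxy in front, confirm what $remote_addr shows in the access log before relying on it, because the rule would otherwise either lock out LAN clients or admit everyone arriving via that address.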