HOW TO: emby with NGINX - With Windows Specific Tips and CSP options

[rbjtech 4270]

2 minutes ago, Alexwerilles said:

Does anyone know a code to limit download speed that works with this @pir8radio config? I never managed to make it work

For static web pages, it's relatively easy, but for dynamic content / streaming/ hls (ie emby traffic) then it's not going to work without some server based control...

[Alexwerilles 3]

1 minute ago, rbjtech said:

For static web pages, it's relatively easy, but for dynamic content / streaming/ hls (ie emby traffic) then it's not going to work without some server based control...

In this thread there are some people saying they managed to make it work

[rbjtech 4270]

16 minutes ago, Alexwerilles said:

In this thread there are some people saying they managed to make it work

sure - but as I said - this is only for static downloads - ie the contents of the emby downloads folder.  For that it's possible yes - just follow the thread above.

But if you want proper bandwidth management for anything else (normal streaming etc) then this solution is not going to work.

[Alexwerilles 3]

17 minutes ago, rbjtech said:

sure - but as I said - this is only for static downloads - ie the contents of the emby downloads folder.  For that it's possible yes - just follow the thread above.

But if you want proper bandwidth management for anything else (normal streaming etc) then this solution is not going to work.

I just want the download limitation. But this option doesn't even work for me, or I don't know the correct place to put it. every time I put it inside my nginx configuration, nginx breaks

[rbjtech 4270]

It depends on your install.

Look at the weblog from nginx (in /var/log/nginx - ie tail emby.log.1) and this will show all the url's that nginx has been serving for emby.

Do a download in emby via nginx- and then look at the tail of the above log again to see exactly where the download location is.

Then add that file location to the config above.

If you are not using linux for nginx - then other OS's will likely have differing locations for the downloads and possible web logs.

Edited October 11, 2023 by rbjtech

[Alexwerilles 3]

6 minutes ago, rbjtech said:

It depends on your install.

Look at the weblog from nginx (in /var/log/nginx - ie tail access.log.1) and this will show all the url's that nginx has been serving for emby.

Do a download in emby via nginx- and then look at the tail of the above log again to see exactly where the download location is.

Then add that file location to the config above.

If you are not using linux for nginx - then other OS's will likely have differing locations for the downloads and possible web logs.

I did what you said, the download location is the same as indicated in the topic apparently. Can I send my configuration?

[rbjtech 4270]

Just now, Alexwerilles said:

I did what you said, the download location is the same as indicated in the topic apparently. Can I send my configuration?

If you have copied the above, then I'm afraid that is as much as I know also.   Maybe try the nginx forums 

[rbjtech 4270]

So I don't think the 'location' is correct.

From a quick search and reply from Luke - and my own nginx logs - the location should be

/Sync/JobItems/{Id}/File

and my own remote nginx log (I did a test download) is agreeing with the path.

91.230.225.149 - - [11/Oct/2023:17:03:49 +0100] "GET /Sync/Items/Ready?TargetId=abdd8......

So when you download something - go look at the file system where it is stored (temporarily) and use that location to limit the download.

You'll need to piece it together I'm afraid - each system is different - as nginx is not part of emby, nor is it supported by them.

Edited October 11, 2023 by rbjtech

[Alexwerilles 3]

but where do I insert this:

 

location  ~ /Sync/JobItems/{Id}/File


proxy_pass my ip; # Local emby ip and non SSL port

proxy_hide_header X-Powered-By;
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_redirect off;


#Next three lines allow websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";

limit_rate 2500k;             # Speed limit (here is on kb/s)
limit_conn addr 1;            # Number of simultaneous downloads per IP
limit_conn_status 460;                  # custom error page
proxy_buffering on;

}

error_page 460 /460.html;               # for a custom local hosted error page (named 460.html)
        location = /460.html {
          root /var/www/html;           # path to the local error page
           internal;
       }

 

 

i my config current config, that's the problem:

 

server {
    listen [::]:80;             ## Listens on port 80 IPv6
    listen 80;            ## Listens on port 80 IPv4
    listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 443 ssl http2;    ## Listens on port 443 IPv4 with http2 and ssl enabled
    proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

    server_name emby.my ip;    ## enter your service name and domain name here

    access_log  /var/log/nginx/embyaccess.log;  ## Creates a log file with this name and the log info above.

     ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      /etc/nginx/ssl/cert.pem;  ## Location of your public
    ssl_certificate_key  /etc/nginx/ssl/private.key;  ## Location of your private PEM file.

     location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
}

     location / {
        proxy_pass http://127.0.0.1:myport;  ## Enter the IP here

    proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    #proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

     ## ADDITIONAL SECURITY SETTINGS ##
     ## Optional settings to improve security ##
     ## add these after you have completed your testing and ssl setup ##
     ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
     ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
    add_header 'Referrer-Policy' 'origin-when-cross-origin';
    add_header Strict-Transport-Security "max-age=15552000; preload" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;

    }
}

 

 

 

[weble 14]

@pir8radio

http2 is being depreciated on listen line.

change this

    ## Start of actual server blocks
server {

    listen [::]:443 ssl http2;	## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 443 ssl http2;	## Listens on port 443 IPv4 with http2 and ssl enabled
    proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

to this

server {

    listen [::]:443 ssl;	## Listens on port 443 IPv6 ssl enabled
    listen 443 ssl;	        ## Listens on port 443 IPv4 ssl enabled
    http2  on;                  ## Enables HTTP2
    proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

 

Edited December 29, 2023 by weble

[weble 14]

anyone know how to set permissions-policy correctly for emby?

[crusher11 851]

I just updated my config to match the OP, and now NGINX won't run. It just constantly restarts on a loop.

[crusher11 851]

Apparently the culprit is the "http2 on" line, "unknown directive "http2".

[rbjtech 4270]

43 minutes ago, crusher11 said:

Apparently the culprit is the "http2 on" line, "unknown directive "http2".

Did you scroll up ... ?

https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/&do=findComment&comment=1309363

[crusher11 851]

30 minutes ago, rbjtech said:

Did you scroll up ... ?

https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/&do=findComment&comment=1309363

The line that's causing the problem is from the second of those blocks.

[weble 14]

56 minutes ago, crusher11 said:

The line that's causing the problem is from the second of those blocks.

You could be running an older version that doesn’t know that line yet? If you swap back to 

listen 443 ssl http2;

does it work?

 

 

[crusher11 851]

It doesn't work, but it at least gets past that point. It's now saying /etc/nginx/logs/error.log doesn't exist, despite...

[rbjtech 4270]

10 minutes ago, weble said:

You could be running an older version that doesn’t know that line yet? If you swap back to 

listen 443 ssl http2;

does it work?

 

 

Agreed - there is nothing wrong with the config above - it works just fine on mine -  nginx/1.25.3   (nginx -v to check)

[rbjtech 4270]

4 minutes ago, crusher11 said:

It doesn't work, but it at least gets past that point. It's now saying /etc/nginx/logs/error.log doesn't exist, despite...

You can't just copy a config and then expect it to work on your system 100% - it's just a template - you need to understand what it is doing and why and then edit the appropriate lines...

logs normally sit in /var/log/nginx - on a linux based install anyway ..?

Edited March 2 by rbjtech

[crusher11 851]

10 minutes ago, rbjtech said:

You can't just copy a config and then expect it to work on your system 100% - it's just a template - you need to understand what it is doing and why and then edit the appropriate lines...

logs normally sit in /var/log/nginx - on a linux based install anyway ..?

It's looking for an error.log file in a location that contains an error.log file, and complaining that it isn't there. Whether that's a typical location for the file or not seems less relevant than the fact that the file does exist in the location specified.

I tried creating another error.log file next to my .key and .pem files, and changed the address to match, and...it's still looking in the previous location and complaining it can't find the file. Which still exists.

I then changed it to /var/log/nginx as per your suggestion and it's still complaining it can't find /etc/nginx/logs/error.log despite nothing in the config asking for that file and that file actually existing.

Edited March 2 by crusher11

[rbjtech 4270]

Is this Windows or Linux nginx ?

Are you changing the correct .conf files ?

Without the .conf files (or snippets of) we can't really even attempt to help you...

Edited March 2 by rbjtech

[crusher11 851]

25 minutes ago, rbjtech said:

Is this Windows or Linux nginx ?

Are you changing the correct .conf files ?

Without the .conf files (or snippets of) we can't really even attempt to help you...

Synology. Config is exactly as in the OP, except I've put in my domain, the location of my certs, etc. And changed the HTTP2 bit, obviously.

The conf file must be the correct one, because changing the HTTP2 bit fixed that error and shifted to generating a different error.

 

EDIT: Okay, I'm a dumbass. The config generates both an emby.log and an error.log, and after fixing the error.log issue it moved right on to complaining about emby.log and I didn't notice the difference. I've fixed both, and now it's complaining that it can't bind to 0.0.0.0:443 because the address is already in use.

Edited March 2 by crusher11

[crusher11 851]

Forgot I was using different ports. Am now back online.

[bakes82 90]

9 hours ago, crusher11 said:

Synology.

You dont even need to run nginx on synology it has built in reverse proxy under Login Portal -> Advanced.  Then just have your router pass over the incoming port and set the DNS to point to the NAS.

[est3ban129 0]

I cannot connect like https://emby.domain.com:8920, is not posible set custom port on https ?