
HOW TO: emby with NGINX - With Windows Specific Tips and CSP options


pir8radio


On 12/16/2021 at 4:51 PM, dhenzler said:

I tried to get Cloudflare to work. But it doesn't recognize any of my websites... ccskeet.com, rent14me.com, keystonebolt.com. All of these work just fine.

Just curious but what do you mean by doesn't recognize your sites?
Did you switch the hostnames of your name servers as instructed by Cloudflare?
Nothing is going to work until you do that first step.

cayars

They have to be able to control the domain in order to control dynamically where things point.  They may switch where things point based on network congestion to get you quicker routing or any number of things.

The directions for setting this up should be "in your face" after logging in and clicking on your domain unless you dismissed the message prior.
If it doesn't show you then click DNS and the two name servers are listed here:
[image: Cloudflare DNS page listing the two name servers]

All you need to do is log in to your registrar (where you got the domain from) and change the authorized name servers to use the ones Cloudflare shows.
You do not transfer the domain or anything like that. If you don't like CF for some reason you just remove their name servers and replace them.


dhenzler
2 hours ago, cayars said:

They have to be able to control the domain in order to control dynamically where things point.  They may switch where things point based on network congestion to get you quicker routing or any number of things.

The directions for setting this up should be "in your face" after logging in and clicking on your domain unless you dismissed the message prior.
If it doesn't show you then click DNS and the two name servers are listed here:
[image: Cloudflare DNS page listing the two name servers]

All you need to do is log in to your registrar (where you got the domain from) and change the authorized name servers to use the ones Cloudflare shows.
You do not transfer the domain or anything like that. If you don't like CF for some reason you just remove their name servers and replace them.

Oh, I see now... have seen that before, but never used it.   Pretty busy with Christmas cooking... Yeah I'm the cook too.  So will probably do this on the 26th.  But thanks for the info.

Now if I can only get TrueNAS Scale to let me log in to Filezilla my life will be complete...

Merry Christmas !


CorruptedHart11

May I ask how you add other services to the .conf? Such as emby.example.com and a second or third site like cameras.example.com. I figure it's adding multiple blocks but I'm unsure which. Much appreciated.


pir8radio
56 minutes ago, CorruptedHart11 said:

May I ask how you add other services to the .conf? Such as emby.example.com and a second or third site like cameras.example.com. I figure it's adding multiple blocks but I'm unsure which. Much appreciated.

 

Pretty much a new server and location block. Change the things you want (maybe a separate log file, server name), then update the proxy_pass line to your camera DVR IP and port. Then cameras.yourdomain.com should be accessible.

 

server {

    listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 443 ssl http2;         ## Listens on port 443 IPv4 with http2 and ssl enabled
    proxy_buffering off;          ## Sends data as fast as it can, not buffering large chunks.

    server_name emby.domainname.com;    ## enter your service name and domain name here, example emby.domainname.com

    access_log  logs/emby.log  emby;    ## Creates a log file with this name and the log info above.

    ## SSL SETTINGS ##
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   ## TLSv1 and TLSv1.1 are deprecated; drop them once all your clients support TLSv1.2.
    ssl_certificate      ssl/pub.pem;      ## Location of your public PEM file.
    ssl_certificate_key  ssl/pvt.pem;      ## Location of your private PEM file.
    ssl_session_cache shared:SSL:10m;

    location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

        proxy_hide_header X-Powered-By;             ## Strips the backend's X-Powered-By header so responses don't advertise the application stack.
        proxy_set_header Range $http_range;         ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;   ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;    ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;                ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds the client IP to the list of IPs that were forwarded to the backend server.

        ## ADDITIONAL SECURITY SETTINGS ##
        ## Optional settings to improve security ##
        ## add these after you have completed your testing and ssl setup ##
        ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
        ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

 


Failinger

Hey guys, I'm really struggling with my nginx setup on my Raspi 4 (Raspi OS). Normally I'm a Windows / GUI kind of guy, so terminal magic is not my strong suit. Maybe you guys can help / point me in the right direction.

Everything worked out fine till the moment it tries to get the certs. I worked my way through several fixes with no luck. I had it running on Windows (same machine as emby) within a docker that brought out some other problems, so I decided to ditch the shitty Windows docker... now I'm kinda regretting my decision.


I'm running emby on a different machine as stated above.
 

Quoted error:

nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)


 

My goal is to get nginx + Cloudflare running on my Pi for Emby and Ombi on my Windows Server.

Edited by Failinger

CorruptedHart11

@pir8radio When I add a second block such as ombi.example.com and redirect it, the first server block seems to catch the traffic and it's redirected there.

 

Could you possibly show me an example with multiple subdomains? 

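As an added example (not pir8radio's config and not from the original post), here is the shape of a config that serves two sub-domains from one nginx instance, which is what the two questions above are about. The host names emby.example.com and cameras.example.com, the backend addresses and the certificate paths are assumed values; the "emby" log format is the one defined in the http { } block of pir8radio's config. The point the example adds is the catch-all block: nginx selects a server block by matching the SNI/Host name against server_name, and when nothing matches it falls back to the default_server for that address:port, which, if none is marked, is simply the first block in the file that listens there. That is how a second sub-domain can appear to land in the emby block, and it also means requests aimed at the bare IP address are answered by the emby site. All three blocks go inside http { } alongside the port-80 redirect.

```nginx
## Added example, not pir8radio's config. Assumed values: both host names,
## both backend addresses, and the certificate paths. The "emby" log format is
## the one defined in the http { } block of the config above.

## Catch-all for port 443. A request whose SNI/Host name matches no server_name
## goes to the default_server for that address:port; with none marked, nginx
## silently uses the first block that listens there. Returning 444 closes the
## connection with no response, so requests for the bare IP address or for a
## name you never configured get nothing back.
server {
    listen 443 ssl http2 default_server;
    listen [::]:443 ssl http2 default_server;
    server_name _;
    ssl_certificate      ssl/pub.pem;   ## some certificate is needed to finish the TLS handshake
    ssl_certificate_key  ssl/pvt.pem;
    return 444;
}

## First service: emby
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.example.com;       ## exact name; requests for anything else skip this block
    access_log  logs/emby.log  emby;

    ssl_certificate      ssl/pub.pem;   ## must cover emby.example.com (SAN or wildcard)
    ssl_certificate_key  ssl/pvt.pem;
    ssl_protocols TLSv1.2 TLSv1.3;      ## TLSv1.3 needs a build linked against OpenSSL 1.1.1 or newer

    location / {
        proxy_pass http://127.0.0.1:8096;            ## emby backend (assumed address)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;      ## websocket support
        proxy_set_header Connection $http_connection;
    }
}

## Second service: camera DVR, with its own name, block and log file
server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name cameras.example.com;
    access_log  logs/cameras.log  combined;   ## "combined" is nginx's built-in log format

    ssl_certificate      ssl/pub.pem;   ## must cover cameras.example.com as well
    ssl_certificate_key  ssl/pvt.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://192.168.1.50:8080;         ## DVR address (assumed)
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Each service keeps its own server_name, log file and proxy_pass, and the catch-all makes an unmatched name fail closed instead of falling into whichever block happens to be first. Run `nginx -t` after editing to catch syntax errors before reloading.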

redrobot2121

I have followed this guide and set up emby + nginx + Cloudflare with the rules and stuff, but recently it has become very slow with Cloudflare. Noticed anything like this?

 


redrobot2121
On 12/16/2020 at 9:34 PM, pir8radio said:

NGINX and emby

Config Version 1.0.2
Last Update 9-23-2021
Update by Pir8Radio

 

  • Why Use NGINX reverse proxy ahead of my application servers like emby?
  • With NGINX or any reverse proxy ahead of an application server you have more control over your setup.  You can do things the application servers were not built to handle,  have better control over your security and logging, replace lines of code without editing the application server code, better control of caching, etc, etc....   One of the main reasons is so that you don't have to open a new port on your firewall for every application server you host, all you really need to open is 80 & 443 and the internet can reach all of your different servers through one entrance.
  • Will NGINX work on my OS?
  • Most likely, you can find various versions of NGINX for most OS's and they come in different flavors, with options baked in, or just the bare NGINX that you need to compile.  See below for download links to get you started.
  • Will NGINX break things on emby?
  • Absolutely if you don't configure it correctly!    I HIGHLY suggest when choosing a scheme to setup your domain URL you choose SUB-DOMAIN and NOT sub-directory, more below.  Also if you come to the emby forum with things not working, or issues you have and you use a Reverse Proxy, PLEASE make sure that is one of the first things you mention in your forum post.  ESPECIALLY  if emby works on one platform or client, but not another.   So many times people complain  "but it works on chrome, so I didn't think it was the reverse proxy".  Mention you have a Reverse Proxy please.   If the reverse proxy is setup correctly it should be totally transparent to the user and the application server (emby). 

 

I'm not going to go into how to purchase and set up a domain name. Lots of how-to's on that out there. Once you have a domain name and it's pointed to your IP address, you can go to that domain name and hit your server, then continue on....

 

Sub-Domain vs Sub-Directory:

Let's say your domain name is domain.com. There are two main ways you can direct traffic from the internet to your backend application servers like emby. One is sub-directory, something like domain.com/emby or domain.com/other-server. This is doable in nginx, but there are some catches and you need to know how your reverse proxy and application server work in detail. This often breaks different features in emby and other application servers. To keep with our "Totally Transparent" goal, sub-directory doesn't work well; it requires a lot of rewriting and work-arounds to make it work smoothly, and if you choose sub-directory you will run into issues you will need to address. The other option is Sub-Domain. This is the cleanest, most transparent, easiest to set up and maintain, and it's also what I highly suggest you set up. A sub-domain looks like emby.domain.com or other-server.domain.com. The below config is based on Sub-Domain; I will include a sub-directory example as well.

 

NGINX Downloads:

  • Official nginx downloads(LINUX):       nginx.org
  • Official nginx downloads(Windows):  nginx.org
  • WINDOWS users I suggest this version: nginx-win.ecsds.eu  download links are at the bottom of the page. This Windows version has lots of cool features compiled into it already, and is optimized for Windows. They keep up with updates; it's a FREE (for non-commercial) third-party build that I highly recommend.

Additional Links:

Content Security Policy info (CSP) (For Advanced Users): 

  • A CSP WILL break your server if you don't know what you are doing. I suggest reading up, lots of googling, and understanding what a CSP's function is and is not prior to venturing into this area 🙂

 

 

Example NGINX Reverse Proxy Config:

  • 3-29-2020 - ADDED A LINE FOR CLOUDFLARE USERS SO THAT THE X-REAL-IP HEADER IS CORRECTED. THIS ONLY AFFECTS Cloudflare USERS.
  • 4-11-2020 (V1.0.1) - MOVED proxy_buffering off; FROM LOCATION BLOCK TO SERVER BLOCK
  • 12-18-2020 (V1.0.2) - ADDED 301 SERVER SECTION TO FORCE ALL TRAFFIC TO SSL. 
  • 9-23-2021  no nginx config change, but cloudflare changed how they cache video files, so emby users that use Cloudflare now need to add a rule like below to make sure video is seekable and playable.  

 

 

** The below "Page Rules" are only needed for Cloudflare CDN users, otherwise ignore. 

[image: Cloudflare "Page Rules" screenshot showing the rule to add]

 

worker_processes  auto;

error_log  logs/error.log;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;   ## Hides the nginx version in response headers and error pages.

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    ## NOTE: "$http_x_emby_authorization" writes the whole header to the log, which can include the client's Token value.
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                       '$status $body_bytes_sent "$http_referer" '
                       '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile        off;  ## Sendfile not used in a proxy environment.

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can, not buffering large chunks; saves about 200ms per request.

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
    server {
        listen 80 default_server;
        server_name _;

        return 301 https://$host$request_uri;
    }

    ## Start of actual server blocks
    server {

        listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;         ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;          ## Sends data as fast as it can, not buffering large chunks.

        server_name emby.domainname.com;    ## enter your service name and domain name here, example emby.domainname.com

        access_log  logs/emby.log  emby;    ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;   ## TLSv1 and TLSv1.1 are deprecated; drop them once all your clients support TLSv1.2.
        ssl_certificate      ssl/pub.pem;      ## Location of your public PEM file.
        ssl_certificate_key  ssl/pvt.pem;      ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {   ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

            proxy_hide_header X-Powered-By;             ## Strips the backend's X-Powered-By header so responses don't advertise the application stack.
            proxy_set_header Range $http_range;         ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;   ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;    ## Passes the real client IP to the backend server.
            #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;                ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds the client IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

 

Thank you sir, can you kindly help me with one thing? I want my videos to stream directly from the server; I don't want them to go through CF. I want them to bypass Cloudflare completely. How can I do that? All my videos are in mp4 and stream directly.


pir8radio
On 1/12/2022 at 2:26 AM, redrobot2121 said:

Thank you sir, can you kindly help me with one thing? I want my videos to stream directly from the server; I don't want them to go through CF. I want them to bypass Cloudflare completely. How can I do that? All my videos are in mp4 and stream directly.

You can set that up, but it will expose your server IP address and not hide it behind Cloudflare, which is one of the main reasons for using CF. Otherwise why do you want CF at all? nginx can do everything else CF can, except edge servers.


redrobot2121
4 hours ago, pir8radio said:

You can set that up, but it will expose your server IP address and not hide it behind Cloudflare, which is one of the main reasons for using CF. Otherwise why do you want CF at all? nginx can do everything else CF can, except edge servers.

Recently having issues with Cloudflare POP servers; streams play directly but not with Cloudflare.


pir8radio
18 hours ago, redrobot2121 said:

Recently having issues with Cloudflare POP servers; streams play directly but not with Cloudflare.

What do you mean "not with cloudflare"? What happens? Plays but skips, or not at all?


redrobot2121
9 hours ago, pir8radio said:

What do you mean "not with cloudflare"? What happens? Plays but skips, or not at all?

Very slow loading site, media does not play, requests time out, edge servers are super slow.


2 weeks later...

SkinnyT

I just finally got around to setting up my reverse proxy and I'm doing some testing now. From any web browser, everything works perfectly. If I use the Emby app on my Android phone (via cellular), I type in my server address and leave the port blank and it connects immediately. I'm assuming that the app is connecting to the reverse proxy securely and then to my emby server locally over http. I poked around in the emby logs after signing in and found this:

Host=emby.*****.com, User-Agent=Mozilla/5.0 (Linux; Android 12; Pixel 3 XL Build/SP1A.210812.016.A2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/97.0.4692.87 Mobile Safari/537.36, Content-Length=37, X-Forwarded-Scheme=https, X-Forwarded-Proto=https, X-Forwarded-For=174.*.*.60, X-Real-IP=174.*.*.60, x-requested-with=com.mb.android, sec-fetch-site=cross-site, sec-fetch-mode=cors, sec-fetch-dest=empty

I'm completely new to nginx and reverse proxies so I'm not sure if this is saying that I'm connected via https or not. Any help is much appreciated.


dhenzler
18 minutes ago, SkinnyT said:

I just finally got around to setting up my reverse proxy and I'm doing some testing now. From any web browser, everything works perfectly. If I use the Emby app on my Android phone (via cellular), I type in my server address and leave the port blank and it connects immediately. I'm assuming that the app is connecting to the reverse proxy securely and then to my emby server locally over http.

You should be typing in the address of the proxy server... NOT your Emby server.  I also think you should be using SSL and so you would be seeing a warning unless you paid for a cert.  You should configure your router so that Emby is NOT accessible on the Internet unless your reverse proxy provides the path.

You should be using a fully qualified domain name that you already own followed by a PORT to access the Reverse Proxy IP.  You'd have to use https://domain.com:6500 for instance.  Configure your router to take the outside address of 6500 and use an inside address of 443 assigned to the IP of the reverse proxy server.  I'm assuming you're using Nginx.

Keep us posted.

Dave


SkinnyT
2 hours ago, dhenzler said:

You should be typing in the address of the proxy server... NOT your Emby server.  I also think you should be using SSL and so you would be seeing a warning unless you paid for a cert.  You should configure your router so that Emby is NOT accessible on the Internet unless your reverse proxy provides the path.

You should be using a fully qualified domain name that you already own followed by a PORT to access the Reverse Proxy IP.  You'd have to use https://domain.com:6500 for instance.  Configure your router to take the outside address of 6500 and use an inside address of 443 assigned to the IP of the reverse proxy server.  I'm assuming you're using Nginx.

Keep us posted.

Dave

I'm connecting to emby.domain.com. That points to my nginx server which redirects to https and then points to my emby server locally. I can connect securely from any web browser that I've tried and it works just fine. Using the same address (emby.domain.com) in the Emby app and not entering any port info connects me as well. The only ports that are forwarded on my router are 80 and 443.

In terms of connectivity, everything seems to be working well. I'm just curious if there's a way to verify that the Emby apps (iOS, Roku, Amazon) are connecting over https.


pir8radio
On 1/23/2022 at 7:34 PM, SkinnyT said:

I'm connecting to emby.domain.com. That points to my nginx server which redirects to https and then points to my emby server locally. I can connect securely from any web browser that I've tried and it works just fine. Using the same address (emby.domain.com) in the Emby app and not entering any port info connects me as well. The only ports that are forwarded on my router are 80 and 443.

In terms of connectivity, everything seems to be working well. I'm just curious if there's a way to verify that the Emby apps (iOS, Roku, Amazon) are connecting over https.

Whose config are you using? Most of the apps REQUIRE you to enter "https" and port "443" to actually use https, at least unless something has changed recently. I suspect you are connecting using http and port 80. If using my config, I think I have it set to force users to https; in that case you would have gotten a connection error if trying to use http/80. No real way in emby to tell if your client is using http or https; that would be in the nginx logs if they are configured in your nginx config.

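As an added example (not part of pir8radio's config or the original post), here is one way to answer SkinnyT's question from the nginx side, since that is where the information lives: the emby log format in the config above already records $server_port, and nginx can also log $scheme and $ssl_protocol, which show for each request whether it arrived over TLS and which version was negotiated. The two map directives and the emby_tls log format name are assumptions for this example; the example also stops logging the full X-Emby-Authorization header, which can carry the client's Token value, and keeps only the client and device names.

```nginx
## Added example, not pir8radio's config. Goes inside the http { } block.
## Shows per request whether it came in over TLS and which protocol version was
## negotiated, so you can see what each Emby client is actually using.

## The X-Emby-Authorization header has the form
##   MediaBrowser Client="...", Device="...", DeviceId="...", Version="...", Token="..."
## Logging the whole header writes the Token value to disk. These two maps keep
## only the Client and Device names for the log (names assumed for this example).
map $http_x_emby_authorization $emby_client {
    default                  "-";
    '~Client="(?<c>[^"]*)"'  $c;
}

map $http_x_emby_authorization $emby_device {
    default                  "-";
    '~Device="(?<d>[^"]*)"'  $d;
}

## $scheme        http or https for this request
## $ssl_protocol  e.g. TLSv1.2 or TLSv1.3; empty when the request was plain http
## $server_port   the listener that took the request (443 or 80)
log_format emby_tls '$remote_addr - $remote_user [$time_local] "$request" '
                    '$status $body_bytes_sent "$http_user_agent" '
                    'scheme=$scheme tls=$ssl_protocol port=$server_port '
                    'client="$emby_client" device="$emby_device"';

## Then in the emby server block, point the access log at this format:
##     access_log  logs/emby.log  emby_tls;
```

A resulting line that reads `scheme=https tls=TLSv1.2 port=443 client="..."` confirms that client spoke TLS to nginx, and the client/device fields let you pick out the Roku, Fire TV or iOS app from the browser sessions. With the port-80 redirect in the config above, a plain-http attempt is answered with a 301 before it ever reaches the emby block, so it will only show up in the log with `scheme=http port=80` and status 301.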

GrimReaper
2 minutes ago, dhenzler said:

You just feel like contributing to Emby ?

What do you feel he'll be contributing? 


dhenzler
4 minutes ago, GrimReaper said:

What do you feel he'll be contributing? 

Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone.  You just feel like contributing to Emby ?

$$$ what else ?


GrimReaper
2 minutes ago, dhenzler said:

Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone.  You just feel like contributing to Emby ?

$$$ what else ?

I'd say your perception is erroneous, as it is quite a stretch envisioning Emby making profit out of privately owned domain. 


dhenzler
2 minutes ago, GrimReaper said:

I'd say your perception is erroneous, as it is quite a stretch envisioning Emby making profit out of privately owned domain. 

Whatever.... get a life !


GrimReaper
29 minutes ago, dhenzler said:

Whatever.... get a life !

It's not "whatever" but spreading misinformation and somewhat slander. No one is contributing anything because Emby is in no way involved in using https via a private domain, nor does it profit out of it in any way.

Edited by GrimReaper

pir8radio
On 1/25/2022 at 3:20 PM, dhenzler said:

Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone.  You just feel like contributing to Emby ?

$$$ what else ?

Yea, nothing here we are talking about earns emby money. You can't use a self-signed cert because it's not accepted by FireTV and also, I believe, Roku; it will work on a web browser but with the usual popup warning. The "TV" apps will outright block it though.
