Carlo 4328 Posted December 23, 2021

On 12/16/2021 at 4:51 PM, dhenzler said:
> I tried to get Cloudflare to work. But it doesn't recognize any of my websites... ccskeet.com, rent14me.com, keystonebolt.com All of these work just fine.

Just curious but what do you mean by doesn't recognize your sites? Did you switch the hostnames of your name servers as instructed by Cloudflare? Nothing is going to work until you do that first step.

ohitsyouagain 0 Posted December 23, 2021

I guess I missed the significance of using their nameservers.

Carlo 4328 Posted December 23, 2021

They have to be able to control the domain in order to control dynamically where things point. They may switch where things point based on network congestion to get you quicker routing or any number of things. The directions for setting this up should be "in your face" after logging in and clicking on your domain unless you dismissed the message prior. If it doesn't show you then click DNS and the two name servers are listed here:

All you need to do is login to your registrar (where you got the domain from) and change the authorized name servers to use the ones CloudFlare shows. You do not transfer the domain or anything like that. If you don't like CF for some reason you just remove their name servers replacing them.

dhenzler 9 Posted December 24, 2021

2 hours ago, cayars said:
> They have to be able to control the domain in order to control dynamically where things point. They may switch where things point based on network congestion to get you quicker routing or any number of things. The directions for setting this up should be "in your face" after logging in and clicking on your domain unless you dismissed the message prior. If it doesn't show you then click DNS and the two name servers are listed here:
>
> All you need to do is login to your registrar (where you got the domain from) and change the authorized name servers to use the ones CloudFlare shows. You do not transfer the domain or anything like that. If you don't like CF for some reason you just remove their name servers replacing them.

Oh, I see now... have seen that before, but never used it. Pretty busy with Christmas cooking... Yeah I'm the cook too. So will probably do this on the 26th. But thanks for the info. Now if I can only get TrueNAS Scale to let me log in to Filezilla my life will be complete... Merry Christmas !

CorruptedHart11 0 Posted December 30, 2021

May I ask how you add other services to the .conf? such as emby.example.com and a second or third site like cameras.example.com, I figure it's adding multiple blocks but I'm unsure which. Much appreciated

pir8radio 1289 Posted December 31, 2021 Author

56 minutes ago, CorruptedHart11 said:
> May I ask how you add other services to the .conf? such as emby.example.com and a second or third site like cameras.example.com, I figure its adding multiple blocks but Im unsure which. Much appreciated

pretty much a new server and location block change the things you want, maybe a separate log file, server name, then update the proxy_pass line to your camera dvr ip and port. then cameras.yourdomain.com should be accessible

    server {
        listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.

        server_name emby.domainname.com;  ## enter your service name and domain name here example emby.domainname.com
        access_log logs/emby.log emby;    ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate ssl/pub.pem;      ## Location of your public PEM file.
        ssl_certificate_key ssl/pvt.pem;  ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {  ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

            proxy_hide_header X-Powered-By;            ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range;        ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            proxy_set_header X-Real-IP $remote_addr;   ## Passes the real client IP to the backend server.
            #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;               ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }

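The layout described in the post above, as an added example that is not part of the original post: one server block per sub-domain plus an explicit catch-all, because nginx hands any request whose host name matches no server_name to the default server for the port, which is the first block in the file unless one is marked default_server. The cameras host name, the backend address 192.168.1.50:8080 and the cameras log file are constructed placeholders; the log_format names emby and default are the ones defined in the thread's nginx.conf.

```nginx
## Goes inside the existing http { } block, after the port-80 redirect server.
## Constructed values (not from the thread): cameras.domainname.com,
## 192.168.1.50:8080, logs/cameras.log.

## Catch-all for 443. A request whose Host / SNI name matches no server_name
## goes to the default server for the port; without default_server that is
## simply the first server block in the file (here it would be emby).
server {
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    server_name _;
    ssl_certificate      ssl/pub.pem;   ## A certificate is still required to finish the TLS handshake.
    ssl_certificate_key  ssl/pvt.pem;
    return 444;                         ## nginx-specific code: close the connection, send nothing.
}

## First service: Emby
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.domainname.com;    ## Must match the host name the clients use.
    access_log logs/emby.log emby;
    proxy_buffering off;

    ssl_certificate      ssl/pub.pem;   ## Certificate has to cover emby.domainname.com.
    ssl_certificate_key  ssl/pvt.pem;

    location ^~ /swagger {
        return 404;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_http_version 1.1;                       ## WebSocket support for Emby clients.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}

## Second service: camera DVR
server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name cameras.domainname.com;
    access_log logs/cameras.log default;   ## Separate log file, "default" log_format.

    ssl_certificate      ssl/pub.pem;      ## Same files only if the cert also covers this name (wildcard or SAN).
    ssl_certificate_key  ssl/pvt.pem;

    location / {
        proxy_pass http://192.168.1.50:8080;   ## Placeholder for the DVR's IP and port.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

Run `nginx -t` before reloading so a typo in one server block does not take every site down with it.
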
Failinger 0 Posted January 3, 2022

hey guys, I'm really struggling with my nginx setup on my Raspi 4 (raspi os). normally I'm a windows / gui kinda guy, so terminal magic is not my strong suit. Maybe u guys can help / point me in the right direction

everything worked out fine till the moment it tries to get the certs. I worked my way through several fixes with no luck, I had it running on windows (same machine as emby) within a docker that brought out some other problems so I decided to ditch the shitty windows docker... now I'm kinda regretting my decision. I'm running emby on a different machine as stated above.

    nginx: [emerg] cannot load certificate "/etc/nginx/ssl/pub.pem": BIO_new_file() failed (SSL: error:02001002:system library:fopen:No such file or directory:fopen('/etc/nginx/ssl/pub.pem','r') error:2006D080:BIO routines:BIO_new_file:no such file)

my goal is to get nginx+cloudflare running on my Pi for Emby and Ombi on my Windows Server

Edited January 3, 2022 by Failinger

CorruptedHart11 0 Posted January 8, 2022

@pir8radio When I add a second block such as ombi.example.com and redirect it, the first server block seems to catch the traffic and it's redirected there. Could you possibly show me an example with multiple subdomains?

redrobot2121 0 Posted January 10, 2022

I have followed this guide and setup emby + nginx + cloudflare with the rules and stuff but recently it has become very slow with cloudflare. noticed anything like this?

redrobot2121 0 Posted January 12, 2022

On 12/16/2020 at 9:34 PM, pir8radio said:
> NGINX and emby Config Version 1.0.2
> Last Update 9-23-2021
> Update by Pir8Radio
>
> Why Use NGINX reverse proxy ahead of my application servers like emby?
> With NGINX or any reverse proxy ahead of an application server you have more control over your setup. You can do things the application servers were not built to handle, have better control over your security and logging, replace lines of code without editing the application server code, better control of caching, etc, etc.... One of the main reasons is so that you don't have to open a new port on your firewall for every application server you host, all you really need to open is 80 & 443 and the internet can reach all of your different servers through one entrance.
>
> Will NGINX work on my OS?
> Most likely, you can find various versions of NGINX for most OS's and they come in different flavors, with options baked in, or just the bare NGINX that you need to compile. See below for download links to get you started.
>
> Will NGINX break things on emby?
> Absolutely if you don't configure it correctly! I HIGHLY suggest when choosing a scheme to setup your domain URL you choose SUB-DOMAIN and NOT sub-directory, more below. Also if you come to the emby forum with things not working, or issues you have and you use a Reverse Proxy, PLEASE make sure that is one of the first things you mention in your forum post. ESPECIALLY if emby works on one platform or client, but not another. So many times people complain "but it works on chrome, so I didn't think it was the reverse proxy". Mention you have a Reverse Proxy please. If the reverse proxy is setup correctly it should be totally transparent to the user and the application server (emby).
>
> I'm not going to go into how to purchase and setup a domain name. Lots of how-to's on that out there. Once you have a domain name and it's pointed to your IP address, you can go to that domain name and hit your server then continue on....
>
> Sub-Domain vs Sub-Directory:
> Let's say your domain name is: domain.com there are two main ways you can direct traffic from the internet to your backend application servers like emby. One is sub-directory, something like domain.com/emby or domain.com/other-server This is doable in nginx, but there are some catches and you need to know how your reverse proxy and application server work in detail.. This often breaks different features in emby and other application servers.. To keep with our "Totally Transparent" goal sub-directory doesn't work well, it requires a lot of rewriting and work-arounds to make it work smoothly, if you choose sub-directory you will run into issues you will need to address. The other option is Sub-Domain, this is the cleanest, most transparent, easiest to setup and maintain, it's also what I highly suggest you setup. A sub-domain looks like: emby.domain.com or other-server.domain.com The below config is based on Sub-Domain I will include a sub-directory example as well.
>
> NGINX Downloads:
> Official nginx downloads(LINUX): nginx.org
> Official nginx downloads(Windows): nginx.org
> WINDOWS users I suggest this version: nginx-win.ecsds.eu download links are at the bottom of the page. This Windows version has lots of cool features compiled into it already, and is optimized for windows. They keep up with updates, it's a FREE (for non-commercial) third party build that I highly recommend.
>
> Additional Links:
> Content Security Policy info (CSP) (For Advanced Users): A CSP WILL break your server if you don't know what you are doing, I suggest reading up, lots of googling, and understand what a CSP's function is and is not prior to venturing into this area
>
> Example NGINX Reverse Proxy Config:
> 3-29-2020 - ADDED A LINE FOR CLOUDFLARE USERS SO THAT THE X-REAL-IP HEADER IS CORRECTED. THIS ONLY AFFECTS Cloudflare USERS.
> 4-11-2020 (V1.0.1) - MOVED proxy_buffering off; FROM LOCATION BLOCK TO SERVER BLOCK
> 12-18-2020 (V1.0.2) - ADDED 301 SERVER SECTION TO FORCE ALL TRAFFIC TO SSL.
> 9-23-2021 no nginx config change, but cloudflare changed how they cache video files, so emby users that use Cloudflare now need to add a rule like below to make sure video is seekable and playable.
>
> ** The below "Page Rules" are only needed for Cloudflare CDN users, otherwise ignore.
>
>     worker_processes auto;
>
>     error_log logs/error.log;
>
>     events {
>         worker_connections 8192;
>     }
>
>     http {
>         include mime.types;
>         default_type application/octet-stream;
>         server_names_hash_bucket_size 64;
>         server_tokens off;
>
>         ## The below will create a separate log file for your emby server which includes
>         ## userId's and other emby specific info, handy for external log viewers.
>         ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
>         ## to log the real client IP address
>         log_format emby '$remote_addr - $remote_user [$time_local] "$request" '
>                         '$status $body_bytes_sent "$http_referer" '
>                         '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';
>
>         log_format default '$remote_addr - $remote_user [$time_local] "$request" '
>                            '$status $body_bytes_sent "$http_referer" '
>                            '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';
>
>         sendfile off;  ## Sendfile not used in a proxy environment.
>
>         gzip on;  ## Compresses the content to the client, speeds up client browsing.
>         gzip_disable "msie6";
>         gzip_comp_level 6;
>         gzip_min_length 1100;
>         gzip_buffers 16 8k;
>         gzip_proxied any;
>         gzip_types
>             text/plain
>             text/css
>             text/js
>             text/xml
>             text/javascript
>             application/javascript
>             application/x-javascript
>             application/json
>             application/xml
>             application/rss+xml
>             image/svg+xml;
>
>         proxy_connect_timeout 1h;
>         proxy_send_timeout 1h;
>         proxy_read_timeout 1h;
>         tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.
>
>         ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
>         server {
>             listen 80 default_server;
>             server_name _;
>             return 301 https://$host$request_uri;
>         }
>
>         ## Start of actual server blocks
>         server {
>             listen [::]:443 ssl http2;  ## Listens on port 443 IPv6 with http2 and ssl enabled
>             listen 443 ssl http2;       ## Listens on port 443 IPv4 with http2 and ssl enabled
>             proxy_buffering off;        ## Sends data as fast as it can not buffering large chunks.
>
>             server_name emby.domainname.com;  ## enter your service name and domain name here example emby.domainname.com
>             access_log logs/emby.log emby;    ## Creates a log file with this name and the log info above.
>
>             ## SSL SETTINGS ##
>             ssl_session_timeout 30m;
>             ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
>             ssl_certificate ssl/pub.pem;      ## Location of your public PEM file.
>             ssl_certificate_key ssl/pvt.pem;  ## Location of your private PEM file.
>             ssl_session_cache shared:SSL:10m;
>
>             location ^~ /swagger {  ## Disables access to swagger interface
>                 return 404;
>             }
>
>             location / {
>                 proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.
>
>                 proxy_hide_header X-Powered-By;            ## Hides nginx server version from bad guys.
>                 proxy_set_header Range $http_range;        ## Allows specific chunks of a file to be requested.
>                 proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
>                 proxy_set_header X-Real-IP $remote_addr;   ## Passes the real client IP to the backend server.
>                 #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
>                 proxy_set_header Host $host;               ## Passes the requested domain name to the backend server.
>                 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.
>
>                 ## ADDITIONAL SECURITY SETTINGS ##
>                 ## Optional settings to improve security ##
>                 ## add these after you have completed your testing and ssl setup ##
>                 ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
>                 ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
>                 add_header 'Referrer-Policy' 'origin-when-cross-origin';
>                 add_header Strict-Transport-Security "max-age=15552000; preload" always;
>                 add_header X-Frame-Options "SAMEORIGIN" always;
>                 add_header X-Content-Type-Options "nosniff" always;
>                 add_header X-XSS-Protection "1; mode=block" always;
>
>                 ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
>                 proxy_http_version 1.1;
>                 proxy_set_header Upgrade $http_upgrade;
>                 proxy_set_header Connection $http_connection;
>             }
>         }
>     }

thank you sir, can you kindly help me with one thing? i want my videos to directly stream from the server, i don't want it to go through cf. i want them to bypass cloud flare completely. how can i do that? all my videos are in mp4 and streams directly

pir8radio 1289 Posted January 14, 2022 Author

On 1/12/2022 at 2:26 AM, redrobot2121 said:
> thank you sir, can you kindly help me with one thing? i want my videos to directly stream from the server, i don't want it to go through cf. i want them to bypass cloud flare completely. how can i do that? all my videos are in mp4 and streams directly

you can set that up but it will expose your server ip address and not hide it behind cloudflare.. which is one of the main reasons for using CF.. otherwise why do you want CF at all? nginx can do everything else cf can.. except edge servers..

redrobot2121 0 Posted January 14, 2022

4 hours ago, pir8radio said:
> you can set that up but it will expose your server ip address and not hide it behind cloudflare.. which is one of the main reasons for using CF.. otherwise why do you want CF at all? nginx can do everything else cf can.. except edge servers..

recently having issue with cloudflare pop servers, streams play directly but not with cloudflare

pir8radio 1289 Posted January 15, 2022 Author

18 hours ago, redrobot2121 said:
> recently having issue with cloudflare pop servers, streams play directly but not with cloudflare

what do you mean "not with cloudflare" what happens? play but skips, not at all?

redrobot2121 0 Posted January 15, 2022

9 hours ago, pir8radio said:
> what do you mean "not with cloudflare" what happens? play but skips, not at all?

very slow loading site, media does not play, request times out, edge servers are super slow

SkinnyT 1 Posted January 23, 2022

I just finally got around to setting up my reverse proxy and I'm doing some testing now. From any web browser, everything works perfect. If I use the Emby app on my Android phone (via cellular), I type in my server address and leave the port blank and it connects immediately. I'm assuming that the app is connecting to the reverse proxy securely and then to my emby server locally over http. I poked around in the emby logs after signing in and found this:

    Host=emby.*****.com, User-Agent=Mozilla/5.0 (Linux; Android 12; Pixel 3 XL Build/SP1A.210812.016.A2; wv) AppleWebKit/537.36 (KHTML, like Gecko) Version/4.0 Chrome/97.0.4692.87 Mobile Safari/537.36, Content-Length=37, X-Forwarded-Scheme=https, X-Forwarded-Proto=https, X-Forwarded-For=174.*.*.60, X-Real-IP=174.*.*.60, x-requested-with=com.mb.android, sec-fetch-site=cross-site, sec-fetch-mode=cors, sec-fetch-dest=empty

I'm completely new to nginx and reverse proxies so I'm not sure if this is saying that I'm connected via https or not. Any help is much appreciated.

dhenzler 9 Posted January 23, 2022

18 minutes ago, SkinnyT said:
> I just finally got around to setting up my reverse proxy and I'm doing some testing now. From any web browser, everything works perfect. If I use the Emby app on my Android phone (via cellular), I type in my server address and leave the port blank and it connects immediately. I'm assuming that the app is connecting to the reverse proxy securely and then to my emby server locally over http.

You should be typing in the address of the proxy server... NOT your Emby server. I also think you should be using SSL and so you would be seeing a warning unless you paid for a cert. You should configure your router so that Emby is NOT accessible on the Internet unless your reverse proxy provides the path. You should be using a fully qualified domain name that you already own followed by a PORT to access the Reverse Proxy IP. You'd have to use https://domain.com:6500 for instance. Configure your router to take the outside address of 6500 and use an inside address of 443 assigned to the IP of the reverse proxy server. I'm assuming you're using Nginx. Keep us posted.

Dave

SkinnyT 1 Posted January 24, 2022

2 hours ago, dhenzler said:
> You should be typing in the address of the proxy server... NOT your Emby server. I also think you should be using SSL and so you would be seeing a warning unless you paid for a cert. You should configure your router so that Emby is NOT accessible on the Internet unless your reverse proxy provides the path. You should be using a fully qualified domain name that you already own followed by a PORT to access the Reverse Proxy IP. You'd have to use https://domain.com:6500 for instance. Configure your router to take the outside address of 6500 and use an inside address of 443 assigned to the IP of the reverse proxy server. I'm assuming you're using Nginx. Keep us posted.
>
> Dave

I'm connecting to emby.domain.com. That points to my nginx server which redirects to https and then points to my emby server locally. I can connect securely from any web browser that I've tried and it works just fine. Using the same address (emby.domain.com) in the Emby app and not entering any port info connects me as well. The only ports that are forwarded on my router are 80 and 443. In terms of connectivity, everything seems to be working well. I'm just curious if there's a way to verify that the Emby apps (iOS, Roku, Amazon) are connecting over https.

pir8radio 1289 Posted January 25, 2022 Author

On 1/23/2022 at 7:34 PM, SkinnyT said:
> I'm connecting to emby.domain.com. That points to my nginx server which redirects to https and then points to my emby server locally. I can connect securely from any web browser that I've tried and it works just fine. Using the same address (emby.domain.com) in the Emby app and not entering any port info connects me as well. The only ports that are forwarded on my router are 80 and 443. In terms of connectivity, everything seems to be working well. I'm just curious if there's a way to verify that the Emby apps (iOS, Roku, Amazon) are connecting over https.

whose config are you using.. most of the apps REQUIRE you to enter "https" and port "443" to actually use https.. at least unless something has changed recently.. i suspect you are connecting using http and port 80 if using my config i think i have it set to force users to https... in that case you would have gotten a connection error if trying to use http/80. no real way in emby to tell if your client is using http or https.. that would be in the nginx logs if they are configured in your nginx config..

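One way to make that visible in the nginx logs, as an added example that is not pir8radio's config: log the scheme, port and negotiated TLS version for every request, and give the port-80 redirect block its own access_log so plain-HTTP attempts are recorded too. The conncheck format name and the two log file names are assumptions; the emby log_format is the one from the guide.

```nginx
## Goes inside http { }. Assumed names (not from the thread): the "conncheck"
## format, logs/http-redirect.log and logs/emby-conn.log.

## $scheme is http or https for the connection nginx itself accepted.
## $ssl_protocol and $ssl_cipher are empty on plain HTTP and are logged as "-".
## $http_x_forwarded_proto is whatever a proxy in front (e.g. Cloudflare) sent.
log_format conncheck '$remote_addr [$time_local] "$request" $status '
                     'scheme=$scheme port=$server_port '
                     'tls=$ssl_protocol cipher=$ssl_cipher '
                     'xfp=$http_x_forwarded_proto "$http_user_agent"';

server {
    listen 80 default_server;
    server_name _;
    access_log logs/http-redirect.log conncheck;  ## Every line here is a request that arrived unencrypted.
    return 301 https://$host$request_uri;
}

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.domainname.com;
    access_log logs/emby.log emby;                ## Existing Emby log, unchanged.
    access_log logs/emby-conn.log conncheck;      ## A second access_log on the same level is allowed.

    ssl_certificate      ssl/pub.pem;
    ssl_certificate_key  ssl/pvt.pem;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

An app that only ever shows up in emby-conn.log with scheme=https connected over TLS from the start; one that first appears in http-redirect.log with a 301 tried plain HTTP and was redirected. With Cloudflare in front, scheme and tls describe the Cloudflare-to-origin hop, and xfp is the field that reflects what the client used.
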
dhenzler 9 Posted January 25, 2022

Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone. You just feel like contributing to Emby ?

GrimReaper 3226 Posted January 25, 2022

2 minutes ago, dhenzler said:
> You just feel like contributing to Emby ?

What do you feel he'll be contributing?

dhenzler 9 Posted January 25, 2022

4 minutes ago, GrimReaper said:
> What do you feel he'll be contributing?

Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone. You just feel like contributing to Emby ? $$$ what else ?

GrimReaper 3226 Posted January 25, 2022

2 minutes ago, dhenzler said:
> Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone. You just feel like contributing to Emby ? $$$ what else ?

I'd say your perception is erroneous, as it is quite a stretch envisioning Emby making profit out of privately owned domain.

dhenzler 9 Posted January 25, 2022

2 minutes ago, GrimReaper said:
> I'd say your perception is erroneous, as it is quite a stretch envisioning Emby making profit out of privately owned domain.

Whatever.... get a life !

GrimReaper 3226 Posted January 25, 2022

29 minutes ago, dhenzler said:
> Whatever.... get a life !

It's not "whatever" but spreading misinformation and somewhat slander. No one is contributing anything because Emby is no way involved in using https via private domain nor does it profit out of it in any way.

Edited January 25, 2022 by GrimReaper

pir8radio 1289 Posted January 27, 2022 Author

On 1/25/2022 at 3:20 PM, dhenzler said:
> Why use the https://emby.xxxx.com when security of content can be had with the Nginx (self signed SSL) server alone. You just feel like contributing to Emby ? $$$ what else ?

yea nothing here we are talking about earns emby money.... you can't use a self signed cert because it's not accepted by FireTV and also I believe Roku, it will work on a web browser but with the usual popup warning... The "TV" apps will outright block it though...