
HOW TO: emby with NGINX - With Windows Specific Tips and CSP options


pir8radio


@pwhodges

As I said, the error only happens on the Galaxy Note 5 (old device) ... with other devices, it works perfectly.

I'll try to change the certificate later and see if it will solve the issue.

 

Thanks


pir8radio
On 7/20/2022 at 5:56 PM, iBoss said:

@pwhodges

As I said, the error only happens on the Galaxy Note 5 (old device) ... with other devices, it works perfectly.

I'll try to change the certificate later and see if it will solve the issue.

 

Thanks

and that note 5 device can surf the internet fine? other sites?

 


pwhodges
On 20/07/2022 at 23:56, iBoss said:

As I said, the error only happens on the Galaxy Note 5 (old device) ...

Sometimes older devices don't get updated with the root certificates of newer certificate issuers; using a different one might well help.

Paul


38 minutes ago, pir8radio said:

and that note 5 device can surf the internet fine? other sites?

 

Yes, it can surf other sites fine.

Maybe the issue is from the certificate, not Nginx ... I need to use emby without nginx and install the same Let’s Encrypt cert into emby and see if the issue happens or not.

Anyone know how to convert my public and private PEM files to work directly in the emby settings?

 

thanks


  • 1 month later...
shpitz461

Hi,

I'm trying to achieve an A+ rating @ https://securityheaders.io/

My only missing piece is contentSecurityPolicy/Content-Security-Policy, as soon as I enable it all my proxied sites break.

Any idea how to configure contentSecurityPolicy so that it doesn't break Emby and every other service I'm running on Traefik v2?

As soon as I turn on the following policy:

Quote

contentSecurityPolicy: "default-src 'unsafe-inline'; script-src 'self' http://*.mydomain.com https://*.mydomain.com http://mydomain.com https://mydomain.com"

...Browsing to Emby yields the following errors in Chrome:

Quote

Refused to load the font 'https://media.mydomain.com/web/modules/fonts/material-icons/LDItaoyNOAY6Uewc665JcIzCKsKc_M9flwmP_3.woff2' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline'". Note that 'font-src' was not explicitly set, so 'default-src' is used as a fallback.

10 Refused to load the image '<URL>' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline'". Note that 'img-src' was not explicitly set, so 'default-src' is used as a fallback.

index.html#!/home:1 Refused to load manifest from 'https://media.mydomain.com/web/manifest.json' because it violates the following Content Security Policy directive: "default-src 'unsafe-inline'". Note that 'manifest-src' was not explicitly set, so 'default-src' is used as a fallback.

If I set the values to 'unsafe-inline' wouldn't that defeat the purpose of setting the header in the 1st place?

Thanks!

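Added example, not part of shpitz461's post and not browser or Traefik code: a simplified JavaScript model of how a browser picks the governing directive and matches source expressions, run against the policy quoted above. It handles only keyword, scheme and host sources (no ports, paths, nonces or hashes); the page origin, the `app.js` path and the second policy are constructed for illustration.

```javascript
// Simplified model of CSP fetch-directive matching (example code, not a browser's).
const FETCH_TYPES = { font: 'font-src', image: 'img-src', manifest: 'manifest-src',
                      script: 'script-src', style: 'style-src' };

// "name src src; name src" -> Map(name -> [sources]); a repeated directive is ignored.
function parseCsp(policy) {
  const directives = new Map();
  for (const part of policy.split(';')) {
    const [name, ...sources] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, sources);
  }
  return directives;
}

// Does one source expression match the URL being fetched?
function sourceMatches(source, url, pageOrigin) {
  if (source === "'self'") return url.origin === pageOrigin;
  if (source.startsWith("'")) return false; // 'unsafe-inline', 'none', ...: never match a URL
  if (source === '*') return /^https?:$/.test(url.protocol);
  if (/^[a-z][a-z0-9+.-]*:$/.test(source)) return url.protocol === source; // e.g. "https:"
  const m = /^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)/.exec(source);
  if (!m) return false;
  const [, scheme, host] = m;
  // An http:// source also matches the https:// form of the same host.
  if (scheme && `${scheme}:` !== url.protocol &&
      !(scheme === 'http' && url.protocol === 'https:')) return false;
  return host.startsWith('*.')
    ? url.hostname.endsWith(host.slice(1)) // "*.mydomain.com" matches subdomains only
    : url.hostname === host;
}

// Which directive governs this load, and does it allow it?
function checkLoad(policy, type, resourceUrl, pageOrigin) {
  const directives = parseCsp(policy);
  const wanted = FETCH_TYPES[type];
  const directive = directives.has(wanted) ? wanted : 'default-src';
  if (!directives.has(directive)) return { allowed: true, directive: null };
  const url = new URL(resourceUrl);
  const allowed = directives.get(directive).some((s) => sourceMatches(s, url, pageOrigin));
  return { allowed, directive };
}

const ORIGIN = 'https://media.mydomain.com'; // assumed page origin
const POSTED = "default-src 'unsafe-inline'; script-src 'self' http://*.mydomain.com " +
  "https://*.mydomain.com http://mydomain.com https://mydomain.com";
const CONSTRUCTED = "default-src 'self'; script-src 'self'"; // illustrative, not a tested Emby policy
console.log(checkLoad(POSTED, 'manifest', `${ORIGIN}/web/manifest.json`, ORIGIN));
console.log(checkLoad(POSTED, 'script', `${ORIGIN}/web/app.js`, ORIGIN));
console.log(checkLoad(CONSTRUCTED, 'manifest', `${ORIGIN}/web/manifest.json`, ORIGIN));
```

As a lone `default-src` value, `'unsafe-inline'` matches no URL at all, so every font, image and manifest fetch that falls back to `default-src` is refused, while scripts pass because `script-src` lists `'self'`.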

  • 3 weeks later...

Hi @pir8radio

I'm hoping you can help me here.

First of all - thanks for the nginx/csp config - it's allowed me to get an A/A+ on the scanners. :)

However, there is one issue I'm having which is preventing nginx from passing the real IPs to emby.

I have to comment out the two lines below - or the proxy simply refuses to connect and I get an error on the remote browser. (ERR_CONNECTION_CLOSED)

proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

This is obviously not directly impacting security - but because emby is now receiving the nginx g/w address (nginx is on its own dmz vlan) - fail2ban etc is no longer going to work. I'm making the assumption that nginx passes this via the existing proxy_pass control and uses whatever ip/port is specified here as there is a firewall in between. Emby works just fine (with the above lines commented), so I don't *think* it's related to that.

I'll dig a bit deeper today but if you have any thoughts on why this would stop it working, I'd appreciate it.

I can PM you nginx logs etc if you think that would help but there is nothing obvious in them.

Thanks !

Latest nginx on ubuntu 22.04.1 LTS/jammy


On 9/9/2022 at 3:55 AM, rbjtech said:

Hi @pir8radio

I'm hoping you can help me here.

First of all - thanks for the nginx/csp config - it's allowed me to get an A/A+ on the scanners. :)

However, there is one issue I'm having which is preventing nginx from passing the real IPs to emby.

I have to comment out the two lines below - or the proxy simply refuses to connect and I get an error on the remote browser. (ERR_CONNECTION_CLOSED)

proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

This is obviously not directly impacting security - but because emby is now receiving the nginx g/w address (nginx is on its own dmz vlan) - fail2ban etc is no longer going to work. I'm making the assumption that nginx passes this via the existing proxy_pass control and uses whatever ip/port is specified here as there is a firewall in between. Emby works just fine (with the above lines commented), so I don't *think* it's related to that.

I'll dig a bit deeper today but if you have any thoughts on why this would stop it working, I'd appreciate it.

I can PM you nginx logs etc if you think that would help but there is nothing obvious in them.

Thanks !

Latest nginx on ubuntu 22.04.1 LTS/jammy

 

the error on your remote browser doesn't sound like a proxy error, are you sure fail2ban isn't blocking remote connections to nginx? nginx will almost always give an error that says nginx somewhere. Unless you specifically have config settings to just drop the connection.

On 13/09/2022 at 01:38, pir8radio said:

the error on your remote browser doesn't sound like a proxy error, are you sure fail2ban isn't blocking remote connections to nginx? nginx will almost always give an error that says nginx somewhere. Unless you specifically have config settings to just drop the connection.

Hi - thanks for coming back to me.

All fixed.

It was basically the emby config, it had nothing to do with nginx.

For some reason I had not set emby to allow remote connections using the 'use reverse proxy' setting (I had naively removed all remote connection on the emby config..) - thus any X-Real-IP was being blocked by the emby web server as a non-local IP.   By leaving out the X-Real-IP config - it returned the local emby gateway address which of course would be allowed....

doh!

Thanks again.

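Added example, not from the thread and not Emby's or nginx's own code: how a backend behind the proxy can derive the address to log for fail2ban from the `X-Forwarded-For` header discussed above, trusting it only when the TCP peer is the known proxy. The proxy address `10.0.50.2`, the client addresses and all function names are constructed; IPv4 only.

```javascript
// Constructed addresses: nginx sits at 10.0.50.2 on its DMZ VLAN, clients are public.
const TRUSTED_PROXIES = ['10.0.50.2/32'];

// Dotted-quad string -> unsigned integer, or null when the text is not an IPv4 address.
function ipv4ToInt(ip) {
  const parts = ip.trim().split('.');
  if (parts.length !== 4) return null;
  let n = 0;
  for (const p of parts) {
    if (!/^\d{1,3}$/.test(p) || Number(p) > 255) return null;
    n = n * 256 + Number(p);
  }
  return n;
}

function inCidr(ip, cidr) {
  const [base, bitsText = '32'] = cidr.split('/');
  const a = ipv4ToInt(ip), b = ipv4ToInt(base);
  if (a === null || b === null) return false;
  const size = 2 ** (32 - Number(bitsText)); // number of addresses in the block
  return Math.floor(a / size) === Math.floor(b / size);
}

const isTrusted = (ip, proxies) => proxies.some((c) => inCidr(ip, c));

// Address the backend should log and hand to fail2ban.
function clientIp(peerAddr, xForwardedFor, proxies = TRUSTED_PROXIES) {
  // Headers from a peer that is not our proxy are client-controlled: ignore them.
  if (!isTrusted(peerAddr, proxies) || !xForwardedFor) return peerAddr;
  const hops = xForwardedFor.split(',').map((h) => h.trim()).filter(Boolean);
  // nginx's $proxy_add_x_forwarded_for appends $remote_addr on the right, so walk
  // right to left and stop at the first hop that is not one of our own proxies.
  for (let i = hops.length - 1; i >= 0; i--) {
    if (ipv4ToInt(hops[i]) === null) return peerAddr; // malformed hop: distrust the header
    if (!isTrusted(hops[i], proxies)) return hops[i];
  }
  return peerAddr;
}

console.log(clientIp('10.0.50.2', '203.0.113.7'));            // header set by nginx
console.log(clientIp('10.0.50.2', '127.0.0.1, 203.0.113.7')); // client sent its own header first
console.log(clientIp('10.0.50.2', undefined));                // header lines commented out
console.log(clientIp('198.51.100.9', '127.0.0.1'));           // request bypassed the proxy
```

With the header lines commented out the backend can only see the proxy's own address, which is the situation described above where fail2ban has nothing useful to ban.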

11 hours ago, rbjtech said:

Hi - thanks for coming back to me.

All fixed.

It was basically the emby config, it had nothing to do with nginx.

For some reason I had not set emby to allow remote connections using the 'use reverse proxy' setting (I had naively removed all remote connection on the emby config..) - thus any X-Real-IP was being blocked by the emby web server as a non-local IP.   By leaving out the X-Real-IP config - it returned the local emby gateway address which of course would be allowed....

doh!

Thanks again.

nice, good job troubleshooting and fixing!


horstepipe

Hey @pir8radio

I'm wondering whether this would be possible with nginx:

For my users I need to enable "allow remux" in playback settings, otherwise they are not able to play some of my iptv channels. Unfortunately enabling this option sometimes lets Emby server remux a video although this is not needed. So if I disable the setting, the video is being direct played fine.

So I'm wondering whether nginx could be configured to change the response

Enable Playback Remuxing: True

to

Enable Playback Remuxing: False

if the requested media is an mkv file e.g. ...?

Best regards and thanks for all your valuable input!


I changed ISP and now I'm getting a 522 error from CloudFlare. I changed my IP on CloudFlare's DNS page to my new IP, it hasn't fixed it. canyouseeme.org is down, so that's not super helpful right now.


On 9/19/2022 at 4:32 AM, horstepipe said:

Hey @pir8radio

I'm wondering whether this would be possible with nginx:

For my users I need to enable "allow remux" in playback settings, otherwise they are not able to play some of my iptv channels. Unfortunately enabling this option sometimes lets Emby server remux a video although this is not needed. So if I disable the setting, the video is being direct played fine.

So I'm wondering whether nginx could be configured to change the response

Enable Playback Remuxing: True

to

Enable Playback Remuxing: False

if the requested media is an mkv file e.g. ...?

Best regards and thanks for all your valuable input!

just saw this.. did you ever get your answer? what is this above? a header of some kind or? looks like an emby client setting, and we can't force those from the server side.


horstepipe
8 hours ago, pir8radio said:

looks like an emby client setting, and we can't force those from the server side.

No, it is a server setting for each client. But never mind, I solved my iptv remux problem so I was able to disable the setting for my users.

Best regards.

