NGINX - troubleshooting

[vdatanet 1549]

2 minutes ago, crusher11 said:

Yes, connection refused.

Can you look at the nginx log?

access_log  logs/emby.log  emby;  ## Creates a log file with this name and the log info above.

[rodainas 188]

8 minutes ago, crusher11 said:

Yes, connection refused.

Well, we eliminate with that test cloudfare from the equation, you there are just connecting to nginx via lan, and is rejecting it, as vdatanet said something is wrong with that nginx.

Edited July 12, 2021 by rodainas

[crusher11 859]

9 minutes ago, vdatanet said:

Can you look at the nginx log?

access_log  logs/emby.log  emby;  ## Creates a log file with this name and the log info above.

As with the SSL I'm not sure where that path is going or if it's actually something that can work. 

[vdatanet 1549]

I can no longer help here. This is a Synology-Docker-Nginx configuration. I have experience in Nginx on Ubuntu, but not in your configuration. Maybe you should ask for help in Synology forums.

I think with the Emby - Cloudflare combination you have enough, you don't have to make things more complicated.

Until you can get Nginx running, forward ports 80 and 443 to the Emby's public ports and use Cloudflare. Those setting worked.

[rodainas 188]

8 minutes ago, crusher11 said:

As with the SSL I'm not sure where that path is going or if it's actually something that can work. 

As previously said, someone with docker experience may help you there, if I were you I will look for a tutorial on how to set up nginx wih docker, if you cant troubleshoot it adds another layer of difficulty here

Edited July 12, 2021 by rodainas

[crusher11 859]

There are three NGINX config files, in different folders. I finally found the correct one and updated that, instead of a similar-but-unused one.

We're in.

 

[rodainas 188]

Try again

So you get error when you do http://192.168.0.2:8080 ?

[crusher11 859]

1 minute ago, rodainas said:

Try again

So you get error when you do http://192.168.0.2:8080 ?

Not anymore, that opens Emby. As does http://domain and https://domain (which redirects automatically to HTTPS).

 

Here's the actual config:

Quote

worker_processes  auto;

error_log  stderr info;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    log_format  emby  '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';
    access_log  stderr emby;  ## Creates a log file with this name and the log info above.

    sendfile        off;  ## Sendfile not used in a proxy environment.

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.
    

server {
    listen [::]:8080;           ## Listens on port 80 IPv6
    listen 8080;             ## Listens on port 80 IPv4
    listen [::]:4343 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 4343 ssl http2;    ## Listens on port 443 IPv4 with http2 and ssl enabled

    server_name [domain];    ## enter your service name and domain name here example emby.domainname.com

     ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      /etc/nginx/cert.pem;  ## Location of your public PEM file.
    ssl_certificate_key  /etc/nginx/private.key;  ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

     location ^~ /swagger {   ## Disables access to swagger interface
        return 404;
}

     location / {
        proxy_pass http://192.168.0.2:8096;  ## Enter the IP and port of the backend emby server here.

    proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
    proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
    proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

     ## ADDITIONAL SECURITY SETTINGS ##
     ## Optional settings to improve security ##
     ## add these after you have completed your testing and ssl setup ##
     ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
     ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
    add_header 'Referrer-Policy' 'origin-when-cross-origin';
    add_header Strict-Transport-Security "max-age=10" always;
    add_header X-Frame-Options "SAMEORIGIN" always;
    add_header X-Content-Type-Options "nosniff" always;
    add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
}

 

[crusher11 859]

So at the moment Emby's SSL setting is still "preferred" rather than "handled by reverse proxy", and CF is still set to "flexible" rather than "full". Change those back?

[crusher11 859]

Quote

proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.

This differs from my config. Worth changing?

[rodainas 188]

2 minutes ago, crusher11 said:

This differs from my config. Worth changing?

That depends, you got the explanation of what is does there.

If you use cloudfare and want to see real client ip, just uncomment second and comment first

[crusher11 859]

Just now, rodainas said:

That depends, you got the explanation of what is does there.

If you use cloudfare and want to see real client ip, just uncomment second and comment first

It's not an explanation I understand, however.

I changed the CloudFlare and Emby SSL settings and can still get to my server, so that's good.

[rodainas 188]

9 minutes ago, crusher11 said:

So at the moment Emby's SSL setting is still "preferred" rather than "handled by reverse proxy", and CF is still set to "flexible" rather than "full". Change those back?

If nginx is working correctly is irrelevant the ssl setting on emby, because you are reaching emby through nginx and nginx point to the ssl certificate before even reaching emby, if you want set it to handled by reverse proxy.

You can change cloudfare to full, if the certificate that nginx is pointing is correct (valid, correct path directory, etc) then it will be reachable through ssl, do the test and try it.

 

[rodainas 188]

1 minute ago, crusher11 said:

It's not an explanation I understand, however.

I changed the CloudFlare and Emby SSL settings and can still get to my server, so that's good.

Well with that last test you seem to be set, congrats there.

[crusher11 859]

Just now, rodainas said:

Well with that last test you seem to be set, congrats there.

I still don't understand the client IP settings thing.

[rodainas 188]

And if you want to be sure that nginx is doing the work you can disable remote connection on emby network settings, if it is still reachable from domain everything is working correctly.

Edited July 12, 2021 by rodainas

[rodainas 188]

Just now, crusher11 said:

I still don't understand the client IP settings thing.

You need to read a little to know how cloudfare works, when you use proxied, the server ip is obscured (it gives a cloudfare ip) and when your clients connects through cloudfare, their ip is obscured too, you get the client ip of cloudfare not your clients one.

[crusher11 859]

2 minutes ago, rodainas said:

You need to read a little to know how cloudfare works, when you use proxied, the server ip is obscured (it gives a cloudfare ip) and when your clients connects through cloudfare, their ip is obscured too, you get the client ip of cloudfare not your clients one.

As my config is set right now I'm getting the client IP not the CloudFlare one, right?

Getting where, exactly? What are the pros/cons of each?

[vdatanet 1549]

To recap, is Emby - Nginx - Cloudflare working?

[rodainas 188]

Just now, vdatanet said:

To recap, is Emby - Nginx - Cloudflare working?

Yes is working

To summarize here he had 2 problems unknown to him at the moment of the first post, a rogue instance of emby running on another device and at least 2 nginx config that he was editing that werent related to the actual nginx running on the system.

[rodainas 188]

9 minutes ago, crusher11 said:

As my config is set right now I'm getting the client IP not the CloudFlare one, right?

Getting where, exactly? What are the pros/cons of each?

proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.

That was your last nginx config you posted, 

That works if not using cloudfare.

If using cloudfare you will want to try

  proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.

 

There are no pros or cons with this, depends if it matter to you if you want to see the real ip or the client or not, performance wise is the same thing.

Edited July 12, 2021 by rodainas

[vdatanet 1549]

7 minutes ago, rodainas said:

Yes is working

[crusher11 859]

Yeah, I just edited the wrong config file. Which also means it was working just fine on the old router because all the things we needed to change were already changed. It was just pointing to the wrong local IP of the NAS due to the router change. 

[vdatanet 1549]

6 minutes ago, crusher11 said:

Yeah, I just edited the wrong config file. Which also means it was working just fine on the old router because all the things we needed to change were already changed. It was just pointing to the wrong local IP of the NAS due to the router change. 

This would not have happened if the connection to Emby had been to http://127.0.0.1:8086 as recommended: 

location / {
        proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

 

[crusher11 859]

I'm now getting a "server not found" error on my domain.