SilentStrike 1 Posted May 14, 2017 (edited)

Ok, so.. I'm having a real hard time here! And I was wondering if you could give me a hand @Swynol for setting up SSL for Emby. I started on the following topic... Setting up SSL for Emby (WIP) and then I followed up with the following post.. HOW TO: NGINX Reverse Proxy

I managed to follow your tutorial for the most part (I think?). I appreciate all your write-ups on the subject. I know you've worked a lot on the subject! That being said, I'm hitting a few roadblocks here.. Was wondering if you could try and give me a hand!? I've got a few extra services I'd like to set up eventually, but we'll get to that.. Right now I can't even get Emby working properly. Currently, I've copied the config from your 2nd post above, but I've also copied the config from your other post and the results weren't similar.

First things first.. I have an issue from within my local network. Without even trying to add the domain part to the equation.. I understand that this little server section is supposed to be used to redirect any http requests to https.

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

If, let's say, I enter the address http://192.168.0.111 in my browser locally with the config, it goes nowhere. If I try https, then it works fine and brings me to the nginx server. Thing worth noting.. The default config that comes with nginx worked fine for simply entering my local IP address and accessing nginx. So this is my first issue.

Secondly, I'm wondering if it's possible to have a different result for my domain.ca and emby.domain.ca. Let me explain.. I'd like to have emby.domain.ca access my Emby server, but I'd like that when I enter domain.ca, it goes to an HTML website. Is it possible to tell nginx to separate those?

So far, in the tests I've done, whatever change I make to a proxy_pass for any server_name for emby.domain.ca, it's had a mirror effect on domain.ca. I'm not certain if any of these elements make any sense? I can gladly clarify any of these, but I'd really appreciate your help in figuring these elements out as I'm trying to get SSL set up and running! We'll get to domain-related issues later though! Right now it's more about local nginx behavior that doesn't feel right at all.

Thanks!

SilentStrike

Edited May 16, 2017 by SilentStrike
Swynol 375 Posted May 15, 2017

@SilentStrike Ok, something doesn't sound quite right. Can you post your whole config, removing any domain names. I just tested on mine: going to http://192.168.10.10 (my internal IP for Emby) it automatically changes it to https.

And yes, if you set up separate server blocks for emby.domain.ca and domain.ca it should work, but it will depend what settings you have on your domain registrar. I would recommend having a subdomain going to a html site, for example www.domain.ca. I have a similar setup where www.domain.com goes to a html page hosted by my NGINX box.
SilentStrike 1 Posted May 15, 2017 (Author)

@Swynol, thanks for looking into this with me! Alright, so.. Here's my config file, lacking the domain name.

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##

        ## Default Listening ##
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
        }

        ##EMBY Server##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.domain.ca;
            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;
            #add_header Public-Key-Pins '
            #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
            #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
            #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
            #max-age=86400; includeSubDomains';
            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_hide_header X-Powered-By;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors domain.ca emby.domain.ca;";
            location / {
                proxy_pass http://192.168.0.111:8096;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }

        ## HTML Website ##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name www.domain.ca;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_timeout 30m;
            ssl_session_cache shared:SSL:10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            location / {
                root html;
                index index.html index.htm;
            }
        }
    }

I might be off with the HTML website server block.. I mean, that's a possibility.. But everything else is pretty much a copy-paste from your configuration. (And heck, if I take out the www server block, it doesn't change anything.) I was wondering if for some reason some regional settings would have misinterpreted something in the configuration, but there doesn't seem to be anything that would be hit by this kind of issue. Other than that, I'm pretty much clueless as to why these issues would arise. Thanks for looking into this!
Swynol 375 Posted May 15, 2017

Emby block looks good. If you navigate to http://emby.domain.ca it should force you to https://emby.domain.ca.

With the html block, have you put the index.html files in c:\nginx\html, and is the main file called index.html? Have you created a CNAME to forward www. to your static WAN IP or Dynamic DNS?
pir8radio 1312 Posted May 15, 2017 (edited)

Quoting SilentStrike: "@Swynol, thanks for looking into this with me! Alright, so.. Here's my config file, lacking the domain name. I might be off with the HTML website server block.. I mean, that's a possibility.. But everything else is pretty much a copy-paste from your configuration. (And heck, if I take out the www server block, it doesn't change anything.) I was wondering if for some reason some regional settings would have misinterpreted something in the configuration, but there doesn't seem to be anything that would be hit by this kind of issue. Other than that, I'm pretty much clueless as to why these issues would arise. Thanks for looking into this!"

What happens if you remove server_name _; from your default_server block? If that doesn't work, try replacing that with server_name ~^.*$ which is a bit messy. Don't forget you have to kill and restart nginx with any config changes.

Edited May 15, 2017 by pir8radio
SilentStrike 1 Posted May 16, 2017 (Author)

Right now Emby doesn't even load when I go for emby.domain.ca.. And changing, or deleting, doesn't change anything.
pir8radio 1312 Posted May 16, 2017

Quoting SilentStrike: "Right now Emby doesn't even load when I go for emby.domain.ca.."

Well, then @Swynol was heading in the right direction with checking out how your domain name is set up @ your registrar... I'll stand clear.. lol
SilentStrike 1 Posted May 16, 2017 (Author, edited)

Quoting pir8radio: "Well, then @Swynol was heading in the right direction with checking out how your domain name is set up @ your registrar... I'll stand clear.. lol"

The thing is.. If I change my config and take the one from his first post.. That works. For emby.domain.ca.

Edited May 16, 2017 by SilentStrike
pir8radio 1312 Posted May 16, 2017

Quoting SilentStrike: "The thing is.. If I change my config and take the one from his first post.. That works. For emby.domain.ca."

Post the config that works... So we can compare.
SilentStrike 1 Posted May 16, 2017 (Author)

Ok... Soooooo... I did a few extra tests, just to check.. If I take the domain management part out, and enter my http external IP address in the address bar, it automatically goes to https (as "server_name _;"). So that's good. If I try it locally, http://192.168.0.111, nothing happens. If I try it with https though, it works.

Here's a little interesting detail.. My html server block seems to be working. Basically if I try my external IP address (and no domain name) it'll just take the first server block as "the called server". Anyways, that basically just confirms that both blocks seem fine. I guess I need help managing my domain properly though. I'm on GoDaddy, if that helps you to help me!
pir8radio 1312 Posted May 16, 2017

Quoting SilentStrike: "Ok... Soooooo... I did a few extra tests, just to check.. If I take the domain management part out, and enter my http external IP address in the address bar, it automatically goes to https (as "server_name _;"). So that's good. If I try it locally, http://192.168.0.111, nothing happens. If I try it with https though, it works. Here's a little interesting detail.. My html server block seems to be working. Basically if I try my external IP address (and no domain name) it'll just take the first server block as "the called server". Anyways, that basically just confirms that both blocks seem fine. I guess I need help managing my domain properly though. I'm on GoDaddy, if that helps you to help me!"

Well, you will need to post how your GoDaddy is set up... I bet you're doing some kind of forwarding rather than actually pointing your A and AAAA records to your internet IP.
SilentStrike 1 Posted May 16, 2017 (Author)

Quoting pir8radio: "Well, you will need to post how your GoDaddy is set up... I bet you're doing some kind of forwarding rather than actually pointing your A and AAAA records to your internet IP."

I'm afraid.. That's maybe what I'm doing..? See the screenshot below (I didn't add the www.domain.ca yet, as I was merely focusing on emby.domain.ca). But for some reason, I have a feeling I have to delete those forwards and clean up some records up top and add some there for everything to work?
pir8radio 1312 Posted May 16, 2017

Quoting SilentStrike: "I'm afraid.. That's maybe what I'm doing..? See the screenshot below (I didn't add the www.domain.ca yet, as I was merely focusing on emby.domain.ca). But for some reason, I have a feeling I have to delete those forwards and clean up some records up top and add some there for everything to work?"

You should only have one A record (unless you have a more complicated setup with multiple server locations); anything else should be a CNAME, as Swynol said in an earlier post. Your A record should reference your IP address. Then the CNAMEs are prefixes of your domain name that point to your A record.. So you have one CNAME "ftp" which was probably default? You can delete it if you don't have an ftp server set up.. Try to create a CNAME emby that points to @ and see how things work.
SilentStrike 1 Posted May 16, 2017 (Author, edited)

Quoting pir8radio: "You should only have one A record (unless you have a more complicated setup with multiple server locations); anything else should be a CNAME, as Swynol said in an earlier post. Your A record should reference your IP address. Then the CNAMEs are prefixes of your domain name that point to your A record.. So you have one CNAME "ftp" which was probably default? You can delete it if you don't have an ftp server set up.. Try to create a CNAME emby that points to @ and see how things work."

My CNAME record should point to the name of my A record if I understand correctly? What does the @ define here? And yes, it was default. I'll get rid of it.

Edited May 16, 2017 by SilentStrike
pir8radio 1312 Posted May 16, 2017

You will need to fix your A record too, to point to your IP address and not be "forwarded". Unless that's a GoDaddy thing. GoDaddy uses @ to reference your domain name.
SilentStrike 1 Posted May 16, 2017 (Author)

This is what I got. So far, it just says that the DNS address can't be found. I'm thinking it's just taking time to take effect? Do the records look good? On another note, I'm trying to get rid of that domain forward, but I can't figure out how. Working on that atm.
pir8radio 1312 Posted May 16, 2017 (edited)

Yes, DNS changes can take as long as the TTL (Time To Live) is set to before they refresh... But that looks correct.

Edited May 16, 2017 by pir8radio
SilentStrike 1 Posted May 16, 2017 (Author, edited)

Alright, so it's been an hour since the change, which is what my TTL was set to. Still no result. Can't delete the forward on the domain though.. I dunno if that would interfere?

Edit: Just managed to delete the forward on the domain, and it changed a few records, so I changed those again. I'll wait and see what happens.

Edited May 16, 2017 by SilentStrike
SilentStrike 1 Posted May 16, 2017 (Author)

    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        include mime.types;
        default_type application/octet-stream;
        server_tokens off;
        sendfile off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##

        ## Default Listening ##
        server {
            listen 80 default_server;
            listen [::]:80 default_server;
            server_name _;
            return 301 https://$host$request_uri;
        }

        ## HTML Website ##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name www.domain.ca;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_timeout 30m;
            ssl_session_cache shared:SSL:10m;
            ssl_ciphers HIGH:!aNULL:!MD5;
            ssl_prefer_server_ciphers on;
            location / {
                root html;
                index index.html index.htm;
            }
        }

        ##EMBY Server##
        server {
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.domain.ca;
            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;
            #add_header Public-Key-Pins '
            #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
            #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
            #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
            #max-age=86400; includeSubDomains';
            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            proxy_hide_header X-Powered-By;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors domain.ca emby.domain.ca;";
            location / {
                proxy_pass http://192.168.0.111:8096;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }

Alright.. So.... Above is my current config. Things are starting to work, slowly. http is converted to https, no issues. Website also seems secure for the domains I actually requested a certificate for. www.domain.ca goes to my html server block, as planned. domain.ca grabs the first server block in my config file. (If I put my Emby block first, it goes to Emby, no issues; if the html block is first, it goes there.) However, emby.domain.ca doesn't seem to be working. It actually converts my http request to https, but nothing loads.
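The "domain.ca grabs the first server block" behaviour above is nginx's default: when no server_name matches the requested host on a given port, the request goes to whichever block on that port is marked default_server, or to the first one in the file if none is. The http block below is an added example (not SilentStrike's or Swynol's config) of pinning that down: an explicit catch-all on 443 that refuses unmatched names, an apex block that sends domain.ca to www, and one block per hostname; hostnames, paths and the Emby address are the ones used in this thread, and ssl_reject_handshake assumes nginx 1.19.4 or newer.

```nginx
# Added example, not the thread's own config. Drops into an nginx.conf that
# already has worker_processes/events; only the http block is shown.
http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    # Port 80: every request becomes an HTTPS redirect, whatever the Host header says.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    # Port 443 catch-all: a TLS connection whose SNI matches none of the names
    # below (the bare WAN IP, a stray CNAME, scanners) is rejected here instead
    # of being answered by whichever vhost happens to be first in the file.
    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        server_name _;
        ssl_reject_handshake on;   # nginx >= 1.19.4; older: add ssl_certificate and "return 444;"
    }

    # Apex name: send domain.ca to the www site explicitly.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name domain.ca;
        ssl_certificate     SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        return 301 https://www.domain.ca$request_uri;
    }

    # Static HTML site, served only for its own hostname.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name www.domain.ca;
        ssl_certificate     SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
        location / {
            root  html;
            index index.html index.htm;
        }
    }

    # Emby, reverse-proxied only for emby.domain.ca.
    server {
        listen 443 ssl;
        listen [::]:443 ssl;
        server_name emby.domain.ca;
        ssl_certificate     SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        add_header Strict-Transport-Security "max-age=2592000; includeSubDomains" always;
        location / {
            proxy_pass http://192.168.0.111:8096;
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # WebSocket upgrade for the Emby web client
            proxy_http_version 1.1;
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

After reloading, requesting https://WAN-IP/ or any name not listed should fail the TLS handshake rather than show the Emby or html site, which is an easy way to confirm the catch-all is the one being hit.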
Swynol 375 Posted May 16, 2017

Quoting SilentStrike: "Ok... Soooooo... I did a few extra tests, just to check.. If I take the domain management part out, and enter my http external IP address in the address bar, it automatically goes to https (as "server_name _;"). So that's good. If I try it locally, http://192.168.0.111, nothing happens. If I try it with https though, it works. Here's a little interesting detail.. My html server block seems to be working. Basically if I try my external IP address (and no domain name) it'll just take the first server block as "the called server". Anyways, that basically just confirms that both blocks seem fine. I guess I need help managing my domain properly though. I'm on GoDaddy, if that helps you to help me!"

Sorry for the lack of posts. Our work was hit by the WannaCry ransomware..... so it's been a busy few days.

Using the internal IP on http won't work as it's not going through NGINX, so it doesn't get redirected to https. This happens because nginx is only listening out for emby.domain.ca, www.domain.ca etc.

Using your external IP, i.e. http://7.7.7.7 (whatever the IP is), is coming into your router on port 80, which I'm guessing is forwarded to your NGINX server, and then yes it will reply with the first server block. Again, if you did https://7.7.7.7 it would come in on port 443, which again is forwarded to NGINX and uses the first server block.
Swynol 375 Posted May 16, 2017 (edited)

Ok, to work on the Emby block. Can you ping emby.domain.ca and see if it responds with your WAN IP address. Also I noticed on the screenshot above that under the forwarding rule there is a subdomain section. I wonder if that needs to be set as emby.domain.ca.

Edited May 16, 2017 by Swynol
SilentStrike 1 Posted May 16, 2017 (Author, edited)

Alright, so... There's some positive stuff going on! Ha. But also some confusing stuff! Looks like things are starting to work out. emby.domain.ca, www.domain.ca, or even radarr.domain.ca all seem to work and go to their respective server blocks. I'm on my computer at work, and everything works fine.

The thing is.. It's only working on my work computer. I asked a friend of mine to test it, and I also tried from my cellphone, and it says ERR_ADDRESS_UNREACHABLE.

Now you asked me to ping domain.ca and see if it responds properly. Well, the ping doesn't go through, but it resolves my IP address. Is this what was intended?

Another factor that might be playing into account here is my computer's firewall. I've deactivated my Windows Firewall, but I use Eset Smart Security which has an integrated firewall. Technically it interacts with me every single time someone tries to communicate with my computer. That being said, I opened and allowed access to ports 443 and 80.

Edit: Alright, so I figured I could actually try and disable my firewall to test out to see if anything changed. Nothing changed. So I think that might rule out the fact that the firewall is interfering in some way?

Edited May 16, 2017 by SilentStrike
Swynol 375 Posted May 16, 2017 (edited)

Quoting SilentStrike: "Now you asked me to ping domain.ca and see if it responds properly. Well, the ping doesn't go through, but it resolves my IP address. Is this what was intended?"
- Yes, this is intended, just wanted to make sure the CNAMEs were working correctly.

Quoting SilentStrike: "The thing is.. It's only working on my work computer. I asked a friend of mine to test it, and I also tried from my cellphone, and it says ERR_ADDRESS_UNREACHABLE."
- This could be a DNS issue or a cache issue. If you can, ask your friend to do the ping test to emby.domain.ca and see if it resolves the IP. Same on your phone. DNS propagation can take up to 24hrs; usually I would expect it to take no more than 2 hours. I don't think it's your firewall, as ERR_ADDRESS_UNREACHABLE usually means that the domain name can't resolve an IP or it's resolving the wrong IP. If it was a firewall it would be something like ERR_CONNECTION_REFUSED.

I'm starting to run out of ideas.

Edited May 16, 2017 by Swynol
SilentStrike 1 Posted May 16, 2017 (Author)

Alright, let's add to the mystery, shall we? My friend and my phone tried pinging domain.ca and it resolved my address. So I wondered... "Is my problem here https forwarding again?" So I tried https://www.domain.ca on my phone, instead of www.domain.ca, and that worked.. I tried other services as well, sonarr.domain.ca.. Nope, nothing... https://sonarr.domain.ca, well damn, that worked.

Only service not working right now is Emby. Whether I try http or https.. Here's my new error: DNS_PROBE_FINISHED_NXDOMAIN

I'm very confused by the behavior now.
Swynol 375 Posted May 16, 2017 (edited)

Strangely, I have been having issues with one of my services not redirecting http to https. Let's try adding the 301 redirect to the server block:

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

So your Emby block will look like this:

    ##EMBY Server##
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.domain.ca;
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        if ($scheme = http) {
            return 301 https://$server_name$request_uri;
        }
        #add_header Public-Key-Pins '
        #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNUFEwyUE=";
        #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/utLMkBgFF2Fuihg=";
        #pin-sha256="Vjs8r4z+80wjNcr1KepWQboSIRi63WsWXhIMN+eWys=";
        #max-age=86400; includeSubDomains';
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors domain.ca emby.domain.ca;";
        location / {
            proxy_pass http://192.168.0.111:8096;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            #Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

Edited May 16, 2017 by Swynol