Reverse proxy with nginx ERR_TOO_MANY_REDIRECTS

[Smaky 131]

Yesterday my router failed and I had to reset it. After setting everything up again, I had to remap my ports to the emby server so I can reach from out there. In my initial setup prior to the router failure, I had port 443 for SSL access and nginx configured to do reverse proxy. Upon reconfiguration I noticed my ISP is now blocking port 443 so I modified my configuration to use another port (8097).

 

The problem I am facing now is that whenever I try to access the site using the external URL I get an ERR_TOO_MANY_REDIRECTS. My ngix conf file looks like this:

#user nobody;
# multiple workers works !
worker_processes 2;

#error_log  logs/error.log;
#error_log  logs/error.log  notice;
#error_log  logs/error.log  info;

#pid        logs/nginx.pid;

#pcre_jit on;

events {
	worker_connections 8192;
    # max value 32768, nginx recycling connections+registry optimization = 
    #   this.value * 20 = max concurrent connections currently tested with one worker
    #   C1000K should be possible depending there is enough ram/cpu power
    # multi_accept on;
}


http {
	#include      /nginx/conf/naxsi_core.rules;
    include       mime.types;
    default_type  application/octet-stream;

    #log_format  main  '$remote_addr $remote_port - $remote_user [$time_local] "$request" '
    #                  '$status $body_bytes_sent "$http_referer" '
    #                  '"$http_user_agent" "$http_x_forwarded_for"';

    #access_log  logs/access.log  main;

    sendfile        off;
    #tcp_nopush     on;

	server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;
	
	## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
	## End: Timeouts ##

	gzip on;
	gzip_disable "msie6";

	gzip_comp_level 6;
	gzip_min_length 1100;
	gzip_buffers 16 8k;
	gzip_proxied any;
	gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
	
	##EMBY Server##

	server {
		listen [::]:80;
		listen 80;
		listen [::]:8097 ssl;
		listen 8097 ssl;
		
		server_name emby.mydomain.com; #your subdomain.domainname.com here

		ssl_session_timeout 30m;
		ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
		ssl_certificate "H:\SSL Certificates\certificate.pem"; #your .pem file you created earlier.
		ssl_certificate_key "H:\SSL Certificates\private.key"; #your private.key
		ssl_session_cache shared:SSL:10m;
		if ($scheme = http) {
			return 301 https://$server_name$request_uri;
		}

	location / {
		proxy_pass http://192.168.10.20:8096; # Local emby ip and non SSL port

		add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
		add_header Content-Security-Policy "default-src 'self' https://mb3admin.com; script-src 'self' 'unsafe-inline' https://www.gstatic.com https://mb3admin.com blob:; connect-src 'self' https://mb3admin.com wss://emby.feterspace.com.mx; img-src 'self' data: https://raw.github.com/ http://embydata.com/ https://github.com/ https://raw.githubusercontent.com/ https://emby.media/ http://www.chronowerks.com/ http://i66.tinypic.com/ http://dvblogic.com/ https://upload.wikimedia.org/ https://serverwmc.github.io/ http://getvera.com/ http://i66.tinypic.com/ http://getvera.com/wp-content/ https://i.ytimg.com/; style-src 'self' 'unsafe-inline'; font-src 'self'; frame-src 'self'; media-src 'self' http://127.0.0.1:8096 blob:; object-src 'none'";
		add_header X-Frame-Options "SAMEORIGIN" always;
		add_header X-Xss-Protection "1; mode=block" always;
		add_header X-Content-Type-Options "nosniff" always;
		add_header Referrer-Policy "no-referrer-when-downgrade";
		
		proxy_hide_header X-Powered-By;
		proxy_set_header Range $http_range;
		proxy_set_header If-Range $http_if_range;
		proxy_set_header X-Real-IP $remote_addr;
		proxy_set_header Host $host;
		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
		proxy_set_header X-Forwarded-Proto $remote_addr;
		proxy_set_header X-Forwarded-Protocol $scheme;
				
		proxy_redirect off;
		
		#Next three lines allow websockets
		proxy_http_version 1.1;
		proxy_set_header Upgrade $http_upgrade;
		proxy_set_header Connection "upgrade";
		}
	}
	
}

Not sure what might have gone wrong.

[Luke 42081]

Did you enable the emby setting to require https?

[Smaky 131]

Thanks @Luke it semes that was what I was missing.

[Smaky 131]

I guess I responded too soon... after enabling "Allow remote connections to this Emby Server" and "Require https for external connections" it initially worked... a few minutes later while browsing the library I am again getting these errors.

 

 

[Smaky 131]

Ok.. i got it working now... I enabled "Allow remote connections to this Emby Server"  but disabled "Require https for external connections". This way the server is responding. Now the question is... why I need to enable remote connections. I had the impression that with nginx acting as a proxy server, nginx would pass the remote connection to Emby server as a local connection. 

[pir8radio 1312]

Ok.. i got it working now... I enabled "Allow remote connections to this Emby Server"  but disabled "Require https for external connections". This way the server is responding. Now the question is... why I need to enable remote connections. I had the impression that with nginx acting as a proxy server, nginx would pass the remote connection to Emby server as a local connection. 

 

Not entirely true...  If the nginx is setup correctly, which yours looks like it is, it will pass the remote IP to emby.  The goal of a reverse proxy is to be transparent to whatever sits behind it.         So if you connect to your emby server through the reverse proxy, you should still see your external address on the emby dashboard.      It sounds like all as we would expect...    

[Smaky 131]

Thanks for the clarification @pir8radio it is clearer now.