
Emby, Cloudflare, and NGINX Setup Question



Posted (edited)

I have successfully migrated from simply having DDNS forward to my IP and having port 8920 open to now having Cloudflare. Cloudflare works, but when adding NGINX, it doesn't seem to. At least not on port 443. Here are some details:

DNS-o-matic has entries for emby.mydomain.net and sonarr.mydomain.net pointing to Cloudflare. Cloudflare is receiving the DDNS IP updates correctly.

domains.google is pointed to the Cloudflare name servers and has a DNSSEC keytag from Cloudflare. There are no other entries at all.

Cloudflare has A records for emby.mydomain.com and sonarr.mydomain.com. Both point to my IP (updated by dnsomatic), TTL auto, status: proxied. DNSSEC is enabled and happy. Encryption is full, Always use HTTPS and Auto HTTPS rewrites are enabled.

Here is nginx.conf on my Windows Server 2019 Essentials which is from Pir8radio's post and my info added as prompted in his comments:

worker_processes  auto;

error_log  logs/error.log;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format  emby  '$http_CF_Connecting_IP - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';

    log_format  sonarr  '$http_CF_Connecting_IP - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_sonarr_authorization"';


    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
                      '$status $body_bytes_sent "$http_referer" '
                      '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';

    sendfile        off;  ## Sendfile not used in a proxy environment.

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.

    ## EMBY ##
    server {
        ##listen [::]:80;             ## Listens on port 80 IPv6
        ##listen 80;                  ## Listens on port 80 IPv4
        listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;         ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;          ## Sends data as fast as it can not buffering large chunks.

        server_name emby.mydomain.net;    ## enter your service name and domain name here example emby.domainname.com

        access_log  logs/emby.log  emby;  ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/CF_Certificate.pem;  ## Location of your public PEM file.
        ssl_certificate_key  SSL/CF_Private.key;      ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {   ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://127.0.0.1:8096;  ## Enter the IP and port of the backend emby server here.

            proxy_hide_header X-Powered-By;            ## Strips the backend's X-Powered-By header from responses.
            proxy_set_header Range $http_range;        ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            #proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }

    ## SONARR ##
    server {
        ##listen [::]:80;             ## Listens on port 80 IPv6
        ##listen 80;                  ## Listens on port 80 IPv4
        listen [::]:443 ssl http2;    ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;         ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;          ## Sends data as fast as it can not buffering large chunks.

        server_name sonarr.mydomain.net;    ## enter your service name and domain name here example emby.domainname.com

        access_log  logs/sonarr.log  sonarr;  ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/CF_Certificate.pem;  ## Location of your public PEM file.
        ssl_certificate_key  SSL/CF_Private.key;      ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;

        location ^~ /swagger {   ## Disables access to swagger interface
            return 404;
        }

        location / {
            proxy_pass http://127.0.0.1:8989;  ## Enter the IP and port of the backend Sonarr server here.

            proxy_hide_header X-Powered-By;            ## Strips the backend's X-Powered-By header from responses.
            proxy_set_header Range $http_range;        ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
            #proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
            proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            add_header 'Referrer-Policy' 'origin-when-cross-origin';
            add_header Strict-Transport-Security "max-age=15552000; preload" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from Sonarr and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }

}

Now, here's the issue...if I forward port 443 to 192.168.127.200 port 8920, Emby works if I enter https://emby.mydomain.net port 443 into the app. If I try to load sonarr.mydomain.net, it just goes to the Emby login page. If I change the port forwarding to 443, 192.168.127.200 port 443, nothing works.

If I read every post I could find correctly, I should only have to forward port 443 to my server which is 192.168.127.200, but it doesn't work. I'm not convinced NGINX is doing anything.

I've been working on this for 3 days straight. What the heck am I doing wrong??

Edited by TechLife
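
A hardened variant of the Emby server block from the post above, as an added example that is not part of the original post or of Pir8radio's config. It assumes an nginx build that includes ngx_http_realip_module (check `nginx -V`) and nginx 1.19.4 or later for `ssl_reject_handshake`; the two `set_real_ip_from` ranges are placeholders for the list Cloudflare publishes at https://www.cloudflare.com/ips/, and the log format name `emby_trusted` is hypothetical.

```nginx
## Added example. Everything below goes inside the http { } block.

## Weak form in the posted config: the header is logged and forwarded no
## matter who sent it, so a client that reaches port 443 directly can set it.
##   log_format emby '$http_CF_Connecting_IP - ...';
##   proxy_set_header X-Real-IP $http_CF_Connecting_IP;

## Hardened: honour CF-Connecting-IP only when the TCP peer is a trusted proxy.
set_real_ip_from 192.0.2.0/24;       ## placeholder, replace with Cloudflare range
set_real_ip_from 198.51.100.0/24;    ## placeholder, replace with Cloudflare range
real_ip_header   CF-Connecting-IP;   ## $remote_addr becomes the visitor IP

## $realip_remote_addr keeps the address of the peer that actually connected.
log_format emby_trusted '$remote_addr via $realip_remote_addr [$time_local] '
                        '"$request" $status $body_bytes_sent $server_port';

## Catch-all: an unknown or missing SNI name is refused instead of falling
## through to the first server block, which nginx treats as the default.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl http2;
    listen [::]:443 ssl http2;
    server_name emby.mydomain.net;
    access_log logs/emby.log emby_trusted;

    ssl_protocols       TLSv1.2 TLSv1.3;   ## posted config also allowed TLSv1.1 and TLSv1
    ssl_certificate     SSL/CF_Certificate.pem;
    ssl_certificate_key SSL/CF_Private.key;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_set_header Host            $host;
        proxy_set_header X-Real-IP       $remote_addr;   ## already rewritten by realip
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Run `nginx -t` after editing; a request arriving from outside the trusted ranges is then logged with its own peer address rather than the header value.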
Posted (edited)

Thanks for the reply, Luke. I finally figured it out about 15 minutes ago. Unfortunately, I don't know exactly how I finally got it to work or I'd post it.

Edited by TechLife
Posted (edited)

On a similar note, I also got the following error:

bind() to 0.0.0.0:80 failed (10013: An attempt was made to access a socket in a way forbidden by its access permissions)

In my case I was able to go into RegEdit to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP and change the value of REG_DWORD "Start" from 3 to 0, rebooted the server and nginx was happy across the board.

This has definitely been a challenge, but well worth it now that it's working!

Edited by TechLife
Posted

Try restarting the server after changing the port setting. You could even try restarting the machine if desired.
