HOW TO: Emby with NGINX - With CSP options

[pwhodges 2012]

Have you set up https with its certificate yet?

Paul

[Guest]

On 3/2/2024 at 8:34 AM, weble said:

You could be running an older version that doesn’t know that line yet? If you swap back to 

listen 443 ssl http2;

does it work?

 

 

yeah Im on the latest Official nginx downloads and this is not recognized for me on debian 

[darkassassin07 652]

@CorruptedHart11  nginx v1.25.4?

 

Remove 'http2'.

[Guest]

that's what I mean, I have to use the previous version as http2 on its own line makes the service not start

[Guest]

Yeah sorry I was on stable branch instead of mainline nginx v1.25.4 that fixed it

[XSR 12]

Here is my working example config for:

Emby and Nginx for Windows with Cloudfared tunnel or without tunnel.

https://gist.github.com/XSR1/68463a31f9220fd5524955ed991504f3

Ps. It's working with Nextcloud and Filebrowser uploading for large files..

Edited April 1, 2024 by XSR

[crusher11 1101]

If I'm using the config from the OP, is there any way to add DSM access to that config so I can use that setup and domain to create file request links?

[crusher11 1101]

From the Synology side my understanding is I just need to open the right port, so funnelling a subdomain to that port should work. I'm just not sure how to go about adding an additional subdomain/port to the given config.

[plessers@gmail.com 32]

Hi everyone,

I still have problems with streaming movies trough nginx.
Following case

-  movie 3Mbps

- ISP upstream limit 10Mbps

 

If I stream direct from my server to a client outside my netwerk 

http://myserver.org:8096 

the file is streamed fine (direct play) with a +/- constant stream of +/- 4Mbps:

 

However, if I stream trough nginx, it keeps stuttering

I already figured out that I needed to disable buffering

proxy_buffering off; 

But with this setting (and only this setting), my upstream seems to be "soft-limited" to +/- 2Mbps:

(No need to mention that connection server --> nginx --> router is all 1Gbps)

Is there any explanation for this behavior?
How can I disable buffering (because than I had other problems) but still able to play my video's?

 

kind regards,

bartplessers

 

PS

I'm not using vanilla nginx, but "Nginx Proxy Manager" https://nginxproxymanager.com/ as an addon on my Home Assistant server https://www.home-assistant.io/

 

 

 

 

 

 

[Neminem 1518]

I also use NPM have no problem.

Here is my config.

Custom location : 

add_header X-Content-Type-Options "nosniff" always;
add_header Referrer-Policy "no-referrer" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-XSS-Protection "1; mode=block" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-Permitted-Cross-Domain-Policies "master-only" always;
add_header Pragma "no-cache" always;
add_header Cache-Control "no-store" always;

I don't use Advanced.

Let see if you can use some of this.

 

[weble 19]

@plessers@gmail.com

If your using NPM you need to setup a custom location for emby and ideally you also use advanced.

I just spun up a docker container to test this, it works great, nice interface but I am old school and prefer nginx config files.

Under Advanced tab use this:
 

    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

Under custom location use this:

    location / {
        proxy_pass http://xxx.xxx.xxx.xxx:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

If your still having issues, its possible your client or server is limiting the bitrate. Double check your emby settings for that.

[plessers@gmail.com 32]

1 hour ago, weble said:

If your still having issues, its possible your client or server is limiting the bitrate. Double check your emby settings for that.

 

wow. quick reaction and..... problem seems to be solved (tested for +/- 45min)

thanx a lot!!!

[Shidapu 14]

The Nginx setting does not work for me. Error: unknown directive "http2"

http2 on; ## Enables HTTP2

I'm gonna continue using the following:

listen      443 ssl http2;
listen     	[::]:443 ssl http2;

Running Nginx for Windows 1.25.4.1

Edited July 12, 2024 by Shidapu

[darkassassin07 652]

'http2' as a seprate directive was depreciated half a dozen nginx versions ago. Just omit that line and use it within the listen directive as you found.

Edited July 12, 2024 by darkassassin07

[Shidapu 14]

13 minutes ago, darkassassin07 said:

'http2' as a seprate directive was depreciated half a dozen nginx versions ago. Just omit that line and use it within the listen directive as you found.

Yes you are right.

Quote

Changes with nginx 1.25.1                                        13 Jun 2023

    *) Feature: the "http2" directive, which enables HTTP/2 on a per-server
       basis; the "http2" parameter of the "listen" directive is now
       deprecated.

But I'm running Nginx for Windows http://nginx-win.ecsds.eu/download/ and i guess they have not omit to that change just yet..

[weble 19]

@ShidapuWhy not use the official NGINX for windows? It is at version 1.27 mainline and 1.26.1 stable. Link below to the download section:

https://nginx.org/en/download.html

[Shidapu 14]

21 minutes ago, weble said:

@ShidapuWhy not use the official NGINX for windows? It is at version 1.27 mainline and 1.26.1 stable. Link below to the download section:

https://nginx.org/en/download.html

Honestly i'm not quiet ready for that change just yet..

[vdrover 62]

@weble Thanks for posting the details of your npm config. Very helpful. Do you also enable websock support?

Additionally, I was getting these 2 log errors (204 and 404) on every page load (web app) before adding the custom location:

Quote

 

2024-08-01 17:10:13.876 Info Server: http/1.1 Response 204 to host1. Time: 1ms. POST https://emby_remote_ip/emby/Sessions/Capabilities/Full?X-Emby-Client=Emby Web&X-Emby-Device-Name=Google Chrome macOS&X-Emby-Device-Id=b99d2f16-b65a-4b7a-8c4d-a5bbf2826484&X-Emby-Client-Version=4.8.8.0&X-Emby-Token=x_secret1_x&X-Emby-Language=en-us&reqformat=json

2024-08-01 17:10:13.920 Info Server: http/1.1 Response 404 to host1. Time: 1ms. GET https://emby_remote_ip/embywebsocket?api_key=x_secret1_x&deviceId=b99d2f16-b65a-4b7a-8c4d-a5bbf2826484

 

Since adding the custom location and advanced config, I only get the 204 error.

Do you think that might be related to npm in some way? 

Finally, is there a way to configure the location that does not use hard-coding of the IP address?

Edited August 1, 2024 by vdrover

[cremonies 11]

On 6/11/2024 at 10:39 AM, weble said:

@plessers@gmail.com

If your using NPM you need to setup a custom location for emby and ideally you also use advanced.

I just spun up a docker container to test this, it works great, nice interface but I am old school and prefer nginx config files.

Under Advanced tab use this:
 

    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

Under custom location use this:

    location / {
        proxy_pass http://xxx.xxx.xxx.xxx:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

If your still having issues, its possible your client or server is limiting the bitrate. Double check your emby settings for that.

What do I enter for "define location" it keeps telling me to enter a value.

[offroadguy56 0]

I too am using NPM. I did copy paste the original block of text from OP into the config file. But when I navigate to the domain I am greeted with the default welcome to nginx proxy manager, the host isn't up yet message. I came to the end of the topic and found the NPM specific setups but when I pasted those in I am still greeted with the same message. 

When I enable SSL I either get a 502 or nothing loads on the page depending on what settings I've used above. 

Not sure of the issue. 

[offroadguy56 0]

Can't edit a post.

An update to the above. I changed the network type from Host to br0. Instead of using IP of the host server it's now using the IP off the local network.

Quick initial testing shows that it is working with and without the NPM specific settings located further above. 

[guunter 49]

5 hours ago, offroadguy56 said:

Can't edit a post.

An update to the above. I changed the network type from Host to br0. Instead of using IP of the host server it's now using the IP off the local network.

Quick initial testing shows that it is working with and without the NPM specific settings located further above. 

You don’t need to define a location for NPM to work.

[solidsnakex37 55]

I have been using NGINX Docker in Unraid for almost 2 years and haven't had issues. Recently, I am finding that Emby remote connections are, at random, trying to hit my public IP via port 8920, and my pfsense firewall is blocking it. 

I can see the passed traffic to my private IP that NGINX is passing to Emby, but I cannot understand why Emby would even attempt to go to my public address and 8920, or how that's being hit at all. 

When this happens I can't connect to Emby remotely. I have a static IP from my ISP, so that never changes. 

I will notice, from time to time that in the Emby UI (non-admin) when you click on server info, the Remote (WAN) Address is showing my IP and 8920, not my domain

[rbjtech 5284]

Is the traffic from a known client source ?  If not, then I suspect it's just noise hitting your public IP with 8920.  Your f/w is doing what it's supposed to do as is dropping the connection before it even gets to your reverse proxy. 

[solidsnakex37 55]

8 hours ago, rbjtech said:

Is the traffic from a known client source ?  If not, then I suspect it's just noise hitting your public IP with 8920.  Your f/w is doing what it's supposed to do as is dropping the connection before it even gets to your reverse proxy. 

It is from a known source/client, so that's where I've been confused. I will be watching something and it's working fine, in my firewall logs I see it's going to my internal NGINX IP, Source IP is the device IP, then Destination is my Private IP/18443. Then out of the blue, in the middle of watching something, I get a page "err_ssl_unrecognized_name_alert" and then I see on my firewall that the traffic from my same source IP is now trying to hit my public IP/8920

Then it will randomly resolve itself but I have no real root cause/reason it's happening