HOW TO: Emby with NGINX - With CSP options

[rbjtech 5284]

17 minutes ago, solidsnakex37 said:

It is from a known source/client, so that's where I've been confused. I will be watching something and it's working fine, in my firewall logs I see it's going to my internal NGINX IP, Source IP is the device IP, then Destination is my Private IP/18443. Then out of the blue, in the middle of watching something, I get a page "err_ssl_unrecognized_name_alert" and then I see on my firewall that the traffic from my same source IP is now trying to hit my public IP/8920

Then it will randomly resolve itself but I have no real root cause/reason it's happening

Did the clients maybe have a previous connection via 8920 before you implemented the RP and it's reaching out using those creds ?   Either that, or the emby clients have some legacy code somewhere that is still using 8920.   I'm presuming that as you are dropping the connection, there is no real way to know the http header etc to find out more Agent info..

[solidsnakex37 55]

22 minutes ago, rbjtech said:

Did the clients maybe have a previous connection via 8920 before you implemented the RP and it's reaching out using those creds ?   Either that, or the emby clients have some legacy code somewhere that is still using 8920.   I'm presuming that as you are dropping the connection, there is no real way to know the http header etc to find out more Agent info..

It's odd, as I was troubleshooting it, if I go to app.media.emby and I click on the server I am connecting to, then go to View Server Info, that is where i see the Remote Address as my publicIP:8920, the "last connection to" is my domain, then it will switch back at some point. I don't use app.emby.media to connect, but I used it to see if I could see the server details as it happened. 

I will grab a .har file next time it occurs and see if that gives me more details, which I haven't done yet. 

[Moreje 16]

On 6/11/2024 at 5:39 PM, weble said:

@plessers@gmail.com

If your using NPM you need to setup a custom location for emby and ideally you also use advanced.

I just spun up a docker container to test this, it works great, nice interface but I am old school and prefer nginx config files.

Under Advanced tab use this:
 

    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

Under custom location use this:

    location / {
        proxy_pass http://xxx.xxx.xxx.xxx:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

If your still having issues, its possible your client or server is limiting the bitrate. Double check your emby settings for that.

I also use NPM

where do I need to copy and paste all these settings?

what do I need to put in location?

my first try resulted in emby not accessible anymore

please help me!

[Moreje 16]

after few tests, I've noticed that :

Quote

proxy_set_header Host $host;

in the custom location configuration makes my emby unreachable.

any idea why?

thank you

[weble 19]

38 minutes ago, Moreje said:

after few tests, I've noticed that :

in the custom location configuration makes my emby unreachable.

any idea why?

thank you

Double check your syntax and indentation. Use my June 11 post a page or two back to verify. 

[guunter 49]

4 hours ago, Moreje said:

after few tests, I've noticed that :

in the custom location configuration makes my emby unreachable.

any idea why?

thank you

I just put everything in the advanced tab and point it to location. I have since switched to caddy because it works way easier

[Moreje 16]

I don't know what you mean by syntax, I put exactly this: 

Quote

proxy_set_header Host $host;

and this line results in emby not reachable (error 400)

if I comment it out: access is possible

[guunter 49]

4 hours ago, Moreje said:

I don't know what you mean by syntax, I put exactly this: 

and this line results in emby not reachable (error 400)

if I comment it out: access is possible

Did you try Emby without these advanced options? It should still work without those settings in there for location. 

[TMCsw 248]

7 hours ago, Moreje said:

Quote

proxy_set_header Host $host;

and this line results in emby not reachable (error 400)

I'm not using NPM but here is how i use it in plain nginx:

proxy_set_header Host $host:$server_port;

 

[Edortaedd 1]

Hello everyone.

I'm currently setting up an Emby server on my Mini PC.

I currently have it with Proxmox.
In Proxmox, I have nginx (lxc) and Emby (Debian virtual machine)

The content is hosted using rclone (cache)

I've been doing some tests and I can't get a movie to play externally without constant buffering.
I'm attaching screenshots of the difference between internal server (192.168.xx.xx) and external (emby.xxxxxx.com)

Internal

External

The difference is too much.
Right now I have nginx with the configuration mentioned in this post. I'm attaching screenshots in case I'm setting something incorrectly.

Custom Locations

##code##

   location / {
        proxy_pass http://192.168.68.89:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        #proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

##

Advanced

##code##

 include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

##

 

I also have the rules set in my Cloudflare domain (I'm attaching screenshots as well)

I've added rule 2 because I noticed this. I don't know if it has anything to do with it..

I don't know what could be causing such a big difference in dropped frames. 

Can someone help me? Sorry for my English level.

Best regards!

[TMCsw 248]

3 hours ago, Edortaedd said:

I've been doing some tests and I can't get a movie to play externally without constant buffering.

I doubt that nginx is your problem here, a 71 Mbps stream is difficult to maintain (edit: over the internet)... …because

• what is your upload speed for your ISP?
• what is the receivers ISP download speed?
• many ISP's throttle streams at times!
• how many 'hops' are between the sender and receiver?

You may want to try reducing Internet streaming bitrate limit (Mbps), to something that works without buffering and doesn't make the video look like crap! 

 

Edited December 10, 2024 by TMCsw

[Edortaedd 1]

13 hours ago, TMCsw said:

I doubt that nginx is your problem here, a 71 Mbps stream is difficult to maintain (edit: over the internet)... …because

• what is your upload speed for your ISP?
• what is the receivers ISP download speed?
• many ISP's throttle streams at times!
• how many 'hops' are between the sender and receiver?

You may want to try reducing Internet streaming bitrate limit (Mbps), to something that works without buffering and doesn't make the video look like crap! 

 

thanks for all @TMCsw

I will answer what you ask me and then add new information that I have.

• what is your upload speed for your ISP?  -->1Gbps
• what is the receivers ISP download speed? -->1Gbps 

• many ISP's throttle streams at times! --> only this stream in both cases
• how many 'hops' are between the sender and receiver?  --> only 2 
• 

 

***New info.***

This morning I set it up using duckdns to rule out it being a Cloudflare issue, but the result is the same...

I have some parameter that makes the content through the external server different from the internal one.

I have subscribed to Emby Premiere but the result is the same.

 

Best regards!

[weble 19]

31 minutes ago, Edortaedd said:

thanks for all @TMCsw

I will answer what you ask me and then add new information that I have.

• what is your upload speed for your ISP?  -->1Gbps
• what is the receivers ISP download speed? -->1Gbps 

• many ISP's throttle streams at times! --> only this stream in both cases
• how many 'hops' are between the sender and receiver?  --> only 2 
• 

 

***New info.***

This morning I set it up using duckdns to rule out it being a Cloudflare issue, but the result is the same...

I have some parameter that makes the content through the external server different from the internal one.

I have subscribed to Emby Premiere but the result is the same.

 

Best regards!

It looks to me like you’re using your local pc to hit the external url. If Emby is on the same local network your router needs to support hairpin NAT. 
Also Cloudflare does not support video streaming over its proxy unless you’re paying for it. 

simple test to rule out hairpin NAT, install Emby app on your cell phone, take it off wifi and test. 

[Edortaedd 1]

12 minutes ago, weble said:

It looks to me like you’re using your local pc to hit the external url. If Emby is on the same local network your router needs to support hairpin NAT. 
Also Cloudflare does not support video streaming over its proxy unless you’re paying for it. 

simple test to rule out hairpin NAT, install Emby app on your cell phone, take it off wifi and test. 

hi @weble 

I tried on the phone and the same thing.
I have tried with Cloudflare+nginx and also with Duckdns (only) and nothing, the problem persists.

A friend has the same movie set up on his Emby server (with worse hardware than mine) and it works perfectly for him. (Duckdns).
I took these screenshots in the developer mode of the web browser, it's the only difference I've seen.

 

[runtimesandbox 171]

Anyone experiencing web socket failures when going through an nginx reverse proxy?

I've used the above config to set one up and i get problems with the websockets working but then stopping within 30 - 60 seconds noticeable by the fact the admin dashboard stops updating (now playing etc)

I have also tried it with a caddy reverse proxy and get the same issue

Going direct to the server I do not get the problem.

[sebasmiles 8]

On 6/11/2024 at 11:39 AM, weble said:

@plessers@gmail.com

If your using NPM you need to setup a custom location for emby and ideally you also use advanced.

I just spun up a docker container to test this, it works great, nice interface but I am old school and prefer nginx config files.

Under Advanced tab use this:
 

    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

Under custom location use this:

    location / {
        proxy_pass http://xxx.xxx.xxx.xxx:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        #proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

If your still having issues, its possible your client or server is limiting the bitrate. Double check your emby settings for that.

So I tried filling this into the NPM web client but I am having issues. My main objective is to get rid of that pesky https error that comes up and tells me or my others in my family, but then the default ends up being the internal IP instead of the external one. This used to be seamless but not for a long time.

I put in the DDNS into the field on the network settings in emby and set the following as well, am I not supposed to do this final part? Any idea what I am doing wrong? Thanks!!

 

Edited March 31, 2025 by sebasmiles

[Siralop 0]

Im using Nginx Proxy Manager plus for TLS, having issues with Emby apps on TV' and IOS on and off the network, the windows app works just fine on the network, untested off the network. No issues with hitting the URL from any browser, mobile desktop. Anyone have Emby working with NPM plus? 

Details Tab

 

Custom Location Text- 
 

 location / {
        proxy_pass http://192.168.XX.XX:8096;  ## Enter the IP and port of the backend emby server here.
        client_max_body_size 1000M;  ## Allows for mobile device large photo uploads.

        proxy_hide_header X-Powered-By;     ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range;  ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range;  ## Allows specific chunks of a file to be requested.
        #proxy_set_header X-Real-IP $remote_addr;  ## Passes the real client IP to the backend server.
        proxy_set_header X-Real-IP $http_CF_Connecting_IP;  ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host;  ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;  ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

    ## ADDITIONAL SECURITY SETTINGS ##
    ## Optional settings to improve security ##
    ## add these after you have completed your testing and ssl setup ##
    ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
    ##         See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

     ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
        }

TLS Settings

 

Advance Config
 

include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;
    sendfile        off;  ##sendfile not used in a proxy env
    proxy_buffering off;

    gzip on;   ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on;  ## Sends data as fast as it can not buffering large chunks

[M1tch 2]

Long time Emby user here, but I've never really had the desire to make my server accessible outside of my home network.. until now. 

My ISP uses CGNAT but also gives me ipv6 (which seems pretty static). 

A reverse proxy seems to be the safest , most secure option, is this still valid considering my setup?  I understand I'd need to connect the domain and everything to my emby servers ipv6 address? 

Am I missing anything? 

 

[pwhodges 2012]

That should work OK. 

If you've been allocated a /48 or /64 block of IPv6 addresses (as you're supposed to be), then you may need to choose one to give your computer as a static address for a simple DNS setup (I give my servers IPv6 addresses with the last part being the same as their IPv4 addresses - yes, I have multiple IPv4 addresses which I got 20 years ago, before it became too hard - but that's not relevant in your case).

Paul

[M1tch 2]

Thanks -  a quick google shows I have /56 block.
I need to refresh my ipv6 understanding, so apologies if a stupid question.. would the domain be need to be attached to the address assigned to the Emby server or the wan ip? 

[pwhodges 2012]

In IPv6 they are the same - no NAT is involved. Your WAN allocation is the whole /56; your Emby computer will use one or maybe several addresses in that block, as well as a link-local address which is not routable.  The IPv6 address is chosen automagically; I'm not sure how stable it will be, so I give my machines static IPv6 addresses (which I suppose may be against the spirit of things, but seems a good idea for a server).

(A /56 is also a common allocation, and is ample; after all, a /96 is as many addresses as the whole of IPv4...)

Paul

[M1tch 2]

OK I'm up and running and can now access Emby remotely!.. Thank you @pwhodges. I have a new domain (cloudflare) and have DNS records AAAA for mydomain.com  and emby.mydomain.com. (same v6 IP address for my emby server) I have the cert and config'd my nginx using @JasonNalleypost.

One query I have is that I can browse to both mydomain.com and emby.mydomain.com and both direct to emby. I expected only to be able to reach emby via the sub domain?  Is this expected or have I messed up some config?  If I were to add another service / subdomain in the nginx server block where would mydomain.com resolve to then? 

Emby Setup:

public HTTP port number = 80 

public HTTP port number = 443

External Domain =  mydomain.com (should this be emby.mydomain.com? )

Read proxy headers to determine client IP addresses = Only when they contain remote network addresses 

Secure connection mode = Handled by reverse proxy

Nginx Conf

worker_processes auto; #lets nginx decide how many cores/threads to use on your processor

events {
    worker_connections 2048; #change as needed for your traffic,  2048 us a good starting point for low traffic environments, moving it up will devote more resources
}

http {
    include       mime.types;
    default_type  application/octet-stream;
	server_tokens off;
    sendfile      off;
    keepalive_timeout 65;

    # Extended gzip settings
    gzip on;
    gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript image/svg+xml application/font-woff application/font-woff2 font/ttf font/otf font/eot;
    gzip_min_length 1000;
    gzip_vary on;
    gzip_comp_level 6;
    gzip_proxied any;
    gzip_buffers 16 8k;

    limit_req_zone $binary_remote_addr zone=one:10m rate=1r/s; #enables a request limit, so each IP address accessing your server can only make 1 request per second, it's useful for preventing request floods
	    
	# Redirect HTTP to HTTPS for Emby subdomain
    server {
        listen 80;
	listen [::]:80;
        server_name emby.mydomain.com;	#Update with your domain
        return 301 https://$host$request_uri;
    }

    # HTTPS server block for Emby subdomain
    server {
        listen 443 ssl;
	listen [::]:443 ssl;
        server_name emby.mydomain.com;  #Update with your domain

        ssl_certificate      /usr/local/etc/nginx/ssl/sslcert.crt;	#Update with your ssl certificate file
        ssl_certificate_key  /usr/local/etc/nginx/ssl/sslcertkey.key;	#Update with your ssl certificate file
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.3;	#Force TLS v1.2 and higher
        ssl_session_cache    shared:SSL:1m;
        ssl_ciphers 'TLS13-AES-256-GCM-SHA384:TLS13-CHACHA20-POLY1305-SHA256:TLS13-AES-128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
        ssl_prefer_server_ciphers  on;

        ssl_stapling on;
        ssl_stapling_verify on;
        resolver 8.8.8.8 8.8.4.4;

        # Security headers for Emby
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";  #replace with your root domain (ie google.com) and your subdomain (ie emby.google.com)
        proxy_hide_header X-Powered-By;
        add_header Content-Security-Policy "upgrade-insecure-requests";

        location / {
            proxy_pass http://127.0.0.1:8096; # Adjust as per your Emby server IP and port

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $http_CF_Connecting_IP;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # WebSocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

 

 

Edited August 2, 2025 by M1tch

[pwhodges 2012]

You defined both your base domain and the subdomain as pointing to the server, so it's no big surprise that both work.  If you want to use just the subdomain, remove the AAAA record for the main domain (it doesn't need one unless you're using it for something), and change the domain in the Emby setup to be the subdomain (i.e. the actual domain you use to access Emby - note that technically, subdomains are domains, adding "sub" is just a reminder to yourself).

But I don't use nginx, so I don't know why it worked with no server_name directive for the base domain in the configuration.

Paul

[Shiroyama 1]

I am using NPM on LAN only, are these settings relevant in LAN or are they required for WAN access specifically?

[weble 19]

7 minutes ago, Shiroyama said:

I am using NPM on LAN only, are these settings relevant in LAN or are they required for WAN access specifically?

It’s got some optimizations for Emby in the config. Honestly if you’re only using it local and don’t have issues, you should be fine leaving it as is. Just make sure you have websocket support turned on. 

If you do take this online one day, consider that NPM has some exploits unpatched and you may want to look into something else like NPM plus which is a fork, or Trafik / caddy if your using docker, or regular nginx (even in a docker container).