Emby to advertise HTTPS when on NGINX

If you run Emby behind NGINX, you would normally connect to NGINX with HTTPS and NGINX then forwards the request over your LAN using HTTP. This avoids a double decrypt/encrypt, which costs extra CPU cycles.

However, if you use Emby Connect or Alexa for Emby, you will probably have noticed that the Emby Server dashboard displays your external connection as HTTP on port 80, which means Alexa won't work, as it requires HTTPS on port 443.

So rather than create a double decrypt/encrypt scenario, we can edit Emby's system.xml file, which makes Emby advertise its external connections on HTTPS and port 443.

First we need to create a real .pfx certificate with a password. There are two ways to create an SSL certificate:

  1. ZeroSSL Tool - uses an automated tool.
  2. DNS Verification - uses manual TXT records on your DNS.

Once you have that, head over to your Emby dashboard and go to Advanced.

Change your settings as follows:

Public HTTP - 80
Public HTTPS - 443
External Domain - your emby subdomain
SSL Certificate - point it to your .pfx
Certificate password - your .pfx password
Require HTTPS - UNTICKED!

Save and Restart Emby.

Now head to your Emby server install location. On Windows this is normally C:\Users\%username%\AppData\Roaming\Emby-Server\config

Open system.xml in Notepad or Notepad++ and look for the line

<EnableHttps>false</EnableHttps>

Change false to true:

<EnableHttps>true</EnableHttps>

Save the file and then restart Emby again.

Your Emby dashboard should now be advertising https:// on port 443.
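As an added example, not code from the original post or from Emby, this Python script makes the system.xml change above with a backup and warns when the other settings differ from the dashboard values listed earlier. Only the <EnableHttps> element comes from this page; the PublicPort, PublicHttpsPort and RequireHttps element names are assumptions.

```python
"""Flip <EnableHttps> to true in Emby's system.xml (keeping a backup) and warn
when related settings disagree with the values used in this guide."""
from __future__ import annotations

import shutil
import xml.etree.ElementTree as ET
from pathlib import Path

# Assumed element names; only <EnableHttps> is confirmed by the guide above.
# RequireHttps must stay false, otherwise the plain-HTTP hop from NGINX breaks.
EXPECTED = {"PublicPort": "80", "PublicHttpsPort": "443", "RequireHttps": "false"}


def set_enable_https(xml_text: str) -> tuple[str, list[str]]:
    """Return (updated XML, warnings). Raises if <EnableHttps> is missing."""
    root = ET.fromstring(xml_text)
    node = root.find("EnableHttps")
    if node is None:
        raise ValueError("no <EnableHttps> element in system.xml")
    node.text = "true"

    warnings = []
    for name, expected in EXPECTED.items():
        el = root.find(name)
        if el is None:
            continue  # other Emby builds may not carry this element
        actual = (el.text or "").strip().lower()
        if actual != expected:
            warnings.append(f"{name} is {actual!r}, this guide expects {expected}")
    return ET.tostring(root, encoding="unicode"), warnings


def update_system_xml(path: Path) -> list[str]:
    """Back up system.xml next to itself, rewrite it, and return any warnings."""
    backup = path.with_name(path.name + ".bak")
    shutil.copy2(path, backup)  # restore this if Emby refuses to start afterwards
    new_xml, warnings = set_enable_https(path.read_text(encoding="utf-8"))
    path.write_text('<?xml version="1.0" encoding="utf-8"?>\n' + new_xml, encoding="utf-8")
    return warnings


# Constructed sample resembling the relevant part of system.xml.
SAMPLE_XML = """<?xml version="1.0" encoding="utf-8"?>
<ServerConfiguration>
  <EnableHttps>false</EnableHttps>
  <RequireHttps>true</RequireHttps>
  <PublicPort>80</PublicPort>
  <PublicHttpsPort>443</PublicHttpsPort>
</ServerConfiguration>
"""

if __name__ == "__main__":
    updated, warns = set_enable_https(SAMPLE_XML)
    print(updated)
    for w in warns:
        print("WARNING:", w)
```

Run update_system_xml(Path(r"C:\Users\<you>\AppData\Roaming\Emby-Server\config\system.xml")) with Emby stopped, then restart it.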

SSL Config For NGINX

ssl_session_timeout 30m;
# TLSv1 and TLSv1.1 are deprecated (RFC 8996); keep only TLSv1.2 unless an old client still needs them.
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
# DH+3DES is a 64-bit block cipher (Sweet32); it is only worth keeping for legacy clients.
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

# add_header directives from this file are inherited only by server/location blocks that set
# no add_header of their own, so repeat them wherever you add extra headers.
proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff" always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
# Current browsers ignore ALLOW-FROM; the CSP frame-ancestors list above is what they enforce.
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";

Unifi Firewall Logging with syslog


How to enable syslogging of the Unifi firewall.

It's fairly easy to enable syslog in the Unifi Controller, but logging blocked or dropped traffic at the firewall needs a few extra steps. By default anything blocked by the firewall isn't logged.

Unifi config.json

The Unifi USG comes with pre-defined firewall rules. We need to edit these rules, which can be done on the USG from the command line; the change also needs a JSON file to persist across a reboot or re-provision. We also need to create some new rules and enable a syslog server.

First we need a syslog server. For this example I will use Kiwi Syslog, which is free.


Download here

Install it to an easy-to-find location and run the console; we will come back to configure it later.

Log in to your Unifi controller, go to Settings, enable remote logging and enter the IP of the Kiwi syslog server; the default port is normally 514.


Now go to Routing & Firewall and select Firewall.

We need to create two new rules, both identical: one in WAN_LOCAL and the other in WAN_IN.

New rule

Name - LAST - default drop and log
Enabled - ON
After pre-defined rules
Drop
All
Advanced - Enable Logging
Tick New, Established, Related, Invalid
Don't match on IPsec
Leave the rest at the defaults


Next we need to change the pre-defined firewall rules on the USG so that they also log.

SSH onto your USG, log in and run:

configure
set firewall name WAN_LOCAL rule 3002 log enable
set firewall name WAN_IN rule 3002 log enable
commit
save

Next we need to configure Kiwi to capture the logs.

More to come soon

The next part is optional. The syslog entries in Kiwi contain a lot of information, but on their own they don't mean much to us. I recommend using something like Sumo Logic to collect, parse and visualize the data.

Below is a screenshot of my dashboard. It displays the number of blocked connections by geo-location, a list of the top 10 blocked IPs, the total number of blocked requests over 24 hours and finally a graph of the number of blocked connections in 30 minute increments. These numbers come from the firewall rule [WAN_LOCAL-4000-D].
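As an added example (not from the original post or from Ubiquiti), this Python script summarises dropped-packet syslog lines the way the dashboard above does: total blocked, top blocked sources, blocked ports and counts per 30 minutes. The sample lines are constructed and assume the USG ships its kernel firewall log in the usual iptables key=value layout behind the [RULESET-INDEX-ACTION] tag.

```python
"""Summarise USG firewall drop logs: totals, top sources, ports, 30-minute buckets.
Assumes raw syslog lines as forwarded by the USG (timestamp, host, 'kernel:',
then the [RULESET-INDEX-ACTION] tag and iptables-style KEY=value fields)."""
import json
import re
from collections import Counter
from datetime import datetime

RULE_TAG = re.compile(r"\[(?P<ruleset>[A-Z_]+)-(?P<index>\d+)-(?P<action>[A-Z])\]")
KV = re.compile(r"\b(?P<key>[A-Z]+)=(?P<value>\S*)")
SYSLOG_TS = re.compile(r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2})\s")

# Constructed sample: three drops by the "LAST" rule (index 4000) in WAN_LOCAL,
# one in WAN_IN, and one accept (A) by a pre-defined rule that must be ignored.
SAMPLE_LOG = """\
Jan 10 12:00:01 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=240 ID=54321 PROTO=TCP SPT=43210 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:07:45 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=198.51.100.7 DST=203.0.113.2 LEN=40 TTL=240 ID=54322 PROTO=TCP SPT=43211 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Jan 10 12:31:02 usg kernel: [WAN_IN-4000-D]IN=eth0 OUT=eth1 MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.55 DST=192.168.1.20 LEN=60 TTL=52 ID=7 PROTO=UDP SPT=5353 DPT=5060
Jan 10 12:45:10 usg kernel: [WAN_LOCAL-3001-A]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=192.0.2.9 DST=203.0.113.2 LEN=52 TTL=57 ID=9 PROTO=TCP SPT=443 DPT=51000 WINDOW=501 RES=0x00 ACK URGP=0
Jan 10 12:59:59 usg kernel: [WAN_LOCAL-4000-D]IN=eth0 OUT= MAC=00:11:22:33:44:55:66:77:88:99:aa:bb:08:00 SRC=203.0.113.99 DST=203.0.113.2 LEN=84 TTL=48 ID=11 PROTO=ICMP TYPE=8 CODE=0
"""


def parse_line(line: str):
    """Return a dict for a firewall log line, or None if the line is not one."""
    tag = RULE_TAG.search(line)
    ts = SYSLOG_TS.match(line)
    if not tag or not ts:
        return None
    # syslog timestamps carry no year; strptime defaults to 1900, fine for bucketing
    event = {"ts": datetime.strptime(ts.group("ts"), "%b %d %H:%M:%S"), **tag.groupdict()}
    event.update((m.group("key"), m.group("value")) for m in KV.finditer(line[tag.end():]))
    return event


def bucket_30min(ts: datetime) -> str:
    return ts.replace(minute=ts.minute - ts.minute % 30, second=0).strftime("%b %d %H:%M")


def summarize(log_text: str, action: str = "D") -> dict:
    """Aggregate events with the given action letter (D=drop, A=accept, R=reject)."""
    events = [e for e in map(parse_line, log_text.splitlines()) if e and e["action"] == action]
    return {
        "total": len(events),
        "top_src": Counter(e.get("SRC") for e in events).most_common(10),
        "top_dst_port": Counter(f'{e.get("PROTO")}/{e["DPT"]}'
                                for e in events if "DPT" in e).most_common(10),
        "by_rule": dict(Counter(f'{e["ruleset"]}-{e["index"]}-{e["action"]}' for e in events)),
        "per_30min": dict(sorted(Counter(bucket_30min(e["ts"]) for e in events).items())),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_LOG), indent=2))
```

Feed it the text Kiwi writes to disk to get the same counts the Sumo Logic dashboard shows.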


Head over to the next guide, "Syslog to SumoLogic", to set up the visualization of the logs.

Disable Wifi on Sonos Devices


Disabling the WiFi Link on a Sonos Music Player

SonosNet

All Sonos players attempt to establish a peer-to-peer wireless mesh network known as SonosNet as soon as they are powered up. While this is convenient, there are several situations in which turning off this WiFi connection makes sense:

  • You own a single player that you connected directly to your home router with an Ethernet cable. You don't need the built-in SonosNet, so why not deactivate it to reduce power consumption and electromagnetic radiation.
  • SonosNet relies on the spanning tree protocol (STP) to function properly, so if your other network equipment doesn't support it, your entire network will be overloaded by broadcast storms and crash frequently. Instead of upgrading your network it is much easier and cheaper to eliminate the source of the problem.
  • You're worried about WiFi-jacking. Why leave a backdoor in your network that can't be strongly secured?

It is possible to switch the wireless adapter of each Sonos player on or off individually. Here's how, in 3 simple steps.

Step 1: Finding the IP address of the device

From the Sonos controller, click on the "about my sonos system" menu. You should see something like this:

PLAY:5: Bedroom
Serial Number: 00-0E-58-2D-B0-C3:3 
Version: 4.2 (build 24071060) 
Hardware Version: 1.16.4.1-1 
IP Address: 192.168.1.27 
OTP: 1.1.1(1-16-4-zp5s-0.5)

In the example above, the address is 192.168.1.27. We'll refer to it as <sonos_ip> in the rest of this article.

Step 2: Checking the status of the Wifi link

Sonos provides a little-known status page on port 1400 of their players that you can access from any web browser at the following URL:

http://<sonos_ip>:1400/status/ifconfig

The page lists the player's network interfaces. The entries labelled 'eth0' and 'eth1' correspond to the two wired ports. The 'lo' and 'br0' interfaces are virtual networking devices used internally by the Linux kernel. The entry we're interested in is labelled 'ath0', which stands for Atheros device 0; Atheros is the manufacturer of the embedded WiFi chip.

Step 3: Disabling the link

To disable the WiFi link start by issuing the following HTTP request:

http://<sonos_ip>:1400/wifictrl?wifi=off

You should get the following answer:

wifictrl request succeeded HTTP 200 OK

You can also check that the link has indeed been disabled by going back to the status page. The 'ath0' entry should not be present anymore. The setting is not persistent, so if you happen to be unable to connect to your player after disabling the WiFi you can undo the change by power cycling the player.

If you want to disable the WiFi link for good, simply issue the following HTTP request:

http://<sonos_ip>:1400/wifictrl?wifi=persist-off

The change will now be preserved even after an upgrade. If you ever need to connect the player wirelessly in the future you can turn the WiFi back on as follows:

http://<sonos_ip>:1400/wifictrl?wifi=on
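As an added example (not from the original article or from Sonos), this Python script checks a list of players for the 'ath0' entry on the status/ifconfig page and can issue the wifictrl requests above. The sample page is constructed and assumes the classic ifconfig "Link encap" layout; fetch_ifconfig, set_wifi and audit are hypothetical helper names.

```python
"""Audit which Sonos players still have their WiFi link (ath0) up, using the
status/ifconfig page on port 1400, and switch it via the wifictrl URL."""
from __future__ import annotations

import re
import urllib.request

# Interface names sit at the start of a line followed by "Link encap" (busybox ifconfig layout).
IFACE_LINE = re.compile(r"^(?P<name>[A-Za-z]+\d*(?:\.\d+)?)\s+Link encap", re.MULTILINE)

# Constructed excerpt; the real page wraps fuller ifconfig output in HTML.
SAMPLE_IFCONFIG = """\
<html><body><pre>
lo        Link encap:Local Loopback
          inet addr:127.0.0.1  Mask:255.0.0.0
eth0      Link encap:Ethernet  HWaddr 00:0E:58:2D:B0:C3
eth1      Link encap:Ethernet  HWaddr 00:0E:58:2D:B0:C4
br0       Link encap:Ethernet  HWaddr 00:0E:58:2D:B0:C3
          inet addr:192.168.1.27  Bcast:192.168.1.255  Mask:255.255.255.0
ath0      Link encap:Ethernet  HWaddr 00:0E:58:2D:B0:C5
</pre></body></html>
"""
# Same player after wifictrl?wifi=off: the ath0 entry is gone.
SAMPLE_IFCONFIG_OFF = "\n".join(l for l in SAMPLE_IFCONFIG.splitlines() if not l.startswith("ath0"))


def interfaces(ifconfig_text: str) -> list[str]:
    """Interface names in the order the page lists them."""
    return IFACE_LINE.findall(ifconfig_text)


def wifi_enabled(ifconfig_text: str) -> bool:
    """The Atheros radio only shows up as ath0 while the WiFi link is on."""
    return "ath0" in interfaces(ifconfig_text)


def _get(url: str, timeout: float = 5.0) -> str:
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.read().decode("utf-8", "replace")


def fetch_ifconfig(ip: str) -> str:
    return _get(f"http://{ip}:1400/status/ifconfig")


def set_wifi(ip: str, mode: str) -> str:
    """mode is 'off', 'persist-off' or 'on', exactly as in the URLs above.
    Plain 'off' is undone by a power cycle, which is the safe first step."""
    if mode not in ("off", "persist-off", "on"):
        raise ValueError(f"unknown wifi mode {mode!r}")
    return _get(f"http://{ip}:1400/wifictrl?wifi={mode}")


def audit(players: dict[str, str]) -> dict[str, bool]:
    """Map player name -> True if its WiFi link is still enabled."""
    return {name: wifi_enabled(fetch_ifconfig(ip)) for name, ip in players.items()}


if __name__ == "__main__":
    print(interfaces(SAMPLE_IFCONFIG), wifi_enabled(SAMPLE_IFCONFIG))
    # Live use, wired players only: print(audit({"Bedroom": "192.168.1.27"}))
```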

Impact on power consumption

I measured the power consumption of several players with a wattmeter accurate to +/- 0.5 W. Turning off the WiFi link reduces the power consumption of the players by about 2 W. Here are the results measured with the players idle:

Play:5 - WiFi on = 6.5 W, WiFi off = 4.5 W
Connect - WiFi on = 4 W, WiFi off = 2 W

Unifi Sonos and VLANs


For the security conscious out there, you may have split your home network up into VLANs. If you've found this page by searching then you probably already know what a VLAN is and what it is for.

At home I have split my network into 4 VLANs:

VLAN1 - main data VLAN for all my devices
VLAN40 - VLAN for guests to use
VLAN60 - security VLAN: CCTV, alarms etc.
VLAN80 - IoT devices: Z-Wave, Zigbee, Sonos, home automation etc.

The idea of keeping IoT devices on a separate VLAN from other devices is mainly for security. Most IoT devices are easily hackable, and if that happens they will only be able to reach devices on VLAN80 and not my other devices.

Anyway this post will explain how to get the Sonos devices on VLAN80 to communicate with the controllers (iPhone, iPad, PC) on VLAN1.

With Unifi we need to enable igmp-proxy. To set it up, SSH onto the USG and enter the following commands:

configure
edit protocols igmp-proxy
set interface eth1.80 role downstream
set interface eth1.80 threshold 1
set interface eth1 role upstream
set interface eth1 threshold 1
show
exit
commit
save

eth1.80 = the VLAN of the Sonos devices (IoT)
eth1 = VLAN1, the main data VLAN with the Sonos controllers on.

I recommend restarting the igmp-proxy service on the USG. To do so enter the command

restart igmp-proxy

Now it is set, you will have to re-configure the Sonos devices with the controller.

With Unifi, CLI changes aren't persistent across a re-provision. To make the changes stick we need to use a config.gateway.json file.

Its location is

C:\users\%username%\Ubiquiti Unifi\data\sites\default\

Edit the config.gateway.json file and enter the below:

{
    "protocols": {
        "igmp-proxy": {
            "interface": {
                "eth1": {
                    "role": "upstream",
                    "threshold": "1"
                },
                "eth1.80": {
                    "role": "downstream",
                    "threshold": "1"
                }
            }
        },
        "static": {
            "interface-route": {
                "0.0.0.0/0": {
                    "next-hop-interface": {
                        "pppoe0": {
                            "distance": "1"
                        }
                    }
                }
            }
        }
    }
}

Obviously, change the VLAN numbers to whatever yours are.
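As an added example (not from the original post or from Ubiquiti), this Python script builds the igmp-proxy stanza for your own upstream interface and VLAN numbers and merges it into an existing config.gateway.json without dropping other keys, such as the static route in the file above. It goes beyond the single VLAN shown by accepting several downstream VLANs; igmp_proxy_stanza, merged_config and igmp_interfaces are hypothetical helper names.

```python
"""Generate and merge the igmp-proxy part of config.gateway.json.
Roles and thresholds are the values used in the guide above."""
from __future__ import annotations

import json
from pathlib import Path


def igmp_proxy_stanza(upstream: str, vlans: list[int]) -> dict:
    """upstream is the controllers' interface (eth1 above); vlans are the tagged
    sub-interfaces holding the players (80 above -> eth1.80)."""
    interfaces = {upstream: {"role": "upstream", "threshold": "1"}}
    for vlan in vlans:
        interfaces[f"{upstream}.{vlan}"] = {"role": "downstream", "threshold": "1"}
    return {"protocols": {"igmp-proxy": {"interface": interfaces}}}


def deep_merge(base: dict, extra: dict) -> dict:
    """Recursively merge extra into base; leaves from extra win on conflict."""
    for key, value in extra.items():
        if isinstance(value, dict) and isinstance(base.get(key), dict):
            deep_merge(base[key], value)
        else:
            base[key] = value
    return base


def merged_config(existing_json: str, upstream: str, vlans: list[int]) -> str:
    """Return the JSON text of existing_json with the igmp-proxy stanza merged in."""
    cfg = json.loads(existing_json) if existing_json.strip() else {}
    deep_merge(cfg, igmp_proxy_stanza(upstream, vlans))
    return json.dumps(cfg, indent=4)


def igmp_interfaces(config_json: str) -> dict:
    """The igmp-proxy interface map from a config.gateway.json string ({} if absent)."""
    return json.loads(config_json).get("protocols", {}).get("igmp-proxy", {}).get("interface", {})


def update_file(path: Path, upstream: str, vlans: list[int]) -> None:
    """Merge into the file in place (creating it if missing); re-provision the USG afterwards."""
    existing = path.read_text(encoding="utf-8") if path.exists() else ""
    path.write_text(merged_config(existing, upstream, vlans) + "\n", encoding="utf-8")


# Constructed existing file carrying only the static route from the example above.
EXISTING = """{
    "protocols": {
        "static": {
            "interface-route": {
                "0.0.0.0/0": {"next-hop-interface": {"pppoe0": {"distance": "1"}}}
            }
        }
    }
}"""

if __name__ == "__main__":
    print(merged_config(EXISTING, "eth1", [80]))
```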

Troubleshooting

OK, well, this didn't really work straight away for me.

To check that igmp is working you can issue the following commands

show ip multicast mfc

and

show ip multicast interfaces 

This should show any multicast data, its source and where it is going.

On the top half you can see the source and that some data is going from eth1 to eth1.80. However, with the command show ip multicast interfaces you can see that no multicast data is coming into the eth1.80 interface; it seems to be going out on eth1 and into eth1.60. To resolve this I had to issue the restart igmp-proxy command to restart the service. A USG re-provision didn't work.

Unifi Portal - Responsive Design

By default the Unifi guest/hotspot portal is a fixed-layout webpage. Today's standards call for a responsive design, and with a little tweaking we can achieve it.

First we need to browse to the location of our Unifi Controller. On Windows it is normally located at

C:\Users\Swynol\Ubiquiti UniFi

Head deeper into the folder at the path below

C:\Users\Swynol\Ubiquiti UniFi\data\sites\default\app-unifi-hotspot-portal

We now need to add a new CSS file.

Open Notepad or Notepad++ and paste in the following:

html {
    background: url(/guest/s/default/portalfile/58b4ac1420c21de2551c3c24?portalfile=true) no-repeat center center fixed;
    -webkit-background-size: cover;
    -moz-background-size: cover;
    -o-background-size: cover;
    background-size: cover;
}

Save it as 'background.css' in the css folder at the location above.

We now need to edit the index.html file (right click, open with Notepad) and add the line below to the head section of the file:

<link href="css/background.css" rel="stylesheet">

It should now look like this:

<!DOCTYPE html>
<html lang="en" ng-controller="MainController as mainCtrl">
  <head>
    <meta charset="utf-8">
    <title unifi-portal-custom-title></title>
    <meta name="viewport" content="width=device-width, initial-scale=1">
    <link rel="apple-touch-icon-precomposed" href="images/favicons/favicon-152.png">
    <meta name="msapplication-TileColor" content="#0193d7">
    <meta name="msapplication-TileImage" content="images/favicons/favicon-144.png">
    <link rel="apple-touch-icon-precomposed" sizes="152x152" href="images/favicons/favicon-152.png">
    <link rel="apple-touch-icon-precomposed" sizes="144x144" href="images/favicons/favicon-144.png">
    <link rel="apple-touch-icon-precomposed" sizes="120x120" href="images/favicons/favicon-120.png">
    <link rel="apple-touch-icon-precomposed" sizes="72x72" href="images/favicons/favicon-72.png">
    <link rel="apple-touch-icon-precomposed" href="images/favicons/favicon-57.png">
    <link rel="icon" href="images/favicons/favicon-32.png" sizes="32x32">
    <link href="fonts/1.3.2/lato/style.css" rel="stylesheet">
    <link href="fonts/1.3.2/ubnt-icon/style.css" rel="stylesheet">
    <link href="css/app.css?v=1.3.2" rel="stylesheet">
    <link href="css/background.css" rel="stylesheet">
    <script src="config/config.js?v=1.3.2"></script>
    <script src="js/vendor.js?v=1.3.2"></script>
    <script src="js/components.js?v=1.3.2"></script>
    <script src="js/main.js?v=1.3.2"></script>
  </head>

Save it.

And that's it, all done.

NGINX Config

worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
    ## End: Timeouts ##



## Default Listening ##

    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;

        return 301 https://$host$request_uri;
    }

## Organizr ##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name home.mydomain.media mydomain.media;

        include ssl.conf;

        location ^~ /.well-known/acme-challenge/ {
        }

        location / {
            root html\Organizr;
            index index.php index.html index.htm;
        }

        location ~ \.php$ {
            root           html\Organizr;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  E:/NGINX/html$fastcgi_script_name;
            include        fastcgi_params;
            # $http_x_real_ip is whatever the client put in X-Real-IP and can be forged;
            # use $remote_addr here unless a trusted proxy in front of NGINX sets that header.
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
        }
    }



##EMBY Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name emby.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:8096;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##Sophos UTM##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name sophos.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass https://192.168.10.8:4444;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }


##Sonarr Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name sonarr.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:8989;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##Radarr Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name radarr.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:7878;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##NZB Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name nzb.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:6792;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }



##Plex Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name plex.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:32400;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##Unifi Server##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name unifi.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass https://127.0.0.1:8443;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /inform/ {
            proxy_pass https://127.0.0.1:8080;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##Unifi Guest Portal##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name guest.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass https://127.0.0.1:8843;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
        }

        location /ws/ {
            proxy_pass https://127.0.0.1:8843/ws/;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            add_header X-Xss-Protection "1; mode=block" always;
            add_header X-Content-Type-Options "nosniff" always;
            add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
            add_header X-Frame-Options "SAMEORIGIN" always;
            add_header 'Referrer-Policy' 'no-referrer';
            add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }



##CCTV Server##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name cctv.mydomain.media;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      E:\le64\Domain.crt;
        ssl_certificate_key  E:\le64\Domain.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        location / {
            proxy_pass http://192.168.60.10:8099;
            ##proxy_pass http://192.168.60.10:8099/ui3beta/ui3.htm; ##
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }



##Heating##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name heat.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://192.168.80.9:80;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_http_version 1.1;
            proxy_set_header Connection "";
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##uTorrent##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name utorrent.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:7070/;

            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_redirect  off;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_pass_header Set-Cookie;
            proxy_pass_header P3P;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }


#PRTG Stats Map##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name stats.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:8081;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location /public/stats {
            proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2069&mapid=1;
        }
        location /public/status {
            proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2155&mapid=1EC016F4-43DC-44FD-A4F1-E10033FBD0CB;
        }
        location /public/topology {
            proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2283&mapid=73F695B6-6CDE-4CD5-BB34-BD40DCD6192D;
        }

        ##HDD TEMPs##
        location /hdd/ {
            proxy_pass http://127.0.0.1:8929/status;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location ^~ /.well-known/acme-challenge/ {
        }

        ##NGINX Status##
        location /nginx_status {
            # Turn on stats
            # This is reachable from the internet on this vhost; an allow/deny list
            # limits who can read the connection counters.
            stub_status on;
            access_log   off;
        }
    }

##Webpage##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name www.mydomain.media;

        include ssl.conf;

        location / {
            root   html\AwelSwynol;
            index  index.html index.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

## Blog ##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name blog.mydomain.media;

        index index.php;

        include ssl.conf;

        location ^~ /.well-known/acme-challenge/ {
        }

        location ~ /config/ {
            root html\Blog;
            deny all;
        }

        location / {
            root html\Blog;
            try_files $uri $uri/ /index.php?$args;
        }

        location ~ \.php$ {
            root html\Blog;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME   E:/NGINX/html$fastcgi_script_name;
            include        fastcgi_params;
            # $http_x_real_ip is taken from the client's own X-Real-IP header and can be forged;
            # use $remote_addr unless a trusted proxy in front of NGINX sets that header.
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
        }
    }


##HA-Bridge##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name smartthings.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://192.168.10.10:82;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

##Ombi##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name ombi.mydomain.media;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:5000;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header X-Forwarded-Host $server_name;
            proxy_set_header X-Forwarded-Ssl on;
            proxy_read_timeout  90;
            # the original had "http:/127.0.0.1:5000" (single slash), which never matches a Location header
            proxy_redirect http://127.0.0.1:5000 https://$host;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

#404 ERROR##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name update.mydomain.media requests.mydomain.media esxi.mydomain.media;

        include ssl.conf;

        location ^~ /.well-known/acme-challenge/ {
        }

        location / {
            index  50x.html 50x.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }
    }
}

ZeroSSL - Windows Tool

I have posted previously about getting an SSL certificate for your own domain name. Previous post here.

This post will demonstrate gaining a cert using a Windows Tool. The tool is available from ZeroSSL here.

ZeroSSL Tool

Download the file that matches your system, x32 or x64. Unzip it and you should see a single file called le64.exe

NGINX Config & File Structure

To get the tool to fetch certificates automatically we need to amend the NGINX config slightly.

We need to add the following block to each server block:

    location ^~ /.well-known/acme-challenge/ {
    }

Here is my Emby block with the location added:

##EMBY Server##

    server {
        listen [::]:443 ssl http2;
        listen 443 ssl http2;
        server_name emby.mydomain.com;

        include ssl.conf;

        location / {
            proxy_pass http://127.0.0.1:8096;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            proxy_buffering off;
        }

        location ^~ /.well-known/acme-challenge/ {
        }
    }

The extra location lets the ACME challenge verify that you own the domain you are requesting a certificate for. It needs to be added to every server block for it to work.

Save the config and restart NGINX

LE64.exe

Next we need to run le64.exe from the command line with our own arguments.

In your command prompt, change to the directory where you extracted le64.exe:

CD C:\le64\

Now run the following command

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge

There are a few options you need to change:

  • --email "[email protected]" - your email address, keeping the ""
  • --domains "mydomain.com,emby.mydomain.com" - list every name you want the certificate to cover, comma separated (the CA caps the number of names per certificate; Let's Encrypt allows 100)
  • --path E:\NGINX\html\.well-known\acme-challenge - change E:\NGINX to your NGINX location, keeping the html\.well-known\acme-challenge part

When you hit enter it tests your setup for the correct files and config against the CA's staging environment: it goes through the whole challenge and issues a test certificate that no browser will trust. If this completes with no errors, add the argument --live to the end of the command above, like so:

le64.exe --key account.key --email "[email protected]" --csr domain.csr --csr-key domain.key --crt domain.crt --domains "mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com" --generate-missing --unlink --path E:\NGINX\html\.well-known\acme-challenge --live

Hit enter and it will fetch your real certificate. Note that only domain.crt comes from the CA; --generate-missing creates account.key, domain.key and domain.csr locally in the le64 folder on the first run. account.key and domain.key are private keys: account.key is your identity with the CA and domain.key is the key your certificate binds to, so keep them out of any web-served folder and readable only by administrators. Keep domain.csr and account.key; you will need them for renewal.

Once this is set up, renewal is just re-running the --live command above and reloading NGINX.
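The renewal step above, done as a script rather than by hand. This is an added example, not part of the original post or of the ZeroSSL tool: it locks down the two private keys, checks how long the current certificate has left, re-runs le64 with --live only when renewal is due, and reloads NGINX. It assumes le64.exe and its files are in C:\le64, NGINX is installed in E:\NGINX (so the challenge path matches the default document root), and the domain list, email and renewal threshold shown are placeholders to replace.

```powershell
# Added example (not from the original post or the ZeroSSL tool): renew with le64 only when
# the current certificate is close to expiry, then reload NGINX.
# Assumptions: le64.exe and its files live in C:\le64; nginx.exe lives in E:\NGINX and serves
# E:\NGINX\html as its document root; the values below are placeholders.
$Le64Dir   = 'C:\le64'
$NginxDir  = 'E:\NGINX'
$Domains   = 'mydomain.com,emby.mydomain.com,www.mydomain.com,plex.mydomain.com'
$Email     = 'you@example.com'   # replace with your address
$RenewDays = 30                  # renew when fewer than this many days remain

Set-Location $Le64Dir

# 1. Lock down the private keys the tool generated: readable by SYSTEM and Administrators only.
#    account.key identifies you to the CA; domain.key is the key your certificate binds to.
foreach ($keyFile in 'account.key', 'domain.key') {
    if (Test-Path $keyFile) {
        icacls $keyFile /inheritance:r /grant:r 'SYSTEM:(F)' 'BUILTIN\Administrators:(F)' | Out-Null
    }
}

# 2. Read the current certificate (a PEM .crt loads via X509Certificate2) and check its expiry.
$needRenew = $true
if (Test-Path 'domain.crt') {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2('domain.crt')
    $daysLeft = ($cert.NotAfter - (Get-Date)).Days
    Write-Host "Current certificate for $($cert.Subject) expires in $daysLeft days"
    $needRenew = $daysLeft -lt $RenewDays
}

if (-not $needRenew) {
    Write-Host 'Certificate is not due for renewal; nothing to do'
    return
}

# 3. Re-run le64 exactly as in the guide, with --live (without it you get a staging certificate).
& .\le64.exe --key account.key --email $Email --csr domain.csr --csr-key domain.key `
    --crt domain.crt --domains $Domains --generate-missing --unlink `
    --path "$NginxDir\html\.well-known\acme-challenge" --live
if ($LASTEXITCODE -ne 0) { throw "le64 failed with exit code $LASTEXITCODE" }

# 4. Reload NGINX so the new certificate is served without dropping existing connections.
Push-Location $NginxDir
& .\nginx.exe -s reload
Pop-Location
Write-Host 'Renewed and reloaded'
```

Run it from an elevated PowerShell prompt (icacls needs to change the ACLs) and schedule it daily with Task Scheduler; because of the expiry check it only talks to the CA when a renewal is actually due, which keeps you clear of the CA's rate limits. If your NGINX ssl_certificate directive points at a copy of domain.crt elsewhere, copy the new file there before the reload.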

NSSM - Non Sucking Service Manager

NSSM is the Non-Sucking Service Manager.

It allows you to install any application as a Windows Service.

  1. Download NSSM from https://nssm.cc/download
  2. Extract the downloaded file. You should see the folder structure below (NSSM folder).
  3. Depending on which version of Windows you are using (32-bit or 64-bit), open the relevant folder, which reveals nssm.exe.
  4. Copy nssm.exe to C:\Windows\System32
  5. Open a command prompt (Start > cmd.exe) as an administrator.
  6. Type nssm install "servicename", which opens the dialog shown in the image below (NSSM service).
  7. Fill in the details; the example above shows CCleaner. By default the service runs as the LocalSystem account, which is the most privileged account on the machine; for anything that listens on the network, use the Log on tab to run it as a dedicated low-privilege account instead.
  8. Click "Install Service".
  9. To start the service, go back to your command prompt and type "nssm start ccleaner".

  10. Alternatively you can start the service through the GUI: go to Start > Services > CCleaner > right click > Start (Start Service).

  11. To uninstall the service, open the command prompt again and this time type nssm remove ccleaner
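The same install done entirely from the command line, using NSSM's own set subcommand instead of the GUI, and with the service running under a dedicated account rather than LocalSystem. This is an added example, not from the original post or the NSSM project, and it uses NGINX as the service rather than the post's CCleaner because that is what the rest of the site runs. It assumes nssm.exe is on the PATH (copied to System32 as above), NGINX lives in E:\NGINX, and a local account named svc-nginx already exists and has been granted the "Log on as a service" right.

```powershell
# Added example (not from the original post or the NSSM project): install NGINX as a Windows
# service from the command line and run it under a low-privilege account.
# Assumptions: nssm.exe is on the PATH; NGINX lives in E:\NGINX; the local account svc-nginx
# exists and holds the "Log on as a service" right (Local Security Policy > User Rights Assignment).
$Service  = 'nginx'
$NginxDir = 'E:\NGINX'
$Account  = 'svc-nginx'

# Prompt for the service account password rather than hard-coding it in the script
$cred = Get-Credential -UserName ".\$Account" -Message "Password for the $Account service account"

# Program to run and its working directory (nginx resolves conf\ and logs\ relative to it)
nssm install $Service "$NginxDir\nginx.exe"
nssm set $Service AppDirectory $NginxDir

# Least privilege: run as the service account instead of the default LocalSystem
nssm set $Service ObjectName ".\$Account" $cred.GetNetworkCredential().Password

# Start at boot, and capture anything nginx writes to the console (its real logs go to logs\)
nssm set $Service Start SERVICE_AUTO_START
nssm set $Service AppStdout "$NginxDir\logs\service-stdout.log"
nssm set $Service AppStderr "$NginxDir\logs\service-stderr.log"

# The account needs to read the NGINX tree (config, certificates, html) and write its logs
icacls $NginxDir /grant "${Account}:(OI)(CI)(RX)" | Out-Null
icacls "$NginxDir\logs" /grant "${Account}:(OI)(CI)(M)" | Out-Null

nssm start $Service
nssm status $Service    # expect SERVICE_RUNNING

# Removal, when needed:
#   nssm stop nginx
#   nssm remove nginx confirm
```

Run this from an elevated prompt. The certificate private key that NGINX loads must be readable by svc-nginx too, so if you locked the key down to administrators only, grant that one account read access to the key file rather than loosening the ACL for everyone.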

Smartthings RGBW Controller

Smartthings Logo

Technology is progressing at a rapid rate. Home automation appeared out of nowhere but has created its own foothold in the industry. Smartthings by Samsung is a modular home automation system which produces its own products but also allows third party products to be used within its ecosystem.

RGBW lighting is big at the moment, and most RGBW controllers are fairly expensive and a little hit and miss with Smartthings.

In comes the cheap H801 wifi RGBW controller.

This little device doesn't work with SmartThings straight out of the box: it needs re-flashing with custom firmware using an FTDI USB to TTL serial board.

FTDI USB TO TTL

This post will explain how to get this to work within Smartthings.

What you need.

  1. H801 controller
  2. FTDI USB to TTL Serial board
  3. Mini USB to USB 2.0 cable
  4. Jumper Wires (4x Female to Male and 1x Male to Male)
  5. ESPeasy Flashing Software
  6. Custom Firmware
  7. SmartThings custom device handlers and SmartApp.

Some images taken from Smartthings Forums, also help and support available here - https://community.smartthings.com/t/release-smartlife-h801-rgbw-led-strip-wifi-controller-bulb/51182/360

Here is the hardware needed.

Hardware needed

Flashing the Controller

  1. Unscrew the 4 screws on the H801 controller and remove the board from the casing.

  2. When flashing the board it is recommended to power the H801 from the FTDI. For this we need to move the jumper on the FTDI board from 5V to 3.3V: the ESP8266 on the H801 is a 3.3V part and 5V on its pins will damage it.

  3. Using the 4x female to male jumpers, connect the FTDI to the H801:

     H801 Rx   to FTDI pin 2 Rx
     H801 Tx   to FTDI pin 3 Tx
     H801 3.3V to FTDI pin 4 VCC (have the FTDI power the H801 to minimise communication issues)
     H801 Gnd  to FTDI pin 6 Gnd

Also use the male to male jumper to enable flash mode on the H801 (blue cable in the picture below).

wiring

  4. Connect the USB cable from the FTDI to a laptop/PC. The board lights might flash briefly and go off; this is normal.

  5. Download and extract ESPeasy_R120. I extracted it to C:\ESPeasy_R120

  6. Download the custom firmware and place it in the ESPeasy_R120 folder.

  7. Find the COM port that the FTDI is using, in my case COM5. To find the COM port, right click My Computer > Device Manager > Ports. It is normally called USB Serial Port or USB to Serial adapter.

  8. Open a command prompt. Click Start > Run > cmd

  9. Change directory to where you extracted ESPeasy_R120. In my case: CD C:\ESPeasy_R120

  10. Enter the following command, changing COM5 to your COM port:

esptool.exe -vv -cd nodemcu -cb 115200 -cp COM5 -ca 0x00000 -cf SmartLifeRGBWController.ino.generic.bin

If successful the command prompt window fills with output and then shows a progress indicator while the image is written. Once it finishes, your device is flashed with the custom firmware.
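Steps 7 to 10 above as one script. This is an added example, not part of the original post: it finds the FTDI adapter's COM port instead of reading it off Device Manager, records the SHA-256 of the firmware image so you have a record of exactly what went onto the device (you are flashing a third-party binary downloaded from a forum), and then runs esptool with the same arguments as the guide. It assumes ESPeasy_R120 was extracted to C:\ESPeasy_R120 with the firmware file beside esptool.exe, and that the FTDI board appears in Windows as a "USB Serial Port".

```powershell
# Added example (not from the original post): locate the FTDI serial port, log the firmware hash,
# and flash the H801 with the guide's esptool command.
# Assumptions: C:\ESPeasy_R120 contains esptool.exe and the firmware; the FTDI driver registers
# the adapter as a Win32_SerialPort whose description contains "USB Serial".
$ToolDir  = 'C:\ESPeasy_R120'
$Firmware = 'SmartLifeRGBWController.ino.generic.bin'

Set-Location $ToolDir
if (-not (Test-Path $Firmware)) { throw "Firmware $Firmware not found in $ToolDir" }

# Third-party firmware: keep a record of exactly which image was written to the device
$hash = (Get-FileHash $Firmware -Algorithm SHA256).Hash
Write-Host "Flashing $Firmware (SHA-256 $hash)"

# Find the COM port. Expect exactly one FTDI adapter; bail out rather than guess otherwise.
$ports = @(Get-CimInstance Win32_SerialPort | Where-Object { $_.Description -match 'USB Serial' })
if ($ports.Count -ne 1) {
    throw "Expected one FTDI serial port, found $($ports.Count): $($ports.DeviceID -join ', ')"
}
$port = $ports[0].DeviceID    # e.g. COM5
Write-Host "Using $port ($($ports[0].Description))"

# Same command as the guide: nodemcu reset method, 115200 baud, write the image from address 0
& .\esptool.exe -vv -cd nodemcu -cb 115200 -cp $port -ca 0x00000 -cf $Firmware
if ($LASTEXITCODE -ne 0) { throw "esptool failed with exit code $LASTEXITCODE" }

Write-Host 'Flash complete. Remove the flash-mode jumper, power-cycle the H801 and look for its configuration Wi-Fi network.'
```

If esptool reports a failure, the usual causes are the flash-mode jumper not being in place before power-up, Rx/Tx swapped, or the FTDI jumper still on 5V; fix the wiring and re-run, the script is safe to repeat.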

Configuring H801.

The H801 is now flashed with the custom firmware but still needs to be configured.

  1. The H801 should now be broadcasting its own Wi-Fi network. Connect to it with the password 'configme'. This is the firmware's default password, not something unique to your unit, so anyone in range can reach the setup portal while it is up: do this step straight away and confirm the device has joined your network.

  2. You should now get a menu where you can configure the H801 to connect to your own Wi-Fi. If this doesn't show automatically, open a web browser and go to 192.168.4.1.

  3. Once it is connected to your Wi-Fi we need to head over to SmartThings to add the custom device handler and SmartApp.

Adding the H801 to Smartthings

  1. Head to the Smartthings IDE - https://graph-eu01-euwest1.api.smartthings.com/

  2. Click on 'My Device Handlers', then Settings, and add a repo:

Owner = erocm123, Git Repo = SmartThingsPublic, Branch = master

Look for the below in the right hand section

erocm123/SmartThingsPublic/blob/master/devicetypes/erocm123/smartlife-rgbw-controller.src/smartlife-rgbw-controller.groovy

erocm123/SmartThingsPublic/blob/master/devicetypes/erocm123/smartlife-rgbw-virtual-switch.src/smartlife-rgbw-virtual-switch.groovy

Tick them and then tick Publish before clicking Save.

  3. Now click on 'My SmartApps'. This time click on 'Update from Repo'. In the drop-down box, choose SmartThingsPublic (master).

Again on the right hand side look for

erocm123/SmartThingsPublic/blob/master/smartapps/erocm123/smartlife-rgbw-light-connect.src/smartlife-rgbw-light-connect.groovy

Tick the box and tick the publish box before saving.

SmartThings Mobile App

Now we need to head over to the Smartthings mobile app.

  1. Open the app and head to Automation tab then SmartApps

  2. Scroll to the bottom and + Add a SmartApp

  3. Scroll to the bottom and click 'My Apps'

  4. Choose SmartLife RGBW Light (Connect)

The two resources below can help with installation and any support required.

help video - https://www.youtube.com/watch?time_continue=268&v=3Kg_-bmBErM

help forum - https://community.smartthings.com/t/release-smartlife-h801-rgbw-led-strip-wifi-controller-bulb/51182/360