Emby to advertise HTTPS when on NGINX


UPDATE - March 2018

The instructions below are now obsolete. There is now a Option within Emby Server > Advanced to automatically configure Emby to advterise itself at HTTPS when going through a Reverse Proxy.

Secure Connection mode needs to be set to 'Handled By Reverse Proxy'

enter image description here

OLD Method Below

If you run Emby behind NGINX, then you would normally Connect to NGINX with HTTPS then NGINX will forward the request over your LAN using HTTP. This prevents double de-crypt/encrypt which uses more CPU cycles.

However if you use Emby Connect or Alexa for Emby then you will probably have noticed that on the Emby Server Dashboard is displays your external connection as HTTP and using port 80, which means Alexa wont work as it requires HTTPS on port 443.

So rather than create a double de-crypt/encrypt scenario we can edit the Emby system.xml file which fakes emby into advertising its external connections on HTTPS and port 443.

First we do need to create a real .pfx cert with a password. There are 2 ways to create a SSL cert:-

  1. Zero SSL Tool Uses an automated tool.
  2. DNS Verification Uses manual TXT records on your DNS.

Once you have that. Head over to your Emby Dashboard and go to Advanced.

Change your settings like the image below Emby Settings

Public HTTP - 80
Public HTTPS - 443
External Domain - your emby subdomain
SSL Certificate - point it to your .pfx
Certificate password - your .pfx password

Save and Restart Emby.

Now head to your emby server install location. Normally on windows its C:\Users\%username%\AppData\Roaming\Emby-Server\config

open up system.xml in notepad or notepad++ and look for the line


change false to true


save and then restart emby again.

Your emby dashboard should now be advertising https:// on port 443.

SSL Config For NGINX

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;

proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";