NGINX Blacklist IPs and Subnets

The ideal way to blacklist is at the router or firewall level. However there is an option to whitelist or blacklist using NGINX.

I use the following site to get a list of dodgy IP's

Copy and Paste that txt file into Notepad++

We now need to change the formatting for NGINX.

In Notepad ++ press Ctrl + H - this will open the replace menu.

enter image description here

Enter the details above.

  • Find What - ^
  • Make sure to have a space after the 'DENY'.
  • Click 'Replace All'.

And then use the details below,

enter image description here

  • Find What - $
  • Replace with - ;
  • And then 'Replace All'

Save the file as blacklist.conf and save it in the NGINX Conf folder.

Finally add this to the NGINX.conf in the HTTP Block

include blacklist.conf;

Restart NGINX and now all the IPs and Subnets listed will be blocked. Anyone trying to access your server from a blocked IP will get a HTTP 403 error, Access forbidden.

NGINX Log Rotation (MS Windows)

enter image description here

By Default NGINX logs all IPs going through the reverse proxy. The log will keep growing in size.

To ease of maintainance and troubleshooting, it is advisable to get NGINX to create a new access.log everyday.

If NGINX is running on Windows this can be accomplished using a BAT file.

Create a new BAT file with the following

@echo off
SET DATE=%date%



move C:\nginx\logs\Access.log C:\nginx\logs\Old_Logs\Access_%DATE_FRM%.log
move C:\nginx\logs\Error.log C:\nginx\logs\Old_Logs\Error_%DATE_FRM%.log
call C:\nginx\nginx -p C:\nginx -s reopen

Change the Path to the path of your NGINX Log folder. Also create a new folder in the 'Logs' folder called 'Old_Logs'

Save the BAT file.

We now need to create a Scheduled Task to run this BAT file once a Day.

Create a Basic Task

enter image description here

Daily Task or Weekly depending on how often you want to create a new log.

Choose a Time for it to change logs, i chose 00:00:01 so it would create a new log after midnight.

Next select the location of the BAT file and click next until your seen the screen below.

enter image description here

Make sure to put a tick in the 'Open the properties dialog....' box and click finish.

For The Task to restart NGINX the same user has to run the Task Scheduler and the Service.

Select the correct user in 'Change User or Group' and tick the 'Run with highest privileges' box and click 'ok'.

Next run 'services.msc'

Find your NGINX Service and right click on it 'properties'.

On the 'log on' tab change it from 'Local System Account' to 'This Account' and enter the same username as you did for the Task Scheduler.

Finally click Apply and Ok. And that's it. The task will run, move the access.log to the new folder and rename it with the date. NGINX will then create a new access.log file and repeat.

NGINX & cloudflare forwarding IP

enter image description here

To get the Origin IP passed through Cloudflare to NGINX reverse proxy you need to add the following to the end of the HTTP Block.

        # Cloudflare IPs
real_ip_header     CF-Connecting-IP;

All IPs will then be logged in the access.log.

Win10 Pro to Win10 Ent Upgrade

enter image description here Upgrading from a Pro version of Windows to Enterprise has never been easier than it is with Windows 10.

Recently our licencing changed and we had to move from Pro to Ent.

  1. Type 'changepk.exe' into run
  2. Run as Administrator
  3. Enter the Enterprise Licence Key

enter image description here 4. Done!

Yes its as simple as that, not formatting, uninstalling or driver changes.

Mailgun & Cloudflare

enter image description here enter image description here

You own a domain name and you use Cloudflare to proxy your websites, services or something else and now you want to have an email address with your new shiny domain name. Cloudflare doesnt support mail forwarding, some registrars have their own forwarding system but if you use Cloudflare then we need to look at Mailgun.

  1. Sign up for a free account at Mailgun.
  2. Add your domainname to Mailgun enter image description here
  3. Once added you need to verify you own the domain and setup the relevent records. Head over to Cloudflare and create the records, they will look similar to the below image. enter image description here This is what you will end up with. (Make sure the email CNAME status is the grey cloud!) enter image description here
  4. Head back to Mailgun. You will need to give the Records we created above some time to propogated across the internet. You can check this by clicking 'Check DNS Records Now' enter image description here
  5. Creating Routes. In Mailgun we need to specify routes or email addresses. This will define the recipient email and the action to take.

enter image description here

You can create a number of routes or you can create a 'catch all' or both. Priority is like rules, It will match the lowest priority first (lowest number), so if you set a 'catch all' rule set a high number priority e.g. 100. That way it will attempt to match everything else first.

  1. Finally in Mailgun we also need to validated our personal email address, hotmail, gmail or whatever. Head into Account Settings and then Authorised Recipients. Add your email address which will send a link to your email which you need to validate.

enter image description here

Once the DNS settings have been updated and you have validated your email you should now be able to receive any emails sent to * which will appear in your hotmail or gmail account.

Cloudflare and DNS-O-Matic

enter image description here

Following on from the CloudFlare with Emby post. HERE

If your ISP issues you with a DHCP WAN IP then you need something to update Cloudflare with your WAN IP when it changes.

The simplest way to do this is with DNS-O-Matic. Unlike many other DDNS services DNS-O-Matic works as a middle man for many DDNS and other services.

  1. Head over to DNS-O-Matic and create and account
  2. Add a services and choose Cloudflare from the list.
  3. Add the following details into the boxes.
email = your Cloudflare username (usually the email address)
API Token = On the Overview page on Cloudflare use the Global API token
Hostname = Your A record name from Cloudflare for example
Domain = your top level domain
  1. We now need to setup a way for our router to update DNS-O-Matic. I use a Unifi USG as my router and it requires the following details
Service = dyndns
Hostname =
username = DNS-O-Matic email address
password = DNS-O-Matic password
server =

DNS-O-Matci also offer a small program which can run on your LAN and update the details automatically.

Setting up Cloudflare with Emby

enter image description here

enter image description here

So far I have documented different approaches to access Emby securely remotely.

This guide uses Cloudflare for DNS records of your domain name, create and maintain your SSL cert and add security to your connection.

So for anyone who doesnt know, Cloudflare acts like a middle man, or more like a big bouncer. Imagine you own a bar and you want security. You hire a bouncer and he lets your customers in but keeps the riff raff out. This is what cloudflare does it adds security to your Server, while allowing authorised people to access your server.

This guide will assume you have Emby Server already setup and working on your LAN.

Getting a Domain Name.

For this to work we need a domain name. You can get a free one from FreeNom or buy your own .com or from a registrar such as NameCheap.

For this example I will use Freenom.

  1. Search for the domain name you want. I will use


  1. Click Checkout. Enter your details. You will then see a button to manage domain, click that. Next click on Management Tools and Nameservers. You will see the below screen. Leave this open for now, we will come back to it.

enter image description here


  • Head over to Cloudflare Create an account with Cloudflare and then add your Domain name you entered above note. when adding your site and starting the scan it might fail due to DNS propagation. Give it 5-15 mins and try again.

  • Once your Domain Name appears in Cloudflare you can click 'Continue Setup' and you will see the page below.

  • Create an 'A Record'

  • Name = emby

  • Value = your WAN IP

  • Status = make sure its an Orange cloud


  1. Select Free Plan


  1. You will now be given Nameservers. Copy the 2 name servers from Cloudflare and enter them into FreeNom. If FreeNom has 4 delete all of them and only enter the 2 from cloudflare. Should look something like the below image.


  1. It will take some time for DNS propagation before the Nameservers change to Cloudflare. In this time lets setup Emby Server and Port Forwarding on your router. Go to your Emby Server and Dashboard Manager > Advanced.

  2. Change your Public HTTP port to 80 and HTTPS port to 443. Enter your new domain name. I get from the CloudFlare DNS page. Emby was the name of the DNS record, so the full record is


  1. Save and Restart Emby.

  2. Log into your router. All routers are different. Find the section to port forward and create a new rule. Forward External port 443 to internal port 8920 and IP address of your Emby Server. You can also forward 80 to 8096, however this will mean users can connect insecurely to your Emby server.

  3. Head back to CloudFlare and click 'Recheck Nameservers' if successfull you will see a green bar, and Cloudflare Active.


  1. We now need to create a SSL cert for Cloudflare to connect to your Server Securely. On Cloudflare go to 'Crypto', and then 'Origin Certificates'.

enter image description here

  1. Click Create Certificate, on the next screen leave everything default and click next.

enter image description here

  1. You will now be given 2 boxes, A Certificate code and Private Key code. Copy both of them into separate notepads and Save both. Call them cert.pem and private.key respectively

enter image description here

  • Once you have your 2 files, cert.pem and private.key we need to convert it to a .pfx. Go to
  • Current type = Standard PEM
  • Type to Convert to = PFX/PKCS#12
  • PFX Password = "what ever you want"
  • Certificate File to convert = cert.pem
  • Private Key File = private.key

Click convert and you should end up with a PFX certificate.

  • Head back to Emby Server > Dashboard > Advanced.
  • Custom SSL certificate Path = your PFX file
  • Certificate Password = the one used above "what ever you want"

Save and Restart Emby

enter image description here

  1. Head back to Cloudflare > Crypto Tab You now need to change SSL from Flexible to Full. (This means users connect to Cloudflare [uses cloudflare cert] Then Cloudflare connects to your emby server using the Cert we just created). Thus A Full SSL Path from user to server.

enter image description here

  1. go to and enjoy your movies.

Optional Steps

  1. On Cloudflare > Crypto You can enable 'Always use HTTPS' and 'Automatic HTTPS Rewrites'. Anyone trying to browse to HTTP will be forwarded to HTTPS.

enter image description here

  1. On Cloudflare > Page Rules Add the following rules to cache your images.
URL = **/images/*
Cache Level = Cache Everything
Edge Cache TTL = a month

Add a Second Rule

URL = **
Edge Cache TTL = a month

If you have a DHCP WAN IP then you will also need to do some additional steps so that Cloudflare forwards to your IP even if it changes. For this you need to use DNS-O-Matic, a Guide can be found HERE.