NGINX Blacklist IPs and Subnets

The ideal way to blacklist is at the router or firewall level. However there is an option to whitelist or blacklist using NGINX.

I use the following site to get a list of dodgy IP's http://rules.emergingthreats.net/fwrules/emerging-Block-IPs.txt

Copy and Paste that txt file into Notepad++

We now need to change the formatting for NGINX.

In Notepad ++ press Ctrl + H - this will open the replace menu.

enter image description here

Enter the details above.

  • Find What - ^
  • Make sure to have a space after the 'DENY'.
  • Click 'Replace All'.

And then use the details below,

enter image description here

  • Find What - $
  • Replace with - ;
  • And then 'Replace All'

Save the file as blacklist.conf and save it in the NGINX Conf folder.

Finally add this to the NGINX.conf in the HTTP Block

include blacklist.conf;

Restart NGINX and now all the IPs and Subnets listed will be blocked. Anyone trying to access your server from a blocked IP will get a HTTP 403 error, Access forbidden.

NGINX Log Rotation (MS Windows)

enter image description here

By Default NGINX logs all IPs going through the reverse proxy. The log will keep growing in size.

To ease of maintainance and troubleshooting, it is advisable to get NGINX to create a new access.log everyday.

If NGINX is running on Windows this can be accomplished using a BAT file.

Create a new BAT file with the following

@echo off
SET DATE=%date%
SET DAY=%DATE:~0,2%
SET MONTH=%DATE:~3,2%
SET YEAR=%DATE:~6,4%
SET DATE_FRM=%YEAR%-%MONTH%-%DAY%


ECHO %DATE_FRM%

REM ECHO %YEAR%
REM ECHO %MONTH%
REM ECHO %DAY% 

move C:\nginx\logs\Access.log C:\nginx\logs\Old_Logs\Access_%DATE_FRM%.log
move C:\nginx\logs\Error.log C:\nginx\logs\Old_Logs\Error_%DATE_FRM%.log
call C:\nginx\nginx -p C:\nginx -s reopen

Change the Path to the path of your NGINX Log folder. Also create a new folder in the 'Logs' folder called 'Old_Logs'

Save the BAT file.

We now need to create a Scheduled Task to run this BAT file once a Day.

Create a Basic Task

enter image description here

Daily Task or Weekly depending on how often you want to create a new log.

Choose a Time for it to change logs, i chose 00:00:01 so it would create a new log after midnight.

Next select the location of the BAT file and click next until your seen the screen below.

enter image description here

Make sure to put a tick in the 'Open the properties dialog....' box and click finish.

For The Task to restart NGINX the same user has to run the Task Scheduler and the Service.

Select the correct user in 'Change User or Group' and tick the 'Run with highest privileges' box and click 'ok'.

Next run 'services.msc'

Find your NGINX Service and right click on it 'properties'.

On the 'log on' tab change it from 'Local System Account' to 'This Account' and enter the same username as you did for the Task Scheduler.

Finally click Apply and Ok. And that's it. The task will run, move the access.log to the new folder and rename it with the date. NGINX will then create a new access.log file and repeat.

NGINX & cloudflare forwarding IP

enter image description here

To get the Origin IP passed through Cloudflare to NGINX reverse proxy you need to add the following to the end of the HTTP Block.

        # Cloudflare IPs
set_real_ip_from 204.93.240.0/24;
set_real_ip_from 204.93.177.0/24;
set_real_ip_from 199.27.128.0/21;
set_real_ip_from 173.245.48.0/20;
set_real_ip_from 103.21.244.0/22;
set_real_ip_from 103.22.200.0/22;
set_real_ip_from 103.31.4.0/22;
set_real_ip_from 141.101.64.0/18;
set_real_ip_from 108.162.192.0/18;
set_real_ip_from 190.93.240.0/20;
set_real_ip_from 188.114.96.0/20;
set_real_ip_from 197.234.240.0/22;
set_real_ip_from 198.41.128.0/17;
set_real_ip_from 162.158.0.0/15;
real_ip_header     CF-Connecting-IP;

All IPs will then be logged in the access.log.

Setting up Cloudflare with Emby

enter image description here

enter image description here

So far I have documented different approaches to access Emby securely remotely.

This guide uses Cloudflare for DNS records of your domain name, create and maintain your SSL cert and add security to your connection.

So for anyone who doesnt know, Cloudflare acts like a middle man, or more like a big bouncer. Imagine you own a bar and you want security. You hire a bouncer and he lets your customers in but keeps the riff raff out. This is what cloudflare does it adds security to your Server, while allowing authorised people to access your server.

This guide will assume you have Emby Server already setup and working on your LAN.

Getting a Domain Name.

For this to work we need a domain name. You can get a free one from FreeNom or buy your own .com or .co.uk from a registrar such as NameCheap.

For this example I will use Freenom.

  1. Search for the domain name you want. I will use mymedia.cf

MyMedia

  1. Click Checkout. Enter your details. You will then see a button to manage domain, click that. Next click on Management Tools and Nameservers. You will see the below screen. Leave this open for now, we will come back to it.

enter image description here

CloudFlare

  • Head over to Cloudflare Create an account with Cloudflare and then add your Domain name you entered above mymedia.cf. note. when adding your site and starting the scan it might fail due to DNS propagation. Give it 5-15 mins and try again.

  • Once your Domain Name appears in Cloudflare you can click 'Continue Setup' and you will see the page below.

  • Create an 'A Record'

  • Name = emby

  • Value = your WAN IP

  • Status = make sure its an Orange cloud

cloudflare

  1. Select Free Plan

cloudflare

  1. You will now be given Nameservers. Copy the 2 name servers from Cloudflare and enter them into FreeNom. If FreeNom has 4 delete all of them and only enter the 2 from cloudflare. Should look something like the below image.

freenom

  1. It will take some time for DNS propagation before the Nameservers change to Cloudflare. In this time lets setup Emby Server and Port Forwarding on your router. Go to your Emby Server and Dashboard Manager > Advanced.

  2. Change your Public HTTP port to 80 and HTTPS port to 443. Enter your new domain name. I get emby.mymedia.cf from the CloudFlare DNS page. Emby was the name of the DNS record, so the full record is emby.mymedia.cf.

emby

  1. Save and Restart Emby.

  2. Log into your router. All routers are different. Find the section to port forward and create a new rule. Forward External port 443 to internal port 8920 and IP address of your Emby Server. You can also forward 80 to 8096, however this will mean users can connect insecurely to your Emby server.

  3. Head back to CloudFlare and click 'Recheck Nameservers' if successfull you will see a green bar, and Cloudflare Active.

cloudflare

  1. We now need to create a SSL cert for Cloudflare to connect to your Server Securely. On Cloudflare go to 'Crypto', and then 'Origin Certificates'.

enter image description here

  1. Click Create Certificate, on the next screen leave everything default and click next.

enter image description here

  1. You will now be given 2 boxes, A Certificate code and Private Key code. Copy both of them into separate notepads and Save both. Call them cert.pem and private.key respectively

enter image description here

  • Once you have your 2 files, cert.pem and private.key we need to convert it to a .pfx. Go to https://www.sslshopper.com/ssl-converter.html
  • Current type = Standard PEM
  • Type to Convert to = PFX/PKCS#12
  • PFX Password = "what ever you want"
  • Certificate File to convert = cert.pem
  • Private Key File = private.key

Click convert and you should end up with a PFX certificate.

  • Head back to Emby Server > Dashboard > Advanced.
  • Custom SSL certificate Path = your PFX file
  • Certificate Password = the one used above "what ever you want"

Save and Restart Emby

enter image description here

  1. Head back to Cloudflare > Crypto Tab You now need to change SSL from Flexible to Full. (This means users connect to Cloudflare [uses cloudflare cert] Then Cloudflare connects to your emby server using the Cert we just created). Thus A Full SSL Path from user to server.

enter image description here

  1. go to https://emby.mymedia.cf and enjoy your movies.

Optional Steps

  1. On Cloudflare > Crypto You can enable 'Always use HTTPS' and 'Automatic HTTPS Rewrites'. Anyone trying to browse to HTTP will be forwarded to HTTPS.

enter image description here

  1. On Cloudflare > Page Rules Add the following rules to cache your images.
URL = *mymedia.cf/emby/item/*/images/*
Cache Level = Cache Everything
Edge Cache TTL = a month

Add a Second Rule

URL = *mymedia.cf/*
Edge Cache TTL = a month

If you have a DHCP WAN IP then you will also need to do some additional steps so that Cloudflare forwards to your IP even if it changes. For this you need to use DNS-O-Matic, a Guide can be found HERE.

Emby to advertise HTTPS when on NGINX

embylogo

UPDATE - March 2018

The instructions below are now obsolete. There is now a Option within Emby Server > Advanced to automatically configure Emby to advterise itself at HTTPS when going through a Reverse Proxy.

Secure Connection mode needs to be set to 'Handled By Reverse Proxy'

enter image description here

OLD Method Below

If you run Emby behind NGINX, then you would normally Connect to NGINX with HTTPS then NGINX will forward the request over your LAN using HTTP. This prevents double de-crypt/encrypt which uses more CPU cycles.

However if you use Emby Connect or Alexa for Emby then you will probably have noticed that on the Emby Server Dashboard is displays your external connection as HTTP and using port 80, which means Alexa wont work as it requires HTTPS on port 443.

So rather than create a double de-crypt/encrypt scenario we can edit the Emby system.xml file which fakes emby into advertising its external connections on HTTPS and port 443.

First we do need to create a real .pfx cert with a password. There are 2 ways to create a SSL cert:-

  1. Zero SSL Tool Uses an automated tool.
  2. DNS Verification Uses manual TXT records on your DNS.

Once you have that. Head over to your Emby Dashboard and go to Advanced.

Change your settings like the image below Emby Settings

Public HTTP - 80
Public HTTPS - 443
External Domain - your emby subdomain
SSL Certificate - point it to your .pfx
Certificate password - your .pfx password
Require HTTPS - UNTICKED!

Save and Restart Emby.

Now head to your emby server install location. Normally on windows its C:\Users\%username%\AppData\Roaming\Emby-Server\config

open up system.xml in notepad or notepad++ and look for the line

<EnableHttps>false</EnableHttps>

change false to true

<EnableHttps>true</EnableHttps>

save and then restart emby again.

Your emby dashboard should now be advertising https:// on port 443.

SSL Config For NGINX

ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


proxy_hide_header X-Powered-By;
add_header x-xss-protection 1;
proxy_hide_header X-Frame-Options;
add_header X-Content-Type-Options "nosniff"  always;
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header 'Referrer-Policy' 'origin';
add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
add_header X-Frame-Options "ALLOW-FROM https://home.mydomain.media";

NGINX Config

worker_processes  2;


events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##



## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

      return 301 https://$host$request_uri;
}   

## Organizr ##

    server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name home.mydomain.media mydomain.media;

    include ssl.conf;

            location ^~ /.well-known/acme-challenge/ {
                }

            location / {
            root html\Organizr;
            index index.php index.html index.htm;
                }

            location ~ \.php$ {
            root           html\Organizr;
            fastcgi_pass   127.0.0.1:9000;
            fastcgi_index  index.php;
            fastcgi_param  SCRIPT_FILENAME  E:/NGINX/html$fastcgi_script_name;
            include        fastcgi_params;
            fastcgi_param REMOTE_ADDR $http_x_real_ip;
            }

}



##EMBY Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:8096;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        }
                location ^~ /.well-known/acme-challenge/ {
}


}

##Sophos UTM##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name sophos.mydomain.media; 

       include ssl.conf;

     location / {
        proxy_pass https://192.168.10.8:4444;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                        location ^~ /.well-known/acme-challenge/ {
}

}


##Sonarr Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name sonarr.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:8989;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                        location ^~ /.well-known/acme-challenge/ {
}
}

##Radarr Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name radarr.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:7878;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
}
        location ^~ /.well-known/acme-challenge/ {
}
}

##NZB Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name nzb.mydomain.media; 

    include ssl.conf;

        location / {
        proxy_pass http://127.0.0.1:6792;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
}
        location ^~ /.well-known/acme-challenge/ {
}
}



##Plex Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name plex.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://127.0.0.1:32400;  
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
        }
        location ^~ /.well-known/acme-challenge/ {
}
}

##Unifi Server##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name unifi.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass https://127.0.0.1:8443;  

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
    location /inform/ {
        proxy_pass https://127.0.0.1:8080;  

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}
}

##Unifi Guest Portal##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name guest.mydomain.media; 

include ssl.conf;

     location / {
        proxy_pass https://127.0.0.1:8843;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_hide_header X-Powered-By;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";

    }
     location /ws/ {
                        proxy_pass https://127.0.0.1:8843/ws/;
                        proxy_http_version 1.1;
                        proxy_set_header Upgrade $http_upgrade;
                        proxy_set_header Connection "upgrade";
                        add_header X-Xss-Protection "1; mode=block" always;
                        add_header X-Content-Type-Options "nosniff" always;
                        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                        add_header X-Frame-Options "SAMEORIGIN" always;
                        add_header 'Referrer-Policy' 'no-referrer';
                        add_header Content-Security-Policy "frame-ancestors mydomain.media www.mydomain.media update.mydomain.media blog.mydomain.media cctv.mydomain.media emby.mydomain.media guest.mydomain.media htpc.mydomain.media nzb.mydomain.media plex.mydomain.media prtg.mydomain.media smartthings.mydomain.media sonarr.mydomain.media stats.mydomain.media heat.mydomain.media home.mydomain.media unifi.mydomain.media utorrent.mydomain.media radarr.mydomain.media ombi.mydomain.media requests.mydomain.media sophos.mydomain.media;";
                    }
        location ^~ /.well-known/acme-challenge/ {
}
}



##CCTV Server##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name cctv.mydomain.media; 

        ssl_session_timeout 30m;
ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
ssl_certificate      E:\le64\Domain.crt;
ssl_certificate_key  E:\le64\Domain.key;
ssl_session_cache shared:SSL:10m;
ssl_prefer_server_ciphers on;
ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


     location / {
        proxy_pass http://192.168.60.10:8099;  
        ##proxy_pass http://192.168.60.10:8099/ui3beta/ui3.htm; ##
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_http_version 1.1;
        proxy_set_header Connection "";
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                 }
        location ^~ /.well-known/acme-challenge/ {
}
}



##Heating##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name heat.mydomain.media; 

    include ssl.conf;

     location / {
        proxy_pass http://192.168.80.9:80;  

    proxy_set_header Range $http_range;
    proxy_set_header If-Range $http_if_range;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header Host $host;
    proxy_http_version 1.1;
    proxy_set_header Connection "";
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}
}

##uTorrent##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name utorrent.mydomain.media; 

            include ssl.conf;

    location / {
        proxy_pass http://127.0.0.1:7070/;

        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";  
        proxy_redirect  off;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass_header Set-Cookie;
        proxy_pass_header P3P;
        }
    location ^~ /.well-known/acme-challenge/ {
}

}


#PRTG Stats Map##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name stats.mydomain.media; 

            include ssl.conf;

  location / {
        proxy_pass http://127.0.0.1:8081;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        }

      location /public/stats {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2069&mapid=1;
    }
      location /public/status {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2155&mapid=1EC016F4-43DC-44FD-A4F1-E10033FBD0CB;
    }
    location /public/topology {
        proxy_pass http://127.0.0.1:8081/public/mapshow.htm?id=2283&mapid=73F695B6-6CDE-4CD5-BB34-BD40DCD6192D;
    }

    ##HDD TEMPs##
    location /hdd/ {
        proxy_pass http://127.0.0.1:8929/status;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
        location ^~ /.well-known/acme-challenge/ {
}

    ##NGINX Status##
    location /nginx_status {
        # Turn on stats
        stub_status on;
        access_log   off;
   }

}

##Webpage##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name www.mydomain.media; 

            include ssl.conf;

    location / {
         root   html\AwelSwynol;
            index  index.html index.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
                    location ^~ /.well-known/acme-challenge/ {
}


}

## Blog ##

    server {

    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name blog.mydomain.media;

    index index.php;

        include ssl.conf;

        location ^~ /.well-known/acme-challenge/ {

}

        location ~ /config/ {
        root html\Blog;
        deny all;
            }

        location / {
        root html\Blog;
        try_files $uri $uri/ /index.php?$args;
            }

        location ~ \.php$ {
        root html\Blog;
        fastcgi_pass   127.0.0.1:9000;
        fastcgi_index  index.php;
        fastcgi_param  SCRIPT_FILENAME   E:/NGINX/html$fastcgi_script_name;
        include        fastcgi_params;
        fastcgi_param REMOTE_ADDR $http_x_real_ip;
  }

}


##HA-Bridge##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name smartthings.mydomain.media; 

            include ssl.conf;

            location / {
        proxy_pass http://192.168.10.10:82;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }
                location ^~ /.well-known/acme-challenge/ {
}
        }

##Ombi##

    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name ombi.mydomain.media;

        include ssl.conf;

            location / {
        proxy_pass http://127.0.0.1:5000;

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header X-Forwarded-Host $server_name;
        proxy_set_header X-Forwarded-Ssl on;
        proxy_read_timeout  90;
        proxy_redirect http:/127.0.0.1:5000 https://$host;
        proxy_set_header X-Forwarded-Proto $scheme;
        }
                location ^~ /.well-known/acme-challenge/ {
}

        }

#404 ERROR##

    server {
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name update.mydomain.media requests.mydomain.media esxi.mydomain.media; 

            include ssl.conf;

    location ^~ /.well-known/acme-challenge/ {
}

    location / {
            index  50x.html 50x.htm;

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            }
}


}

NGINX Reverse Proxy

enter image description here

This is a guide on how to install NGINX for Windows and add extra security to it.

Ever want to get an A security rating for your website. Then look no further

enter image description here

Pre-Requisites

Your own Domain name A Trust certificate in either .crt or .pem format A Private.key to go with the certificate Access to your router for port forwarding Either a DDNS or have an A Record for WAN IP.

If you havent got a Trusted Certificate you can use my guide Easy Let's Encrypt Certificate to get a free one.

This guide assumes you have either setup a DDNS or have an A record setup to point your Domain Name to your WAN IP. If you dont have this setup go here.

Step 1 - Port Forwarding

Every router is different and rather than try to describe how to do this on all the different brands I will simplify it so it is more relevant to all routers.

  • Log into your router
  • Head over to port forwarding
  • Create a new rule to forward port 443 and port 80 to the machine that NGINX will be running on.

Step 2 - Installing NGINX

Head over to NGINX-Win and download the latest version of NGINX for Windows. As of writing this guide the latest version is 1.13.1.1 Violet.

NGINX

Extract the .zip folder somewhere easy to find. for my example I will extract it to C:\NGINX\ Open up the config folder C:\NGINX\configNGINX Open up notepad (I recommend Notepad++) and copy the following into it.

Worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

         tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
 ## End: Timeouts ##

This is some default code to let NGINX know what to do. For security i added

server_tokens off;

This prevents outsiders looking up what version of NGINX the server is running. This prevent version weaknesses being easily exploited.

After the part above copy in this code

## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
 return 301 https://$host$request_uri;
}

This part makes NGINX listen on port 80 and any traffic it receives on port 80 (HTTP) it redirects to port 443 (HTTPS). It forces the connection to use a secure connection. listen [::]:80 is only required if you have users connecting on IPv6 addresses.

The next part is to configure NGINX to forward the traffic it receives to the correct location. Copy the code below into the same notepad.

##Server Block##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name mysite.com; 

Anything with # in front of it means that its a note or a disabled configuration.

From the code above change mysite.com to what ever your sub-domain name is. listen 443 ssl http2; means that NGINX listens on port 443 and uses the http2 protocol.

Next we look at adding our beefed up security into the config.

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

Most of the above is to do with the ciphers to create the secure connection. ssl_protocols lists in order the protocols to use. TLSv1.2 is the most secure. These have replaced SSL which are now obsolete. In the very near future TLSv1.3 will make all the other versions of TLS obsolete. Preferred ciphers just list in the order of the ciphers used to create the secure connection.

So from the above we need to edit the following

ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;

This is the location of our cert.pem and private.key. I have them located in my NGINX folder in the following location C:\NGINX\config\SSLNGINX To find out how to create the Certs please use the guide Easy Let's Encrypt Certificates At the bottom it describes how to create .pem certs.

        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Most of the above is to do with the headers in html. They add extra security to the connection.

X-Xss-Protection - sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".

#

X-content-type-options - stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".

#

Strict-Transport-Security - is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.

#

X-Frame - tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.

#

Referrer Policy - is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.

#

Content-Security-Policy - is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyse this policy in more detail.

Next part we need to change from the above is

add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Change mysite.com emby.mysite.com to your Domain names. Also you need to add in here ALL your other sub domains that NGINX will manage. for example mysite.com emby.mysite.com sonarr.mysite.com

The next block is the location block, add this to your notepad.

         location / {
            proxy_pass http://127.0.0.1:*PORT;  

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            }
    }
}

The location block tells NGINX what to do when it received data and where to forward it to. It is also required for web sockets to work.

Edit the proxy_pass and point it to the location of your Service that you are running. If it is running on the same machine as NGINX you can leave it as http://127.0.0.1:PORT. If its running on another machine you will need to know the IP. http://192.168.1.10:PORT etc.

    location / {
    proxy_pass http://127.0.0.1:*PORT;  

The whole config should now look like this.

worker_processes  2;

events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##



## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;


      return 301 https://$host$request_uri;
}   

##Server Block##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name mysite.com; 

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";


     location / {
        proxy_pass http://127.0.0.1:*PORT;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }


}
}

Save the notepad as nginx.config in the following location C:\NGINX\config

Step 3 - Set NGINX as a Windows Service

To get NGINX to start with Windows we need to donwload an application called NSSM (Non-sucking service manager). Download it and extract it. You will have a choice to use win32 or win64 version. Choice the version that relates to your Windows installation. Copy the nssm.exe to C:\Windows\System32

Open up a command prompt (Run as administrator) type the following

nssm install NGINX

It will now display this

NGINX

Fill in the Path to the NGINX.exe and the Startup Directory as above.

Click ok

enter image description here

Open up Service.msc and find the NGINX Service we just installed.

Right click and Start.

enter image description here

To Test, we can navigate to emby.mysite.com and it should bring up your Emby Server!

If you have any problems drop a comment below. I will also be creating a Troubleshooting NGINX post soon.

Emby Server HTTPS (Reverse Proxy)

enter image description here

There are 2 ways to connect to your Emby server using HTTPS.

This Guide is for setting up Emby behind a reverse proxy such as NGINX or Apache. For the purposes of this guide it will follow Installing and configuring NGINX on a Windows based machine.

For a basic HTTPS connection to Emby please see the Direct Connection (Simple) Guide 'HERE'.

Pre-Requisites

  • Emby Server installed and running
  • Your own Domain name
  • A Trust certificate in either .crt or .pem format
  • A Private.key to go with the certificate
  • Access to your router for port forwarding
  • Either a DDNS or have an A Record for WAN IP.

If you havent got a Trusted Certificate you can use my guide Easy Let's Encrypt Certificate to get a free one.

This guide assumes you have either setup a DDNS or have an A record setup to point your Domain Name to your WAN IP. If you dont have this setup go here.

Step 1 - Port Forwarding

Every router is different and rather than try to describe how to do this on all the different brands I will simplify it so it is more relevant to all routers.

  • Log into your router
  • Head over to port forwarding
  • Create a new rule to forward port 443 and port 80 to the machine that NGINX will be running on.

Step 2 - Installing NGINX

Head over to NGINX-Win and download the latest version of NGINX for Windows. As of writing this guide the latest version is 1.13.1.1 Violet.

NGINX

Extract the .zip folder somewhere easy to find. for my example I will extract it to C:\NGINX\ Open up the config folder C:\NGINX\configNGINX Open up notepad (I recommend Notepad++) and copy the following into it.

Worker_processes  2;

events {
    worker_connections  8192;
}

http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
        text/plain
        text/css
        text/js
        text/xml
        text/javascript
        application/javascript
        application/x-javascript
        application/json
        application/xml
        application/rss+xml
        image/svg+xml;

         tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
 ## End: Timeouts ##

This is some default code to let NGINX know what to do.

After the part above copy in this code

## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
 return 301 https://$host$request_uri;
}

This part makes NGINX listen on port 80 and any traffic it receives on port 80 (HTTP) it redirects to port 443 (HTTPS). It forces the connection to use a secure connection.

The next part is to configure NGINX to forward the traffic it receives for Emby to the correct location. Copy the code below into the same notepad.

##EMBY Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mysite.com; 

Anything with # in front of it means that its a note or a disabled configuration.

From the code above change emby.mysite.com to what ever your sub-domain name is.

Next we look at adding our beefed up security into the config.

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Without going into too much detail for this guide, the above section tells NGINX what encryption ciphers to use, the location of our certs and adds some extra security measures to the html headers.

So from the above we need to edit the following

ssl_certificate      SSL/cert.pem;
ssl_certificate_key  SSL/private.key;

This is the location of our cert.pem and private.key. I have them located in my NGINX folder in the following location C:\NGINX\config\SSLNGINX To find out how to create the Certs please use the guide Easy Let's Encrypt Certificates At the bottom it describes how to create .pem certs.

Next part we need to change from the above is

add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";

Change mysite.com emby.mysite.com to your Domain names. Also you need to add in here ALL your other sub domains that NGINX will manage. for example mysite.com emby.mysite.com sonarr.mysite.com

The next block is the location block, add this to your notepad.

         location / {
            proxy_pass http://127.0.0.1:8096;  

            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
            }
    }
}

The location block tells NGINX what to do when it received data and where to forward it to. It is also required for web sockets to work.

Edit the proxy_pass and point it to the location of your Emby Server. If it is running on the same machine as NGINX you can leave it as http://127.0.0.1:8096. If its running on another machine you will need to know the IP. http://192.168.1.10:8096 etc.

    location / {
    proxy_pass http://127.0.0.1:8096;  

The whole config should now look like this.

worker_processes  2;

events {
    worker_connections  8192;
}


http {
    include       mime.types;
    default_type  application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    tcp_nodelay on;

    sendfile        off;

    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

## Start: Timeouts ##
    client_body_timeout   10;
    client_header_timeout 10;
    keepalive_timeout     30;
    send_timeout          10;
    keepalive_requests    10;
## End: Timeouts ##



## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;


      return 301 https://$host$request_uri;
}   

##EMBY Server##

    server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name emby.mysite.com; 

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      SSL/cert.pem;
        ssl_certificate_key  SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;


        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        proxy_hide_header X-Powered-By;
        add_header 'Referrer-Policy' 'no-referrer';
        add_header Content-Security-Policy "frame-ancestors mysite.com emby.mysite.com;";


     location / {
        proxy_pass http://127.0.0.1:8096;  

        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        }


}
}

Save the notepad as nginx.config in the following location C:\NGINX\config

Step 3 - Set NGINX as a Windows Service

To get NGINX to start with Windows we need to donwload an application called NSSM (Non-sucking service manager). Download it and extract it. You will have a choice to use win32 or win64 version. Choice the version that relates to your Windows installation. Copy the nssm.exe to C:\Windows\System32

Open up a command prompt (Run as administrator) type the following

nssm install NGINX

It will now display this

NGINX

Fill in the Path to the NGINX.exe and the Startup Directory as above.

Click ok

enter image description here

Open up Service.msc and find the NGINX Service we just installed.

Right click and Start.

enter image description here

To Test, we can navigate to emby.mysite.com and it should bring up your Emby Server!

If you have any problems drop a comment below. I will also be creating a Troubleshooting NGINX post soon.