Hello all,
So I am in the process of securing my server with SSL/TLS. Currently I have everything configured with Let's Encrypt and it works. The only problem I seem to have is Emby. It works, HTTP is redirected to HTTPS, the certificate is valid, and everything loads, but it is horribly slow. Going around Nginx (straight to the IP and the SSL port) it works exactly as expected, apart from the certificate warning because that port serves a certificate for a different name. So the problem has to lie in Nginx and/or the reverse proxy configuration. Any help would be greatly appreciated, and I am wondering whether anyone else has been seeing issues like this.
Here is my reverse proxy config (my real domain is replaced with DOMAIN). I am not using the default file but a separate file in site-confs named emby:
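##EMBY Server##
# Reverse proxy for Emby: TLS is terminated here with the Let's Encrypt cert and
# requests are forwarded to the Emby HTTPS listener on the LAN host 192.168.1.2:8446.
server {
listen 443 ssl;
server_name emby.DOMAIN.cc;
root /config/www;
index index.html index.htm index.php;
ssl_dhparam /config/nginx/dhparams.pem;
###SSL Certificates
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;
ssl_session_timeout 30m;
ssl_session_cache shared:SSL:50m;
# TLS 1.0 and 1.1 dropped: both are deprecated and only needed for clients that
# cannot negotiate TLS 1.2. Add TLSv1.3 here once the nginx/OpenSSL build supports it
# (older builds reject an unknown protocol name, so it is not added blindly).
ssl_protocols TLSv1.2;
ssl_prefer_server_ciphers on;
ssl_ciphers 'ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-GCM-SHA384:DHE-RSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA:ECDHE-ECDSA-AES128-SHA:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA:ECDHE-ECDSA-AES256-SHA:DHE-RSA-AES128-SHA256:DHE-RSA-AES128-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES256-SHA:!aNULL:!eNULL:!EXPORT:!DES:!RC4:!MD5:!PSK:!aECDH:!EDH-DSS-DES-CBC3-SHA:!EDH-RSA-DES-CBC3-SHA:!KRB5-DES-CBC3-SHA';
# Strip the backend's server-technology disclosure (was listed twice; once is enough).
proxy_hide_header X-Powered-By;
# Browser hardening headers. "always" makes nginx add them on error responses too,
# so every header here carries it for consistency.
add_header X-Xss-Protection "1; mode=block" always;
add_header X-Content-Type-Options "nosniff" always;
# 30-day HSTS covering subdomains; raise max-age once you are confident every
# subdomain is reachable over HTTPS, since browsers will refuse plain HTTP until it expires.
add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header 'Referrer-Policy' 'no-referrer' always;
add_header Content-Security-Policy "frame-ancestors DOMAIN.cc emby.DOMAIN.cc;";
proxy_set_header Range $http_range;
proxy_set_header If-Range $http_if_range;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header Host $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
# Tell the backend the client arrived over HTTPS so any URLs it builds use the right scheme.
proxy_set_header X-Forwarded-Proto $scheme;
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
# Forward the client's own Connection header instead of forcing "upgrade" on every
# request: websocket clients send "Upgrade" themselves, while ordinary requests no
# longer claim to be a protocol upgrade. NOTE(review): a per-request map of
# $http_upgrade -> $connection_upgrade at http{} level is the canonical form; it
# cannot be declared inside this server block.
proxy_set_header Connection $http_connection;
location / {
# NOTE(review): the upstream certificate is NOT verified (nginx default is
# proxy_ssl_verify off), so this hop trusts the LAN. That is a deliberate trade-off
# here because the backend presents a certificate for a different name; if the LAN
# is not trusted, give the backend a proper cert and enable proxy_ssl_verify.
proxy_pass https://192.168.1.2:8446/;
}
}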
Here is my default in case it matters; it points to the Heimdall Docker container, which holds links to all my installed containers and apps.
## Version 2018/01/29 - Changelog: https://github.com/linuxserver/docker-letsencrypt/commits/master/root/defaults/default
# listening on port 80 disabled by default, remove the "#" signs to enable
# redirect all traffic to https
# Plain-HTTP catch-all: answer every hostname on port 80 with a permanent
# redirect to the same host and path over HTTPS.
server {
server_name _;
listen 80;
return 301 https://$host$request_uri;
}
# main server block
# main server block
# Default HTTPS vhost: any request whose Host header matches no other server block
# (including requests for the bare IP) lands here and is proxied to Heimdall.
server {
listen 443 ssl default_server;
root /config/www;
index index.html index.htm index.php;
server_name _;
# all ssl related config moved to ssl.conf
# NOTE(review): certificate, protocol and cipher settings live in ssl.conf, which is
# not shown here; confirm it disables TLS 1.0/1.1 the same way the emby block should.
include /config/nginx/ssl.conf;
# 0 removes the request-body size limit entirely; keep only if unbounded uploads
# through this vhost are intended, since it also removes a cheap resource-exhaustion guard.
client_max_body_size 0;
location / {
# NOTE(review): upstream TLS is not verified unless proxy.conf turns on
# proxy_ssl_verify (nginx default is off) — presumably an accepted LAN-hop trade-off.
proxy_pass https://192.168.1.2:8445/;
proxy_max_temp_file_size 2048m;
include /config/nginx/proxy.conf;
}
}