
TUTORIAL Nginx + Let's Encrypt for Plex / Emby / Jellyfin 100% A+ Rating


Here is a tutorial for an Nginx proxy hosted under OPNsense with a Let's Encrypt certificate
Primarily tested for Plex / Emby / Jellyfin (or other services)
September 2021

Part 1 - WebGUI config

Go to System -> Settings -> Administration
TCP port: 8443 (change to what you want. don't use 80 or 443!)
HTTP Redirect: [X] Disable web GUI redirect rule (important!)

Part 2 - Install plugins

Go to System -> Firmware -> Plugins
Install plugins:

Part 3 - Create Let's Encrypt certificate

1. Go to Services -> ACME Client -> Settings -> Settings
Enable Plugin [X]
Auto Renewal [X]
HAProxy Integration [ ]

2. Go to Services -> ACME Client -> Settings -> Update Schedule
Minutes: 45
Hours: 5
Days of the week: 1

3. Go to Services -> ACME Client -> Accounts
Create a new Account
Name: MyAccount (what you want)
E-Mail Address: my@mail.tld (your mail address)
ACME CA: Let's Encrypt [default]

4. Go to Services -> ACME Client -> Automations
Create a new Automation
Name: Restart Nginx
Run Command: Restart Nginx (OPNsense plugin)

5. Go to Services -> ACME Client -> Challenge Types
Create a new Challenge Type
Name: MyChallenge
Challenge Type: HTTP-01
Or use "DNS-01" if you need DynDNS service
HTTP Service: OPNsense Web Service
IP Auto-Discovery [X]
Interface: WAN

6. Go to Services -> ACME Client -> Certificates
Create a new Certificate
Enabled [X]
Common Name: emby.mydomain.com (change to your domain name!)
LE Account: MyAccount (select created name)
Challenge Type: MyChallenge (select created name)
Auto Renewal [X]
Key Length: ec-384
OCSP Must Staple: [ ]
Automations: Restart Nginx

Now save and press the button "Issue or renew certificate", wait a minute and refresh the page
You see "Last ACME Status = OK"

Part 4 - Nginx config

1. Go to Services -> Nginx -> Configuration -> Upstream -> Upstream Server
Create a new Upstream Server
Description: Emby_Server (or what you want)
Server: (change to the local IP of the server hosting plex/emby or your service)
Port: 8096 (change to service port of plex/emby, recommended http not https port)
Server Priority: 1

2. Go to Services -> Nginx -> Configuration -> Upstream -> Upstream
Create a new Upstream
Description: Emby_Upstream (or what you want)
Server Entries: Emby_Server (select your Upstream-Server)
Load Balancing Algorithm: Weighted Round Robin

3. Go to Services -> Nginx -> Configuration -> HTTP(S) -> Location
Create a new Location
enable "advanced mode"
Description: Emby_Location
URL Pattern: /
Learning Mode: [X] (don't ban IPs, activate if you want)
Upstream Servers: Emby_Upstream (select your Upstream)

Advanced Proxy Options
WebSocket Support [X]
Proxy Read Timeout: 3600
Proxy Send Timeout: 3600
Response Buffering [ ]
Request Buffering [ ]
Maximum Temporary File Size: 4096

4. Go to Services -> Nginx -> Configuration -> HTTP(S) -> Security Headers
Create a new Security Header
Description: EmbySecurityHeaders
Referrer: No Referrer
XSS Protection: Block
Don't Sniff Content Type [X]
Strict Transport Security: Time: 63072000

5. Go to Services -> Nginx -> Configuration -> HTTP(S) -> HTTP Server
Create a new HTTP Server
enable "advanced mode"
Real IP Source: X-Forwarded-For
Server Name: emby.mydomain.com (change to your domain name!)
Locations: Emby_Location (select your Location)
Maximum Body Size: 200m
TLS Certificate: emby.mydomain.com (ACME Client) (select your created domain cert)
Client CA Certificate: R3 (ACME Client)

Enable Let's Encrypt Plugin Support [X]
HTTPS Only [X]
Disable Bot Protection [X] (recommended for Plex/Emby/Jellyfin)
Advanced ACL Authentication Backend: none
Enable Sendfile [ ]
Security Header: EmbySecurityHeaders (select your Security Header)

6. Now go to Services -> Nginx -> Configuration -> General Settings
Enable nginx [X]

Part 5 - Firewall rules

1. Go to Firewall -> Aliases
Create a new Alias
Name: Webservice_Ports
Type: Port(s)
Content: 80, 443

2. Go to Firewall -> Rules -> WAN
Create a new Rule
Action: Pass
Protocol: TCP
Source: any
Destination: WAN address
Destination port range: Webservice_Ports
Log: [X] Log packets that are handled by this rule (Logging access in FW protocol if you want)
Description: Allow Nginx-Proxy


1. Test your Site (Smartphone or other external internet connection)
2. If that works, test your certificate
Go to: https://www.ssllabs.com/ssltest/
and enter your domain. Wait until the test is finished.

Result: A+

Ideas, questions or suggestions for changes? Please post them :)
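
To confirm from outside that the Security Header settings from Part 4, step 4 are actually being served, the check below audits a response header block against them. It is an added example, not part of the original post; the mapping from the GUI options to header values is an assumption, and the sample responses are constructed.

```python
import re

# Header values assumed to correspond to the tutorial's "EmbySecurityHeaders" settings.
EXPECTED = {
    "referrer-policy": "no-referrer",          # Referrer: No Referrer
    "x-xss-protection": "1; mode=block",       # XSS Protection: Block
    "x-content-type-options": "nosniff",       # Don't Sniff Content Type [X]
}
HSTS_MIN_AGE = 63072000                        # Strict Transport Security: Time

def parse_headers(raw):
    """Parse a raw HTTP response head into {lowercased name: [values]}."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    headers = {}
    for line in head.split("\n")[1:]:          # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers

def audit(raw):
    """Return findings; an empty list means the response matches the settings above."""
    headers, findings = parse_headers(raw), []
    for name in list(EXPECTED) + ["strict-transport-security"]:
        values = headers.get(name, [])
        if not values:
            findings.append(f"{name}: missing")
        elif len(values) > 1:                  # e.g. backend and proxy both set it
            findings.append(f"{name}: sent {len(values)} times")
        elif name in EXPECTED and values[0].lower() != EXPECTED[name]:
            findings.append(f"{name}: unexpected value {values[0]!r}")
        elif name == "strict-transport-security":
            m = re.search(r"max-age\s*=\s*\"?(\d+)", values[0], re.I)
            if not m or int(m.group(1)) < HSTS_MIN_AGE:
                findings.append(f"{name}: max-age below {HSTS_MIN_AGE}")
    return findings

# Constructed sample responses (not captured from a real server).
GOOD = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
        "Strict-Transport-Security: max-age=63072000\r\n"
        "Referrer-Policy: no-referrer\r\nX-XSS-Protection: 1; mode=block\r\n"
        "X-Content-Type-Options: nosniff\r\n\r\n")
BAD = ("HTTP/1.1 200 OK\r\nServer: nginx\r\n"
       "Strict-Transport-Security: max-age=31536000\r\n"
       "X-Content-Type-Options: nosniff\r\nX-Content-Type-Options: nosniff\r\n"
       "Referrer-Policy: same-origin\r\n\r\n")

if __name__ == "__main__":
    for label, resp in (("GOOD", GOOD), ("BAD", BAD)):
        print(label, audit(resp) or "ok")
```

For a live check, pass the saved output of `curl -sI https://emby.mydomain.com` (with your own domain) to `audit()` from an external connection.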

here is a placeholder

No real 100 % A+ rating though. Or am I mistaken?

https://forum.opnsense.org/index.php?topic=23339.0  8)


--- Quote from: TheHellSite on September 26, 2021, 08:39:49 am ---No real 100 % A+ rating though. Or am I mistaken?

https://forum.opnsense.org/index.php?topic=23339.0  8)

--- End quote ---


It doesn't matter if HAProxy or Nginx for an A+.
It's only the settings ;)

You do NOT have 100 % A+!
You have A+ okay, but only 90 % in key exchange and cipher strength since you are missing some critical key parts.  ;)

See below my SSLLabs Rating.

This is what happens when copying another person's guide without fully understanding what you are actually doing.
Of course it doesn't matter what reverse proxy someone is using, but the configuration surely matters!

Also at least give credit when copying / adopting another guide.  ::) (no offense)

