Setting up Nginx via Cloudflare on Debian to route to Emby

Firstly we need the latest version of Nginx on Debian. Now the default list doesn't actually have the latest version of Nginx so you may find that some properties are not available. So to get the latest version we need to add a new source. You can do that following the below link.

How To Install Nginx On Debian 12 - Itslinuxguide.com
Nginx on Debian can be installed by two methods one by using the default package manager and the other by using the Nginx official repository.

Next we want our requests to come through Cloudflare and hit our Nginx server but first we need to configure the Debian firewall and then we can setup Cloudflare. Going through Cloudflare means that you have added protection as the requests will be vetted from Cloudflare and your site will have an SSL certificate as well. You can follow the link below to set this up

How To Host a Website Using Cloudflare and Nginx on Ubuntu 20.04 | DigitalOcean
In this tutorial you will secure your website served by Nginx with an Origin CA certificate from Cloudflare and configure Nginx to use authenticated pull req…

After you have done this your Nginx config should be all ready to go and route to emby. Now you want to edit the Nginx config file which should be at the following path /etc/nginx/nginx.conf. Use the below command from the route directory to edit the file and paste the below in

nano /etc/nginx/nginx.conf
user www-data;
worker_processes auto;
pid /run/nginx.pid;
error_log /var/log/nginx/error.log;
include /etc/nginx/modules-enabled/*.conf;

events {
    worker_connections 8192;
    # multi_accept on;
}

http {
    ##
    # Basic Settings
    ##
    include /etc/nginx/mime.types;
    default_type application/octet-stream;
    server_names_hash_bucket_size 64;
    server_tokens off;
    sendfile off; ## Sendfile not used in a proxy environment.

    ##
    # Logging Settings
    ##

    ## The below will create a separate log file for your emby server which includes
    ## userId's and other emby specific info, handy for external log viewers.
    ## Cloudflare users will want to swap $remote_addr in first line below to $http_CF_Connecting_IP
    ## to log the real client IP address
    log_format emby '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port "$http_x_emby_authorization"';


    log_format default '$remote_addr - $remote_user [$time_local] "$request" '
    '$status $body_bytes_sent "$http_referer" '
    '"$http_user_agent" "$http_x_forwarded_for" $request_time $server_port';


    ##
    # Gzip Settings
    ##
    gzip on; ## Compresses the content to the client, speeds up client browsing.
    gzip_disable "msie6";

    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types
    text/plain
    text/css
    text/js
    text/xml
    text/javascript
    application/javascript
    application/x-javascript
    application/json
    application/xml
    application/rss+xml
    image/svg+xml;

    proxy_connect_timeout 1h;
    proxy_send_timeout 1h;
    proxy_read_timeout 1h;
    tcp_nodelay on; ## Sends data as fast as it can not buffering large chunks, saves about 200ms per request.

    ## The below will force all nginx traffic to SSL, make sure all other server blocks only listen on 443
    server {
        listen 80 default_server;
        server_name _;

        return 301 https://$host$request_uri;
    }

    ## Start of actual server blocks
    server {

        listen [::]:443 ssl; ## Listens on port 443 IPv6 ssl enabled
        listen 443 ssl; ## Listens on port 443 IPv4 ssl enabled
        http2 on; ## Enables HTTP2
        proxy_buffering off; ## Sends data as fast as it can not buffering large chunks.

        server_name emby.domainname.com; ## enter your service name and domain name here example emby.domainname.com

        access_log /var/log/nginx/emby.log emby; ## Creates a log file with this name and the log info above.

        ## SSL SETTINGS ##
        ssl_session_timeout 30m;
        ssl_protocols TLSv1.3 TLSv1.2;
        ssl_certificate /etc/ssl/cloudflare-ssl-cert/cert.pem; ## Location of your public PEM file.
        ssl_certificate_key /etc/ssl/cloudflare-ssl-cert/key.pem; ## Location of your private PEM file.
        ssl_session_cache shared:SSL:10m;
        ssl_client_certificate /etc/ssl/cloudflare-ssl-cert/cloudflare.crt;
        ssl_verify_client on;

        location ^~ /swagger {
            return 404;
        }

        location / {
            proxy_pass http://192.168.0.123:8096; ## Enter the IP and port of the backend emby server here.
            client_max_body_size 1000M; ## Allows for mobile device large photo uploads.

            proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys.
            proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested.
            proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested.
            #proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
            proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line.
            proxy_set_header Host $host; ## Passes the requested domain name to the backend server.
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

            ## ADDITIONAL SECURITY SETTINGS ##
            ## Optional settings to improve security ##
            ## add these after you have completed your testing and ssl setup ##
            ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
            ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first!   ##
            # add_header 'Referrer-Policy' 'origin-when-cross-origin';
            # add_header Strict-Transport-Security "max-age=15552000; preload" always;
            # add_header X-Frame-Options "SAMEORIGIN" always;
            # add_header X-Content-Type-Options "nosniff" always;
            # add_header X-XSS-Protection "1; mode=block" always;

            ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection $http_connection;
        }
    }
}

Lastly, you need to setup port forwarding on your router to route the traffic from ports 80 and 443 to the local IP address of where the Nginx server is hosted.

Useful commands

View status of Nginx Server - systemctl status nginx
Restart Nginx server - systemctl restart nginx
View version of Nginx - nginx -v
Check if the syntax is correct in the nginx config file - nginx -t