Nginx、Caddy反代EMBY
Nginx反代
Nginx反代https
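server {
    # Listen on port 443 over IPv4 and IPv6 with TLS and HTTP/2.
    listen 443 ssl http2;
    listen [::]:443 ssl http2;

    # Public hostname served by this proxy.
    server_name my.domain.com;

    # Certificate chain and private key presented to clients.
    ssl_certificate /root/.acme.sh/my.domain.com_ecc/fullchain.cer;
    ssl_certificate_key /root/.acme.sh/my.domain.com_ecc/my.domain.com.key;

    # TLS settings.
    ssl_protocols TLSv1.2 TLSv1.3;      # TLS 1.2 and 1.3 only; older versions stay disabled
    ssl_ciphers HIGH:!aNULL:!MD5;       # OpenSSL "HIGH" suites minus anonymous and MD5 ones (TLS 1.2 suites)
    ssl_prefer_server_ciphers on;       # the server's cipher order wins over the client's
    ssl_session_cache shared:SSL:10m;   # shared session cache, speeds up resumed handshakes
    ssl_session_timeout 1d;             # cached sessions expire after one day

    # Security response headers. "always" makes nginx attach them to error
    # responses (4xx/5xx) as well, not only to successful ones.
    # HSTS for one year; includeSubDomains also forces HTTPS on every subdomain.
    add_header Strict-Transport-Security "max-age=31536000; includeSubDomains" always;
    add_header X-Frame-Options DENY always;             # no framing, mitigates clickjacking
    add_header X-Content-Type-Options nosniff always;   # no MIME-type sniffing

    # Reverse proxy.
    location / {
        # Forward every request to the upstream at https://proxy.domain.com:443.
        proxy_pass https://proxy.domain.com:443;

        # $proxy_host is the host taken from proxy_pass, so the upstream sees
        # its own name in Host, not the name the client requested.
        proxy_set_header Host $proxy_host;
        # Client address as seen by this proxy.
        proxy_set_header X-Real-IP $remote_addr;
        # Client-supplied X-Forwarded-For with this hop's client address appended.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Scheme of the original request (https here).
        proxy_set_header X-Forwarded-Proto $scheme;

        # Send SNI so the upstream can select the matching certificate.
        proxy_ssl_name proxy.domain.com;
        proxy_ssl_server_name on;

        # nginx does not verify upstream certificates unless told to; without
        # these lines anyone on the path to the upstream can impersonate it.
        # The name checked is the proxy_ssl_name value above.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
Nginx反代http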
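server {
    # NOTE(review): this listener is plain HTTP, so Emby logins and API tokens
    # travel unencrypted between the client and this proxy. Prefer a TLS
    # listener and keep port 80 only for redirecting to it.
    listen 80;
    server_name xxx.com;            # your domain
    client_max_body_size 6000M;

    proxy_cache off;
    proxy_redirect off;
    proxy_buffering off;

    location / {
        proxy_pass http://127.0.0.1:8080;       # upstream being proxied
        proxy_http_version 1.1;

        # All proxy_set_header directives are kept at this one level: nginx
        # inherits them from the server block only when the location defines
        # none of its own, so header lines placed at server level were
        # silently dropped once this location set Host/Upgrade/Connection.
        proxy_set_header Host 127.0.0.1:8080;   # upstream being proxied
        proxy_set_header X-Real-IP $remote_addr;
        # Overwrite rather than append: this proxy is the first hop, so a
        # client-supplied X-Forwarded-For value is not trustworthy.
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade. The client's Sec-WebSocket-* request headers are
        # forwarded unchanged by default and need no explicit directive.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_read_timeout 86400;

        # proxy_ssl_verify was removed: it only applies to https:// upstreams.
    }
}
nginx反代前后端分离配置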
一、
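# $connection_upgrade used below is not a built-in variable. It has to be
# defined once in the http {} context, otherwise nginx refuses to start:
#   map $http_upgrade $connection_upgrade {
#       default upgrade;
#       ''      close;
#   }
server {
    listen 443 ssl http2;
    # your domain
    server_name 你的域名;
    # your certificate and key
    ssl_certificate /etc/letsencrypt/live/你的域名/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/你的域名/privkey.pem;
    client_max_body_size 20M;

    # "always" attaches the headers to error responses too.
    add_header X-Frame-Options "SAMEORIGIN" always;
    # Legacy header: current browsers no longer implement the XSS auditor,
    # so it adds no protection on them.
    add_header X-XSS-Protection "1; mode=block" always;
    add_header X-Content-Type-Options "nosniff" always;

    location / {
        # domain of the Emby server (front end) being proxied
        proxy_pass https://emby服务器的域名;
        # Rewrite redirects that point at the Emby streaming host so clients
        # come back through /s1/ on this proxy.
        proxy_redirect https://推流地址/ https://你的域名/s1/;
        # Referer sent upstream: the Emby server's own web index page.
        proxy_set_header Referer "https://emby服务器的域名/web/index.html";
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $connection_upgrade;
        # $proxy_host is the host from proxy_pass (the upstream's own name).
        proxy_set_header Host $proxy_host;
        proxy_ssl_server_name on;
        proxy_http_version 1.1;

        # nginx does not verify upstream certificates unless told to. The name
        # checked defaults to the proxy_pass host.
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }

    location /s1 {
        # Strip the /s1 prefix before the request goes to the streaming host.
        rewrite ^/s1(/.*)$ $1 break;
        # Emby streaming host being proxied
        proxy_pass https://推流地址/;
        proxy_set_header Referer "https://emby服务器的域名/web/index.html";
        proxy_set_header Host $proxy_host;
        proxy_ssl_server_name on;
        proxy_buffering off;

        # Same upstream certificate verification as in "location /".
        proxy_ssl_verify on;
        proxy_ssl_verify_depth 2;
        proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;
    }
}
二、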
# =========================
# 前后端分离式 Emby 反代配置
# Emby 原始前端:frontend.embydomain.com
# Emby 原始后端:backend1.embydomain.com、backend2.embydomain.com、backend3.embydomain.com
# 本机发布:provider.emby.yourdomain.com
# =========================
# ======== 前端 UI 反代 ========
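location / {
    # Crawler filter: reject common command-line tools and empty User-Agents.
    # User-Agent is chosen by the client, so this only removes unsophisticated
    # crawlers. It is not access control; Emby's own authentication still is.
    if ($http_user_agent ~* (curl|wget|python|scrapy|bot|spider|crawler|Go-http-client)) {
        return 403;
    }
    if ($http_user_agent = "") {
        return 403;
    }

    # Rewrite redirects that point at the original Emby backend shards so
    # clients come back through provider.emby.yourdomain.com/s*/.
    # MUST CHANGE: replace backend*.embydomain.com with the real shard domains.
    proxy_redirect https://backend1.embydomain.com/ https://provider.emby.yourdomain.com/s1/;
    proxy_redirect https://backend2.embydomain.com/ https://provider.emby.yourdomain.com/s2/;
    proxy_redirect https://backend3.embydomain.com/ https://provider.emby.yourdomain.com/s3/;

    # Forward client requests to the original Emby front end.
    proxy_pass https://frontend.embydomain.com;             # MUST CHANGE

    # Basic proxy headers.
    proxy_set_header Host frontend.embydomain.com;          # MUST CHANGE
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forwarded-Host $host;
    proxy_set_header X-Forwarded-Proto $scheme;
    proxy_set_header X-Forwarded-Port $server_port;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;

    # nginx does not verify upstream certificates unless told to; without
    # these lines anyone on the path to the upstream can impersonate it.
    # The name checked defaults to the proxy_pass host.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    # WebSocket support for the web console.
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
}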
# ======== 每个分片独立 location 规则 ========
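location /s1 {
    # Crawler filter only: User-Agent is chosen by the client, so this is not
    # access control.
    if ($http_user_agent ~* (curl|wget|python|scrapy|bot|spider|crawler|Go-http-client)) {
        return 403;
    }
    if ($http_user_agent = "") {
        return 403;
    }

    # Strip the /s1 prefix before the request goes to the shard.
    rewrite ^/s1(/.*)?$ $1 break;
    proxy_pass https://backend1.embydomain.com/;            # MUST CHANGE
    proxy_set_header Host backend1.embydomain.com;          # MUST CHANGE
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;

    # nginx does not verify upstream certificates unless told to. The name
    # checked defaults to the proxy_pass host.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
}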
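location /s2 {
    # Crawler filter only: User-Agent is chosen by the client, so this is not
    # access control.
    if ($http_user_agent ~* (curl|wget|python|scrapy|bot|spider|crawler|Go-http-client)) {
        return 403;
    }
    if ($http_user_agent = "") {
        return 403;
    }

    # Strip the /s2 prefix before the request goes to the shard.
    rewrite ^/s2(/.*)?$ $1 break;
    proxy_pass https://backend2.embydomain.com/;            # MUST CHANGE
    proxy_set_header Host backend2.embydomain.com;          # MUST CHANGE
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;

    # nginx does not verify upstream certificates unless told to. The name
    # checked defaults to the proxy_pass host.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
}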
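location /s3 {
    # Crawler filter only: User-Agent is chosen by the client, so this is not
    # access control.
    if ($http_user_agent ~* (curl|wget|python|scrapy|bot|spider|crawler|Go-http-client)) {
        return 403;
    }
    if ($http_user_agent = "") {
        return 403;
    }

    # Strip the /s3 prefix before the request goes to the shard.
    rewrite ^/s3(/.*)?$ $1 break;
    proxy_pass https://backend3.embydomain.com/;            # MUST CHANGE
    proxy_set_header Host backend3.embydomain.com;          # MUST CHANGE
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_ssl_server_name on;
    proxy_http_version 1.1;

    # nginx does not verify upstream certificates unless told to. The name
    # checked defaults to the proxy_pass host.
    proxy_ssl_verify on;
    proxy_ssl_verify_depth 2;
    # CA bundle path as shipped on Debian/Ubuntu; adjust for your distribution.
    proxy_ssl_trusted_certificate /etc/ssl/certs/ca-certificates.crt;

    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_buffering off;
}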
NGINX一键脚本(该命令会直接执行远端 main 分支上的脚本,脚本内容可能随时变化;建议先下载并审阅 deploy.sh,并固定到已审阅的提交后再运行):
bash <(curl -sSL https://raw.githubusercontent.com/sakullla/nginx-reverse-emby/main/deploy.sh)
Caddy反代
Caddy反代https
your.domain.com { # the domain you serve this proxy on
    reverse_proxy https://target.domain:443 { # the upstream domain being proxied
        # Send the upstream's own host:port as Host instead of the name the
        # client requested.
        header_up Host {upstream_hostport}
    }
}
caddy反代前后端分离的配置
# Site address: your domain.
你的域名 {
    # NOTE(review): no root is set, and the catch-all reverse_proxy below is
    # ordered before file_server by default, so this directive looks unused.
    # Confirm, and drop it if so.
    file_server
    # E-mail address used for the ACME account.
    tls 邮箱
    # Cap on the request body size accepted from clients.
    request_body {
        max_size 20MB
    }
    # Response headers. X-XSS-Protection is a legacy header that current
    # browsers no longer act on.
    header {
        X-Frame-Options "SAMEORIGIN"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
    }
    # Streaming path: handle_path strips the /000 prefix before proxying to
    # the Emby streaming domain.
    handle_path /000/* {
        reverse_proxy https://emby推流域名 {
            # Upstream's own host:port as Host.
            header_up Host {http.reverse_proxy.upstream.hostport}
            # Referer sent upstream: the Emby server's own web index page.
            header_up Referer "https://emby服务器域名/web/index.html"
        }
    }
    # Everything else goes to the Emby server (front end).
    reverse_proxy https://emby服务器域名 {
        header_up Host {http.reverse_proxy.upstream.hostport}
        # Rewrite redirects that point at the streaming domain so clients come
        # back through /000/ on this site.
        # NOTE(review): the first argument is a regular expression, so the dots
        # in the real domain match any character unless escaped.
        header_down Location "https://emby推流域名/(.*)$" "https://你的域名/000/$1"
    }
}