Skip to content
This repository has been archived by the owner on Feb 17, 2023. It is now read-only.

Latest commit

 

History

History
229 lines (197 loc) · 8.13 KB

ombi.md

File metadata and controls

229 lines (197 loc) · 8.13 KB

Ombi

Application notes

Official Proxy Documentation

There are 2 different versions of the app. Please be aware that there are some differences between the versions in the configs. Specifically "The url rewrite is required after version 3.0.2517."

NOTE: Some users have noticed issues with the rewrite being placed AFTER the location block and have been successful when placing it before the location block. If you experience issues with the rewrite below the location, try switching it.

Block Details Supported Notes
authentication Yes It is suggested to use the built-in Plex based authentication.
sub-directory Yes Using V3, so it does include a rewrite as well.
sub-domain Yes Rewrite may not be required. Need validation here.
base URL Yes Be sure to set the Base URL in Ombi
iFrame Yes No need for extra headers or plugins to allow iFrame

Location Directive

location /<baseurl>/ {
  proxy_pass  http://<hostname>:5000/; ## Default <port> is 5000, adjust if necessary
  proxy_cache_bypass $http_upgrade;
  proxy_set_header Connection keep-alive;
  proxy_set_header Upgrade $http_upgrade;
  proxy_set_header X-Forwarded-Host $server_name;
  proxy_set_header X-Forwarded-Ssl on;

  # Basic Proxy Config
  proxy_set_header X-Real-IP $remote_addr;
  proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
  proxy_set_header X-Forwarded-Proto $scheme;
  proxy_http_version 1.1;
  proxy_no_cache $cookie_session;
}

## Required for Ombi 3.0.2517+
    if ($http_referer ~* /<baseurl>/) {
              rewrite ^/dist/([0-9\d*]).js /<baseurl>/dist/$1.js last;
      }

Sub-Directory Configuration

Expand for Code

ombi.conf

## Main server block to redirect traffic from HTTP to HTTPS
server {
  listen 80;
  server_name <fqdn>;
  return 301 https://$host$request_uri;
}

## Main server block for HTTPS
server {
  listen 443 ssl;
  server_name <fqdn>;

  root /config/www;
  index index.html index.htm index.php;
  include /config/nginx/ssl.conf ## Using a single include for all SSL related items

  location /<baseurl>/ {
    proxy_pass  http://<hostname>:5000/; ## Default <port> is 5000, adjust if necessary
    include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
  }
## Required for Ombi 3.0.2517+
    if ($http_referer ~* /<baseurl>/) {
              rewrite ^/dist/([0-9\d*]).js /<baseurl>/dist/$1.js last;
      }

proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

ssl.conf

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors https://*.<fqdn> https://<fqdn>"; ## Use *.domain.com, not *.sub.domain.com
add_header X-Frame-Options "ALLOW-FROM https://*.<fqdn>" always; ## Use *.domain.com, not *.sub.domain.com
add_header Referrer-Policy "strict-origin";
proxy_cookie_path / "/; HTTPOnly; Secure";
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';

Sub-Domain Configuration

Expand for Code

ombi.conf

## Main server block to redirect traffic from HTTP to HTTPS
server {
  listen 80;
  server_name <fqdn>;
  return 301 https://$host$request_uri;
}

## Main server block for HTTPS
server {
  listen 443 ssl;
  server_name <fqdn>;

  root /config/www;
  index index.html index.htm index.php;
  include /config/nginx/ssl.conf ## Using a single include for all SSL related items

  location / {
    proxy_pass  http://<hostname>:5000/; ## Default <port> is 5000, adjust if necessary
    include /config/nginx/proxy.conf; ## Using a single include file for commonly used settings
    proxy_cache_bypass $http_upgrade;
    proxy_set_header Connection keep-alive;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header X-Forwarded-Host $server_name;
    proxy_set_header X-Forwarded-Ssl on;
  }
## Required for Ombi 3.0.2517+
    if ($http_referer ~* /) {
              rewrite ^/dist/([0-9\d*]).js /dist/$1.js last;
      }

proxy.conf

client_max_body_size 10m;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_redirect  http://  $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;

ssl.conf

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem;
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none;
add_header Content-Security-Policy "frame-ancestors https://*.<fqdn> https://<fqdn>"; ## Use *.domain.com, not *.sub.domain.com
add_header X-Frame-Options "ALLOW-FROM https://*.<fqdn>" always; ## Use *.domain.com, not *.sub.domain.com
add_header Referrer-Policy "strict-origin";
proxy_cookie_path / "/; HTTPOnly; Secure";
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';