In this guide I will explain the steps I took to set up Organizr with Let’s Encrypt on unRAID, and to get an A+ score on both https://securityheaders.com/ and https://www.ssllabs.com/

Preparation

Before we start you need to acquire a domain. You can do that on duckdns or any other domain service. I was using a .tech domain from get.tech and I got a very nice price by using a coupon code from the people over at level1techs

Now I’m using https://domains.google/ and I’m very happy with that.

If you have a dynamic IP address you can set up the captinsano DDclient container and have that update your synthetic record.

Level1 ($3.99 for 1 year registration)
Level3 ($24.99 for 3 year registration)
Level110 ($49.99 for 10 year registration)

Forward your domain to your public IP address. After you’ve done that add your different ANAME/CNAME records e.g www.yourdomain.com or blog.yourdomain.com

@ = root domain (technicalramblings.com) and points to my external ip
www = sub domain
grafana = sub domain
* = wildcard (Not all providers support wildcard)
TTL: (Time to Live) How often a copy of the record stored in cache must be updated or discarded.

You can now start installing the different docker containers from the “Apps” tab in unRAID.

Installation

This guide assumes you have Community applications installed. If not, check out this video from Spaceinvader One

Let’s Encrypt
  1. Container Port: 80 – Choose your desired host port. e.g 81 (You can’t set this to 80 as the unRAID web GUI uses that. )
  2. Container Port: 443 – Set this to 444 or something else (On update 6.4 unraid will use port 443 and it’s better to be ahead of time so it won’t cause any issues)
  3. Enter your email
  4. Add your domain e.g yourdomain.com
  5. Add your different sub domains e.g www,blog,plex etc.
  6. Validation: Select your validation type.
  7. Container Path: /config Install the container config to your desired location. I recommend using an SSD.

Next is port forwarding. This is done on your router: you need to forward ports 80 and 443 to the ports you chose in steps 1 and 2. So if your server's IP is 192.168.1.2 and you have chosen that the container is on port 81, you need to forward all traffic on port 80 to port 81 on IP 192.168.1.2. Do the same for port 443.

If you’re unsure how to do this on your router check out: Portforward.com

Next go to https://yourserverip:444 or http://yourserverip:81 to check that your container has started correctly. If you now see the Nginx welcome page, the container works.
Also test if https://yourdomain.com redirects you to the nginx welcome page.

Note: TTL differs between providers; some have a minimum of 60 minutes before DNS propagates and others have 1 minute. So it might take a while before https://yourdomain.com works.

Organizr

Nothing special you need to configure. Just enter your desired container port (Must be something different than letsencrypt)

If you want to use Organizr V2 you can use the tronyx/docker-organizr-v2 repo! Just change the repo during the installation of V1 from LSIO.
Note: Don’t install it in the same appdata folder!

Setting up Nginx

(scroll down for complete example config)
This config is a combination of different configs I have found googling and getting help from the guys over at the Organizr discord 

Go to the location where you have installed the letsencrypt container. Find the nginx folder and then edit the file called “default” in the “site-conf” folder. I recommend using notepad++

Do not edit the Organizr container nginx setup

In my example config I use both sub directories (domain.com/service) and sub domains (plex.domain.com). Use what you need below, and change the IP addresses and ports to your different services.
As you can see below I use a proxy_pass for organizr.
Add

#ORGANIZR CONTAINER
location / {
proxy_pass http://192.168.1.2:8282; #Organizr IP and Port
include /config/nginx/proxy.conf;
}

in your main server block.
For custom error pages on Organizr V1 add

# Custom error pages 
error_page 400 401 402 403 404 405 408 500 502 503 504 $scheme://$server_name/error.php?error=$status;

For custom error pages on Organizr V2 add

# Custom error pages 
error_page 401 https://$server_name/?error=$status&return=$scheme://$server_name$request_uri;
error_page 400 403 404 405 408 500 502 503 504  https://$server_name/?error=$status;

Server auth (Recommended)

Server Authentication will allow you to secure any/all location blocks, only allowing authenticated Organizr users or administrators access.

It will basically show this for people that haven’t logged in / don’t have access.

For server auth add the location blocks below in your main server block. I’d recommend to use server based auth, as it’s the more secure option.

I haven’t managed to get auth to work with the letsencrypt container yet. Well I got it to partially work. I could load the Sonarr/Radarr page but when trying to use the service other than browsing the pages nothing would happen. Remember to clear your cache after you add the cookie.

UPDATE: By using the authentication block below, server auth works! Thanks Fr00t!

Authentication | Server Based

For Organizr V1 add:

location /auth-admin {
internal;
proxy_pass http://192.168.1.2:8282/auth.php?admin;
proxy_set_header Content-Length "";
}

location /auth-user {
internal;
proxy_pass http://192.168.1.2:8282/auth.php?user;
proxy_set_header Content-Length "";
}

For Organizr V2 add:

location ~ /auth-(.*) {
        internal;
        proxy_pass http://192.168.1.2:8282/api/?v1/auth&group=$1;
        proxy_set_header Content-Length "";
}

In your MAIN SERVER BLOCK

To utilize the block drop “auth_request /auth-x;” within your location blocks, where x=OrgV2 group_id

 auth_request /auth-0; #=Admin
 auth_request /auth-1; #=Co-Admin 
 auth_request /auth-2; #=Super User 
 auth_request /auth-3; #=Power User 
 auth_request /auth-4; #=User 
 auth_request /auth-999; #=Guest

Remember to add the authentication block to any SUB DOMAIN BLOCK.

http://192.168.1.2:8282 is the local ip and port to Organizr

Just add auth_request /auth-admin; or  auth_request /auth-0;

  • auth-admin/auth-0 – Only allows Admins to access the block/page.
  • auth-user/auth-4 – Only allows logged in users to access the block/page.

like this for Organizr V1:

#RADARR CONTAINER
location /radarr {
auth_request /auth-admin;
proxy_pass http://192.168.1.2:7878/radarr;
include /config/nginx/proxy.conf;
}

like this for Organizr V2:

#RADARR CONTAINER
location /radarr {
auth_request /auth-0; #=Admin
proxy_pass http://192.168.1.2:7878/radarr;
include /config/nginx/proxy.conf;
}

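Using server auth will block apps like nzb360 from connecting to Sonarr/Radarr. You can get around that by allowing /sonarr/api. Note that this location has no auth_request, so it is reachable without an Organizr login and is protected only by the service's own API key. Read more here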

Like this:

# SONARR CONTAINER API
location /sonarr/api {
proxy_pass http://192.168.1.2:8989/sonarr/api;
include /config/nginx/proxy.conf;
}
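
The longest-prefix rule is why allowing /sonarr/api works: nginx picks that block over /sonarr, and it carries no auth_request. The following added example (not from the original guide) models nginx's location selection in simplified form over a constructed config and reports which Organizr group, if any, a request path needs; the function names and the sample config are assumptions made for illustration.

```python
import re

# Organizr V2 group ids as listed in the guide.
GROUPS = {"0": "Admin", "1": "Co-Admin", "2": "Super User",
          "3": "Power User", "4": "User", "999": "Guest"}

# Constructed sample: a trimmed server body in the style of the guide's config.
SAMPLE_CONF = """
location ~ /auth-(.*) {
    internal;
    proxy_pass http://192.168.1.2:8282/api/?v1/auth&group=$1;
}
location / {
    proxy_pass http://192.168.1.2:8282;
}
location /sonarr {
    auth_request /auth-0; #=Admin
    proxy_pass http://192.168.1.2:8989/sonarr;
}
location /sonarr/api {
    proxy_pass http://192.168.1.2:8989/sonarr/api;
}
#location /radarr/api {
#    proxy_pass http://192.168.1.2:7878/radarr/api;
#}
location /ombi {
    auth_request /auth-4;
    proxy_pass http://192.168.1.2:3579/ombi;
}
"""

LOCATION_RE = re.compile(
    r"^[ \t]*location\s+(?:(=|~\*|~|\^~)\s+)?(\S+)\s*\{(.*?)^[ \t]*\}", re.S | re.M)

def parse_locations(conf):
    """Return (modifier, pattern, auth group or None, internal?) per location block."""
    conf = re.sub(r"#.*", "", conf)  # drop comments and commented-out blocks
    found = []
    for mod, pat, body in LOCATION_RE.findall(conf):
        auth = re.search(r"\bauth_request\s+/auth-(\w+)\s*;", body)
        internal = re.search(r"\binternal\s*;", body) is not None
        found.append((mod, pat, auth.group(1) if auth else None, internal))
    return found

def select_location(locations, path):
    """Simplified nginx order: exact '=', then regex (unless '^~'), then longest prefix."""
    best = None
    for loc in locations:
        if loc[0] == "=" and path == loc[1]:
            return loc
        if loc[0] in ("", "^~") and path.startswith(loc[1]):
            if best is None or len(loc[1]) > len(best[1]):
                best = loc
    if best is not None and best[0] == "^~":
        return best
    for loc in locations:
        if loc[0] in ("~", "~*") and re.search(loc[1], path, re.I if loc[0] == "~*" else 0):
            return loc
    return best

def access_for(conf, path):
    """Return (matched location, requirement); requirement None means no auth_request."""
    loc = select_location(parse_locations(conf), path)
    if loc is None:
        return (None, None)
    if loc[3]:
        return (loc[1], "internal")  # clients cannot request internal locations directly
    return (loc[1], GROUPS.get(loc[2], loc[2]) if loc[2] else None)

def unprotected(conf):
    """Externally reachable locations that carry no auth_request."""
    return [pat for _, pat, group, internal in parse_locations(conf)
            if group is None and not internal]
```

The parser only handles flat location blocks like the ones in this guide. Anything unprotected() lists besides / (Organizr itself) relies on the proxied service's own login or API key.
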

Cookie password

If you want to use cookie password add

if ($cookie_cookiePassword != "yourcookiepasswordhere") { return 401; }

in your proxy blocks.

It refers to the cookie password set in the Organizr Advanced settings, so remember to comment this out if you are not using a cookie password.

If you are going with Browser [Cookie] Authentication it’s important that the “Domain Name for Cookie” in Organizr is your top level domain e.g domain.com, and not a sub domain e.g yourdomain.duckdns.org

This will block anyone trying to access /sonarr or plex.yourdomain.com without logging in to Organizr first.

X-Frame-Options

You also may have to comment out the X-Frame option in your nginx.conf file in the nginx folder. e.g /appdata/letsencrypt/nginx/nginx.conf

# add_header X-Frame-Options SAMEORIGIN;

Just add # before the line if you get an xframe error in console / the page doesn’t load and displays a blank page.

PHP “Hijacking”

If you have the php block that comes with the default file in your server block, you may find that Organizr will not load properly. (Homepage is blank and you can’t access settings)

This is because the php location is “hijacking” the Organizr container php. You can fix this by commenting the lines like the example below or just remove it.

#location ~ \.php$ {
#fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php7-cgi alone:
#fastcgi_pass 127.0.0.1:9000;
# With php7-fpm:
#fastcgi_pass unix:/var/run/php7-fpm.sock;
#fastcgi_index index.php;
#include /etc/nginx/fastcgi_params;
#}

If you need to use the php location block in a sub directory you can just create a php.conf file and paste the contents into that file. Save it in the nginx folder and use the include syntax.

location /logarr {
root /config/www;
index index.php index.html;
include /config/nginx/php.conf;
}

Remember that on a lot of these services (Sonarr/Radarr/Ombi etc.) you need to add a webroot/base URL. That means that the internal address to Sonarr is http://192.168.1.2:8989/sonarr/ instead of http://192.168.1.2:8989. Reverse proxy often won’t work without it. If the service you want to access does not have the option to add a URL base I recommend creating a sub domain or checking the developer documents/wiki.

I recommend adding one service at a time and restarting the container each time. Add>check>repeat
And remember to check the container logs if something is not working.

For Fail2ban integration check out my post here

Complete example config

################################################################################################################
#////////////////////////////////////////////////SERVER BLOCK\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################
# REDIRECT TRAFFIC FROM www.domain.com TO https://domain.com
server {
listen 80;
listen 443 ssl http2;
server_name www.YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://YOUR-SNOWFLAKE-DOMAIN.com$request_uri; #CHANGE THIS TO YOUR DOMAIN NAME!
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
listen 80;
server_name YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://$server_name$request_uri;
}
################################################################################################################
#////////////////////////////////////////////////MAIN SERVER BLOCK\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################

# MAIN SERVER BLOCK
server {
listen 443 ssl http2 default_server; 
server_name YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!

## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOUR SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
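## NOTE: ALLOW-FROM is obsolete and takes a single origin, not a wildcard; current browsers ignore it and enforce the frame-ancestors policy above.
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!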
add_header Referrer-Policy "strict-origin-when-cross-origin";
proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';


# Custom error pages 
error_page 400 401 402 403 404 405 408 502 503 504 $scheme://$server_name/?error=$status;
error_log /config/log/nginx/error.log;

#AUTHORIZATION BLOCK 
location ~ /auth-(.*) {
 internal;
 proxy_pass http://192.168.1.2:8282/api/?v1/auth&group=$1;
 proxy_set_header Content-Length "";
}

# BLOCK ORGANIZR DASHBOARD FILES
location ~ /loginLog.json|chat.db|users.db|org.log|org.db|organizrLog.json|organizrLoginLog.json {
return 404;
}

#ORGANIZR CONTAINER
location / {
proxy_pass http://192.168.1.2:8282;
include /config/nginx/proxy.conf;
}
}
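
nginx inherits the server-level add_header lines into a location only when that location has no add_header of its own, so a block such as the /deluge location in the full config further down (which sets X-Frame-Options) answers without the HSTS, CSP and other headers set above. This added example (not from the original guide) checks pasted `curl -sI` output against the header settings in this config; both response samples are constructed, and the one-year max-age floor is an assumption.

```python
import re

# Constructed samples of `curl -sI` output: one location that inherits the
# server-level add_header lines, and one that declares its own add_header.
SONARR_HEAD = """HTTP/2 200
server: Classified
strict-transport-security: max-age=63072000; includeSubDomains; preload
x-content-type-options: nosniff
content-security-policy: frame-ancestors https://*.example.com https://example.com
referrer-policy: strict-origin-when-cross-origin
set-cookie: session=constructed; Path=/; HTTPOnly; Secure
"""
DELUGE_HEAD = """HTTP/2 200
server: Classified
x-frame-options: SAMEORIGIN
set-cookie: _session_id=constructed; Path=/; HTTPOnly; Secure
"""


def parse_head(raw):
    """Map lower-cased header names to the list of values seen."""
    headers = {}
    for line in raw.strip().splitlines()[1:]:  # skip the status line
        name, sep, value = line.partition(":")
        if sep:
            headers.setdefault(name.strip().lower(), []).append(value.strip())
    return headers


def check_head(raw):
    """Return the guide's header settings that this response does not carry."""
    h = parse_head(raw)
    first = lambda name: (h.get(name) or [""])[0]
    missing = []
    hsts = first("strict-transport-security").lower()
    age = re.search(r"max-age=(\d+)", hsts)
    if not age:
        missing.append("Strict-Transport-Security")
    else:
        # Assumption: one year as the floor; the guide itself uses 63072000.
        if int(age.group(1)) < 31536000:
            missing.append("HSTS max-age below one year")
        if "includesubdomains" not in hsts:
            missing.append("HSTS includeSubDomains")
    if first("x-content-type-options").lower() != "nosniff":
        missing.append("X-Content-Type-Options")
    if "frame-ancestors" not in first("content-security-policy").lower():
        missing.append("Content-Security-Policy frame-ancestors")
    if not first("referrer-policy"):
        missing.append("Referrer-Policy")
    # proxy_cookie_path in the config appends these flags to proxied cookies.
    for cookie in h.get("set-cookie", []):
        flags = [p.strip().lower() for p in cookie.split(";")[1:]]
        if "secure" not in flags or "httponly" not in flags:
            missing.append("cookie flags: " + cookie.split("=", 1)[0])
    if "x-powered-by" in h:
        missing.append("X-Powered-By still present")
    return missing
```

Check every proxied path this way, not only the root, since the external scanners grade just the URL you give them.
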

Here is an example config with different services.

################################################################################################################
#////////////////////////////////////////////////SERVER BLOCK\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################

# REDIRECT TRAFFIC FROM www.domain.com TO https://domain.com
server {
listen 80;
listen 443 ssl http2;
server_name www.YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://YOUR-SNOWFLAKE-DOMAIN.com$request_uri; #CHANGE THIS TO YOUR DOMAIN NAME!
}

# REDIRECT HTTP TRAFFIC TO https://[domain.com]
server {
listen 80;
server_name YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!
return 301 https://$server_name$request_uri;
}
################################################################################################################
#////////////////////////////////////////////////MAIN SERVER BLOCK\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################

# MAIN SERVER BLOCK
server {
listen 443 ssl http2 default_server; 
server_name YOUR-SNOWFLAKE-DOMAIN.COM; #CHANGE THIS TO YOUR DOMAIN NAME!

## READ THE COMMENT ON add_header X-Frame-Options AND add_header Content-Security-Policy IF YOU USE THIS ON A SUBDOMAIN YOU WANT TO IFRAME!

## Certificates from LE container placement
ssl_certificate /config/keys/letsencrypt/fullchain.pem;
ssl_certificate_key /config/keys/letsencrypt/privkey.pem;

## Strong Security recommended settings per cipherli.st
ssl_dhparam /config/nginx/dhparams.pem; # Bit value: 4096
ssl_ciphers ECDHE-RSA-AES256-GCM-SHA512:DHE-RSA-AES256-GCM-SHA512:ECDHE-RSA-AES256-GCM-SHA384:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384;
ssl_ecdh_curve secp384r1; # Requires nginx >= 1.1.0
ssl_session_timeout  10m;

## NOTE: The add_header Content-Security-Policy won't work with duckdns since you don't own the root domain. Just buy a domain. It's cheap
## Settings to add strong security profile (A+ on securityheaders.io/ssllabs.com)

add_header Strict-Transport-Security "max-age=63072000; includeSubDomains; preload";
add_header X-Content-Type-Options nosniff;
add_header X-XSS-Protection "1; mode=block";
add_header X-Robots-Tag none; #SET THIS TO index IF YOU WANT GOOGLE TO INDEX YOUR SITE!
add_header Content-Security-Policy "frame-ancestors https://*.$server_name https://$server_name"; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!
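## NOTE: ALLOW-FROM is obsolete and takes a single origin, not a wildcard; current browsers ignore it and enforce the frame-ancestors policy above.
add_header X-Frame-Options "ALLOW-FROM https://*.$server_name" always; ## Use *.domain.com, not *.sub.domain.com (*.$server_name) when using this on a sub-domain that you want to iframe!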
add_header Referrer-Policy "strict-origin-when-cross-origin";
proxy_cookie_path / "/; HTTPOnly; Secure"; ##NOTE: This may cause issues with unifi. Remove HTTPOnly; or create another ssl config for unifi.
more_set_headers "Server: Classified";
more_clear_headers 'X-Powered-By';


# Custom error pages 
error_page 400 401 402 403 404 405 408 502 503 504 $scheme://$server_name/?error=$status;
error_log /config/log/nginx/error.log;

#AUTHORIZATION BLOCK 
location ~ /auth-(.*) {
 internal;
 proxy_pass http://192.168.1.2:8282/api/?v1/auth&group=$1;
 proxy_set_header Content-Length "";
}

# BLOCK ORGANIZR DASHBOARD FILES
location ~ /loginLog.json|chat.db|users.db|org.log|org.db|organizrLog.json|organizrLoginLog.json {
return 404;
}

#ORGANIZR CONTAINER
location / {
proxy_pass http://192.168.1.2:8282;
include /config/nginx/proxy.conf;
}

################################################################################################################
#////////////////////////////////////////////////SUBDIRECTORIES\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################

# PLEX SUB DIR
# Check the comment in the bottom of this page for the include /config/nginx/plex.conf
location /plex/ {
auth_request /auth-4;
proxy_pass http://192.168.1.2:32400;
include /config/nginx/plex.conf;
}
if ($http_referer ~* /plex/) {
rewrite ^/web/(.*) /plex/web/$1? redirect;
}

#PLEXPY CONTAINER
#Do NOT check "Enable HTTP Proxy" in PlexPy
#Oh And yourdomain.com/plexpy/auth is the address..
location /plexpy {
auth_request /auth-4;
proxy_pass http://192.168.1.2:8181;
include /config/nginx/proxy.conf;
proxy_bind $server_addr;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Ssl on;
} 

# PLEXPY ALLOW API FOR MOBILE APP
#location /plexpy/api {
#auth_request /auth-4;
#proxy_pass http://192.168.1.2:8181/plexpy/api;
#include /config/nginx/proxy.conf;
#proxy_bind $server_addr;
#proxy_set_header X-Forwarded-Host $server_name;
#proxy_set_header X-Forwarded-Ssl on; 
#}

#RADARR CONTAINER
location /radarr {
auth_request /auth-0;
proxy_pass http://192.168.1.2:7878/radarr;
include /config/nginx/proxy.conf;
}

# RADARR ALLOW API FOR MOBILE APPS
#location /radarr/api {
#proxy_pass http://192.168.1.2:7878/radarr/api;
#include /config/nginx/proxy.conf; 
#}

#SONARR CONTAINER
location /sonarr {
auth_request /auth-0;
proxy_pass http://192.168.1.2:8989/sonarr;
include /config/nginx/proxy.conf;
}

# SONARR ALLOW API FOR MOBILE APPS
#location /sonarr/api {
#auth_request /auth-0;
#proxy_pass http://192.168.1.2:8989/sonarr/api;
#include /config/nginx/proxy.conf;
#}

# JACKETT redirect
location /jackett {
return 301 /jackett/;
}
#JACKETT CONTAINER
location /jackett/ {
auth_request /auth-0;
proxy_pass http://192.168.1.2:9117/;
include /config/nginx/proxy.conf;
} 

# DELUGE CONTAINER
location /deluge {
auth_request /auth-0;
proxy_pass http://192.168.1.2:8113/;
proxy_set_header X-Deluge-Base "/deluge/";
include /config/nginx/proxy.conf;
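# NOTE: an add_header inside a location stops that location from inheriting the server-level add_header lines (HSTS, CSP etc.)
add_header X-Frame-Options SAMEORIGIN;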
}

#NETDATA 301 REDIRECT
location /netdata {
return 301 /netdata/;
}

#NETDATA CONTAINER
location ~ /netdata/(?<ndpath>.*) {
auth_request /auth-4;
proxy_set_header X-Forwarded-Host $host;
proxy_set_header X-Forwarded-Server $host;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_pass http://192.168.1.2:19999/$ndpath$is_args$args;
proxy_http_version 1.1;
proxy_pass_request_headers on;
proxy_set_header Connection "keep-alive";
proxy_store off;
}

#OMBI CONTAINER
location /ombi {
auth_request /auth-4;
proxy_pass http://192.168.1.2:3579/ombi;
include /config/nginx/proxy.conf;
}

#OMBIV3 CONTAINER
location /ombi/ {
 auth_request /auth-4;
 proxy_pass http://192.168.1.2:5000;
 proxy_set_header Host $host;
 proxy_set_header X-Forwarded-Host $server_name;
 proxy_set_header X-Real-IP $remote_addr;
 proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
 proxy_set_header X-Forwarded-Ssl on;
 proxy_set_header X-Forwarded-Proto $scheme;
 proxy_read_timeout 90;
 proxy_redirect http://192.168.1.2:5000 https://$host;
}


# SABNZBD REDIRECT (exact match, so it does not duplicate the prefix location below)
location = /sabnzbd {
return 301 /sabnzbd/;
}

# SABNZBD CONTAINER
location /sabnzbd {
auth_request /auth-0;
proxy_pass http://192.168.1.2:8383/sabnzbd;
include /config/nginx/proxy.conf;
}

# NZBGET CONTAINER
location /nzbget {
auth_request /auth-0;
proxy_pass http://192.168.1.2:6789;
include /config/nginx/proxy.conf;
} 
}

################################################################################################################
#////////////////////////////////////////////////SUBDOMAINS\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\#
################################################################################################################

#PLEX SERVER 
server {
listen 443 ssl http2;
server_name plex plex.domain.com;

location /error/ {
alias /www/errorpages/;
internal;
}

location / {

proxy_redirect off;
proxy_buffering off;
proxy_hide_header X-Frame-Options;

# Spoof the request as coming from ourselves since otherwise Plex will block access, e.g. logging:
# "Request came in with unrecognized domain / IP 'tv.example.com' in header Referer; treating as non-local"
proxy_set_header Host $server_addr;
proxy_set_header Referer $server_addr;
proxy_set_header Origin $server_addr;

proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Plex-Client-Identifier $http_x_plex_client_identifier;
proxy_set_header Cookie $http_cookie;

## Required for Websockets
proxy_http_version 1.1;
proxy_set_header Upgrade $http_upgrade;
proxy_set_header Connection "upgrade";
proxy_read_timeout 36000s; # Timeout after 10 hours

proxy_next_upstream error timeout invalid_header http_500 http_502 http_503 http_504;

#if ($cookie_cookiePassword != "yourcookiepasswordhere") { return 401; }
proxy_pass http://192.168.1.2:32400;
}
}

#GRAV BLOG SITE
server {
listen 80; 
listen 443 ssl http2;
server_name blog.domain.com;

root /config/www/grav/;
index index.html index.php;

location /error/ {
alias /www/errorpages/;
internal;
}

location / {
try_files $uri $uri/ /index.php?_url=$uri&$query_string;
}

location ~ \.php$ {
fastcgi_split_path_info ^(.+\.php)(/.+)$;
# With php7-cgi alone:
fastcgi_pass 127.0.0.1:9000;
# With php7-fpm:
#fastcgi_pass unix:/var/run/php7-fpm.sock;
fastcgi_index index.php;
include /etc/nginx/fastcgi_params;
}

fastcgi_buffer_size 4K;
fastcgi_buffers 64 4k; 
}


This is the content of the plex.conf file in the plex sub directory block. I’m lazy and just used the one from the Organizr Plex SSO wiki. As you can see there are a lot of duplicates in plex.conf and proxy.conf.

client_max_body_size 10m;
client_body_buffer_size 128k;
proxy_buffers 32 4k;
proxy_hide_header X-Frame-Options;
proxy_http_version 1.1;
proxy_read_timeout 240;
proxy_redirect http:// $scheme://;
proxy_send_timeout 240;
proxy_set_header Connection "upgrade";
proxy_set_header Host $host;
#proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Host $server_name;
proxy_set_header X-Forwarded-Proto https;
proxy_set_header X-Forwarded-Ssl on;
proxy_set_header Upgrade $http_upgrade;
send_timeout 5m;

proxy.conf contents:

client_max_body_size 0;
client_body_buffer_size 128k;

#Timeout if the real server is dead
proxy_next_upstream error timeout invalid_header http_500 http_502 http_503;

# Advanced Proxy Config
send_timeout 5m;
proxy_read_timeout 240;
proxy_send_timeout 240;
proxy_connect_timeout 240;

# Basic Proxy Config
proxy_set_header Host $host:$server_port;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto https;
proxy_redirect http:// $scheme://;
proxy_http_version 1.1;
proxy_set_header Connection "";
proxy_cache_bypass $cookie_session;
proxy_no_cache $cookie_session;
proxy_buffers 32 4k;
proxy_headers_hash_max_size 51200;
proxy_headers_hash_bucket_size 6400;

See: https://github.com/causefx/Organizr/wiki/Plex-SSO

Here is my current Nginx config: https://github.com/gilbN/Nostromo/tree/master/Server/nginx I have split everything into different .conf files and use the include syntax to link everything together.

For fast and great support, check out our Organizr discord! It doesn’t even have to be Organizr related 😉