TXK57 36 Posted September 29, 2021 Posted September 29, 2021 (edited) It took me a while to get Caddy v2 setup and working by itself. Then there were some struggles with getting it to work with Cloudflare. I thought I would share a guide to assist those who want to go that route. Prerequisites: Have your own domain Have the DNS of your domain setup with Cloudflare Have your Cloudflare API key/token "For this checkout my other article on setting up DNS updates via API" Have your Emby server set with a static internal IP Step 1: Download Caddy Visit https://caddyserver.com/download to download your binary. You will need to add a couple plugins for this to work. You will want to select 'caddy-dns/cloudflare' and 'kirsch33/realip' Review at the top that it shows "Extra features = 2' and select 'Download' Step 2: Download NSSM from https://nssm.cc/download "We will use this to run Caddy as a service" Step 3: Create folders for NSSM and Caddy on the root of the C:\ drive Step 4: Rename the caddy binary to just caddy.exe and put it in C:\Caddy\. Extract NSSM so you just have the nssm.exe and put that in your NSSM folder. Step 5: Create your caddyfile The caddyfile has no extension. You can open this with your favorite text editor. I use Notepad++. Below is the a sample caddyfile. The first email is the email address that you want to use to receive notifications if there are issues with the cert Adjust your domain to what you are using for Emby. Either 'domain.com', 'login.domain.com' or 'emby.domain.com' etc. The second email address is your email address for your Cloudflare account This also sets up logging for the reverse proxy which is really handy I choose to use the actual IP address of the server instead of localhost. Either will work. { email email@gmail.com } yourdomain.com { tls email@gmail.com { dns cloudflare 'Your Cloudflare API Key No Quotes' } log { output file C:\caddy\logs\emby_access.log { roll true # Rotate logs, enabled by default roll_size_mb 10 # Set max size X MB roll_gzip true # Whether to compress rolled files roll_local_time true # Use localhost time roll_keep 3 # Keep at most X log files roll_keep_days 7 # Keep log files for X days } } encode gzip reverse_proxy http://10.0.0.5:8096 { header_up X-Real-IP {remote_host} } } If you wanted to run any of the arr's as subsites to your main reverse proxy you can add the following to your caddyfile If you are running it on the same box instead of using the full domain name you would just use http://yourip:port You need to login to each of the arr applications and setup the base URL Login go to settings/general/base url Add the correct subsite. So for Radarr you would add /movies save and restart. { email email@gmail.com } yourdomain.com { tls email@gmail.com { dns cloudflare 'Your Cloudflare API Key No Quotes' } log { output file C:\caddy\logs\emby_access.log { roll true # Rotate logs, enabled by default roll_size_mb 10 # Set max size X MB roll_gzip true # Whether to compress rolled files roll_local_time true # Use localhost time roll_keep 3 # Keep at most X log files roll_keep_days 7 # Keep log files for X days } } encode gzip reverse_proxy http://10.0.0.5:8096 { header_up X-Real-IP {remote_host} } reverse_proxy /movies/* https://radarr.domain.com { header_up Host {upstream_hostport} header_up X-Forwarded-Host {host} } redir /movies /movies/ reverse_proxy /tv/* https://sonarr.domain.com { header_up Host {upstream_hostport} header_up X-Forwarded-Host {host} } redir /tv /tv/ reverse_proxy /music/* https://lidarr.domain.com { header_up Host {upstream_hostport} header_up X-Forwarded-Host {host} } redir /music /music/ reverse_proxy /audiobooks/* https://readarr.domain.com { header_up Host {upstream_hostport} header_up X-Forwarded-Host {host} } redir /audiobooks /audiobooks/ } Step 6: Create a user for caddy to run as and set password. You will need this password later down when we setup the service. I'm going to use srvcaddy. Step 7: Allow srvcaddy user to run as service You want to open up Local Security Policy Go to 'Local Policies/User Rights Assignment/Log on as a service' and add our new user srvcaddy Step 8: Add your domain under Emby network settings Login go to settings/network/external domain and add your domain name Step 9 : Launch cmd prompt as administrator Step 10: Install Caddy as a service We will need to type cd "C:\NSSM" in cmd prompt. Then you will need to type nssm install Caddy We will want to edit Log on to our service account Then select 'Install service' Now you can open up services and start caddy The first time this runs it will take a few minutes to generate your certificate on the computer. Step 11: Adjust firewall rules You now only want the local computer to talk on Emby's port 8096. All other devices you will want to have it connect via ports 80,443. Open up windows firewall Make sure all of Emby's rules are disabled Create a new rule Step 12: Create a port forward in your router/firewall from external port 443 to your server port 443. Do to the differences in every router/firewall you will need to refer to manual or Google on this step. For even more security you can lock down only Cloudflare's IP addresses to be able to route to your server. Since we are updating the cert via API you only need port 443 open to Cloudflare. No need for port 80 to be open external. Step 13: Create a DNS entry in your router/firewall for your server. Again do to to many differences you will need to consult your device's manual or google on how to accomplish this. You will want to create an internal record that takes your domain name for your Emby server and points it to the local IP. This way you can take advantage of local login with pin. Step 14: Set Cloudflare's SSL/TLS Encryption Login to Cloudflare, select your domain, and go to SSL/TLS You want to set this to Full/Strict That's it... you should now have a fully encrypted connection to your Emby server internal and external. You will now be connecting to your server via port 443 instead of 8096. Hope this helps anyone struggling with setting this up. Edited October 29, 2021 by Happy2Play Updated at OP request 1 2
KegTapper 8 Posted September 29, 2021 Posted September 29, 2021 Thanks for this. There just aren't many guides for Caddy. I am a recent caddy convert and my next step was trying to setup cloudflare. Your guide will help immensely. Thanks again
TXK57 36 Posted September 29, 2021 Author Posted September 29, 2021 1 hour ago, KegTapper said: Thanks for this. There just aren't many guides for Caddy. I am a recent caddy convert and my next step was trying to setup cloudflare. Your guide will help immensely. Thanks again Let me know if you run into any snags. My biggest issue was finding out how to write the caddyfile.
muzicman0 65 Posted October 18, 2021 Posted October 18, 2021 been using Caddy for a while, but can't get it to work with Cloudflare. Followed this, but it still isn't working. I get a SSL Handshake error.
muzicman0 65 Posted October 18, 2021 Posted October 18, 2021 Figured it out. Above you mentioned an API Key, which is an actual thing, but you actually meant a Token. Once I used the same token as the powershell script, it works fine. Thanks.
TXK57 36 Posted October 18, 2021 Author Posted October 18, 2021 4 hours ago, muzicman0 said: Figured it out. Above you mentioned an API Key, which is an actual thing, but you actually meant a Token. Once I used the same token as the powershell script, it works fine. Thanks. Awesome, yes I apologize for the confusion on this. They call it a Token on Cloudflare other places call it a key, but it is essentially your password for the API. I'm glad you got this working!
KegTapper 8 Posted October 22, 2021 Posted October 22, 2021 I was off yesterday so finally got around to setting this up. Emby works great. I cannot get the Arrs to work. They are on the same machine and I set the base url.
TXK57 36 Posted October 26, 2021 Author Posted October 26, 2021 On 10/22/2021 at 8:24 AM, KegTapper said: I was off yesterday so finally got around to setting this up. Emby works great. I cannot get the Arrs to work. They are on the same machine and I set the base url. Are you trying to run it as domain.com/arr or are you trying to run it as arr.domain.com? Would you be able to scrape your config and drop it here? I can take a look at it for you.
seanbuff 1012 Posted October 26, 2021 Posted October 26, 2021 On 29/09/2021 at 10:26, TKX57 said: I thought I would share a guide to assist those who want to go that route. This is a great guide @TKX57 thanks for sharing. Is it possible to fix up the missing/broken images in Step 8 and 14, just for completeness?
TXK57 36 Posted October 27, 2021 Author Posted October 27, 2021 23 hours ago, seanbuff said: This is a great guide @TKX57 thanks for sharing. Is it possible to fix up the missing/broken images in Step 8 and 14, just for completeness? I would love to but the article is locked and it will not let me edit it. Maybe an admin can unlock this for me so I can fix the broken images. @Abobader
Abobader 3243 Posted October 28, 2021 Posted October 28, 2021 3 hours ago, TKX57 said: I would love to but the article is locked and it will not let me edit it. Maybe an admin can unlock this for me so I can fix the broken images. Please PM our mod's team @Happy2Play @CBers about the replacement image link and they will do it for you, thanks. 1 1
Troymz 1 Posted August 29, 2022 Posted August 29, 2022 What do you mean by Step 6: Create a user for caddy to run as and set password. What type of user?
Luke 38803 Posted August 29, 2022 Posted August 29, 2022 44 minutes ago, Troymz said: What do you mean by Step 6: Create a user for caddy to run as and set password. What type of user? Hi there, what exactly are you trying to do?
Troymz 1 Posted August 29, 2022 Posted August 29, 2022 2 hours ago, Luke said: Hi there, what exactly are you trying to do? I'm trying to follow this guide. I'm quite a newbie with this stuff. I currently have my emby server running and everything works.. but I have no protection. I'd like get this setup with caddy for ssl. @pir8radio
pwhodges 1742 Posted August 29, 2022 Posted August 29, 2022 7 hours ago, Troymz said: What do you mean by Step 6: Create a user for caddy to run as and set password. What type of user? A Windows user; the permissions that follow in the instructions are Windows permissions. When you create a Windows service (e.g. using nssm), you have to specify the user it will run under. Paul
pwhodges 1742 Posted August 29, 2022 Posted August 29, 2022 3 hours ago, Troymz said: I have no protection. I'd like get this setup with caddy for ssl. @pir8radio Protection from what? Presumably, as you're using Caddy, you already have ssl. Paul
Troymz 1 Posted August 29, 2022 Posted August 29, 2022 3 hours ago, pwhodges said: A Windows user; the permissions that follow in the instructions are Windows permissions. When you create a Windows service (e.g. using nssm), you have to specify the user it will run under. Paul Thank you. I'm not running Caddy yet. I'm trying to follow this guide to set it up. I currently have no SSL.
pwhodges 1742 Posted August 29, 2022 Posted August 29, 2022 You don't need Cloudflare to run Caddy. I have written about the Caddy setup in several places; here are a couple: Paul
redjacket69 4 Posted June 30, 2023 Posted June 30, 2023 is it necessary to enable "Allow remote connections to this Emby Server." if reverse proxy is used? disabling that will remove the domain field and stuff
rbjtech 4806 Posted June 30, 2023 Posted June 30, 2023 1 hour ago, redjacket69 said: is it necessary to enable "Allow remote connections to this Emby Server." if reverse proxy is used? disabling that will remove the domain field and stuff see - https://emby.media/community/index.php?/topic/93074-how-to-emby-with-nginx-with-windows-specific-tips-and-csp-options/&do=findComment&comment=1262954
mkitchin 2 Posted May 14, 2024 Posted May 14, 2024 Thank you! I had to comment out this line # roll_local_time true to get it to work. Otherwise, I got this error Error: adapting config using caddyfile: parsing caddyfile tokens for 'log': wrong argument count or unexpected line ending after 'true', at Caddyfile:14 Thank you again! This was very helpful and educating. I'm going to use Cloudflare and Caddy for some other uses as well now! 1
mkitchin 2 Posted May 18, 2024 Posted May 18, 2024 Thanks again. This is a great guide and I enjoyed getting some experience with Caddy and Cloudflare. I have another question regarding local access. I have split DNS running so tv.mydomain.com resolves to my internal server IP on my network and externally through Cloudflare. I thought this would force local traffic to stay local when at home. It the actual video is still running through Cloudflare. This is the network traffic when watching a video from my local network. The 172 IPs are Cloudflare. My caddyfile is basic (below). Any idea how I can keep this traffic local? It is mainly for mobile device that might be local or remote. { email ***@gmail.com } tv.***.com { tls ***@gmail.com { dns cloudflare ************************************* } log { output file C:\caddy\logs\emby_access.log { roll true # Rotate logs, enabled by default roll_size_mb 10 # Set max size X MB roll_gzip true # Whether to compress rolled files # roll_local_time true # Use localhost time roll_keep 3 # Keep at most X log files roll_keep_days 7 # Keep log files for X days } } encode gzip reverse_proxy http://localhost:8096 { header_up X-Real-IP {remote_host} } }
Q-Droid 827 Posted May 18, 2024 Posted May 18, 2024 Why do you think you need to use the split DNS configuration and use the same name on both networks? Is Caddy only used for WAN access and LAN is direct to the server? Are you trying to use HTTPS on both WAN and LAN? Apps on mobile devices can already switch between LAN and WAN connections as long as the Emby network settings are correct. One of the problems with DNS these days is the advent of DoH and how some applications and possibly devices can choose to override or ignore your network settings for name resolution.
mkitchin 2 Posted May 18, 2024 Posted May 18, 2024 32 minutes ago, Q-Droid said: Why do you think you need to use the split DNS configuration and use the same name on both networks? I didn't necessarily think I did, but I had it in place anyway. Quote Is Caddy only used for WAN access and LAN is direct to the server? If I go to tv.mydomain.com internally on port 443, Caddy is going to be what is answering. If I hit http://tv.mydomain.com:8096 directly, it should be hitting Emby directly. I was trying to make it so a mobile device behaves exactly the same if it is in my house or if it is remote.
mkitchin 2 Posted May 18, 2024 Posted May 18, 2024 (edited) I think I may have figured it out. I may have just needed to update Emby to specify what external ports it was telling the client to use. I'm doing some testing. **I get it now. I was testing in a browser with http://tv.mydomain.com I didn't realize the Emby apps stored a local and remote config. Now that I realize that and put in the correct port for remote access, it looks like all is good. Thank you. Edited May 18, 2024 by mkitchin 1
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now