
Posted (edited)

It took me a while to get Caddy v2 set up and working by itself. Then there were some struggles with getting it to work with Cloudflare. I thought I would share a guide to assist those who want to go that route.

Prerequisites:

  • Have your own domain
  • Have the DNS of your domain setup with Cloudflare
  • Have your Cloudflare API key/token (for this, check out my other article on setting up DNS updates via API)
  • Have your Emby server set with a static internal IP

Step 1: Download Caddy

Visit https://caddyserver.com/download to download your binary. You will need to add a couple of plugins for this to work.

You will want to select 'caddy-dns/cloudflare' and 'kirsch33/realip'


Review at the top that it shows "Extra features = 2" and select 'Download'

Step 2: Download NSSM from https://nssm.cc/download (we will use this to run Caddy as a service)

Step 3: Create folders for NSSM and Caddy on the root of the C:\ drive

Step 4: Rename the caddy binary to just caddy.exe and put it in C:\Caddy\. Extract NSSM so you just have the nssm.exe and put that in your NSSM folder.

Step 5: Create your caddyfile

The Caddyfile has no extension. You can open this with your favorite text editor. I use Notepad++. Below is a sample Caddyfile.

  • The first email is the email address that you want to use to receive notifications if there are issues with the cert
  • Adjust your domain to what you are using for Emby. Either 'domain.com', 'login.domain.com' or 'emby.domain.com' etc.
  • The second email address is your email address for your Cloudflare account
  • This also sets up logging for the reverse proxy which is really handy
  • I chose to use the actual IP address of the server instead of localhost. Either will work.
{
	# ACME account email: this is where certificate expiry/problem notices go
	email email@gmail.com
}

yourdomain.com {
	tls email@gmail.com {
		# Value is a Cloudflare API token (not the Global API Key) with Zone:Read
		# and DNS:Edit on this zone. Paste the token value itself, without quotes.
		dns cloudflare 'Your Cloudflare API Key No Quotes'
	}
	log {
		output file C:\caddy\logs\emby_access.log {
			# Caddy v2 file-output subdirectives. Rolling and gzip compression are on
			# by default (roll_disabled / roll_uncompressed turn them off), and
			# roll_local_time takes no argument; the older "roll true" /
			# "roll_size_mb" / "roll_gzip" / "roll_keep_days" spellings are rejected.
			roll_size 10MiB			# roll the file once it reaches this size
			roll_local_time			# use local time in rolled file names
			roll_keep 3				# keep at most this many rolled files
			roll_keep_for 168h		# keep rolled files for 7 days
		}
	}
	encode gzip
	reverse_proxy http://10.0.0.5:8096 {
		# Behind Cloudflare, {remote_host} is the Cloudflare edge IP, not the client
		header_up X-Real-IP {remote_host}
	}
}

If you want to run any of the arrs as subsites of your main reverse proxy, you can add the following to your Caddyfile:

  • If you are running it on the same box instead of using the full domain name you would just use http://yourip:port
  • You need to login to each of the arr applications and setup the base URL
    • Login go to settings/general/base url
    • Add the correct subsite. So for Radarr you would add /movies save and restart.
{
	# ACME account email: this is where certificate expiry/problem notices go
	email email@gmail.com
}

yourdomain.com {
	tls email@gmail.com {
		# Value is a Cloudflare API token (not the Global API Key) with Zone:Read
		# and DNS:Edit on this zone. Paste the token value itself, without quotes.
		dns cloudflare 'Your Cloudflare API Key No Quotes'
	}
	log {
		output file C:\caddy\logs\emby_access.log {
			# Caddy v2 file-output subdirectives (rolling and gzip are on by default,
			# roll_local_time takes no argument)
			roll_size 10MiB			# roll the file once it reaches this size
			roll_local_time			# use local time in rolled file names
			roll_keep 3				# keep at most this many rolled files
			roll_keep_for 168h		# keep rolled files for 7 days
		}
	}
	encode gzip
	reverse_proxy http://10.0.0.5:8096 {
		header_up X-Real-IP {remote_host}
	}

	# Each *arr app must have its Base URL set to the matching path (Settings/General)
	reverse_proxy /movies/* https://radarr.domain.com {
		header_up Host {upstream_hostport}
		header_up X-Forwarded-Host {host}
	}
	redir /movies /movies/

	reverse_proxy /tv/* https://sonarr.domain.com {
		header_up Host {upstream_hostport}
		header_up X-Forwarded-Host {host}
	}
	redir /tv /tv/

	reverse_proxy /music/* https://lidarr.domain.com {
		header_up Host {upstream_hostport}
		header_up X-Forwarded-Host {host}
	}
	redir /music /music/

	reverse_proxy /audiobooks/* https://readarr.domain.com {
		header_up Host {upstream_hostport}
		header_up X-Forwarded-Host {host}
	}
	redir /audiobooks /audiobooks/
}

Step 6: Create a user for caddy to run as and set password. You will need this password later down when we setup the service. I'm going to use srvcaddy.

Step 7: Allow srvcaddy user to run as service

You want to open up Local Security Policy

Go to 'Local Policies/User Rights Assignment/Log on as a service' and add our new user srvcaddy

Step 8: Add your domain under Emby network settings

Login go to settings/network/external domain and add your domain name

Step 9: Launch cmd prompt as administrator

Step 10: Install Caddy as a service

In the cmd prompt, type cd "C:\NSSM". Then type nssm install Caddy

We will want to edit Log on to our service account

Then select 'Install service'

Now you can open up services and start caddy

The first time this runs it will take a few minutes to generate your certificate on the computer.

Step 11: Adjust firewall rules

You now only want the local computer to talk on Emby's port 8096. All other devices you will want to have it connect via ports 80,443.

Open up windows firewall

Make sure all of Emby's rules are disabled

Create a new rule

Step 12: Create a port forward in your router/firewall from external port 443 to your server port 443. Due to the differences in every router/firewall, you will need to refer to the manual or Google for this step. For even more security you can lock it down so only Cloudflare's IP addresses can route to your server. Since we are getting the cert via the DNS API, you only need port 443 open to Cloudflare. There is no need for port 80 to be open externally.

Step 13: Create a DNS entry in your router/firewall for your server. Again, due to the many differences, you will need to consult your device's manual or Google on how to accomplish this. You want to create an internal record that takes the domain name of your Emby server and points it to the local IP. This way you can take advantage of local login with PIN.

Step 14: Set Cloudflare's SSL/TLS Encryption

Login to Cloudflare, select your domain, and go to SSL/TLS

You want to set this to Full/Strict

That's it... you should now have a fully encrypted connection to your Emby server internal and external. You will now be connecting to your server via port 443 instead of 8096.

Hope this helps anyone struggling with setting this up.

Edited by Happy2Play
Updated at OP request
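Steps 6, 7, 10 and 11 above are GUI walk-throughs. The script below is an added example, not part of the original post and not code from Caddy or NSSM, that does the same provisioning from an elevated PowerShell prompt with the secrets kept out of the Caddyfile and the account kept to least privilege. Assumptions not in the post: caddy.exe lives in C:\Caddy and nssm.exe in C:\NSSM (as in Steps 3 and 4), the Caddyfile is C:\Caddy\Caddyfile and reads the Cloudflare token as `{env.CF_API_TOKEN}` instead of having it pasted inline, the server's static IP is 10.0.0.5 (from the sample Caddyfile), and the service account is named srvcaddy.

```powershell
# Added example (not from the original post). Run from an elevated PowerShell prompt.
# Assumptions: caddy.exe in C:\Caddy, nssm.exe in C:\NSSM, Caddyfile at C:\Caddy\Caddyfile
# containing "dns cloudflare {env.CF_API_TOKEN}", Emby on 10.0.0.5:8096, account srvcaddy.
#Requires -RunAsAdministrator
$ErrorActionPreference = 'Stop'

$ServiceName = 'Caddy'
$ServiceUser = 'srvcaddy'
$CaddyDir    = 'C:\Caddy'
$Nssm        = 'C:\NSSM\nssm.exe'
$ServerIp    = '10.0.0.5'   # the static internal IP from the prerequisites (assumed)

# Secrets are prompted, never hard-coded in this script or in the Caddyfile.
$svcPassword = Read-Host -AsSecureString "Password for local account $ServiceUser"
$cfToken     = Read-Host -AsSecureString 'Cloudflare API token (Zone:Read + DNS:Edit)'
$svcPlain = (New-Object System.Management.Automation.PSCredential -ArgumentList $ServiceUser, $svcPassword).GetNetworkCredential().Password
$cfPlain  = (New-Object System.Management.Automation.PSCredential -ArgumentList 'x', $cfToken).GetNetworkCredential().Password

# Step 6: a dedicated local account. New-LocalUser puts it in no group, so it can do
# nothing beyond what "Log on as a service" and the ACLs below allow.
if (-not (Get-LocalUser -Name $ServiceUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $ServiceUser -Password $svcPassword -PasswordNeverExpires `
        -UserMayNotChangePassword -Description 'Caddy reverse proxy service account' | Out-Null
}

# Least privilege on disk: read/execute on the binary and Caddyfile, write only where
# Caddy has to write (access logs, and the cert/key store redirected under C:\Caddy\data
# via XDG_DATA_HOME / XDG_CONFIG_HOME, which Caddy honours on Windows too).
New-Item -ItemType Directory -Force -Path "$CaddyDir\logs", "$CaddyDir\data" | Out-Null
icacls $CaddyDir        /grant "${ServiceUser}:(OI)(CI)RX" | Out-Null
icacls "$CaddyDir\logs" /grant "${ServiceUser}:(OI)(CI)M"  | Out-Null
icacls "$CaddyDir\data" /grant "${ServiceUser}:(OI)(CI)M"  | Out-Null

# Catch Caddyfile syntax errors (like an invalid log subdirective) before the service
# exists, instead of discovering them when it fails to start.
$env:CF_API_TOKEN = $cfPlain
& "$CaddyDir\caddy.exe" validate --config "$CaddyDir\Caddyfile"
if ($LASTEXITCODE -ne 0) { throw 'Caddyfile did not validate; fix it before installing the service' }

# Steps 7 and 10: install via NSSM. Setting ObjectName makes nssm grant the account the
# "Log on as a service" right (the Local Security Policy screen in Step 7 is where you
# can confirm it). The token goes into the service environment, which lives under the
# service's registry key readable by local administrators only, so the Caddyfile on disk
# holds no secret.
& $Nssm install $ServiceName "$CaddyDir\caddy.exe" run --config "$CaddyDir\Caddyfile"
& $Nssm set $ServiceName AppDirectory $CaddyDir
& $Nssm set $ServiceName AppEnvironmentExtra "CF_API_TOKEN=$cfPlain" `
    "XDG_DATA_HOME=$CaddyDir\data" "XDG_CONFIG_HOME=$CaddyDir\data"
& $Nssm set $ServiceName AppStdout "$CaddyDir\logs\service.log"
& $Nssm set $ServiceName AppStderr "$CaddyDir\logs\service.log"
& $Nssm set $ServiceName ObjectName ".\$ServiceUser" $svcPlain
& $Nssm set $ServiceName Start SERVICE_AUTO_START
Remove-Variable svcPlain, cfPlain
Remove-Item Env:CF_API_TOKEN

# Step 11: 8096 reachable only from this host (that is, from Caddy); 443 only from the
# LAN (split-DNS clients from Step 13) and from Cloudflare's published edge ranges;
# nothing on 80, because the DNS challenge never needs it. If the Cloudflare range
# list cannot be fetched, stop rather than open 443 to the whole internet.
Get-NetFirewallRule -DisplayName 'Emby*' -ErrorAction SilentlyContinue | Disable-NetFirewallRule  # adjust to your rule names
New-NetFirewallRule -DisplayName 'Emby 8096 from Caddy only' -Direction Inbound -Protocol TCP `
    -LocalPort 8096 -RemoteAddress 127.0.0.1, $ServerIp -Action Allow | Out-Null
$cfRanges = ((Invoke-RestMethod -Uri 'https://www.cloudflare.com/ips-v4') -split '\s+') | Where-Object { $_ }
if ($cfRanges.Count -lt 5) { throw 'Cloudflare IPv4 range list looks wrong; not opening 443' }
New-NetFirewallRule -DisplayName 'Caddy 443 from Cloudflare and LAN' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -RemoteAddress (@('LocalSubnet') + $cfRanges) -Action Allow | Out-Null

Start-Service $ServiceName
Get-Service $ServiceName   # first start takes a few minutes while the certificate is issued
```

The Cloudflare-only restriction on 443 only means something if the router's port forward in Step 12 passes the original source address through (ordinary DNAT does); if your router also forwards IPv6, add the list from https://www.cloudflare.com/ips-v6 the same way. The Emby rule names are a wildcard guess and should be checked against what the firewall console actually shows.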
Posted

Thanks for this.  There just aren't many guides for Caddy. I am a recent caddy convert and my next step was trying to setup cloudflare.  Your guide will help immensely.

Thanks again

 

Posted
1 hour ago, KegTapper said:

Thanks for this.  There just aren't many guides for Caddy. I am a recent caddy convert and my next step was trying to setup cloudflare.  Your guide will help immensely.

Thanks again

 

Let me know if you run into any snags. My biggest issue was finding out how to write the caddyfile.

  • 3 weeks later...
Posted

been using Caddy for a while, but can't get it to work with Cloudflare.  Followed this, but it still isn't working.  I get a SSL Handshake error.

Posted

Figured it out.  Above you mentioned an API Key, which is an actual thing, but you actually meant a Token.  Once I used the same token as the powershell script, it works fine.  Thanks.

Posted
4 hours ago, muzicman0 said:

Figured it out.  Above you mentioned an API Key, which is an actual thing, but you actually meant a Token.  Once I used the same token as the powershell script, it works fine.  Thanks.

Awesome, yes I apologize for the confusion on this. They call it a Token on Cloudflare other places call it a key, but it is essentially your password for the API. I'm glad you got this working!
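The SSL handshake error above is what you see when the DNS challenge never succeeded, and the most common reason in this thread is handing Caddy the account-wide Global API Key instead of an API token. The two are different credentials: the `dns cloudflare` module sends its value as a Bearer token, which the Global API Key is not, and the Global API Key also carries full account rights that a DNS-challenge credential should never have. The function below is an added example, not from the original posts, that checks a pasted value against Cloudflare's token-verification endpoint before you put it in the Caddyfile; the zone name is an assumed placeholder.

```powershell
# Added example (not from the original post): confirm the value is an active Cloudflare
# API token, and optionally that it can see the zone the DNS challenge will write to.
function Test-CloudflareToken {
    param(
        [Parameter(Mandatory)][string]$Token,
        [string]$ZoneName                      # optional, e.g. yourdomain.com (assumed placeholder)
    )
    $headers = @{ Authorization = "Bearer $Token" }
    try {
        $r = Invoke-RestMethod -Uri 'https://api.cloudflare.com/client/v4/user/tokens/verify' -Headers $headers
    } catch {
        # A Global API Key (or a typo) fails here with HTTP 400/401: it is not a token.
        Write-Warning "Cloudflare did not accept this value as an API token: $($_.Exception.Message)"
        return $false
    }
    if (-not $r.success -or $r.result.status -ne 'active') {
        Write-Warning "Token is not active (status: $($r.result.status))"
        return $false
    }
    if ($ZoneName) {
        # The DNS challenge needs Zone:Read plus DNS:Edit on this zone; at minimum the
        # token must be able to list the zone, otherwise it is scoped to the wrong place.
        $z = Invoke-RestMethod -Uri "https://api.cloudflare.com/client/v4/zones?name=$ZoneName" -Headers $headers
        if (-not $z.result -or $z.result.Count -eq 0) {
            Write-Warning "Token is active but cannot see zone $ZoneName (missing Zone:Read or wrong zone scope)"
            return $false
        }
    }
    return $true
}

# Usage: the token is read without echo and never written to disk.
$secure = Read-Host -AsSecureString 'Cloudflare API token'
$plain  = (New-Object System.Management.Automation.PSCredential -ArgumentList 'x', $secure).GetNetworkCredential().Password
if (Test-CloudflareToken -Token $plain -ZoneName 'yourdomain.com') {
    'OK: this value can go in the dns cloudflare line (or in CF_API_TOKEN)'
}
Remove-Variable plain
```

A token that passes the first check but fails the zone check is the other frequent cause of a silent issuance failure: the token exists and is active, but was created for a different zone or without Zone:Read.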

Posted

I was off yesterday so finally got around to setting this up. Emby works great.  I cannot get the Arrs to work. They are on the same machine and I set the base url. 

Posted
On 10/22/2021 at 8:24 AM, KegTapper said:

I was off yesterday so finally got around to setting this up. Emby works great.  I cannot get the Arrs to work. They are on the same machine and I set the base url. 

Are you trying to run it as domain.com/arr or are you trying to run it as arr.domain.com?

Would you be able to scrape your config and drop it here? I can take a look at it for you.

seanbuff
Posted
On 29/09/2021 at 10:26, TKX57 said:

I thought I would share a guide to assist those who want to go that route.

This is a great guide @TKX57 thanks for sharing.

Is it possible to fix up the missing/broken images in Step 8 and 14, just for completeness?

Posted
23 hours ago, seanbuff said:

This is a great guide @TKX57 thanks for sharing.

Is it possible to fix up the missing/broken images in Step 8 and 14, just for completeness?

I would love to but the article is locked and it will not let me edit it. Maybe an admin can unlock this for me so I can fix the broken images.

@Abobader

Posted
3 hours ago, TKX57 said:

I would love to but the article is locked and it will not let me edit it. Maybe an admin can unlock this for me so I can fix the broken images.

Please PM our mod's team @Happy2Play  @CBers about the replacement image link and they will do it for you, thanks.

  • 10 months later...
Posted

What do you mean by 

Step 6: Create a user for caddy to run as and set password.

What type of user?

Posted
44 minutes ago, Troymz said:

What do you mean by 

Step 6: Create a user for caddy to run as and set password.

What type of user?

Hi there, what exactly are you trying to do?

Posted
2 hours ago, Luke said:

Hi there, what exactly are you trying to do?

I'm trying to follow this guide. I'm quite a newbie with this stuff. 

I currently have my emby server running and everything works.. but I have no protection. I'd like get this setup with caddy for ssl. @pir8radio

pwhodges
Posted
7 hours ago, Troymz said:

What do you mean by 

Step 6: Create a user for caddy to run as and set password.

What type of user?

A Windows user; the permissions that follow in the instructions are Windows permissions.  When you create a Windows service (e.g. using nssm), you have to specify the user it will run under.

Paul

pwhodges
Posted
3 hours ago, Troymz said:

I have no protection. I'd like get this setup with caddy for ssl. @pir8radio

Protection from what?  Presumably, as you're using Caddy, you already have ssl.

Paul

Posted
3 hours ago, pwhodges said:

A Windows user; the permissions that follow in the instructions are Windows permissions.  When you create a Windows service (e.g. using nssm), you have to specify the user it will run under.

Paul

Thank you. 

I'm not running Caddy yet. I'm trying to follow this guide to set it up. I currently have no SSL.

pwhodges
Posted

You don't need Cloudflare to run Caddy.  I have written about the Caddy setup in several places; here are a couple:

Paul

  • 10 months later...
redjacket69
Posted

is it necessary to enable "Allow remote connections to this Emby Server." if reverse proxy is used? disabling that will remove the domain field and stuff

  • 10 months later...
mkitchin
Posted

Thank you! I had to comment out this line

# roll_local_time true

to get it to work. Otherwise, I got this error

Error: adapting config using caddyfile: parsing caddyfile tokens for 'log': wrong argument count or unexpected line ending after 'true', at Caddyfile:14

Thank you again! This was very helpful and educating. I'm going to use Cloudflare and Caddy for some other uses as well now!

mkitchin
Posted

Thanks again. This is a great guide and I enjoyed getting some experience with Caddy and Cloudflare. I have another question regarding local access. I have split DNS running so tv.mydomain.com resolves to my internal server IP on my network and externally through Cloudflare. I thought this would force local traffic to stay local when at home. But the actual video is still running through Cloudflare. This is the network traffic when watching a video from my local network. The 172 IPs are Cloudflare. My Caddyfile is basic (below). Any idea how I can keep this traffic local? It is mainly for mobile devices that might be local or remote.

 

{
    email ***@gmail.com
}

tv.***.com {
    tls ***@gmail.com {
        dns cloudflare *************************************
    }
    log {
        output file C:\caddy\logs\emby_access.log {
            # Caddy v2 file-output subdirectives: rolling and gzip are on by default,
            # and roll_local_time takes no argument (which is why "roll_local_time true"
            # fails to parse)
            roll_size 10MiB          # roll the file once it reaches this size
            roll_local_time          # use local time in rolled file names
            roll_keep 3              # keep at most this many rolled files
            roll_keep_for 168h       # keep rolled files for 7 days
        }
    }
    encode gzip
    reverse_proxy http://localhost:8096 {
        header_up X-Real-IP {remote_host}
    }
}

Q-Droid
Posted

Why do you think you need to use the split DNS configuration and use the same name on both networks? Is Caddy only used for WAN access and LAN is direct to the server? Are you trying to use HTTPS on both WAN and LAN? Apps on mobile devices can already switch between LAN and WAN connections as long as the Emby network settings are correct. One of the problems with DNS these days is the advent of DoH and how some applications and possibly devices can choose to override or ignore your network settings for name resolution.

 

mkitchin
Posted
32 minutes ago, Q-Droid said:

Why do you think you need to use the split DNS configuration and use the same name on both networks? 

I didn't necessarily think I did, but I had it in place anyway. 

Quote

Is Caddy only used for WAN access and LAN is direct to the server?

If I go to tv.mydomain.com internally on port 443, Caddy is going to be what is answering. If I hit http://tv.mydomain.com:8096 directly, it should be hitting Emby directly. 

I was trying to make it so a mobile device behaves exactly the same if it is in my house or if it is remote. 

mkitchin
Posted (edited)

I think I may have figured it out. I may have just needed to update Emby to specify what external ports it was telling the client to use. I'm doing some testing. 

**I get it now. I was testing in a browser with  http://tv.mydomain.com I didn't realize the Emby apps stored a local and remote config. Now that I realize that and put in the correct port for remote access, it looks like all is good. Thank you. 

Edited by mkitchin