Reverse proxy not working for HTTPS


pitops

Hi,

I have been reading the forums for hours but can't get HTTPS to work.

I have a DDNS synology.me domain with a Let's Encrypt certificate.

I have set up the reverse proxy like so (domain masked for obvious reasons):

[Screenshot: reverse proxy settings]

I have set up Emby like below (domain masked for obvious reasons):

[Screenshot: Emby settings]

I opened the ports 80/443 on my router and can access port 80 but not port 443.

Also, the firewall allows both 80/443.

Any clues?


KMBanana

Since you are sending to the localhost 8096 you want to use http for the destination instead of https.  Source protocol should remain as https.

Should be https/443/encrypted from internet to your reverse proxy, and then http/8096/unencrypted between reverse proxy and emby.  

I haven't used Synology personally but pretty sure the above should work.  


chef

Might be helpful, not sure.

But with my reverse proxy (using caddy) I have to use the actual IP of the machine 192.168.x.xxx instead of localhost.

It might not be anything helpful, but you never know.


pitops

@chef thanks for the suggestion, sadly doesn't do anything different. Can you point me to a guide/resource on doing it with caddy?

 


chef
34 minutes ago, pitops said:

@chef thanks for the suggestion, sadly doesn't do anything different. Can you point me to a guide/resource on doing it with caddy?

 

Well, I use caddy version 1, which doesn't seem to be supported any longer.

They changed their app quite substantially.

There is also nginx, which is also a great product which can reverse proxy your connections.

There is an awesome nginx thread here on the community tracker that explains how to set it up.

 

For caddy server v2, you could take a look at their site.  They do have a step by step.

Does your DDNS have all the 'A' type records set up to connect back to your IP with https?


  • 1 month later...

Late to the party, but did you get a cert from Let's Encrypt?  And if so, did you assign it to that domain name?

In Ctrl Panel > Security > Certificate you need to either create the certificate, or assign it to the domain name you entered into the reverse proxy menu.  From here, click on Settings:

[Screenshot: certificate settings]

In that drop down, select the certificate you created that matches the service and that should get things working (in theory).

If you're using port 443 to route traffic to the localhost, you have to make sure port 443 is open on your router.  If it's closed, outside web traffic will be blocked and nothing you do in DSM will fix that.  If you don't know how to do that, google your router model and "set up port forwarding."  Set internal & external port forward to 443 and tcp/udp.


Hey, I have done all the above. I checked port 80 and it works on my router, same way I configured 443, so I don't know what gives...


unisoft
On 11/07/2022 at 21:41, pitops said:

Hi,

I have been reading the forums for hours but can't get HTTPS to work.

I have a DDNS synology.me domain with a Let's Encrypt certificate.

I have set up the reverse proxy like so (domain masked for obvious reasons):

[Screenshot: reverse proxy settings]

I have set up Emby like below (domain masked for obvious reasons):

[Screenshot: Emby settings]

I opened the ports 80/443 on my router and can access port 80 but not port 443.

Also, the firewall allows both 80/443.

Any clues?

You have WHITELIST selected but no IP addresses in it to allow?

On Synology, the reverse proxy will be nginx unless changed.

You are basically taking a domain and redirecting through your router using port forwarding to your NAS, which will serve http, and the reverse proxy will serve out https, assuming the cert is correct and assigned to Emby (instead of the default Synology cert) and a Synology firewall rule allows the port traffic. On your LAN network it would usually still be http.

You shouldn't need the automatic port option if you have already defined a port forwarding rule on your router. Where your domain name server is hosted you will need an A record to redirect to the WAN IP address of your router. Your DDNS is probably already pointing at it though, but it's one to check.

 


4 hours ago, pitops said:

Hey, I have done all the above. I checked port 80 and it works on my router, same way I configured 443, so I don't know what gives...

Have you created an 'A record' with your domain provider?  I've used Namecheap in the past and forgot to mention that you have to create this too.  You need to create the A record using a wildcard (the '@' symbol) and then a record for every subdomain you want to use.  You'll put the wildcard and subdomain names under the 'host' field and your external IP under the 'value' field.

[Screenshot: A record configuration]

 

I believe there's more than one way to create a domain record, but that's the way I've done it and it works great for me on my Synology.

I hope that helps!


heffeque

Just as a heads up, I have HTTPS on exterior reverse proxying into HTTP on interior for Emby.

HTTPS exterior into HTTPS interior works fine with the rest of apps I have on the server.

Edit: if it helps, I'm actually using subdomains for every app. All subdomains have 443 exterior, but point into the relevant port of the interior, and the certificates are assigned to the relevant subdomains (separate certificates for separate subdomains).


I don't have my own domain, it's a domain that is provided by Synology. Not sure where I can add an A record and the like?


heffeque

I'm using Synology domain too. I'm using a sub-sub-domain for Emby I guess.

emby.xyz.synology.me


  • 2 weeks later...

I'm using reverse proxy with synology.me domain. With a couple of sub domains including emby.

Works fine

It's been a while since I set it up, but I remember I had to make a wildcard certificate in DSM to get it working. Not sure if that's relevant or helpful in this case, but still.


Hey all, so after some back and forth and redoing stuff it is now working. I don't exactly know what was wrong but nonetheless thank you all for the help!


  • 3 weeks later...

I've not been able to set up things with a subdomain-type reverse proxy, despite many efforts. For many other docker containers, I have successfully set up subdomain proxies such as radarr.xxx.synology.me, sonarr.xxx.synology.me, lidarr.xxx.synology.me, jackett.xxx.synology.me, dsm.xxx.synology.me and others, but the exact same way doesn't work for an emby.xxx.synology.me.

So I had to fall back on a port-type reverse proxy and it works: xxx.synology.me:8098 (need a 8098->8920 port forwarding on the router). If it helps, let me post screen captures here for configuration. They are in French but you shall guess the idea.

If somebody did succeed with subdomain, please let us know and post similar screen captures.

@Luke : this reverse proxy thing is a PITA and is difficult to avoid with a Synology because the Let's Encrypt certificates are not permanent and need manual conversion to PKCS #12. If Emby was able to directly read certificates as they are stored on a Synology (probably in .var/something), then it would be easier because the built-in SSL would become an option.

@cayars

[Screenshots: reverse proxy configuration (in French)]


Thanks for the link. Despite my Docker install, I've followed the end part about reverse proxy without success. Previously, I didn't set up the WebSocket thing so I was hopeful but unfortunately... it didn't work.


On 9/26/2022 at 4:40 AM, Temperdu said:

I've not been able to set up things with a subdomain-type reverse proxy, despite many efforts. For many other docker containers, I have successfully set up subdomain proxies such as radarr.xxx.synology.me, sonarr.xxx.synology.me, lidarr.xxx.synology.me, jackett.xxx.synology.me, dsm.xxx.synology.me and others, but the exact same way doesn't work for an emby.xxx.synology.me.

So I had to fall back on a port-type reverse proxy and it works: xxx.synology.me:8098 (need a 8098->8920 port forwarding on the router). If it helps, let me post screen captures here for configuration. They are in French but you shall guess the idea.

If somebody did succeed with subdomain, please let us know and post similar screen captures.

@Luke : this reverse proxy thing is a PITA and is difficult to avoid with a Synology because the Let's Encrypt certificates are not permanent and need manual conversion to PKCS #12. If Emby was able to directly read certificates as they are stored on a Synology (probably in .var/something), then it would be easier because the built-in SSL would become an option.

@cayars

[Screenshots: reverse proxy configuration (in French)]

emby.xxx.synology.me could work but you should avoid using the Synology proxy with Emby. It doesn't support the features you need, nor allow you control over it.

It's typically far better to have your own domain, not tied to a specific hardware device or company.  To do this properly for best freedom and use, use a domain you register that is yours such as "domain.ext", then you can set up Traefik Reverse Proxy (or similar other proxy) for "emby.domain.ext", "dsm.domain.ext", etc. You can still run this on Synology but could move it to its own machine as well (dedicated Pi for example) if you wanted. I would make sure the proxy has its own internal IP address so all traffic can be opened if needed on a firewall and to make sure no other proxies hijack the traffic.  I like running reverse and forward proxies on a dedicated machine.  A Raspberry Pi for example can redirect the traffic back to the Synology but if down could automatically redirect to a backup server running on a notebook or similar. Traefik can do the same for dns and dhcp as well, rerouting packets during maintenance or just putting up an error message when the host is not available.  You can do some advanced things with it as well if linked with some other security tools such as redirecting some traffic to other internet hosts or back at the ip itself (hackers). In the case of multiple hacks from different IPs you can sit in the middle pointing A's traffic to host B and B's traffic to host A. :)

Traefik Reverse Proxy can use a wildcard cert for all traffic on that domain or can be configured to fetch a new cert automatically with any new subdomain it answers for.  If the subdomain matches a DNS entry on the network it will self set up the destination IP, fetch a cert and install it, set up communication to the destination IP using the same inbound ports. If you have multiple IPs for the host record it can split traffic between them or set up one as primary and one as secondary.  Traefik Reverse Proxy can seem a little harder than other proxies but it has so many cool unique features that it's worth learning. It's typically the default proxy used on mesh type setups with dynamic vms or containers such as docker swarm and especially Kubernetes.

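The three things this thread keeps checking (the name resolves, port 443 answers, and the certificate served there actually covers the subdomain) can be tested in that order from outside the LAN. The script below is an added example, not code from any poster, Synology or Emby; the SAN lists are constructed, and `probe` assumes the certificate chains to a public CA such as Let's Encrypt.

```python
import socket
import ssl
import sys

# Constructed SAN lists (not taken from any real certificate).
BASE_ONLY = ["xyz.synology.me"]
WILDCARD = ["xyz.synology.me", "*.xyz.synology.me"]

def san_matches(pattern, host):
    """TLS-client style match: '*' is a whole leftmost label, exactly one label deep."""
    p = pattern.lower().rstrip(".").split(".")
    h = host.lower().rstrip(".").split(".")
    if len(p) != len(h):
        return False
    if p[0] == "*":
        return len(p) > 2 and p[1:] == h[1:]
    return p == h

def first_failure(host, resolved, port_open, dns_names):
    """Name the first layer that would break https://host/ (or 'ok')."""
    if not resolved:
        return "dns"
    if not port_open:
        return "port"
    if not any(san_matches(n, host) for n in dns_names):
        return "certificate"
    return "ok"

def probe(host, port=443, timeout=5.0):
    """Live version: gather the three facts for a real hostname."""
    try:
        socket.getaddrinfo(host, port)
    except socket.gaierror:
        return first_failure(host, False, False, [])
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # chain is still verified; names are compared below
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                sans = tls.getpeercert().get("subjectAltName", ())
    except ssl.SSLError:
        return "certificate"  # untrusted default cert, or no TLS on this port
    except OSError:
        return "port"  # refused, filtered or timed out
    return first_failure(host, True, True, [v for k, v in sans if k == "DNS"])

if __name__ == "__main__":
    host = sys.argv[1] if len(sys.argv) > 1 else None
    print(probe(host) if host else first_failure("emby.xyz.synology.me", True, True, WILDCARD))
```

Run it with a hostname argument from a connection outside the home network (for example a phone hotspot), since a test from inside the LAN does not exercise the router's port forward.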
