direct internal routing with public url possible?

plessers@gmail.com

Hello,

Yesterday I noticed on my router that there was a lot of "internet" traffic. I was surprised by this, but after some testing and sniffing, I saw that my client PC was accessing my server on the "outside" of the router (see routing on image). No real consumption of my bandwidth at the ISP side, but still, all traffic is passed through the router...

 

This means also

  • Single point of failure
  • Bandwidth of the router is shared by all clients. I have a Gb router, but this can be a problem with older routers
  • Monitoring of bandwidth at the router is not representative anymore and all my graphs are messed up. Monitoring figures don't match the information I see at my ISP

[image: routing diagram]

 

I used to work with Plex, and they have a very clever setup for this:
(for more information, see https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/)

On my router:
Dnsmasq -> Custom configuration ->

rebind-domain-ok=/plex.direct/
local-ttl=1

 

 

I tried to change my router to

rebind-domain-ok=/plex.direct/tv.emby.media/app.emby.media/
local-ttl=1

 

 

but this didn’t help.

 

So my question is: is it possible to configure my Emby server in the same way as my Plex server, so that my clients have a direct connection to my server instead of going via the public URL? Oh, and I only want to use one URL for my browsers, i.e. http://tv.emby.media/#!/plugins/defaultskin/home.html...

Thanx in advance,

Bart

Koleckai Silvestri

I don't have this problem and connect directly to my server's internal IP of 10.0.0.4. Maybe this is an issue if you use Emby Connect. I don't use Emby Connect.

It's supposed to do that already with Connect, by first testing your local address for connectivity; however, if by chance you entered a manual address then it will always do that.

The dnsmasq method you mentioned is interesting too, so if you can get a prototype of that working, we can look into it.

I just set up a DNS entry in my DNS server for all my stuff; that way everything gets routed properly internally and externally as needed.

plessers@gmail.com

@luke: the problem is, when I go to the new web interface at http://tv.emby.media/index.html, I'm in a kind of a loop:

- I get a PIN

- on another browser window, I go to https://emby.media/pin.html, log in and enter that PIN

- in the first window, I'm redirected to http://tv.emby.media/index.html#!/startup/selectserver.html, but my server is NOT displayed:

[screenshot: server selection page]

- If I select Emby Connect, I'm going to the first step of this procedure...

- if I select "new server", I have to add my server manually

Here I have to choose between public name or internal IP address.

 

Is this a bug?

 

I was expecting that -after accepting the PIN- my server was resolved automatically, and if on the same network, the internal IP was used.

 

Bart

I do something similar to @JeremyFr79, but what I do is set up a CNAME in dnsmasq on my router so that the public address points to the local address within my network. Here's an example configuration line:

 

cname=public.domain.example,machinename.lan

 

All local clients are automatically routed directly to the local server address.

  • 1 year later...
plessers@gmail.com

Hello to everybody,

 

I have to come back to this.

@Luke suggested in another topic that I try the interface on "https://tv.emby.media/".

Till now, I was experimenting locally with my Emby server, but if I want to use "https://tv.emby.media/", the above problem still arises.

All network traffic is sent through my router twice (uploading AND downloading).

If I use Fiddler, I see all my traffic going to https://mydomain:8920

 

This could be done smarter:

- let Emby detect if server and client are on the same subnet

- if this is the case, let the server give the local IP as source instead of the public DNS name

This is something that the other media server, Plex, does:

- if I go to http://app.plex.tv/web/app#

- and if I fiddle my network traffic, I see

- connections are made to https://xxx-xxx-xxx-xxxx.69948de6a51145a5be0623b766969880.plex.direct:32400, where

  xxx-xxx-xxx-xxx is the local IP of my server

- my router is configured so that:

          rebind-domain-ok=/plex.direct/
          local-ttl=1

- so if I ping from my client to 192-168-4-11.69948de6a51145a5be0623b766969880.plex.direct

  I get a response from 192.168.4.11 (IP address of my local server)

So no network traffic passes my router.

Is this something that can be considered for Emby?

 

Kind regards,

Bart
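The Plex-style scheme Bart describes above (a hostname that carries the server's LAN address, plus a dnsmasq whitelist so the router does not throw away the private-address answer), modelled in Python as an added example for this thread; it is not Plex's, Emby's or dnsmasq's code. The hostname layout is taken from the ping example in the post; the filter reproduces dnsmasq's documented stop-dns-rebind / rebind-domain-ok behaviour in simplified form (single A answers only, local-ttl not modelled), and the sample name, hash and addresses are the ones from the post. The last checks in the demo make the point behind the earlier tv.emby.media attempt: the whitelist only stops dnsmasq from discarding a private-address answer that upstream already returned; it never turns a public answer into a private one.

```python
"""Model of a Plex-style "direct" hostname and of dnsmasq's rebind filter.

Added example for this thread, not code from Plex, Emby or dnsmasq.
"""
import ipaddress
import re

# Ranges an upstream answer may not fall into when stop-dns-rebind is on;
# this is the set dnsmasq treats as "private" (taken from its documentation,
# stated here as an assumption rather than copied from its source).
REBIND_BLOCKED = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16",
)]
LOOPBACK = ipaddress.ip_network("127.0.0.0/8")

# <dashed-ip>.<32 hex server id>.<base domain>, as in the ping example above
_DIRECT_NAME = re.compile(
    r"^(\d{1,3})-(\d{1,3})-(\d{1,3})-(\d{1,3})\.([0-9a-f]{32})\.(.+)$")


def plex_direct_name(local_ip: str, server_id: str, base: str = "plex.direct") -> str:
    """192.168.4.11 -> 192-168-4-11.<server_id>.plex.direct (raises on a bad IP)."""
    ip = ipaddress.IPv4Address(local_ip)
    return f"{str(ip).replace('.', '-')}.{server_id}.{base}"


def parse_plex_direct_name(name: str):
    """Inverse of plex_direct_name; None if the name does not follow the layout."""
    m = _DIRECT_NAME.match(name.rstrip(".").lower())
    if not m:
        return None
    ip = ipaddress.IPv4Address(".".join(m.group(1, 2, 3, 4)))
    return str(ip), m.group(5), m.group(6)


def parse_rebind_domain_ok(line: str) -> list:
    """'rebind-domain-ok=/a.example/b.example/' -> ['a.example', 'b.example']"""
    key, _, value = line.strip().partition("=")
    if key != "rebind-domain-ok":
        raise ValueError(f"not a rebind-domain-ok line: {line!r}")
    return [d for d in value.split("/") if d]


def in_rebind_domain(qname: str, allowed) -> bool:
    """True if qname is one of the whitelisted domains or a subdomain of one."""
    q = qname.rstrip(".").lower()
    return any(q == d.lower() or q.endswith("." + d.lower()) for d in allowed)


def upstream_answer_allowed(qname: str, answer_ip: str, rebind_domain_ok=(),
                            stop_dns_rebind=True, rebind_localhost_ok=False) -> bool:
    """Would dnsmasq hand this upstream A answer to the client?

    Public answers always pass.  A private-range answer is dropped when
    stop-dns-rebind is on, unless the queried name is under a whitelisted
    domain (or is loopback and rebind-localhost-ok is set).
    """
    addr = ipaddress.ip_address(answer_ip)
    if not stop_dns_rebind:
        return True
    if rebind_localhost_ok and addr in LOOPBACK:
        return True
    if not any(addr in net for net in REBIND_BLOCKED):
        return True
    return in_rebind_domain(qname, rebind_domain_ok)


if __name__ == "__main__":
    # Values from the post: the router config line and the pinged hostname.
    ok = parse_rebind_domain_ok("rebind-domain-ok=/plex.direct/")
    name = plex_direct_name("192.168.4.11", "69948de6a51145a5be0623b766969880")
    print(name, "->", parse_plex_direct_name(name))
    print("direct name, LAN answer, whitelisted:",
          upstream_answer_allowed(name, "192.168.4.11", ok))
    print("direct name, LAN answer, no whitelist:",
          upstream_answer_allowed(name, "192.168.4.11", []))
    print("random name, LAN answer (rebinding attempt):",
          upstream_answer_allowed("attacker.example", "192.168.4.11", ok))
    print("tv.emby.media, public answer, whitelisted or not:",
          upstream_answer_allowed("tv.emby.media", "203.0.113.10", ok),
          upstream_answer_allowed("tv.emby.media", "203.0.113.10", []))
```

Whitelisting a domain here is a deliberate hole in the rebinding defence, so it should only cover a zone whose operator you trust to publish nothing but your own server's address under it; Plex ties the 32-hex label to the server's certificate for that reason. Adding tv.emby.media to the list would make the router accept a private answer for that name too, but the public address that emby.media actually returns passes untouched either way, so the extra entries change nothing on their own.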

When you use tv.emby.media it will connect locally when possible. Try the http version.

plessers@gmail.com

Hi Luke,

 

Just did the test:

- connect to http://tv.emby.media

- login with emby connect

- added my server http://mydomain:8098 (I'm running on a different port)

- logged in to my server with local account and pass

 

If I sniff my network traffic, all requests are done to http://mydomain, which means the PUBLIC side of my router. Thus traffic passes through the router and back again.

[screenshot: network capture]

 

 

This can easily be seen on the router itself: when playing a movie, traffic is taken into account, so network traffic is following my "green path" (see original picture)

 

Kind regards,

Bart

And I just tested as well - no problem found, worked as expected.

 

The point being, it will always try to connect to the local LAN address that is listed on the Emby server dashboard. It will only switch to remote if that fails, or if you originally connected by manually entering a specific address. If you did a manual address then it will always use that particular value.

plessers@gmail.com

Hi Luke,

 

I don't understand that.

What am I doing wrong?

Here are my settings:

[screenshot: server dashboard settings]

As I said before, here are the steps connecting to http://tv.emby.media from an internal client (on the same network segment as the server):

- connect to http://tv.emby.media
  [screenshot]

- log on with Emby Connect account
  [screenshot]

- add server
  [screenshot]

- enter public domain name and port
  [screenshot]

- log on with local account
  [screenshots]

- enter libraries
  [screenshot]

However, on my client:

[screenshot: client network capture]

so I can't see any traffic going to my server directly....

 

What am I doing wrong?

 

Sincerely

Bart

Yes, you must have manually entered an IP address during the connection process, in which case that is always the first address used.

plessers@gmail.com

Hello Luke,

 

I don't get this.

 

On my home PC on local network

- logged in with emby connect user

- I removed server from my server list

- added server again with local IP

 

Connected to other PC on external network

- logged in with same emby connect user

- NO servers are listed

 

so how can I connect to my server from an external PC?

From what I know right now:

- I can add my server based on the local IP -> it works on the local subnet and streaming is done peer-to-peer

OR

- I can add the server based on the public DNS name --> it works on the local subnet AND external subnet, but streaming is done based on the public DNS name. So again: network flow according to my original picture.

 

Can you confirm this?

 

Kind regards,

Bart

I would use Emby Connect. The server is probably not listed anymore due to you removing it.

plessers@gmail.com

Luke,

can you elaborate this a little bit more?

 

I AM using Emby Connect, and added the server with its IP address.

Also: logging on from another PC with Emby Connect, does NOT list my server at all...

 

Maybe there is something wrong with Emby Connect? Or with my profile?

 

Bart

I AM using Emby Connect, and added the server with its IP address.

 

If you are manually adding a server by IP you are not using Emby Connect.

 

Try re-linking the user in the server dashboard or recreating it if it is a guest.

plessers@gmail.com

Indeed,

 

what happened:

- I added a new user to my server(s)

- made this user admin (because admin sees all libraries; as a "normal" user I only want to see a few of them)

- I forgot to add the admin email address to its profile

--> things went wrong here

- so using Emby Connect, I had to add the server manually

- and of course the connection was made by the URL added

However:

- after using Emby Connect correctly (thus email user configured at the server, invitation accepted)

- I had to clear all my browser caches. Somehow, settings were cached and even after using Emby Connect, I still was using the public domain name

- I started an incognito session --> local IP was used

- I cleared all caches --> everything works as designed now: using local IPs on the local subnet, using the public domain name on the WAN.

 

thanx all for your patience and support,

much appreciated!

 

Bart

 

 

Just one suggestion: in the whole discussion above, I was confused and NOT using Emby Connect, although I followed the procedure on screen (see above), which clearly indicates: to use Emby Connect, visit https://emby.media/pin and enter the pin code. So by doing this, I thought I was using Connect, but clearly not. My mistake, but I guess some other users may also be in this situation...

I use a static hostname on my router which points to my internal IP, so for example emby.mydomain.com. If I am internal it goes to 192.168.10.10:8096. If I am external I have a CNAME with my registrar which points it to my DDNS.

plessers@gmail.com

@swynol: this would be a solution if all my public services were running on the same server internally, but I have some other servers with different IPs, but with the same public name...

 

anyway, thanx for response!

B

@swynol: this would be a solution if all my public services were running on the same server internally, but I have some other servers with different IPs, but with the same public name...

 

anyway, thanx for response!

B

 

I have many public services on my LAN.

For example, internally:

emby.mydomain.com --> 192.168.10.10

sophos.mydomain.com --> 192.168.10.9

etc.

Then externally:

emby.mydomain.com --> CNAME to DDNS --> DDNS AAA record to my WAN IP port 443 --> NGINX reverse proxy --> 192.168.10.10

sophos.mydomain.com --> CNAME to DDNS --> DDNS AAA record to my WAN IP port 443 --> NGINX reverse proxy --> 192.168.10.9

I have another 10-15 services on my LAN which I can access internally using the same URL as externally; however, they don't get routed externally.

plessers@gmail.com

Yep, but in my setup everything is routed to https://MyOneAndOnlyPublicDomainName:xyz. Depending on the port, a reverse proxy forwards requests to different internal IPs. So it is a bit more difficult to use a HOSTS file or different DNS for the routing internally. But you're right, maybe I should start using different DNS names...

Yep, but in my setup everything is routed to https://MyOneAndOnlyPublicDomainName:xyz. Depending on the port, a reverse proxy forwards requests to different internal IPs. So it is a bit more difficult to use a HOSTS file or different DNS for the routing internally. But you're right, maybe I should start using different DNS names...

 

The reason for a reverse proxy is: in your case, say you have 10 "services" running, you have 10 ports open on your firewall, and that's 10 security risks. With nginx or some other reverse proxy, you usually open HTTP and HTTPS (80 & 443) and then you just give your services names, either like service1.domain.com or domain.com/service1. The second is harder to set up and maintain in my opinion. The back-end services will still be using the ports you assigned them, so you can switch back easily, or run nginx and the way you are doing it today side by side as a test. service1.domain.com:80 ---> nginx ---> service1:8374, and so on.

plessers@gmail.com

@Swynol, @pir8radio,

Thanks for the input.

This was a project that I had postponed for a long time, but with your feedback I spent some time on it.

Glad I did.

So for now:

- running Tomato firmware on an ASUS RT-N18U router

- port forwarding 80 to the IP of the router

[screenshot: port forwarding rule]

NGINX is currently running on the router.

NGINX HTTP Section Custom configuration:

[screenshot: nginx settings page]

Custom settings:

server {
    listen 80;
    server_name app1.mydomain.org;
    location / {
        proxy_pass http://InternalIP-App1:80/;
    }
}


server {
    listen 80;
    server_name app2.mydomain.org;
    location / {
        proxy_pass http://InternalIP-App2:80/;
    }
}


server {
    listen 80;
    server_name app3.mydomain.org;
    location / {
        proxy_pass http://InternalIP-App3:32400/;
    }
}


server {
    listen 80;
    server_name app4.mydomain.org;
    location / {
        proxy_pass http://InternalIP-App4:8096/;
    }
}

Everything works smoothly now and I can access my services over HTTP with their own app subdomain.

I am planning to do this also with HTTPS, but am currently struggling with certificates.

I have a config running (cert.pem and cert.key are generated internally on the router if you enable admin over HTTPS, see also http://blog.nguyenvq.com/blog/tag/reverse-proxy/ )

server {
   # "ssl on;" is the old spelling; current nginx takes the ssl flag on listen
   listen 443 ssl;
   # self-signed pair the router generates when admin-over-https is enabled
   ssl_certificate  /tmp/etc/cert.pem;
   ssl_certificate_key  /tmp/etc/key.pem;

   ssl_session_timeout  5m;
   # TLSv1 / TLSv1.1 dropped and RC4 removed from the cipher list; both are broken
   ssl_protocols TLSv1.2;
   ssl_prefer_server_ciphers on;
   ssl_ciphers "EECDH+ECDSA+AESGCM EECDH+aRSA+AESGCM EECDH+ECDSA+SHA384 EECDH+ECDSA+SHA256 EECDH+aRSA+SHA384 EECDH+aRSA+SHA256 EECDH EDH+aRSA !aNULL !eNULL !LOW !3DES !MD5 !EXP !PSK !SRP !DSS !RC4";

   location / {
      # pass the original Host header so the backend builds correct URLs
      proxy_set_header Host $host;
      proxy_pass http://InternalIP:32400;
      proxy_redirect http://InternalIP:32400/ $scheme://$host:$server_port/;
   }
}

This works, but you get a certificate error, of course.

I have certificates (Let's Encrypt) for all my app subdomains, but still need to convert them from *.pfx to *.cert/key.pem

 

Anybody experience with that?

 

Another question: can you do the same thing with HTTPS as with HTTP? Listen on the SAME port (443) for different domains with different certificates? What should my config look like?

Can I do this:

[screenshot: proposed https config]

Is this possible?

 

Kind regards,

Bart
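An answer to the two HTTPS questions above, as an added example for this thread (not Tomato's, nginx's or Emby's code): a small Python script that splits a PKCS#12 (.pfx) bundle into the key and certificate files nginx reads, and renders one server block per hostname on a single :443 listener, each with its own certificate, which is what nginx does with SNI. The hostnames, paths and backend addresses are placeholders in the style of the thread; the conversion step assumes the openssl command-line tool is on the path and is not exercised by the offline demo.

```python
"""Split a .pfx into nginx's key/cert files and render an SNI layout on :443.

Added example for this thread; not code from Tomato, nginx, Emby or Plex.
"""
import subprocess
from pathlib import Path

# Constructed inventory: hostnames follow the placeholders used in the thread,
# certificate paths and backends are assumptions for illustration.
VHOSTS = [
    {"name": "app3.mydomain.org", "backend": "http://InternalIP-App3:32400",
     "cert": "/tmp/etc/app3/fullchain.pem", "key": "/tmp/etc/app3/privkey.pem"},
    {"name": "app4.mydomain.org", "backend": "http://InternalIP-App4:8096",
     "cert": "/tmp/etc/app4/fullchain.pem", "key": "/tmp/etc/app4/privkey.pem"},
]

TLS_COMMON = """\
    ssl_session_timeout 5m;
    ssl_protocols TLSv1.2;
    ssl_prefer_server_ciphers on;
    ssl_ciphers "EECDH+AESGCM EECDH+SHA384 EECDH+SHA256 !aNULL !eNULL !LOW !3DES !MD5 !RC4";"""


def render_vhost(v: dict) -> str:
    """One server block: selected by SNI name, with its own certificate."""
    return f"""server {{
    listen 443 ssl;
    server_name {v['name']};
    ssl_certificate {v['cert']};
    ssl_certificate_key {v['key']};
{TLS_COMMON}

    location / {{
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_pass {v['backend']}/;
    }}
}}
"""


def render_catchall(cert: str, key: str) -> str:
    """Refuse unknown or absent SNI names instead of serving the first vhost.

    nginx still needs a certificate to complete the handshake; a self-signed
    one is fine here because the connection is closed (444) right after.
    """
    return f"""server {{
    listen 443 ssl default_server;
    server_name _;
    ssl_certificate {cert};
    ssl_certificate_key {key};
    return 444;
}}
"""


def render_config(vhosts, catchall_cert: str, catchall_key: str) -> str:
    """Catch-all first, then one block per name; all share port 443."""
    return "\n".join([render_catchall(catchall_cert, catchall_key)]
                     + [render_vhost(v) for v in vhosts])


def pfx_to_pem(pfx: str, out_dir: str, password: str = ""):
    """Write privkey.pem and fullchain.pem from a PKCS#12 bundle via the
    openssl CLI (assumed to be installed); returns the two paths."""
    out = Path(out_dir)
    out.mkdir(parents=True, exist_ok=True)
    key, chain = out / "privkey.pem", out / "fullchain.pem"
    base = ["openssl", "pkcs12", "-in", pfx, "-passin", f"pass:{password}"]
    # key only, unencrypted (-nodes): nginx cannot prompt for a passphrase at boot
    subprocess.run(base + ["-nocerts", "-nodes", "-out", str(key)], check=True)
    # every certificate in the bundle (leaf + intermediates) into one file
    subprocess.run(base + ["-nokeys", "-out", str(chain)], check=True)
    key.chmod(0o600)
    return key, chain


if __name__ == "__main__":
    # The router's self-signed pair from the thread reused as the catch-all
    # certificate (assumption).
    print(render_config(VHOSTS, "/tmp/etc/cert.pem", "/tmp/etc/key.pem"))
```

The default_server block is the part most people leave out: without it nginx answers any client that sends an unknown or missing SNI name with the first server block's certificate and proxies it to that backend, which is a cheap way for a scanner to learn what lives behind the proxy. Returning 444 just closes the connection; newer nginx releases can use ssl_reject_handshake for the same purpose. nginx expects the leaf certificate first in the ssl_certificate file, followed by the intermediates, so check the order of the converted chain with `openssl crl2pkcs7 -nocrl -certfile fullchain.pem | openssl pkcs7 -print_certs -noout` before reloading, and keep the unencrypted key at mode 0600.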
