Jump to content
MikeB111

SSL made easier with a reverse proxy

Recommended Posts

MikeB111

So I just recently posted a step-by-step guide to setting up SSL encryption with Emby using a Lets Encrypt certificate and a tool from ZeroSSL.  Here is that post.  Well, it's been working just fine, but I wanted to find a solution that would be maintenance free, meaning I don't want to have to manually renew my certificate every three months!

 

Well, here's a guide to setting up Emby with Caddy, which is a reverse proxy that automatically manages getting and renewing certificates.  Mostly this comes from other posts scattered around the forum, so I don't take any credit.  But perhaps it'll be helpful to someone to have it all in one place.  I'll try and explain a few concepts and give detailed enough directions on how to set this up that a non-expert (which is what I consider myself to be) can easily get this working.  It really is very simple, but my post will probably be pretty lengthy because I'll try and explain as I go.  I'm running on Windows, but this should work in other OS's also as all the tools are available across different platforms.

 

Reverse Proxy Basics

 

First, I think it's worth giving a little reverse proxy background.  I didn't have any idea what one was before starting this process.  Here's my layman's description.  Assuming you're home network is typical, you have one publicly routable IP address assigned to your home router by your internet provider.  Behind your home router you may have a home network with several computers, phones, tablets, printers, and other devices, each assigned a private IP address.  Traffic that stays completely inside your home network does not need to be encrypted because it is protected by your router (which is also a firewall). 

 

A reverse proxy acts as the gateway from the public internet to servers you're running on your home network.  All connections into your home network are made to the reverse proxy, and it then redirects traffic to the server on your home network.  The advantage in this case is that the reverse proxy handles SSL encryption to whatever client is connecting to it from the public internet.  But it can then redirect traffic unencrypted to your Emby server, which is safe because it's all internal to your private network.  So Emby doesn't need to know how to do encryption, because encryption is completely handled by the reverse proxy, and it is transparent to Emby. 

 

I will say that I was initially pretty intimidated by the idea of setting up my own reverse proxy.  NGINX is a very popular free reverse proxy, but looking through config files and options left me very uncomfortable, it all seemed very complicated.  I'll be presenting this guide using Caddy, which is SUPER easy to use and set up, and is also free/open source.  And it has the huge advantage of automatically managing SSL certificates.

 

Domain Name Registration

 

In order to get an SSL certificate you have to have your own domain name.  See my previous post for more detail here, I'm not going to repeat it.  I do recommend https://domains.google for your domain, it was affordable, it can easily handle Dynamic DNS for you, and it's easy to set up.

 

So for this example, let's say you registered mydomain.net.  This is what's called a second level domain (.net is the top level and mydomain is the second level).  I would also suggest that you set up a CNAME record to a subdomain like media.mydomain.net, you'll see why later.  A CNAME record just points to the same IP address as your main domain registration, so it's sorta like an alias.

 

Router Setup

 

Now, you'll need to decide which computer is going to run your Caddy reverse proxy.  I run it on the same computer that runs my Emby server.  It's also my HTPC connected to my TV.  It's always on so it works well.  Make sure it has a fixed IP address on your home network, either by making it static or by setting up a manual assignment in your router's DHCP server.  Then in your router, forward ports 80 and 443 to the computer in your home network that will be running the reverse proxy server.  Port 80 is the default for HTTP, 443 is the default for HTTPS.  You do not want to forward any other ports, don't forward 8096 or 8920.

 

Install Caddy, the reverse proxy server

 

Go download Caddy from their website, https://caddyserver.com/v1/  I'm using V1 of their server, they have a V2 in beta but I prefer the stable release.  When you go to download, you can choose plug-ins (click the "add plug-ins" link before downloading).  I'd suggest getting it with hook.service at the very bottom of the list, this lets you run Caddy as a service, I'll mention this later.

 

You need to create a folder on your server where you will put Caddy, I used c:\Caddy.  Then unzip your installer into this folder, there is just one executable called caddy.exe.  You also need to make a text file in this folder with your caddy configuration info.  I called mine caddyfile.txt.  Here's a copy of mine, you can just copy/paste into a text file and save as caddyfile.txt.  This is the entire configuration file!

media.mydomain.net {
	gzip
	timeouts none
	proxy / 10.0.0.100:8096 {
		transparent
		websocket
	}
}

Now, in place of media.mydomain.net, you need to put your own domain name.  And in place of 10.0.0.100 you need to put the local IP address of your Emby server (which also needs to be static).  What this setup does is tell Caddy to redirect any incoming traffic to media.mydomain.net, to your emby server on port 8096.  Caddy will be listening only on port 80 (HTTP) and 443 (HTTPS), but anything that comes in on port 80 automatically gets redirected to port 443 (encrypted).  So it only accepts encrypted traffic.

 

Now you just run Caddy.  You can start a cmd window and type the command manually, but its much easier to make a batch file with the command so you can just double-click to run.  So copy the following text into notepad and save as Run_Caddy.bat, in your c:\caddy folder.

cd c:\caddy
caddy -agree -email "myemail@email.com" -conf "c:\caddy\caddyfile.txt"

Again, you need to replace myemail@email.com with your own email address.  If you didn't use c:\caddy, then make sure you replace this with your actual path.  The -agree means you agree to Lets Encrypt terms of service and the email is needed to get your automatic SSL certificates.

 

OK, if you've followed along so far, just double-click on your Run_Caddy.bat file and it'll run.  The first time you will see it go get your encryption certificates automatically, and then start your reverse proxy server for media.mydomain.net.  It will automatically renew these certificates for you also, with no intervention on your part. 

 

Of course Caddy has to be running to work, so don't close this window.  You could add a shortcut to this Batch file in your windows Startup folder so it runs automatically whenever you login.  Or later I'll mention how to run Caddy as a service so it starts automatically and runs hidden (which I like much better since it's running on my HTPC).

 

Emby Setup

 

Ok, last step.  Go to your Emby server configuration, under Network.  Keep local HTTP as 8096 and local HTTPS as 8920.  Be sure to check "Allow remote connections to this Emby server."  Change public HTTP port to 80 and public HTTPS port to 443.  Under external domain put in media.mydomain.net (substitute with your actual domain name of course).  You don't need anything for certificates.  Then for Secure Connection Mode, choose "Handled by reverse proxy."  Uncheck enable automatic port mapping, because you've already set up port forwarding in your router to your Caddy server.  That's it, you're all done.

 

Now, here's what you just did.  Emby only listens on port 8096 and 8920, which are not forwarded by your router, so you cannot bypass Caddy and directly connect to Emby from the public internet (that's good, because Emby doesn't have an encryption certificate).  When you put in the public port numbers and external domain that's just so Emby can tell your apps which port to connect to when outside of your home network.  Remember that these ports actually go to your Caddy reverse proxy, not to Emby.  The reverse proxy handles encryption and redirects the traffic to your Emby server at port 8096.  Easy!  You don't install certificates in Emby because Caddy is handling all encryption.

 

Now test it out!

 

So get on a computer outside of your home network, open a web browser, and in the address field just type media.mydomain.net.  It'll try and go to http://media.mydomain.net which connects to Caddy.  Caddy will redirect automatically to encrypted https://media.mydomain.net, and this gets automatically re-routed internally by Caddy to your Emby server.  Notice you don't need to remember or type a port number because it's using the default http and https port number to connect to Caddy.  Basically it's all transparent to your users, they just type in the domain and Emby just works!  This got major bonus points by my wife because she never could remember the port number before.

 

If you're setting up an iOS or Android app, just bypass Emby Connect, put in https://media.mydomain.net as the address, and 443 as the port number.

 

That's it.  All connections to Emby are encrypted and you can access with a much easier to remember domain name.

 

For the Advanced User - Running Caddy as a Service

 

If you want, you can also run Caddy as a service, it'll start automatically with your computer even if you're not logged in, and it will be invisible, so no annoying command window always there.  If you downloaded Caddy with the hook.service plug-in then it's easy.  First open a CMD window, change to your caddy directory (cd c:\caddy) and run this command to install the service.  You have to run these commands as an administrator, so when you run CMD, right click and choose "Run as Administrator."

caddy -service install -agree -email "myemail@email.com" -conf "c:\caddyfile.txt" -log "c:\caddylog.txt"

You'll notice it's the same as what you ran before to start Caddy, but with -service install added, and with -log c:\caddylog.txt added.  If you click run, type "services" and start the Services control panel, you'll now see Caddy listed as a service but it will not be running.  Now run the command:

caddy -service start 

That's it.  In the Services control panel you'll see that the Caddy service is running.  You only have to do this once, when you reboot it'll automatically start the service again for you.  You can look at the caddylog.txt file to see the running status, and you can always check the Services control panel to verify it's running.

 

For the Advanced User - Running multiple servers

 

At my house I also have several outside security cameras hooked up to a Network Video Recorder (NVR) that I want to be able to access from outside the network.  There is a web interface to this NVR, but it only supports SSL with a self-signed certificate, so all modern browsers throw an error.  But with Caddy, I can easily add that NVR server also.  The NVR doesn't have to support encryption, because Caddy handles it all transparently.  I just added another CNAME record for cameras.mydomain.net in my domain registration and added another section to my caddyfile.txt file as follows:

media.mydomain.net {
	gzip
	timeouts none
	proxy / 10.0.0.100:8096 {
		transparent
		websocket
	}
}
cameras.mydomain.net {
	gzip
	timeouts none
	proxy / 10.0.0.110:80 {
		transparent
		websocket
	}
}

Now you can see that if I go to cameras.mydomain.net it gets redirected to my NVR on port 80 (internal IP 10.0.0.110), and if I go to media.mydomain.net it gets redirected to my Emby server (internal IP 10.0.0.100).  Pretty awesome, and now I have encryption for my NVR cameras!

 

You could do the same thing for a Plex server (if you're unfortunate enough to still need one), or any other personal server you're running on your home network that you want to access from outside with encryption and an easy-to-remember name.

 

Conclusions

 

Well, that's it.  Wow that ended up being a long post, sorry about that.  But hopefully it helps someone on the path to fully encrypted external Emby access!  If anyone notices something wrong or incomplete please reply!

 

 

 

  • Like 3

Share this post


Link to post
Share on other sites
pwhodges

Heh!  I was partway through writing a similar guide - but yours is more readable.

 

I use this setup in Windows, and will take the opportunity to mention a couple of differences.

 

My Caddyfile (the config file) is even simpler:

emby.xxxxxxxx.org {
    proxy / http://streamer.xxxx.dom:8096 
}

I don't use "gzip" as video is already compressed, so it's wasted overhead; "transparent" appears to be unnecessary in this case, too; and "websocket" is not a Windows thing.  I use the Emby computer's name as I have an internal domain - but the IP address for the machine running Emby is just as good.

 

Actually, I also like to have logs, so I have added the optional directives to define them:

emby.xxxxxxxx.org {
    proxy / http://streamer.xxxx.dom:8096    # I have an internal domain
    log .\Logs\EMaccess.log
    errors .\Logs\EMerror.log
}

Running Caddy as a service in Windows doesn't require any added plugins; the Caddy documentation has details for setting it up using nssm ("non-sucky service manager"), which I also use to run Emby as a service.

 

Paul

 

Edited by pwhodges

Share this post


Link to post
Share on other sites
MikeB111

Thanks, that's great info!  I'll go in and clean up my caddyfile.  I've got it running as a service right now with their plugin, but will probably play around with NSSM also just to see if I like it better.  I've been meaning to get Emby running as a service so that'll be a good excuse to figure it out.

 

The log and error file output is also a good idea.

 

Thanks!

Mike

Share this post


Link to post
Share on other sites
ebr

This is great stuff - thanks guys.

 

If you're running caddy on the same machine as Emby Server, then you could also just use localhost:8096, correct?

Share this post


Link to post
Share on other sites
MikeB111

Yes, that's another great improvement.  If running Emby on the same server as Caddy, your caddyfile.txt can point to localhost:8096 instead of 10.0.0.100:8096 (or whatever your actual IP is).  I just made a few modifications to my caddyfile.txt based on these suggestions (added logs, removed gzip, removed timeouts, changed to localhost) and it all works great.

Share this post


Link to post
Share on other sites
deecemobile

Is the certificate that Caddy generates self-signed? Or who is the CA? Will browsers trust it? This is much more efficient than renewing certs every 3 months so I will probably give it a try.

Share this post


Link to post
Share on other sites
pwhodges

Caddy does not "generate" certificates - it gets and updates them automatically from Let's Encrypt, whose certificates are recognised by all modern browsers.  Let's Encrypt's own compatibility information is here.

 

Paul

Share this post


Link to post
Share on other sites
MikeB111

Caddy uses Lets Encrypt for its certificate, so yes, browsers will trust it with no warning message.

 

Caddy is more than just a reverse proxy, it is also a web server.  Because of this, it can automatically renew the Lets Encrypt certificate using the web page verification method instead of the TXT record approach.  That's how it is able to acquire and renew the certificate automatically, without any user action required.  Now, I'm not using it to host any web pages, I'm just using the reverse proxy function.  It only creates and hosts the verification file for the instant needed to renew with Lets Encrypt and then in my case at least it no longer acts as a web server.  But because it has that capability it can work seamlessly with Lets Encrypt.

 

So yes, once you have it set up it is completely maintenance free.

Share this post


Link to post
Share on other sites
deecemobile

Thanks guys!

Share this post


Link to post
Share on other sites
cptlores

I don't use "gzip" as video is already compressed, so it's wasted overhead; "transparent" appears to be unnecessary in this case, too; and "websocket" is not a Windows thing. 

 

 

 

You need websocket and transparent to maintain some of the WEB UI functionality in Emby, like for example <Active Devices> in the dashboard showing live update of playback counters etc.

  • Like 1

Share this post


Link to post
Share on other sites
pwhodges

Active devices show up on my dashboard just fine.  Why do you think I should be missing them?

 

Paul

Share this post


Link to post
Share on other sites
deecemobile

So I tried this and I am having a few issues

1 - the initial command below shows a series of "unable to deactivate authorization" messages and then the window closes.

cd c:\caddy
caddy -agree -email "myemail@somewhere.com" -conf "c:\caddy\caddyconfig.txt"

2 - If I run this batch file a second time after the initial run it, it shows this 5 times - "2020/01/27 21:11:45 [iNFO] [mydomain] acme: Obtaining bundled SAN certificate"

then this:

"failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:"

 

then closes.

 

3 - I also tried registering the service using the exact commands provided and it registered but it will not start at all.

 

Sooooo I am not sure what is wrong here since I have followed the commands exactly and only substituted my values.

 

If I launch caddy.exe manually the cmd window remains open. But if I use the batch file I created above the window closes and the server will not allow remote connections.

 

Any ideas would be appreciated. The only thing I can think of is that I already have a certificate through Let's Encrypt that I manually created and renew every 3 months. Could that be the culprit?

Edited by deecemobile

Share this post


Link to post
Share on other sites
Cefn Canol

Hi Many thanks for the post , all is working ok! .... to get it running as a service i had to use the below arrangement. Caddy now starts on re-boot.

caddy -service install -agree -email "myemail@email.com" -conf "c:\caddy\caddyfile.txt" -log "c:\caddy\caddylog.txt"
Edited by Cefn Canol

Share this post


Link to post
Share on other sites
jordy

So I tried this and I am having a few issues

1 - the initial command below shows a series of "unable to deactivate authorization" messages and then the window closes.

cd c:\caddy
caddy -agree -email "myemail@somewhere.com" -conf "c:\caddy\caddyconfig.txt"

2 - If I run this batch file a second time after the initial run it, it shows this 5 times - "2020/01/27 21:11:45 [iNFO] [mydomain] acme: Obtaining bundled SAN certificate"

then this:

"failed to obtain certificate: acme: error: 429 :: POST :: https://acme-v02.api.letsencrypt.org/acme/new-order :: urn:ietf:params:acme:error:rateLimited :: Error creating new order :: too many failed authorizations recently: see https://letsencrypt.org/docs/rate-limits/, url:"

 

then closes.

 

3 - I also tried registering the service using the exact commands provided and it registered but it will not start at all.

 

Sooooo I am not sure what is wrong here since I have followed the commands exactly and only substituted my values.

 

If I launch caddy.exe manually the cmd window remains open. But if I use the batch file I created above the window closes and the server will not allow remote connections.

 

Any ideas would be appreciated. The only thing I can think of is that I already have a certificate through Let's Encrypt that I manually created and renew every 3 months. Could that be the culprit?

Hey, I had this problem for a couple of days before realizing that the IP address on my domain was not correct. One thing I learned was that you cannot set this up whilst running a VPN. If you have one, turn it off then run your IP updater - if it's DDClient like in these instructions simply turn off the DDClient service and then turn it back on should be enough to update it. Then go to your domain page and check that the IP address is now correct If your not sure what it is, use "what is my ip" AFTER you turn off the VPN or check you router. After you have got this set you can run Caddy again and it should grab your certificate. Good Luck!

If you are using Windows & Google Domains set up your DDClient.conf like this (not sure about linux) :

 

protocol=dyndns2

 

use=web

 

server=domains.google.com

 

ssl=yes

 

login=<From Google Domain Dynamic DNS Login Credentials>

 

password=<From Google Domain Dynamic DNS Login Credentials>

 

<your Domain name here> eg mydomain.com

Edited by jordy

Share this post


Link to post
Share on other sites
deecemobile

Hey, I had this problem for a couple of days before realizing that the IP address on my domain was not correct. One thing I learned was that you cannot set this up whilst running a VPN. If you have one, turn it off then run your IP updater - if it's DDClient like in these instructions simply turn off the DDClient service and then turn it back on should be enough to update it. Then go to your domain page and check that the IP address is now correct If your not sure what it is, use "what is my ip" AFTER you turn off the VPN or check you router. After you have got this set you can run Caddy again and it should grab your certificate. Good Luck!

If you are using Windows & Google Domains set up your DDClient.conf like this (not sure about linux) :

 

protocol=dyndns2

 

use=web

 

server=domains.google.com

 

ssl=yes

 

login=<From Google Domain Dynamic DNS Login Credentials>

 

password=<From Google Domain Dynamic DNS Login Credentials>

 

<your Domain name here> eg mydomain.com

 

My setup is a bit different. Godaddy CNAME record for my domain points to my NO-IP hostname (not an IP). NO-IP gets the updated IP from my router which has their ddns client built in. So I can't really get the IP wrong anywhere because I don't have to enter it anywhere.I don't have a vpn setup either. I will have to keep playing around I guess. Thanks

Share this post


Link to post
Share on other sites
MikeB111

You can definitely have a certificate that you've manually installed at the same time as Caddy gets one automatically (my situation was the same, worked no problem).

 

The error message you're getting says you're hitting the Lets Encrypt rate limit.  They allow 50 certificates per registered domain per week, and only allow 5 failed validations per account per hostname per hour.  Is it possible you hit the failed validations limit while you were testing things?  Once you hit one of their limits they will no longer issue anything.

 

Also, make sure you have set up your router to forward ports 80 and 443 to the computer running Caddy.  Needs port 80 to validate the certificate.

 

Other than that I don't have any ideas...  hope you get it working!

Share this post


Link to post
Share on other sites
jordy

My setup is a bit different. Godaddy CNAME record for my domain points to my NO-IP hostname (not an IP). NO-IP gets the updated IP from my router which has their ddns client built in. So I can't really get the IP wrong anywhere because I don't have to enter it anywhere.I don't have a vpn setup either. I will have to keep playing around I guess. Thanks

Yeah, I was using No-IP but the pain was renewing it every 30 days... :) So I decided to use DDClient in lieu and not have to worry about that anymore. Good Luck :)

Share this post


Link to post
Share on other sites
Wavecrest

If anyone in here is interested, I managed to find a workaround to the particular problem I was experiencing without having to mess about with security certificates.

Share this post


Link to post
Share on other sites
SuperMinecraftKid

If your server is running windows, it is even simpler using IIS, although I don't know how secure that is compared to caddy.

Share this post


Link to post
Share on other sites
muzicman0
Posted (edited)

I think my ISP blocks port 443, is there a way around that?  I currently have a cert on my Emby server, but looking to the future, this may be a good plan.

 

EDIT: I just looked at Cox's list of blocked ports and 443 isn't listed, only 80, so I may be OK.

EDIT2: Although with port 80 blocked, I am unsure how Caddy will validate the domain name...

Edited by muzicman0

Share this post


Link to post
Share on other sites
AviatorBimmer
Posted (edited)

If your server is running windows, it is even simpler using IIS, although I don't know how secure that is compared to caddy.

 

@@SuperMinecraftKid

 

Have you gotten Emby to work properly using IIS and reverse proxy? I found a tutorial that explained everything in detail on how to install IIS, configure it, obtain and install a SSL certificate and configure Sonarr/Radarr/Jackett, which I have all 3 working perfectly in HTTPS mode.

 

The only problem I'm having is I can't get Emby to work.

 

Here is that tutorial in case anyone needs it:

 

https://medium.com/@jettjackson/setting-up-a-https-reverse-proxy-with-iis-for-radarr-and-sonarr-a381fbdb5396

 

I get a 502 error when I try to access Emby. I'm guessing the URL Rewrite I have for Emby (basically the same as for Radarr/Sonarr/Jackett) needs more tweaking but I haven't got a clue.

Edited by AviatorBimmer

Share this post


Link to post
Share on other sites
chef

@@SuperMinecraftKid

 

Have you gotten Emby to work properly using IIS and reverse proxy? I found a tutorial that explained everything in detail on how to install IIS, configure it, obtain and install a SSL certificate and configure Sonarr/Radarr/Jackett, which I have all 3 working perfectly in HTTPS mode.

 

The only problem I'm having is I can't get Emby to work.

 

Here is that tutorial in case anyone needs it:

 

https://medium.com/@jettjackson/setting-up-a-https-reverse-proxy-with-iis-for-radarr-and-sonarr-a381fbdb5396

 

I get a 502 error when I try to access Emby. I'm guessing the URL Rewrite I have for Emby (basically the same as for Radarr/Sonarr/Jackett) needs more tweaking but I haven't got a clue.

I would not bother with IIS, follow the directions in the first post if this thread. You'll have https connection to your Emby server through your domain with a free certificate.

 

I've been using caddy for years and it's very easy to use.

Share this post


Link to post
Share on other sites
AviatorBimmer

I would not bother with IIS, follow the directions in the first post if this thread. You'll have https connection to your Emby server through your domain with a free certificate.

 

I've been using caddy for years and it's very easy to use.

Actually, I just got Nginx going and now Emby/Radarr/Sonarr/Jackett are running perfectly in both local and remote HTTPS!

 

Never saw Emby load up so fast on my phone while on a LTE signal.

 

Nginx is really the way to go!

 

 

Sent from my iPhone using Tapatalk

  • Like 1

Share this post


Link to post
Share on other sites
jachin99
Posted (edited)

I'm having some trouble with this also.  I'm on cox as well, but I'm not sure if I haven't setup DDNS correctly or what.  I followed the instructions for setting up a dynamic dns record but at no point during those instructions did I see anything about telling google what my public IP address is.  I never got the email from lets encrypt so I'm wondering if I can do that manually or how I can troubleshoot things.  

Edited by jachin99

Share this post


Link to post
Share on other sites
muzicman0

You know, I never got the email, but it does appear to be working for me. My remote connections say they are secured when I log on. Did you set up a client that tells Google DNS what your public IP is? I use my router, but previously to that I used my qnap Nas. I'm sure there are also independent applications. Can you reach your server from outside your home network?

Share this post


Link to post
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now

×
×
  • Create New...