
SSL made easier with a reverse proxy


MikeB111


AbnrangerZay

Ok, so I took your advice and went back to basics, and all is well. I can connect to my Emby server with the IP as well as the domain name. Inside Emby under networking it is configured to use the IP as suggested, which is pretty much the default setting so to speak, and using 8096. Externally, I can hit my server with the public IP as well as the domain name with 8096 appended.



Transparent

Hello there,

Anyone who has successfully migrated to caddy V2 care to share their caddyfile config and commands used? It would be of great help.

Thanks in advance!


pwhodges

Well, I've contributed a number of posts about my Caddy configuration, but I won't go searching for them, because the only content of my Caddyfile which is relevant to Emby is this:

emby.cassland.org {
    reverse_proxy http://streamer.cass.dom:8096
}

Literally just that (a little simpler than the nginx configurations we see!) - there is nothing else (apart from fourteen other web sites, some of which need a couple of dozen lines), and it works fine.  Caddy is v2.4.5, but it worked just as well with earlier v2 versions.  Caddy is running on Windows Server 2019 as a service under the control of nssm.  Emby is running on Windows 10 as a service, also under the control of nssm.

Are you having a problem with getting this to work?

Paul


Transparent
1 hour ago, pwhodges said:

Are you having a problem with getting this to work?

Hi Paul, thank you for your reply. I see I got the Caddyfile configured right; however, I do not know what command lines to use to run it. The OP used:

cd c:\caddy
caddy -agree -email "myemail@email.com" -conf "c:\caddy\caddyfile.txt"

However, from reading the documentation of Caddy V2 it seems these may no longer be necessary or in any case the commands have changed.

Thank you for your help!


pwhodges

In my case, the global section at the top of the caddyfile reads:

{
	email pwh@cassland.org
	order replace after encode
	grace_period 10s
}

Only the email address is relevant (replacing the use of the command line in Caddy 1); the "order" is specifically for use with a plugin called "replace" for modifying proxied pages before sending them on, and the "grace_period" shortens a delay I get (on Windows) when updating Caddy's configuration while running. 

The command line (specified in two parts for nssm, because the program and arguments have separate entries) is simply:

caddy run

because I have the Caddyfile in the same directory as the executable, just named "caddyfile" with no extension.

HTH (I'm off to bed now)

Paul


Transparent
9 hours ago, pwhodges said:

The command line (specified in two parts for nssm, because the program and arguments have separate entries) is simply:

caddy run

Ok wow, is it really that simple? Caddy with just those few lines of code automatically reverse proxies the designated domain and automatically updates SSL certificates from Let's Encrypt every X days? If so maybe I was overthinking this just a bit (I know Caddy prides itself on being user friendly compared to nginx and others, but this is really next level).

So there is no more need to give "agree" to Let's Encrypt's terms of service via the -agree command? Furthermore, I had understood that Caddy had built-in capabilities to run as a service; do you think nssm is better?

Thank you so much!


pwhodges

Yes, it really is that simple, and in fact Caddy has even automatically fetched updates of the faulty certificates I had which were revoked by Let's Encrypt last week.  Of course, one can do more sophisticated things, but I don't feel the need for them.  And yes, "agree" is no longer needed.

The built-in command to run Caddy as a service is for Linux.  The current instructions for Windows use the WinSW service wrapper rather than nssm, but I see no need to change from the former instructions (which used nssm, which I also use for Emby anyway).  The basic difference is that WinSW uses a config file, but nssm has a setup GUI.

I'd suggest getting the reverse proxy going before thinking about CloudFlare - do you have any specific reason for wanting to use it?

Paul


MikeB111
15 hours ago, Transparent said:

Hello there,

Anyone who has successfully migrated to caddy V2 care to share their caddyfile config and commands used? It would be of great help.

Thanks in advance!

Hey, thanks for asking about caddy v2.  I updated to v2 a little while ago but forgot to post an update to this message thread.

Caddy was super easy, caddy v2 is even easier.  Here is my entire caddyfile

{
email myemail@gmail.com
}

media.mydomain.net {
   reverse_proxy localhost:8096
}

Of course replace myemail@gmail.com with your actual email and media.mydomain.net with your actual domain.  I use localhost because I'm running caddy on the same computer that I run Emby server.  But that's it, super easy!

Then start caddy with just the command "caddy run".

I do use nssm to start caddy as a service, I like that it removes the taskbar button so that caddy can't as easily be closed, and I know it's running all the time.  Of course there is a lot more you can do with caddy but I like that you don't have to, this is all you need to run a fully encrypted connection to your Emby server.  And in my experience it is completely maintenance free, I set it up months ago and haven't thought about it since, it just always works.


KegTapper

Caddy v2 was so easy to setup. I read a ton of posts until I came across the config pwhodges posted. There is a post with a simple batch script that runs the caddyfile after reboot.


chef

I'm still stuck on caddy v1.

It is working fine, but obviously it would be cool to upgrade.

I asked Matt Holt (the creator of caddy) if it was cool if I created an Emby plugin that set up (or added to an existing Caddyfile) automatically. He said it was a good idea.

But, although it was supposed to be super simple, I wasn't able to upgrade.

I thought it was because I had certs for my domain registered already with caddy v1... Maybe... Dunno.

I should really try again though.


Transparent
3 hours ago, pwhodges said:

I'd suggest getting the reverse proxy going before thinking about CloudFlare - do you have any specific reason for wanting to use it?

Hi Paul, I had no intention of using CloudFlare; what did I say that made you think so? If it was this: "I know Caddy prides itself on being user friendly compared to nginx and others but this is really next level", I only meant to say that Caddy is on a whole other level of ease of use and simplicity, not that I intended to use CloudFlare (sorry for the confusion).


3 hours ago, pwhodges said:

The built-in command to run Caddy as a service is for Linux. The current instructions for Windows use the WinSW service wrapper rather than nssm, but I see no need to change from the former instructions (which used nssm, which I also use for Emby anyway).  The basic difference is that WinSW uses a config file , but nssm has a setup GUI.

I have seen many use NSSM; however, on their site they warn certain releases are unstable and can blue-screen your PC, so tbh I got a little scared lol. What stable version do you suggest works best for Win10?

3 hours ago, MikeB111 said:

Hey, thanks for asking about caddy v2.  I updated to v2 a little while ago but forgot to post an update to this message thread.

Caddy was super easy, caddy v2 is even easier.  Here is my entire caddyfile

{
email myemail@gmail.com
}

media.mydomain.net {
   reverse_proxy localhost:8096
}

Of course replace myemail@gmail.com with your actual email and media.mydomain.net with your actual domain.  I use localhost because I'm running caddy on the same computer that I run Emby server.  But that's it, super easy!

Then start caddy with just the command "caddy run".

Hey Mike, thanks a lot for your reply. I am pretty amazed by the simplicity of all of this; I read the documentation of Caddy v2 and tbh did not believe them when they said it was that simple. Thank you for sharing your config also!

2 hours ago, chef said:

I'm still stuck on caddy v1.

It is working fine, but obviously it would be cool to upgrade.

I asked Matt Holt (the creator of caddy) if it was cool if I created an Emby plugin that set up (or added to an existing Caddyfile) automatically. He said it was a good idea.

But, although it was supposed to be super simple, I wasn't able to upgrade.

I thought it was because I had certs for my domain registered already with caddy v1... Maybe... Dunno.

I should really try again though.


Hey Chef, that would be awesome! I mean the support here has always been tremendous, but I think new users would really appreciate something ultra simple and straightforward which added security without much tinkering. Personally I like the challenge; given my diverse background it gives me a chance to learn stuff, but not everybody wants to spend their time on forums figuring out what goes where. Plus I think it would be something no other media library provides to their users. Thanks for the input in any case!


pwhodges
20 minutes ago, Transparent said:

Hi Paul I had no intention of using CloudFlare what did I say that made you think so?

I have seen many use NSSM however, on their site they warn certain releases are unstable and can blue screen your PC so tbh I got a little scared lol what stable version do you suggest works best for Win10?

CloudFlare - mixed up with another thread, I guess.

I have never had a problem with any version of nssm.  The versions I have in use are 2.24 and 2.25, and they are stable on both Windows 10 and Windows Server 2019 (but also WS2016 and WS2012 before that).  Version 2.24 was released in 2014, and 2.25 is a beta from 2017 - the lack of later updates is a clear indication of faultless stability, I'd say; both those versions are linked on their download page.

Paul


Transparent

Ok so I got a domain and set up Caddy and it runs fine; however, I can only get HTTPS from the computer Caddy and Emby are both running on. Every other computer (even on the local LAN) trying to connect to my domain tells me that the "site could not be reached". Any ideas as to what the problem might be?


pwhodges

Since Caddy is setting up https, access from the Internet and network to its port 80 (which Let's Encrypt uses for verification) must be OK.  But have you opened port 443 in the computer's firewall?

Paul


Transparent
1 hour ago, pwhodges said:

Since Caddy is setting up https, access from the Internet and network to its port 80 (which Let's Encrypt uses for verification) must be OK.  But have you opened port 443 in the computer's firewall?

Paul

Hi Paul, thanks once again. Both ports 80 and 443 are open; I have verified this via various sites, so that can't be the problem.

I get this error when connecting from another pc:

mydomain.com's server IP address could not be found.


pwhodges

Presumably your domain name is defined to have the external address of your router, and you have setup port forwarding in the router to connect it to the server (Caddy won't work otherwise); have you verified that you can connect to Emby from outside your network?

If you use the domain name with external address inside your network, that relies on the router being prepared to accept an internal connection as if it was external, and to pass it through your port-forwarding setup to reach the correct machine.  This is called loopback or hair-pinning, and not all routers do it, and some need it enabling in their settings.

If that's not working or possible, you can get over it by running your own DNS server inside the network (and specifying it in the DHCP setup in your router) which gives out the internal address for the server and goes to the Internet for all other queries.  Or you can reserve the https connection using the domain name and going through Caddy for external use, while connecting to Emby internally using its own local IP address and its own ports (not Caddy's) - this would be an http connection normally, but that's not an issue for internal use.

The DNS server method means you can program portable devices using the server name, and the correct address will be used internally or externally without having to select different server details.

Paul


Transparent
16 minutes ago, pwhodges said:

Presumably your domain name is defined to have the external address of your router, and you have setup port forwarding in the router to connect it to the server (Caddy won't work otherwise); have you verified that you can connect to Emby from outside your network?

If you use the domain name with external address inside your network, that relies on the router being prepared to accept an internal connection as if it was external, and to pass it through your port-forwarding setup to reach the correct machine.  This is called loopback or hair-pinning, and not all routers do it, and some need it enabling in their settings.

If that's not working or possible, you can get over it by running your own DNS server inside the network (and specifying it in the DHCP setup in your router) which gives out the internal address for the server and goes to the Internet for all other queries.  Or you can reserve the https connection using the domain name and going through Caddy for external use, while connecting to Emby internally using its own local IP address and its own ports (not Caddy's) - this would be an http connection normally, but that's not an issue for internal use.

The DNS server method means you can program portable devices using the server name, and the correct address will be used internally or externally without having to select different server details.

Paul

Hi Paul,

No, I already tried and cannot reach Emby from outside my network (tried the Emby app on my iPhone using 5G).


pwhodges

You should go through the Emby Connectivity guidance here, and let us know which steps work, and which fail.  It might also help to show us your Caddy config and your router's port forwarding settings.

You said Caddy is working - how do you know?

Paul


Transparent
41 minutes ago, pwhodges said:

You should go through the Emby Connectivity guidance here, and let us know which steps work, and which fail.  It might also help to show us your Caddy config and your router's port forwarding settings.

You said Caddy is working - how do you know?

Paul

I will upload all the configs soon.

I say Caddy is working because when I click on mydomain.com:443 in Emby it opens up an HTTPS page with the login for users. Also, Caddy in the CLI at the end states

"certificate successfully obtained"

"releasing lock"

both with my domain as an identifier


pwhodges

I'm not sure what you mean by "I click on mydomain.com:443 in Emby". 

Caddy can only get a certificate if communication to it on the relevant ports is possible from outside your network - that's what Let's Encrypt requires to do its checks.  So if Caddy is accessible from outside, and Emby is accessible through Caddy, you should be able to access Emby from outside.

Can you, from elsewhere on your network, still connect using http to your Emby machine as: <local ip address>:8096 ?

Have you, on the server's network settings page, specified your domain name and selected that you are using a proxy for secure connection?


Paul

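Paul's point above is the useful check: if Caddy obtained a certificate, Let's Encrypt reached it from the Internet, so the same path should work for a browser. The quickest way to answer "how do you know Caddy is working?" from outside the LAN is to do what a browser does, complete a verified TLS handshake against the public name and look at the certificate that comes back. The script below is an added example, not code from this thread or from the Caddy or Emby projects; `media.mydomain.net` is a placeholder for the reader's own domain. Because it uses Python's default TLS context, a certificate that does not chain to a trusted root, or whose names do not cover the host, fails the handshake itself and that failure is the finding; a handshake that succeeds is then checked for name coverage and remaining validity.

```python
import socket
import ssl
import time

# Hypothetical host name standing in for the reader's own domain.
HOSTNAME = "media.mydomain.net"


def _name_matches(pattern, hostname):
    """Exact or single-label wildcard match, as browsers apply it to SAN entries."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        # *.mydomain.net matches media.mydomain.net but not a.b.mydomain.net
        return "." in hostname and hostname.split(".", 1)[1] == pattern[2:]
    return pattern == hostname


def evaluate_cert(cert, hostname, now=None, warn_days=7):
    """Return a list of problems with a certificate dict as returned by
    SSLSocket.getpeercert(); an empty list means it is good for `hostname`."""
    now = time.time() if now is None else now
    problems = []
    sans = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if not any(_name_matches(san, hostname) for san in sans):
        problems.append(f"no SAN entry matches {hostname} (certificate covers {sans})")
    not_after = ssl.cert_time_to_seconds(cert["notAfter"])
    if not_after <= now:
        problems.append("certificate has expired")
    elif not_after - now < warn_days * 86400:
        # Let's Encrypt certificates live 90 days and Caddy renews them well before
        # expiry, so a nearly expired one means renewal is being blocked somewhere.
        problems.append(f"certificate expires in under {warn_days} days; "
                        "automatic renewal does not seem to be happening")
    return problems


def fetch_cert(hostname, port=443, timeout=5.0):
    """Complete a TLS handshake the way a browser would and return the leaf certificate.
    The default context verifies the chain against the system trust store, so an
    untrusted or mismatched certificate raises ssl.SSLCertVerificationError here."""
    ctx = ssl.create_default_context()
    with socket.create_connection((hostname, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=hostname) as tls:
            return tls.getpeercert()


def check(hostname=HOSTNAME):
    """Run this from a machine outside the LAN (e.g. a phone hotspot).
    Prints the verdict and returns the list of problems (empty means OK)."""
    try:
        cert = fetch_cert(hostname)
    except ssl.SSLCertVerificationError as exc:
        print(f"{hostname}: TLS handshake failed verification: {exc.verify_message}")
        return [exc.verify_message]
    except OSError as exc:  # name resolution failure, timeout, connection refused
        print(f"{hostname}: could not connect: {exc}")
        return [str(exc)]
    problems = evaluate_cert(cert, hostname)
    issuer = dict(rdn[0] for rdn in cert.get("issuer", ()))
    print(f"{hostname}: issued by {issuer.get('organizationName', '?')}, "
          f"valid until {cert['notAfter']}")
    for problem in problems:
        print("  problem:", problem)
    if not problems:
        print("  OK")
    return problems


if __name__ == "__main__":
    import sys
    check(sys.argv[1] if len(sys.argv) > 1 else HOSTNAME)
```

Run it once from the LAN and once from a cellular connection: a success from the LAN only, as in this thread, points at DNS or port forwarding rather than at Caddy's certificate handling.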

Transparent
1 hour ago, pwhodges said:

I'm not sure what you mean by "I click on mydomain.com:443 in Emby". 

Sorry, I mean that in the Emby Server dashboard, having correctly filled in the "Network" section (which is exactly like yours in the screenshot except for the domain name, of course), if I click on Remote (WAN) access: mydomainname.com:443 it opens up an HTTPS page (with the lock and all) with logins for all users; this happens also in incognito mode and in other browsers on the same PC.

Quote

Can you, from elsewhere on your network, still connect using http to your Emby machine as: <local ip address>:8096

Yes I can.

My caddyfile is like below:

{
email xxxxxxxxxx@gmail.com
}

xxxx.xxxxxxxxxx.org {
   reverse_proxy localhost:8096
}

Caddy.exe is in a folder named Caddy in C:\ (see attached image for the CLI run).

I have also read the connectivity guidelines you linked:

1. I can reach emby on all home network apps and PCs (either via their native app or via IPv4:8096)

2. I can open emby in HTTP and HTTPS on the PC which is also the Emby Server

3. Any and all connections from outside my network fail to connect to the server

Ports I assume are correctly opened, since both port 80 and 443 are registered as open on the sites below; furthermore, no other ports are forwarded in the router, since I removed the port 8096 forwarding when I tried today to get HTTPS working as per the instructions in the OP (I had also already made exceptions in the firewall):

Open Port Check Tool - Test Port Forwarding on Your Router (yougetsignal.com)

Open Port Check Tool -- Verify Port Forwarding on Your Router (canyouseeme.org)


I have a static IP (I had no problem connecting to external users over HTTP in the past) and the domain was bought from Google and is set as follows in DNS:

Host Name: xxx.xxxx.org

Type: AAAA

TTL: 3600 seconds

Data: my IPv6 address

in Website I have:

xxx.xxxxx.org forwards to my IPv6 address, allowing both HTTP and HTTPS


I am in no way an expert at this stuff, but my impression is that how I configured my domain in Google Domains is what is causing problems.

PS: I have also triple-checked that the domain's spelling, IP addresses and email are all written correctly.


pwhodges

Is "Website" which is forwarding to your address something that is set up in Google Domains, because it sounds fishy to me?  Though if you have an AAAA record, maybe it shouldn't matter.

Paul

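Two things in the thread come down to what the resolver answers for the domain: Paul's explanation of NAT loopback versus running an internal DNS server (the answer a LAN client gets decides which of the two applies), and the DNS record above, which is an AAAA record only. The script below is an added example, not from this thread or from Caddy, Emby or Google Domains; `media.mydomain.net` stands in for the reader's own name. It asks the local resolver for every address of the name and reports what each answer implies: a private address means split DNS is in effect and no router hairpin is needed, a public address means the router must support NAT loopback for LAN clients, and an AAAA-only answer means a client without IPv6 connectivity has no address to connect to, which a browser shows as a name-resolution failure rather than a connection failure. The classification is a pure function over the answer sets, so it can be exercised with constructed addresses as well as live ones.

```python
import ipaddress
import socket

# Hypothetical host name standing in for the reader's own domain.
HOSTNAME = "media.mydomain.net"


def resolve(hostname):
    """Ask the local resolver for every address of the name; returns (ipv4_set, ipv6_set)."""
    v4, v6 = set(), set()
    try:
        for family, _, _, _, sockaddr in socket.getaddrinfo(hostname, None):
            if family == socket.AF_INET:
                v4.add(sockaddr[0])
            elif family == socket.AF_INET6:
                v6.add(sockaddr[0])
    except socket.gaierror:
        pass  # treated as "no answer" by classify_answers
    return v4, v6


def classify_answers(v4, v6):
    """Turn the resolver's answers into (code, explanation) findings."""
    if not v4 and not v6:
        return [("no-answer", "the name does not resolve at all; check the record name, "
                              "its spelling and whether the TTL has expired since the change")]
    findings = []
    if not v4:
        findings.append(("aaaa-only", "only AAAA records: a client without IPv6 connectivity "
                                      "gets no usable address and reports a resolution failure; "
                                      "add an A record with the public IPv4 address too"))
    if not v6:
        findings.append(("a-only", "no AAAA record: fine for IPv4 clients; IPv6-only clients "
                                   "depend on their carrier's NAT64"))
    for addr in sorted(v4 | v6):
        ip = ipaddress.ip_address(addr)
        if ip.is_loopback:
            findings.append(("loopback", f"{addr} is loopback: only the machine running Caddy "
                                         "itself can use this answer"))
        elif ip.is_link_local:
            findings.append(("link-local", f"{addr} is link-local and not usable as a server address"))
        elif ip.is_private:
            findings.append(("lan-address", f"{addr} is a LAN address: split DNS is in effect, "
                                            "no NAT loopback is needed on the router"))
        elif ip.is_global:
            findings.append(("public-address", f"{addr} is public: LAN clients need the router to "
                                               "support NAT loopback (hairpin); external clients "
                                               "need ports 80 and 443 forwarded to the server"))
        else:
            findings.append(("unusual-address", f"{addr} is neither private nor globally routable; "
                                                "check the record"))
    return findings


def check(hostname=HOSTNAME):
    """Resolve the name here and print the findings; returns the list of codes.
    Run it once on the LAN and once from a cellular connection and compare."""
    v4, v6 = resolve(hostname)
    print(f"{hostname}: A={sorted(v4)} AAAA={sorted(v6)}")
    findings = classify_answers(v4, v6)
    for code, explanation in findings:
        print(f"  [{code}] {explanation}")
    return [code for code, _ in findings]


if __name__ == "__main__":
    import sys
    check(sys.argv[1] if len(sys.argv) > 1 else HOSTNAME)
```

Note that `is_private` in Python's `ipaddress` module also covers the documentation ranges (192.0.2.0/24, 2001:db8::/32), so use real addresses when testing against live records.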

Transparent
37 minutes ago, pwhodges said:

Is "Website" which is forwarding to your address something that is set up in Google Domains, because it sounds fishy to me?  Though if you have an AAAA record, maybe it shouldn't matter.

Paul

Yeah it's one of the tabs in google domains


Transparent

So, small update: I have HTTPS working on my home network on all devices, but when I try to connect over cellular (i.e. from an external network) I get this error in the browser: "ERR_NAME_NOT_RESOLVED". Any ideas?


Are you sure you used the correct remote address? That error message just means it can't reach your domain.
