SSL made easier with a reverse proxy


MikeB111

Transparent
On 17/02/2022 at 01:15, Luke said:

Are you sure you used the correct remote address? That error message just means it can't reach your domain.

Hi Luke, yeah I am sure. I suspect my router (which is provided by my ISP) may be limiting the kind of traffic on port 443 maybe? Because I went back to basics and tried MikeB's earlier approach using ZeroSSL and the .bat technique and I have everything running smoothly now with a secure encryption (it also forces connections from 8096 to 8920).

It's not the best/elegant solution (I still have to reset logs 4 times a year) but I can live with that at least for now and troubleshoot why things went wrong with this method in the future.


pwhodges

You know you can tell Caddy to use ZeroSSL instead of Let's Encrypt, don't you?

In fact ZeroSSL provides significant sponsorship to Caddy.

Paul


muzicman0

If anyone is interested in any other features of Caddy, I am listing my config file below for something that is not Emby related.

Caddy provides a utility to hash a password, which is what I used. (from the command line, it is 'caddy.exe hash-password')

basicauth allows you to require a username and password to access whatever site it is referencing. See above on how to specify a hashed password. This is the one thing that I am 99.999% sure would NOT work with Emby.

log allows you to log connections.

@allowed is a list of IP addresses or ranges that are allowed to access the server

handle tells Caddy v2 what to do with allowed traffic (in my case, reverse proxy to localhost:8090)

respond 403 is how Caddy will handle 'un-allowed' traffic (i.e. it doesn't fall within the allowed specified IP range).

monitor.MyDomain.com {
    # No path matcher, so basicauth applies to every request on this site.
    # "basicauth /" would only protect the exact path "/" (Caddy v2 path
    # matchers are exact unless they end in *), leaving /anything unprotected.
    basicauth {
        muzicman0 xxxxxxxxxxxxxxxxxxxxxHASHED_PASSWORDxxxxxxxxxxxxxxxxxxxxxx
    }
    log {
        output file E:\Caddy\logs\openvpn_monitor_access.log {
            roll true               # Rotate logs, enabled by default
            roll_size_mb 10         # Set max size X MB
            roll_gzip true          # Whether to compress rolled files
            roll_local_time true    # Use local time in rolled file names
            roll_keep 3             # Keep at most X log files
            roll_keep_days 7        # Keep log files for X days
        }
    }

    # Only these source addresses may reach the proxied service
    @allowed {
        remote_ip 10.3.0.0/24 2xx.xx.xx.xx/28 10.9.0.0/24
    }
    handle @allowed {
        reverse_proxy localhost:8090
    }
    # Anything not matched by @allowed gets a 403
    respond 403
}
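Since the config above sends non-allowlisted clients a 403 and failed basicauth attempts a 401, the access log it writes is the place to confirm the matcher is actually doing its job. The following is an added example, not code from this thread or from the Caddy project: a small Python script that reads Caddy's JSON access-log records (both the older `remote_addr` and the newer `remote_ip` field layouts), counts 403s and 401s per client, and flags any non-allowlisted address that got anything other than a 403. The log lines are constructed samples, and the allowlist assumes the two private ranges from the config above (the masked public /28 is left out).

```python
import ipaddress
import json
from collections import Counter

# Constructed sample lines in Caddy's JSON access-log format (not real traffic).
# Older Caddy v2 builds log "remote_addr":"ip:port"; newer ones log "remote_ip".
SAMPLE_LOG = """\
{"level":"info","ts":1700000000.1,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"10.3.0.15","remote_port":"50211","method":"GET","host":"monitor.example.com","uri":"/"},"user_id":"muzicman0","status":200}
{"level":"info","ts":1700000001.2,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"203.0.113.7","remote_port":"41234","method":"GET","host":"monitor.example.com","uri":"/"},"user_id":"","status":403}
{"level":"info","ts":1700000002.3,"logger":"http.log.access","msg":"handled request","request":{"remote_addr":"203.0.113.7:41235","method":"GET","host":"monitor.example.com","uri":"/admin"},"user_id":"","status":403}
{"level":"info","ts":1700000003.4,"logger":"http.log.access","msg":"handled request","request":{"remote_ip":"10.9.0.8","remote_port":"33001","method":"GET","host":"monitor.example.com","uri":"/"},"user_id":"","status":401}
{"level":"info","ts":1700000004.0,"logger":"admin","msg":"admin endpoint started"}
"""

# Assumed allowlist: the private ranges from the @allowed matcher above.
ALLOWED = [ipaddress.ip_network(n) for n in ("10.3.0.0/24", "10.9.0.0/24")]


def client_ip(request):
    """Return the client IP from either log-field layout, or None if absent."""
    if "remote_ip" in request:
        return request["remote_ip"]
    addr = request.get("remote_addr")
    if addr:
        return addr.rsplit(":", 1)[0].strip("[]")  # drop the port and IPv6 brackets
    return None


def summarize(log_text, allowed=ALLOWED):
    """Count 403s (blocked by @allowed) and 401s (failed basicauth) per client IP;
    report any non-allowlisted IP that received something other than a 403."""
    denied, auth_failed, leaks = Counter(), Counter(), []
    for line in log_text.splitlines():
        try:
            entry = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip anything that is not a JSON record
        ip = client_ip(entry.get("request", {}))
        if ip is None:
            continue  # not an access-log record (e.g. the admin endpoint line)
        status = entry.get("status")
        if status == 403:
            denied[ip] += 1
        elif status == 401:
            auth_failed[ip] += 1
        if status != 403 and not any(ipaddress.ip_address(ip) in net for net in allowed):
            leaks.append((ip, entry["request"].get("uri"), status))
    return {"denied": dict(denied), "auth_failed": dict(auth_failed), "leaks": leaks}
```

Point it at the real file from the `output file` line and an empty `leaks` list means every non-allowlisted client was refused as intended.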

  • 8 months later...
seanbuff
1 hour ago, arrbee99 said:

If I go to Caddy, v2 and click on download there's a big list of files. Which do I pick ?

Depends on which OS you want to install it on?

Windows? Just go with the default amd64 version with "standard features"


arrbee99

Thanks.

It's just an application, not zipped, that you put in a folder with a Caddyfile like this

{
email myemail@gmail.com
}

media.mydomain.net {
   reverse_proxy localhost:8096
}

from MikeB111.


seanbuff
1 hour ago, arrbee99 said:

reverse_proxy localhost:8096

Yup. If Emby is running on the same host as Caddy then this is correct, otherwise use the specific IP address for your Emby Server.

Also, if you have any LG TV clients, I suggest using ZeroSSL instead of Let's Encrypt (due to the previous LE root cert that expired).
Specified by adding this line to your Caddyfile:

{
	acme_ca https://acme.zerossl.com/v2/DV90
	email myemail@address.com
}


arrbee99

In the first post, for router setup, it says 'Then in your router, forward ports 80 and 443 to the computer in your home network that will be running the reverse proxy server.  Port 80 is the default for HTTP, 443 is the default for HTTPS.  You do not want to forward any other ports, don't forward 8096 or 8920.'

Does that mean something like (forward IP is address of main PC with Emby on it, same as given on Emby dashboard page) -

[image: Emby port forwarding 443 (screenshot not available)]

and similar for Port 80 ?


seanbuff
4 minutes ago, arrbee99 said:

Does that mean something like (forward IP is address of main PC with Emby on it, same as given on Emby dashboard page)

'Forward IP' should be the PC with Caddy on it. If Emby is also on the same host, even easier, as you just use 'localhost:8096' in your Caddyfile.

5 minutes ago, arrbee99 said:

and similar for Port 80 ?

Yes, same for both


arrbee99

So yes, they'll be on the same PC, and I use localhost:8096 in the Caddyfile, but don't I still need to do that on the router (if what I showed was correct)?


seanbuff
20 minutes ago, arrbee99 said:

but don't I still need to do that on the router (if what I showed was correct)

Yes you do, and yes it's correct. I was simply clarifying the point that you are forwarding to Caddy, not Emby itself. But as they're on the same host, you're all good to go 👍🏽


arrbee99

Thanks for the info.

If you're not sick of the sight of me, may I also enquire, does the Caddyfile have a particular format? I'm not sure if it's actually 'caddy', 'caddyfile', a txt file, or has no extension, or...


seanbuff
3 minutes ago, arrbee99 said:

I'm not sure if it's actually 'caddy', 'caddyfile', a txt file, or has no extension, or...

Caddyfile (no extension)


seanbuff
16 minutes ago, arrbee99 said:

I have this -

All good, I don't think the name of the exe matters.

edit: although I do remember renaming mine to 'caddy.exe' for simplicity, but never tested without. So YMMV.


pwhodges

In the control panel where you fill in the values for your domain name, the most likely things to fill in are the IP address records (type A for IPv4 and AAAA for IPv6); if you are just setting up a single name for the sole purpose of accessing Emby, that's all you'll need to do. Another option in the same control panel will be to set up a CNAME record saying "make this name represent the same address(es) as that name", which is something you'll only do if you know you want to do it.

tl;dr: Don't overthink it.

Paul


rbjtech

A CNAME is typically just a DNS alias of an A Record.

So let's say your A record was 'arrbee99-this-is-a-long-name.mydomain.net'.

It's a bit of a handful to use, so you could create a CNAME DNS entry called 'emby.mydomain.net' that simply points to the A record. You can have more than one CNAME if you wish.


  • 3 months later...
PeteGul

Hi

I have set up Caddy server reverse proxy, and set to use ZeroSSL. Works like a charm, but not on an Apple TV.

I changed from standard SSL to ZeroSSL, because I thought that would help. But it did not. Isn't this strange? Web player and Android player work, but Apple TV doesn't..


rbjtech
1 hour ago, pettergulbra said:

Hi

I have set up Caddy server reverse proxy, and set to use ZeroSSL. Works like a charm, but not on an Apple TV.

I changed from standard SSL to ZeroSSL, because I thought that would help. But it did not. Isn't this strange? Web player and Android player work, but Apple TV doesn't..

Fancy that, Apple not conforming with industry standards ... 🤪

I believe the vast majority of the 'free' SSL providers will be using Let's Encrypt in one way or another, so I would be very surprised if Apple had an issue with their root cert.

Using something like ssllabs.com (SSL Server Test, powered by Qualys SSL Labs), if you check your reverse proxy, does it all check out OK (must use https/443)?


seanbuff
2 hours ago, pettergulbra said:

I have set up Caddy server reverse proxy, and set to use ZeroSSL. Works like a charm, but not on an Apple TV.

FWIW, I also use Caddy with ZeroSSL (for LG TV issues) and I have multiple remote Apple TVs that can connect without issue.


rbjtech
15 minutes ago, seanbuff said:

FWIW, I also use Caddy with ZeroSSL (for LG TV issues) and I have multiple remote Apple TVs that can connect without issue.

Thanks, as I suspected, it's likely the RP configuration rather than Apple rejecting the cert.
