[How-To] Emby Server on Windows Server with IIS as Reverse Proxy with Automatic Certificate Renewal

[Turbofiero 4]

1 hour ago, drashna said:

A couple of thingsI've noticed.  I have IIS10 (Server 2022), and I've found a few settings that remove the need for IISCrypt, at least on this version.

1. The server farm isn't needed, and adds additional complexity/issues. 
2. under the binding for the site, you can disable "legacy TLS", eg, v1.0, and 1.1.  
3. The advanced settings have HSTS configuration, removing the need for both the "force SSL" and "HSTS" url rewrite rules.

These may not be available depending on the version of IIS used.  But less is more, IMO.  And this only gets you an A rating, because some of the cyphers are still available, I think.    However, I don't like using IISCrypt, as it can cause issues and has for me both in the past and currently (broke RD Gateway on my server)

The option to disable legacy tls isnt present on Server 2019/build 17763 and older.... also by the way... the comment directly above your initial comment contains a working config for the browser title rewrite

Also, I've found the advanced config's "direct to https" option is inconsistent sometimes, url rewrite on the other hand works 100% of the time

I think theres a reason for the server farm too... so you can change the ARR settings (timeout), this probably prevents issues

[drashna 46]

6 hours ago, Turbofiero said:

The option to disable legacy tls isnt present on Server 2019/build 17763 and older

I'm not surprised that it's not on older builds.  Sadly.   Though it was worth noting, none the less.

6 hours ago, Turbofiero said:

comment directly above your initial comment contains a working config for the browser title rewrite

Yeah, I ran into some weird issues with conflicting rules causing a bunch of issues for me.  Got it all sorted out, and working, including the titles.  Thanks!

Just need to see if I can apply the same to the logos.

6 hours ago, Turbofiero said:

Also, I've found the advanced config's "direct to https" option is inconsistent sometimes, url rewrite on the other hand works 100% of the time

That's ... concerning, but hopefully is something that behaves better on the newer version.   

6 hours ago, Turbofiero said:

I think theres a reason for the server farm too... so you can change the ARR settings (timeout), this probably prevents issues

As for the server farm, I've been using url rewriting with IIS for years, and have never needed the farm config.  The ARR settings can be set independently of it, and work just fine. 

and when I say for years, I mean, I used to have a guide on my personal site from 2017 with instructions on how to enable it for subsonic, and forced SSL, that worked just fine.  Emby required additional configuration above and beyond the basics.   And I'm running it *without* the farm, and it seems to be just fine.  

However, it is something I am curious about. 

[Turbofiero 4]

2 hours ago, drashna said:

Just need to see if I can apply the same to the logos.

 The ARR settings can be set independently of it, and work just fine. 

Afraid to say too much as the Emby devs don't like people changing them , but look here, you may find what youre looking for

C:\Emby Server\system\dashboard-ui\modules\themes

C:\Emby Server\system\dashboard-ui

C:\Emby Server\system\dashboard-ui\images

But ya good point, I too am curious of the farm

[drashna 46]

3 hours ago, Turbofiero said:

Afraid to say too much as the Emby devs don't like people changing them , but look here, you may find what youre looking for

Yeah, I kind of wish they had a white label option.  

3 hours ago, Turbofiero said:

But ya good point, I too am curious of the farm

IIRC, there aren't any options/functionality that are explicitly needed by the server farm configuration.  

[drashna 46]

On 4/28/2022 at 2:51 PM, drashna said:

IIRC, there aren't any options/functionality that are explicitly needed by the server farm configuration.  

Been running this for a while now, and yeah, the server farm setup isn't needed, at all.

[TheITJedi 29]

7 hours ago, drashna said:

Been running this for a while now, and yeah, the server farm setup isn't needed, at all.

It was easy way to get UI bits for AAR cache, rather than having users dive into more obscure settings. Technically you don’t need it, you can set setting in IIS manually. However, for people less technical in nature, was easier explained with GUI.
 

Realistically I could (and likely will when time allows) build a PowerShell script to build whole thing. 

[skooogis 7]

I wish to learn IIS like you guys..

How have you gotten to learn all this stuff? Learn by doing or courses?

[TheITJedi 29]

8 hours ago, skooogis said:

I wish to learn IIS like you guys..

How have you gotten to learn all this stuff? Learn by doing or courses?

Man, I self-taught in high school and have been a Systems/Server/Network engineer for 20 years. Now days there are YouTube tutorials for everything and all kinds of online guides. 

[drashna 46]

On 5/23/2022 at 5:38 PM, TheITJedi said:

It was easy way to get UI bits for AAR cache, rather than having users dive into more obscure settings. Technically you don’t need it, you can set setting in IIS manually. However, for people less technical in nature, was easier explained with GUI.

To clarify what I mean: 

You do need the AAR bit, but you don't need to create the server farm part. 

[TheITJedi 29]

3 minutes ago, drashna said:

To clarify what I mean: 

You do need the AAR bit, but you don't need to create the server farm part. 

Yes.  You have to have AAR… but server farm was easy way to show setting, for people to change, rather than trying to walk through obscure menus and system files. 
 

 

Edited June 14, 2022 by TheITJedi

[Kapzy 1]

I finally got around to following this today and it looks like the WebPI platform is being shut down in December:
IIS Team Blog - Web Platform Installer - End of support and sunsetting the product/application feed

• June 1st ,2021 - Updates to the Web Application Gallery catalog ended.  In an emergency, we will make security updates for applications or remove them as needed
• July 1st, 2022 - Product support via Microsoft Support Services officially ends.  WebPI is classified as a tool in the Microsoft support lexicon and requires a 12 month notification before support is ended
• July 1st, 2022 - Product updates to the Product catalog will end.  The feed will be locked and no changes will be made
• December 31st, 2022 - The WebPI feed will be removed from the servers and the product installers will be pulled from the Microsoft download center

[Kapzy 1]

1 hour ago, Kapzy said:

I finally got around to following this today and it looks like the WebPI platform is being shut down in December:
IIS Team Blog - Web Platform Installer - End of support and sunsetting the product/application feed

• June 1st ,2021 - Updates to the Web Application Gallery catalog ended.  In an emergency, we will make security updates for applications or remove them as needed
• July 1st, 2022 - Product support via Microsoft Support Services officially ends.  WebPI is classified as a tool in the Microsoft support lexicon and requires a 12 month notification before support is ended
• July 1st, 2022 - Product updates to the Product catalog will end.  The feed will be locked and no changes will be made
• December 31st, 2022 - The WebPI feed will be removed from the servers and the product installers will be pulled from the Microsoft download center

For some reason I can't figure out how to edit my own post, but it looks like you can also get the URL Rewrite module here:
https://www.iis.net/downloads/microsoft/url-rewrite

[greenman427 0]

This guide is amazing, thank you so much!! I tried a couple different routes and this worked much better than the others with the instructions provided. This is exactly what I was looking for and you explained everything very well. Let me know how I can buy you a coffee! haha. 

Edited December 11, 2022 by greenman427
update

[Turbofiero 4]

A neat trick for shorter urls, redirect to /web/ via IIS then rewrite /web/ to /web/index.html, place these rules directly above the proxy to emby

Got the idea from a Jellyfin nginx config

 

                <rule name="Redirect" enabled="true" stopProcessing="true">
                    <match url="^$|web/index.html" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Redirect" url="web/" redirectType="Temporary" />
                </rule>
                <rule name="web">
                    <match url="web/$" />
                    <conditions logicalGrouping="MatchAll" trackAllCaptures="false" />
                    <action type="Rewrite" url="web/index.html" />
                </rule>

 

[noemi_karole 0]

 amazing guide , thank you so much!! . This is exactly what I was looking for and you explained everything very well. 

[Nathanael 4]

On 4/22/2022 at 11:10 PM, Turbofiero said:

I had it under a subdirectory, worked fine, you may need to change the "Proxy to Emby" rule to include the subdirectory though

Can i ask how you did this? What do i need to change to the rule in IIS?

[gutterdone26 7]

Hi guys, thanks for the tutorial! I'm stuck on the Certify Certificate Manager though. I attached a screenshot showing the part I keep failing. Can you let me know exactly how my router should be setup? Right now I have a port forward of 80 to 8096 and also 443 to 8920 to my Emby machine. I also have firewall settings allowing inbound and outbound on all four of those ports. But, for some reason I can't get past this part so any advice would be appreciated. Thanks!

[gutterdone26 7]

Nevermind, I found my mistake. It was the way I had the port forwarding in my router. Everything is working now.

[KiraCreedeth 1]

Hey, how do I update emby? I have followed exactly this tutorial for setup.

[pwhodges 1529]

What update do you mean? and what tutorial?  If your server is showing an update on the dashboard, then a restart should be sufficient.

Paul

[KiraCreedeth 1]

I meant updating emby version, I am running as a service with install location moved to root of C drive as in this tutorial.

[pwhodges 1529]

Download the new version from github, stop the service, copy the "system" directory from the 7z zip file to replace the old one, restart the service.  Takes about a minute - I do it regularly (as I run betas) :).

Paul

[TheITJedi 29]

@KiraCreedeth
 

Here, try this, Its the script I wrote to update my Emby Server.

Its a PowerShell script (just needs default Windows PowerShell 5.1 included in 2016+).

Requires you have x64 7Zip installed at C:\Program Files\7Zip\

Use -EmbyRoot to specify Emby install path (default is C:\Emby-Server)

Use -ServiceName to specify Emby service name (default is EmbyServer)

Use -Beta to use beta channel instead of stable.

For detailed help, use:  Get-Help -Name .\Update-EmbyServer.ps1 -Full

If you create a Mods folder inside your EmbyRoot, it will copy anything found in that folder to the EmbyRoot folder. (Ie :  C:\Emby-Server\Mods) for auto-updating modified files described:

On 4/28/2022 at 1:45 PM, Turbofiero said:

Afraid to say too much as the Emby devs don't like people changing them , but look here, you may find what youre looking for

C:\Emby Server\system\dashboard-ui\modules\themes

C:\Emby Server\system\dashboard-ui

C:\Emby Server\system\dashboard-ui\images

Update-EmbyServer.ps1

Edited May 27, 2023 by TheITJedi

[TheITJedi 29]

At some point I plan to build a PowerShell script that will do the full setup presented in this guide for Windows servers. Life has been super busy lately and haven't had time to work on it. 

[mit3gt 6]

This is a great guide.  I am having some issues though.  I am following the instructions and I am stuck at the web platform installer.  It appears to have been retired.  Is there a workaround for this?  I am running  Windows Server Essentials 2019.  Any help would be appreciated.  Thanks!