Make connection from Stunnel look like remote connection

[justinrh 260]

I am using Stunnel as a reverse proxy for multiple services on public port 443, and use SNI to route the external traffic to the correct internal port.  To Emby, this looks like a local connection.

Is there a way I can make Emby think this is remote traffic?

[Carlo 4561]

Hi, you are going to have to set the proxy up to forward the origin IP as part of the header.  Emby will be able to use that to know the IP the client came from.  Then it will appear as a remote IP.

See if this page is any help to you:
https://www.haproxy.com/blog/preserve-source-ip-address-despite-reverse-proxies/

[justinrh 260]

That's what I thought you'd say    I'll have to dig into the Stunnel config options.  Looks like I need the 'transparent' option but I can't get it working right now.  Their documentation isn't the greatest.

[Carlo 4561]

See if this helps
https://www.stunnel.org/pipermail/stunnel-users/2012-March/003673.html

 

[justinrh 260]

Thanks for that, but "protocol = proxy" doesn't work, either, as it is specifically for HAProxy and Emby never returns the login page.  Transparent option does not function on Windows.

It is looking like there is no way to do this with Stunnel.

[Carlo 4561]

Any particular reason you need to use Stunnel vs nginx or caddy2?
If it's just for Emby these other two reverse proxies are well documented and supported here in the forum for use with Emby.

[justinrh 260]

As posted, I have multiple services.  I picked Stunnel because it is purpose-built to do just what I needed and supports SNI.  I'm not married to it though.

I've browsed nginx configs before and they looked a little hairy, comparatively speaking.  Obviously, I don't know what my config would look like.

[Carlo 4561]

Understood. I've not used it but it looks like NGINX support SNI.
http://nginx.org/en/docs/http/configuring_https_servers.html

I don't know anyone using SNI with Emby so you may be a pioneer in this regard regardless of reverse proxy used.

I tried Googling this for stunnel and the docs I've seen are older and say it needs a patch but maybe this is built in now.
The goal is to get the reverse proxy to add these two headers:
X-Real-IP
X-Forwarded-For

With those added Emby can determine the real IP (reverse proxy) as well as the client's IP.

[justinrh 260]

I ended up using Caddy.  Thanks for the suggestions.

[Carlo 4561]

Sometimes it's just easier to switch to something a bit more friendly.
Do you have everything working now?

[justinrh 260]

Yep.  Just a few lines in the caddy file and it worked.  Though, I probably could never have figured it out on my own based on their documentation.  I already had a cert, but the built-in cert generation really is amazing.

I'd still use Stunnel if it could do what I needed on Windows.

[t123thomas 63]

On 9/21/2021 at 7:45 PM, justinrh said:

I am using Stunnel as a reverse proxy for multiple services on public port 443, and use SNI to route the external traffic to the correct internal port.  To Emby, this looks like a local connection.

Is there a way I can make Emby think this is remote traffic?

@justinrh, Hope all is well, I stumbled on this old post, wondering if you are able to resolve Stunnel with multiple services ie emby and Blue iris.

I am in similar circumstance, I have emby Media and Blue Iris on windows 10 and wanted to use Stunnel but have not make any progress, I dont even know where to start from

Already I have DDNS domain and was able to use let encrypt to generate SSL certificate which renew every 90 days

So far, I don know what next to do

If you have been successful in your setting and things are working fine for your, appreciate if your can share your settings 

Peace!   

[justinrh 260]

Hi.  I was able to get it working (still with the Windows limitations) with the attached config file (a couple of years old). stunnel.conf