Unraid - emby server - unable to get https started


Posted

Hello everyone,

I have a new unraid server with Emby server 4.6.7.0, and when I set the certificate and everything in the network tab and restart the emby server, the dashboard still only shows http, not https (and the https port doesn't answer if I try to connect).

What am I doing wrong?

Thank you!

Posted

OK, I found the problem. For anyone else that would have the same problem: I'm using SWAG to generate my certificate, and sometimes it moves them to another location and creates a symlink. Emby doesn't like symlinks, so what I did is create a userscript that copies my certificate to another location with dereference, thus no more symlink. And there you go, this cert works perfectly.
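
The copy step described in the post above, as an added example that is not part of the original post and not the poster's own userscript. The paths passed to it are assumptions (the thread does not give them), and the function name `copy_cert_deref` is hypothetical.

```shell
#!/bin/sh
# Added example (not the poster's userscript): install a certificate that is
# reachable only through symlinks as a regular file at another path.
# All paths passed in are assumptions; none come from the thread.

# copy_cert_deref SRC DEST [MODE]
# Returns 0 if DEST was written, 1 if it was already current, 2 on error.
copy_cert_deref() {
    src=$1
    dest=$2
    mode=${3:-600}
    # -f and -s follow symlinks, so a dangling or empty target is rejected
    # here instead of replacing a working certificate.
    if [ ! -f "$src" ] || [ ! -s "$src" ]; then
        echo "source missing, dangling or empty: $src" >&2
        return 2
    fi
    # Nothing to do when DEST is already a regular file with the same bytes.
    if [ -f "$dest" ] && [ ! -L "$dest" ] && cmp -s "$src" "$dest"; then
        return 1
    fi
    # Write next to DEST, then rename, so a reader never sees a partial file.
    tmp=$(mktemp "$dest.XXXXXX") || return 2
    # cp -L copies the content the link points to, not the link itself.
    if cp -L "$src" "$tmp" && chmod "$mode" "$tmp" && mv -f "$tmp" "$dest"; then
        return 0
    fi
    rm -f "$tmp"
    return 2
}

# Run as: script.sh /path/to/symlinked/cert /path/to/regular/copy
if [ "$#" -ge 2 ]; then
    copy_cert_deref "$@"
fi
```

The copy contains private key material, so the default mode is 600; the file must be owned by, or otherwise readable to, the account Emby runs as, which this sketch leaves to the reader.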

Posted
14 hours ago, nodiaque said:

OK, I found the problem. For anyone else that would have the same problem: I'm using SWAG to generate my certificate, and sometimes it moves them to another location and creates a symlink. Emby doesn't like symlinks, so what I did is create a userscript that copies my certificate to another location with dereference, thus no more symlink. And there you go, this cert works perfectly.

Just a question: if you are using the swag proxy docker like I do, why do you need to copy the certs into emby? It works without doing that, and what to do is explained in the proxy-confs folder for the emby subdomain.

Posted

I'm unsure what you mean. Swag for me retrieves a cert and puts it in its share folder. It can do something else? I'm not using any proxy. Emby needs to have a cert in the settings and it can't read the certs from the swag container unless I either copy or mount it. For my use case, I mount it.

Posted

OK, so I decided to look at swag and saw it's also a reverse proxy (never used that). With unraid, ports 443 and 80 are already used by the unraid webui, so I must use another port and forward to it. This is no problem at the router level and when I access it from the outside, but what about from the inside? When I do local resolution, I don't go over the internet, I go straight to the server IP.

Posted

Been a while since I used Unraid, but I also had swag running there and believe I set the unraid gui to something else port-wise. I did similar to you in that I let swag get the certs, then used a cronjob to copy them to Unraid's cert folder; that way I would access unraid over https, just not on 443.

Swag does all the proxying then for the dockers, and if using port forwarding you only need to forward 443 to ya machine to access numerous dockers/apps.

Reference local LAN use, you don't need to use https (media and server local), so you would sign into emby using the local LAN port info, I guess.

However, I also use adguard (pihole does similar) and they allow for local DNS resolving, so I put in my domain names for locally hosted stuff and set the IP to the docker machine, and job done: domain and SSL working nicely (I don't do this for emby as mine's remote).

Posted

I just tried that. Using swag, it generated at first a top-level certificate for duckdns. I tried using the emby conf, and it works. But then, since I'm using local DNS, I tried from inside and that's where it doesn't work. The reason is it tried to go on port 443, while my emby server is on another port, and since it redirects to 443 on my unraid server (which is used by the webui and not swag), it doesn't work. Once I remove my local DNS redirection and it goes from the internet, it now hits the port forwarding, goes to swag, then emby. This works well from the internet.

The problem is I use it a lot from the intranet, and I don't want all my traffic to go out to the internet just for that. That's why I did a CNAME and a DNS entry in my pihole so it redirects everything directly to my unraid server. But then, that's where the problem starts, because port 443 is used by the webgui, so it doesn't reach SWAG like the firewall port redirection does. Because of that, I must use the emby port directly, which leads me to no answer if I didn't install a certificate directly in emby.

Since I only use emby from the internet and no other service (except some game servers that aren't using a reverse proxy anyway), I don't really mind. I use a VPN to access my server when I'm outside, so it's not a big problem.

All my dockers are using a custom bridge; because of that, I cannot put a local DNS entry directly to them since they all share the unraid IP. I could give them a separate IP each; this is on the todo list once I set up pfsense in the future with VLANs. This would solve the issue about the port being already used and have swag do the redirection for everybody.

But thanks on the info, I learned about reverse proxy today!

Posted (edited)

Fair enough, I was just wondering at first, that's all. I like to be nosey, not much else going on on a Sunday lol

The way I had it set up (inc. local jellyfin and plex servers as a test, but also bitwarden, photoprism, nextcloud etc.) was:

  • Swag set to get all the subdomains I need (I never put top level, set that to false)
  • Swag gets certs
  • If swag and all dockers are on a custom network then swag works via docker name. So if the docker name is emby, then set it below
  • Emby set up as per the note at the top of the emby proxy-conf (only need to put in the subdomain you want to use here, located in the server block, and make sure the docker container name matches the above; no need to set IPs as swag does it via container name if on a custom bridge as per spaceinvader's guide)
  • Add subdomain to Pihole, let's say emby.duckdns.org
  • If Emby ports are set up as per the note at the top you would have the following
  1. Local ports set to 8096 and 8920 respectively, i.e. no change
  2. Public Https port set to 443
  3. Allow remote ticked
  4. external domain = whatever you called it, i.e. emby proxy-conf

So with Pihole set to route that domain internally to the unraid IP, if the Unraid webui is set to a different port, let's say 8443, then emby would connect through the proxy via the subdomain as it would if you VPN'd to your home network.

I run all my homelab dockers this way with DNS entries, and the only one allowed out is the Nextcloud docker, which links to my server's documentserver to give office editing capabilities, but the firewall only allows my server's IP in on that port. They all appear SSL locally and, like you, I can IPsec in to act as native local network.

Edited by CassTG
