vemilla 1 Posted November 1, 2022
I'm new at configuring Emby with my own Domain and SSL. Please help in setting up the Virtual Host and Reverse Proxy.

vemilla 1 Author Posted November 1, 2022
Hello Luke, I have my ssl files already configured with my main domain in the same server vjnene.com and I have configured a new subdomain music.vjnene.com using the same ssls. Here is my virtual host config file:

    <VirtualHost *:80>
        ServerName music.vjnene.com
        Redirect permanent / https://music.vjnene.com
    </VirtualHost>

    <IfModule mod_ssl.c>
    <VirtualHost *:443>
        ServerName music.vjnene.com

        <proxy *>
            AddDefaultCharset off
            Order Allow,Deny
            Allow from all
        </proxy>

        ProxyRequests Off
        ProxyPreserveHost On

        RewriteEngine on
        RewriteRule ^/emby$ /emby/ [R]

        <Location /emby>
            ProxyPass http://localhost:8096
            ProxyPassReverse http://localhost:8096
        </Location>

        <Location /emby/emby>
            ProxyPass ws://localhost:8096/emby
            ProxyPassReverse ws://localhost:8096/emby
        </Location>

        SSLEngine on
        SSLCertificateFile /etc/ssl/vjnene/vjnene.com.crt
        SSLCertificateKeyFile /etc/ssl/vjnene/vjnene.com.key
        SSLCertificateChainFile /etc/ssl/vjnene/vjnene.com.ca-bundle
    </VirtualHost>
    </IfModule>

vemilla 1 Author Posted November 1, 2022
I believe I haven't changed the default location for emby. I don't know if this virtual host configuration was done incorrectly.

Luke 42077 Posted November 3, 2022
@NomadCF @Painkiller8818 @toddaniels may have some Apache SSL tips.

Painkiller88 248 Posted November 3, 2022
Not sure what's the exact problem, so maybe tell us what exactly should happen and what you want to do.
Normally it is enough if you have a domain pointing to a server in your Network to open the port on the router and import your ssl cert to your emby server in the settings.
E.g. if your emby server is 192.168.1.5 you need to open port tcp 8920 to point to 192.168.1.5
All you have to do is to call your domain:8920 and you should get to your emby server.
Subdomain, reverse proxy etc. is optional but can be configured easily.
Edited November 3, 2022 by Painkiller8818

Q-Droid 989 Posted November 3, 2022
On 11/1/2022 at 12:37 PM, vemilla said:
> I believe I haven't changed the default location for emby. I don't know if this virtual host configuration was done incorrectly.

I think you want to avoid rewrites and url path based proxy rules with Emby. Using subdomain and a location of "/" (everything) is more likely to work and remain stable across updates.

vemilla 1 Author Posted November 7, 2022
So I have been following some of your responses and I was able to configure the reverse proxy. Unfortunately, the page loads up to the logo (https://music.vjnene.com) and then freezes. This is using Safari; with Chrome it goes a bit further but still takes a long time to load and then it fails.

vemilla 1 Author Posted November 7, 2022
Here is my virtual host config:

    <VirtualHost *:80>
        ServerName music.vjnene.com
        ProxyPreserveHost on
        ProxyRequests Off
        ProxyPass / http://192.168.1.240:8096/
        ProxyPassReverse / http://192.168.1.240:8096/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName music.vjnene.com
        ProxyPreserveHost on
        ProxyRequests Off
        ProxyPass / https://192.168.1.240:8920/
        ProxyPassReverse / https://192.168.1.240:8920/
        SSLEngine on
        SSLCertificateFile /etc/ssl/music/music.vjnene.com.crt
        SSLCertificateKeyFile /etc/ssl/music/music.vjnene.com_key
        SSLCertificateChainFile /etc/ssl/music/music.vjnene.com.ca-bundle
    </VirtualHost>

Painkiller88 248 Posted November 7, 2022
I tried to open your server using the domain in your vhost config.

opening with http://yourdomain -> nothing works
opening with https://yourdomain -> gives me 503 service error
opening with http://yourdomain:8096 -> works for me and gets me to the login page after a few seconds after seeing the logo
opening with https://yourdomain:8920 -> nothing works

So I checked your open ports:

80 -> is closed (not a problem)
443 -> is open but is not your emby port
8096 -> is open -> this is why I can connect using normal http
8920 -> is closed -> this is what you wanna open to get a secure connection to your server

So open the port 8920 and point it to your emby server, and check if it is working.

If it is still not working: I also think there is a problem with your vhost config for *443. Try replacing https with http. I know you wanna have the secure connection here, but I checked an Apache sample config for this and I saw that in both configs, 80 and 443, they use http for proxy_pass.
Source: https://www.digitalocean.com/community/tutorials/how-to-use-apache-http-server-as-reverse-proxy-using-mod_proxy-extension

If this is working, try to close the 8920 port, because normally with a reverse proxy you shouldn't need to open all the ports.

So as you can see, there are many ways to reach your goal, just try them and choose what you like the most.

INFO: try accessing your remote address from your phone outside of the wifi; some modems do not allow you a loopback to access the public ip from inside the network.

I hope I could help a little bit.
Edited November 7, 2022 by Painkiller8818

Q-Droid 989 Posted November 7, 2022
The public ports in Emby network settings need to match your virtual host ports and the WAN side ports. The local ports are fine.

The https proxy pass should be referencing the http port. Actually both of the proxy sections in the virtual host should be referencing the http port unless you set up a certificate in Emby AND tell Apache to not validate the cert. If you really want to have end-to-end encryption it is doable but more complex, usually not needed.

Emby should be configured to Secure Connection Mode - Handled by reverse proxy.

Without a certificate setup in Emby it won't listen on 8920.

vemilla 1 Author Posted November 8, 2022
Q-Droid, This is what I have now:

        ProxyPreserveHost on
        ProxyRequests Off
        ProxyPass / http://192.168.1.240:8096/
        ProxyPassReverse / http://192.168.1.240:8096/
    </VirtualHost>

    <VirtualHost *:443>
        ServerName music.vjnene.com
        ProxyPreserveHost on
        ProxyRequests Off
        ProxyPass / https://192.168.1.240:8096/
        ProxyPassReverse / https://192.168.1.240:8096/
        SSLEngine on
        SSLCertificateFile /etc/ssl/music/music.vjnene.com.crt
        SSLCertificateKeyFile /etc/ssl/music/music.vjnene.com_key
        SSLCertificateChainFile /etc/ssl/music/music.vjnene.com.ca-bundle
    </VirtualHost>

But still not working

Q-Droid 989 Posted November 8, 2022
Port 8096 is http, not https.

Can you post the emby server log and apache log? You can mask the sensitive info though you've been posting your actual domain here...

Make sure you are forwarding the right ports. As @Painkiller8818 posted, your http (8096) port is open and responding. The others are not, and if using the reverse proxy you should only have port 443 open and maybe 80 if you want unencrypted access.

vemilla 1 Author Posted November 8, 2022
Q-Droid, I have tried opening my port 8920 on my server by doing sudo ufw allow 8920/tcp and I have even opened it in my router firewall just for testing purposes. When I check if the port is open it says it is closed. Don't know what I'm doing wrong?

vemilla 1 Author Posted November 8, 2022
I'm new at this, where can I find emby logs and what apache logs do you need?

Happy2Play 9780 Posted November 8, 2022
You have a certificate issue and your server is only listening in http/8096 but probably due to cert issue.

    The certificate data cannot be read with the provided password, the password may be incorrect.

But the other network gods would have to assist further.

Luke 42077 Posted November 8, 2022
12 minutes ago, Happy2Play said:
> You have a certificate issue and your server is only listening in http/8096 but probably due to cert issue. The certificate data cannot be read with the provided password, the password may be incorrect. But the other network gods would have to assist further.

Yes that sounds right.

vemilla 1 Author Posted November 8, 2022
I have recreated the PKCS #12 pfx file and reloaded it to my server. Changed the user ownership to emby:emby w/ 644.

vemilla 1 Author Posted November 8, 2022

    AH00558: apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1. Set the 'ServerName' directive globally to suppress this message
    PHP Warning: Module "mbstring" is already loaded in Unknown on line 0
    [Mon Nov 07 20:38:47.251843 2022] [mpm_prefork:notice] [pid 958] AH00163: Apache/2.4.52 (Ubuntu) OpenSSL/3.0.2 configured -- resuming normal operations
    [Mon Nov 07 20:38:47.251855 2022] [core:notice] [pid 958] AH00094: Command line: '/usr/sbin/apache2'
    [Mon Nov 07 20:40:37.421544 2022] [core:error] [pid 43971] [remote 192.168.1.240:8096] AH01961: failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
    [Mon Nov 07 20:40:37.421583 2022] [proxy:error] [pid 43971] AH00961: https: failed to enable ssl support for 192.168.1.240:8096 (192.168.1.240)
    [Mon Nov 07 20:44:56.707253 2022] [core:error] [pid 43972] [remote 192.168.1.240:8096] AH01961: failed to enable ssl support [Hint: if using mod_ssl, see SSLProxyEngine]
    [Mon Nov 07 20:44:56.707291 2022] [proxy:error] [pid 43972] AH00961: https: failed to enable ssl support for 192.168.1.240:8096 (192.168.1.240)

Q-Droid 989 Posted November 8, 2022
Now it's listening on 8920 so you're past the pfx problem. Your server should be responding on port 8920 internally and if your port forwarding is right then you should be able to access remotely using your domain.

You won't get SSL support on port 8096 as it's the http port. If you didn't change the proxypass directive from https to http it's likely why you get this error.

Now, are you using Apache for a reason, as in you already use it for other things? If this is something new to you and you're trying Apache because you came across some examples online then I would recommend trying Caddy instead. It is orders of magnitude easier to implement. But even Nginx will have more useful Emby specific examples available.

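Added example, not part of any post in this thread and not Emby or Apache project code: a small Python check that reads a vhost file and reports the two mismatches behind the AH01961 / AH00961 errors above (a TLS backend URL with no `SSLProxyEngine on`, and `https://` pointed at the plain-HTTP port). The function name `lint_vhosts` and the port table are assumptions built from what the thread states about ports 8096 and 8920; the sample config is constructed from the November 8 post.

```python
import re

# Constructed sample: the *:443 vhost as posted on November 8 in the thread above.
SAMPLE_VHOST = """\
<VirtualHost *:443>
    ServerName music.vjnene.com
    ProxyPreserveHost on
    ProxyRequests Off
    ProxyPass / https://192.168.1.240:8096/
    ProxyPassReverse / https://192.168.1.240:8096/
    SSLEngine on
</VirtualHost>
"""

# Assumption taken from the thread: Emby speaks plain HTTP on 8096 and TLS on 8920.
BACKEND_PORT_SCHEME = {8096: "http", 8920: "https"}

VHOST_RE = re.compile(r"<VirtualHost\s+([^>]+)>(.*?)</VirtualHost>", re.S | re.I)
# Matches both "ProxyPass / URL" and the one-argument form used inside <Location>.
PROXY_RE = re.compile(
    r"^\s*ProxyPass(?:Reverse)?\s+(?:\S+\s+)?(https?|wss?)://([^/\s:]+):(\d+)",
    re.I | re.M,
)
SSLPROXY_RE = re.compile(r"^\s*SSLProxyEngine\s+on\b", re.I | re.M)


def lint_vhosts(conf):
    """Return sorted (vhost, finding) tuples for proxy/TLS mismatches."""
    findings = set()
    for listen, body in VHOST_RE.findall(conf):
        listen = listen.strip()
        ssl_proxy = bool(SSLPROXY_RE.search(body))
        for scheme, _host, port in PROXY_RE.findall(body):
            scheme, port = scheme.lower(), int(port)
            actual = "https" if scheme in ("https", "wss") else "http"
            expected = BACKEND_PORT_SCHEME.get(port)
            if actual == "https" and not ssl_proxy:
                findings.add((listen, "TLS backend without SSLProxyEngine on (AH01961)"))
            if expected and expected != actual:
                findings.add((listen, f"{scheme}:// used against port {port}, which speaks {expected}"))
    return sorted(findings)


if __name__ == "__main__":
    for vhost, finding in lint_vhosts(SAMPLE_VHOST):
        print(f"{vhost}: {finding}")
```

Switching the backend URL in the sample to `http://192.168.1.240:8096/`, as the replies recommend, clears both findings.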