
Help setting up Nginx for Emby



Posted

I've got Emby running on a Windows machine. I'm trying to move away from Cloudflare for SSL because of the updated TOS. I feel like I'm lost with Nginx though. Anyone willing to help me out via TeamViewer to get it up and running? I can either do a straight install of Nginx or run it in Docker... whatever is best. Just need some help and guidance.

Posted

Someone will recommend,  and I would agree, that if you're getting started then Caddy would be much easier and just as good.

 

  • Agree 2
Posted
4 minutes ago, Q-Droid said:

Someone will recommend,  and I would agree, that if you're getting started then Caddy would be much easier and just as good.

 

Well if that's the case then I'm definitely down for trying Caddy. Any suggestions or pointers would be highly recommended. 

Posted

My last questions for the night are what do you have now with Cloudflare and what do you want to have without them? Do you plan to keep CF for domain/DNS?

 

Posted
Just now, Q-Droid said:

My last questions for the night are what do you have now with Cloudflare and what do you want to have without them? Do you plan to keep CF for domain/DNS?

 

I want to eliminate using Cloudflare since their TOS has changed and now they're saying no video. I guess this really isn't a big deal? Some don't seem to be bothered by this... others seem to be getting banned from Cloudflare lol.

seanbuff
Posted
1 hour ago, sross44 said:

Well if that's the case then I'm definitely down for trying Caddy. Any suggestions or pointers would be highly recommended. 

@pwhodges provides a very good guide here: https://emby.media/community/index.php?/topic/84777-caddy-v2-update-and-warning/&do=findComment&comment=879750

You basically just need to:

  1. install the default Caddy v2 package
  2. configure basic config file named 'Caddyfile' (see below)
  3. port forward 80 and 443 in your router to your Caddy host
  4. update Emby with your Public HTTP/HTTPS ports, external domain, and Secure connection mode = handled by reverse proxy
  5. run Caddy


Basic Caddy config file would look like this:

{
email myname@email.com
}

media.mydomain.net {
   reverse_proxy <emby_host_ip>:8096
}


Not much else to it, see how you go and let us know if and where you get stuck.

  • Like 1
Posted
8 hours ago, sross44 said:

I want to eliminate using Cloudflare since their TOS has changed and now they're saying no video. I guess this really isn't a big deal? Some don't seem to be bothered by this... others seem to be getting banned from Cloudflare lol.

Right. What I wanted to know was if you're using CF for application services (SSL, DDoS, etc.) including DNS for your domain and if you plan to keep your domain with CF but run your own reverse proxy as a direct entry point for Emby.

You'll need to keep your domain somewhere and continue whichever IP updater you already use. The rest, as posted above, is pretty straightforward.

 

  • 1 year later...
HairyBizRat
Posted
On 12/12/2022 at 11:46 PM, seanbuff said:

@pwhodges provides a very good guide here: https://emby.media/community/index.php?/topic/84777-caddy-v2-update-and-warning/&do=findComment&comment=879750

You basically just need to:

  1. install the default Caddy v2 package
  2. configure basic config file named 'Caddyfile' (see below)
  3. port forward 80 and 443 in your router to your Caddy host
  4. update Emby with your Public HTTP/HTTPS ports, external domain, and Secure connection mode = handled by reverse proxy
  5. run Caddy


Basic Caddy config file would look like this:

{
email myname@email.com
}

media.mydomain.net {
   reverse_proxy <emby_host_ip>:8096
}


Not much else to it, see how you go and let us know if and where you get stuck.

When I tried this, the CMD window shows a lot of info but specially I see "could not get certificate from issue"

Posted
14 minutes ago, mjroberts said:

When I tried this, the CMD window shows a lot of info but specially I see "could not get certificate from issue"

I've never used the email syntax like in the comment. Try it without that and see if it works.

HairyBizRat
Posted
10 minutes ago, guunter said:

I've never used the email syntax like in the comment. Try it without that and see if it works.

Thanks for the reply

I removed the email and ran it again with, I think, the same error, see below. **Note: I substituted my real domain name for "mydomain.com"

Looks like my domain site ionos.ca is refusing access, do I need a username/password or something?

Quote

2024/08/09 15:20:48.925 INFO    using adjacent Caddyfile
2024/08/09 15:20:48.927 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/08/09 15:20:48.929 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2024/08/09 15:20:48.940 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/08/09 15:20:48.942 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc00064c280"}
2024/08/09 15:20:48.942 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/08/09 15:20:48.943 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/08/09 15:20:48.944 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/08/09 15:20:48.944 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/08/09 15:20:48.944 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/08/09 15:20:48.945 INFO    http    enabling automatic TLS certificate management   {"domains": ["mydomain.com"]}
2024/08/09 15:20:48.946 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\PLEX_SERVER\\AppData\\Roaming\\Caddy\\autosave.json"}
2024/08/09 15:20:48.946 INFO    serving initial configuration
2024/08/09 15:20:48.962 INFO    tls.obtain      acquiring lock  {"identifier": "mydomain.com"}
2024/08/09 15:20:48.963 INFO    [INFO][FileStorage:C:\Users\PLEX_SERVER\AppData\Roaming\Caddy] Lock for 'issue_cert_mydomain.com' is stale (created: 2024-08-09 10:51:28.3364281 -0400 EDT, last update: 2024-08-09 11:18:47.5566867 -0400 EDT); removing then retrying: C:\Users\PLEX_SERVER\AppData\Roaming\Caddy\locks\issue_cert_mydomain.com.lock
2024/08/09 15:20:48.966 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\PLEX_SERVER\\AppData\\Roaming\\Caddy", "instance": "274ef569-0dad-4625-b5e6-85665157c6c6", "try_again": "2024/08/10 15:20:48.966", "try_again_in": 86400}
2024/08/09 15:20:48.968 INFO    tls.obtain      lock acquired   {"identifier": "mydomain.com"}
2024/08/09 15:20:48.968 INFO    tls.obtain      obtaining certificate   {"identifier": "mydomain.com"}
2024/08/09 15:20:48.969 INFO    tls     finished cleaning storage units
2024/08/09 15:20:48.982 INFO    http    waiting on internal rate limiter        {"identifiers": ["mydomain.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomain@gmail.com"}
2024/08/09 15:20:48.982 INFO    http    done waiting on internal rate limiter   {"identifiers": ["mydomain.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomain@gmail.com"}
2024/08/09 15:20:48.982 INFO    http    using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1882600666", "account_contact": ["mailto:mydomain@gmail.com"]}
2024/08/09 15:20:49.635 INFO    http.acme_client        trying to solve challenge       {"identifier": "mydomain.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/08/09 15:20:49.902 INFO    tls     served key authentication certificate   {"server_name": "mydomain.com", "challenge": "tls-alpn-01", "remote": "23.178.112.214:35939", "distributed": false}
2024/08/09 15:20:50.704 ERROR   http.acme_client        challenge failed        {"identifier": "mydomain.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "During secondary validation: 74.208.236.77: remote error: tls: internal error", "instance": "", "subproblems": []}}
2024/08/09 15:20:50.704 ERROR   http.acme_client        validating authorization        {"identifier": "mydomain.com", "problem": {"type": "urn:ietf:params:acme:error:tls", "title": "", "detail": "During secondary validation: 74.208.236.77: remote error: tls: internal error", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1882600666/294815152066", "attempt": 1, "max_attempts": 3}
2024/08/09 15:20:52.068 INFO    http.acme_client        trying to solve challenge       {"identifier": "mydomain.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/08/09 15:20:53.211 ERROR   http.acme_client        challenge failed        {"identifier": "mydomain.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomain.com/.well-known/acme-challenge/7sHoXh6kY71k_uPZNM5S7r77W2KyDlHg3epWdnFTY5Q: 204", "instance": "", "subproblems": []}}
2024/08/09 15:20:53.211 ERROR   http.acme_client        validating authorization        {"identifier": "mydomain.com", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomain.com/.well-known/acme-challenge/7sHoXh6kY71k_uPZNM5S7r77W2KyDlHg3epWdnFTY5Q: 204", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1882600666/294815158646", "attempt": 2, "max_attempts": 3}
2024/08/09 15:20:53.216 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "mydomain.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomain.com/.well-known/acme-challenge/7sHoXh6kY71k_uPZNM5S7r77W2KyDlHg3epWdnFTY5Q: 204"}
2024/08/09 15:20:53.217 ERROR   tls.obtain      will retry      {"error": "[mydomain.com] Obtain: [mydomain.com] solving challenge: mydomain.com: [mydomain.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomain.com/.well-known/acme-challenge/7sHoXh6kY71k_uPZNM5S7r77W2KyDlHg3epWdnFTY5Q: 204 (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 4.2492656, "max_duration": 2592000}

 

Posted
1 minute ago, mjroberts said:

Thanks for the reply

I removed the email and ran it again with, I think, the same error, see below. **Note: I substituted my real domain name for "mydomain.com"

Looks like my domain site ionos.ca is refusing access, do I need a username/password or something?

 

Can you post your Caddyfile and redact important info? I'm on Linux though, but I'll try to see if I see something weird.

HairyBizRat
Posted
12 minutes ago, guunter said:

Can you post your Caddyfile and redact important info? I'm on Linux though, but I'll try to see if I see something weird.

I am using the file below, and I downloaded Caddy today, so the latest version, which downloads as an .exe file, not a zip file

 

Quote

{ email myname@email.com } media.mydomain.net { reverse_proxy <emby_host_ip>:8096 }

 

Posted (edited)
5 minutes ago, mjroberts said:

I am using the file below, and I downloaded Caddy today, so the latest version, which downloads as an .exe file, not a zip file

 

 

That's not how it should look. It should be...

emby.domain.com {
    reverse_proxy 192.168.0.33:8096
}

Can you post the DL link you used?

 

Also did you allow Caddy through the Windows Firewall?

Edited by guunter
HairyBizRat
Posted
7 minutes ago, guunter said:

That's not how it should look. It should be...

emby.domain.com {
    reverse_proxy 192.168.0.33:8096
}

Can you post the DL link you used?

 

Also did you allow Caddy through the Windows Firewall?

Just so I am clear, if my domain is "familyserver.com" then would it be familyserver.com {   or emby.familyserver.com { ?

I downloaded from Download Caddy (caddyserver.com)

Yes, Caddy.exe is allowed through the firewall

Posted
1 minute ago, mjroberts said:

Just so I am clear, if my domain is "familyserver.com" then would it be familyserver.com {   or emby.familyserver.com { ?

I downloaded from Download Caddy (caddyserver.com)

Yes, Caddy.exe is allowed through the firewall

 

The way I have mine configured, I use a subdomain. I created an A record for my website on Cloudflare, for example adding "emby". I also use Plex and Jellyfin on my domain, so I use subdomains to separate them.

HairyBizRat
Posted
4 minutes ago, guunter said:

 

The way I have mine configured, I use a subdomain. I created an A record for my website on Cloudflare, for example adding "emby". I also use Plex and Jellyfin on my domain, so I use subdomains to separate them.

OK, I have a domain through ionos.ca but am not using a subdomain, as this is the only service I'll be using it for

I have the A record updated and I can use my domain right now via http and connect to my Emby server

but obviously I want SSL

What exactly do I need to do? Is there another software or provider I need between Caddy and my Domain register?

 

I changed my file in Caddy to match yours and the output is this

 

Quote

Microsoft Windows [Version 10.0.19045.4651]

(c) Microsoft Corporation. All rights reserved.

 

C:\Windows\system32>cd\

 

C:\>cd caddy

 

C:\Caddy>caddy run

2024/08/09 15:59:11.379 INFO    using adjacent Caddyfile
2024/08/09 15:59:11.381 INFO    adapted config to JSON  {"adapter": "caddyfile"}
2024/08/09 15:59:11.381 WARN    Caddyfile input is not formatted; run 'caddy fmt --overwrite' to fix inconsistencies    {"adapter": "caddyfile", "file": "Caddyfile", "line": 1}
2024/08/09 15:59:11.390 INFO    admin   admin endpoint started  {"address": "localhost:2019", "enforce_origin": false, "origins": ["//localhost:2019", "//[::1]:2019", "//127.0.0.1:2019"]}
2024/08/09 15:59:11.390 INFO    http.auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
2024/08/09 15:59:11.390 INFO    tls.cache.maintenance   started background certificate maintenance      {"cache": "0xc0006f7780"}
2024/08/09 15:59:11.390 INFO    http.auto_https enabling automatic HTTP->HTTPS redirects        {"server_name": "srv0"}
2024/08/09 15:59:11.391 INFO    http    enabling HTTP/3 listener        {"addr": ":443"}
2024/08/09 15:59:11.392 INFO    http.log        server running  {"name": "srv0", "protocols": ["h1", "h2", "h3"]}
2024/08/09 15:59:11.392 INFO    http.log        server running  {"name": "remaining_auto_https_redirects", "protocols": ["h1", "h2", "h3"]}
2024/08/09 15:59:11.392 INFO    http    enabling automatic TLS certificate management   {"domains": ["mydomainname.com"]}
2024/08/09 15:59:11.393 INFO    autosaved config (load with --resume flag)      {"file": "C:\\Users\\PLEX_SERVER\\AppData\\Roaming\\Caddy\\autosave.json"}
2024/08/09 15:59:11.393 INFO    serving initial configuration
2024/08/09 15:59:11.395 INFO    tls     storage cleaning happened too recently; skipping for now        {"storage": "FileStorage:C:\\Users\\PLEX_SERVER\\AppData\\Roaming\\Caddy", "instance": "274ef569-0dad-4625-b5e6-85665157c6c6", "try_again": "2024/08/10 15:59:11.395", "try_again_in": 86400}
2024/08/09 15:59:11.403 INFO    tls     finished cleaning storage units
2024/08/09 15:59:11.404 INFO    tls.obtain      acquiring lock  {"identifier": "mydomainname.com"}
2024/08/09 15:59:11.407 INFO    [INFO][FileStorage:C:\Users\PLEX_SERVER\AppData\Roaming\Caddy] Lock for 'issue_cert_mydomainname.com' is stale (created: 2024-08-09 11:28:39.1295226 -0400 EDT, last update: 2024-08-09 11:35:45.2853222 -0400 EDT); removing then retrying: C:\Users\PLEX_SERVER\AppData\Roaming\Caddy\locks\issue_cert_mydomainname.com.lock
2024/08/09 15:59:11.411 INFO    tls.obtain      lock acquired   {"identifier": "mydomainname.com"}
2024/08/09 15:59:11.412 INFO    tls.obtain      obtaining certificate   {"identifier": "mydomainname.com"}
2024/08/09 15:59:11.415 INFO    http    waiting on internal rate limiter        {"identifiers": ["mydomainname.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomainname@gmail.com"}
2024/08/09 15:59:11.415 INFO    http    done waiting on internal rate limiter   {"identifiers": ["mydomainname.com"], "ca": "https://acme-v02.api.letsencrypt.org/directory", "account": "mydomainname@gmail.com"}
2024/08/09 15:59:11.417 INFO    http    using ACME account      {"account_id": "https://acme-v02.api.letsencrypt.org/acme/acct/1882600666", "account_contact": ["mailto:mydomainname@gmail.com"]}
2024/08/09 15:59:12.018 INFO    http.acme_client        trying to solve challenge       {"identifier": "mydomainname.com", "challenge_type": "tls-alpn-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/08/09 15:59:12.449 ERROR   http.acme_client        challenge failed        {"identifier": "mydomainname.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "74.208.236.77: Error getting validation data", "instance": "", "subproblems": []}}
2024/08/09 15:59:12.449 ERROR   http.acme_client        validating authorization        {"identifier": "mydomainname.com", "problem": {"type": "urn:ietf:params:acme:error:connection", "title": "", "detail": "74.208.236.77: Error getting validation data", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1882600666/294822127216", "attempt": 1, "max_attempts": 3}
2024/08/09 15:59:13.686 INFO    http.acme_client        trying to solve challenge       {"identifier": "mydomainname.com", "challenge_type": "http-01", "ca": "https://acme-v02.api.letsencrypt.org/directory"}
2024/08/09 15:59:14.147 ERROR   http.acme_client        challenge failed        {"identifier": "mydomainname.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainname.com/.well-known/acme-challenge/aW1Gx8WPoEAXSn566KU5jTyNdxZjUguGydyOZd9VbtY: 204", "instance": "", "subproblems": []}}
2024/08/09 15:59:14.147 ERROR   http.acme_client        validating authorization        {"identifier": "mydomainname.com", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "title": "", "detail": "2607:f1c0:100f:f000::200: Invalid response from http://mydomainname.com/.well-known/acme-challenge/aW1Gx8WPoEAXSn566KU5jTyNdxZjUguGydyOZd9VbtY: 204", "instance": "", "subproblems": []}, "order": "https://acme-v02.api.letsencrypt.org/acme/order/1882600666/294822132086", "attempt": 2, "max_attempts": 3}
2024/08/09 15:59:14.152 ERROR   tls.obtain      could not get certificate from issuer   {"identifier": "mydomainname.com", "issuer": "acme-v02.api.letsencrypt.org-directory", "error": "HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainname.com/.well-known/acme-challenge/aW1Gx8WPoEAXSn566KU5jTyNdxZjUguGydyOZd9VbtY: 204"}
2024/08/09 15:59:14.153 ERROR   tls.obtain      will retry      {"error": "[mydomainname.com] Obtain: [mydomainname.com] solving challenge: mydomainname.com: [mydomainname.com] authorization failed: HTTP 403 urn:ietf:params:acme:error:unauthorized - 2607:f1c0:100f:f000::200: Invalid response from http://mydomainname.com/.well-known/acme-challenge/aW1Gx8WPoEAXSn566KU5jTyNdxZjUguGydyOZd9VbtY: 204 (ca=https://acme-v02.api.letsencrypt.org/directory)", "attempt": 1, "retrying_in": 60, "elapsed": 2.7409079, "max_duration": 2592000}
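
Each "challenge failed" record in the logs above names the address the CA connected to, and comparing those addresses with the public address that forwards ports 80/443 to Caddy shows whether validation reached the Caddy host at all. The script below is an added example, not part of any post in this thread: it parses Caddy console log lines in that format (unrendered colour codes included) and lists the failed challenges. The sample lines, `example.com`, the addresses and `MY_PUBLIC_IPS` are constructed placeholders.

```python
import ipaddress
import json
import re

# ANSI colour codes, as real ESC bytes or as the "←[..m" text seen in the logs above.
ANSI = re.compile(r"(?:\x1b|←)\[[0-9;]*m")
LINE = re.compile(r"^(\d{4}/\d\d/\d\d \d\d:\d\d:\d\d\.\d+)\s+([A-Z]+)\s+(.*)$")


def parse_line(raw):
    """Split a Caddy console log line into timestamp, level, text and fields."""
    m = LINE.match(ANSI.sub("", raw).strip())
    if not m:
        return None
    ts, level, rest = m.groups()
    fields = {}
    start = rest.find('{"')  # structured fields are a trailing JSON object
    if start != -1:
        try:
            fields = json.loads(rest[start:])
            rest = rest[:start]
        except json.JSONDecodeError:
            pass  # not JSON after all: keep the whole line as text
    return {"ts": ts, "level": level, "text": " ".join(rest.split()), "fields": fields}


def validated_address(detail):
    """Return the IP address the CA reports contacting, or None."""
    for part in detail.split(": "):
        try:
            return ipaddress.ip_address(part.strip())
        except ValueError:
            continue
    return None


def failed_challenges(lines):
    """Collect each 'challenge failed' record with the address the CA reached."""
    out = []
    for raw in lines:
        rec = parse_line(raw)
        if not rec or rec["level"] != "ERROR" or not rec["text"].endswith("challenge failed"):
            continue
        problem = rec["fields"].get("problem", {})
        out.append({
            "challenge": rec["fields"].get("challenge_type"),
            "error": problem.get("type", "").rsplit(":", 1)[-1],
            "address": validated_address(problem.get("detail", "")),
        })
    return out


def wrong_host(failures, my_public_ips):
    """Failures where the CA connected to an address that is not this host."""
    mine = {ipaddress.ip_address(ip) for ip in my_public_ips}
    return [f for f in failures if f["address"] is not None and f["address"] not in mine]


# Constructed sample in the format of the logs above (documentation addresses).
SAMPLE = [
    '2024/08/09 15:20:48.925 ←[34mINFO←[0m   using adjacent Caddyfile',
    '2024/08/09 15:20:50.704 ←[31mERROR←[0m  http.acme_client        challenge failed        {"identifier": "example.com", "challenge_type": "tls-alpn-01", "problem": {"type": "urn:ietf:params:acme:error:tls", "detail": "During secondary validation: 198.51.100.77: remote error: tls: internal error"}}',
    '2024/08/09 15:20:50.704 \x1b[31mERROR\x1b[0m  http.acme_client        validating authorization        {"identifier": "example.com", "attempt": 1}',
    '2024/08/09 15:20:53.211 ←[31mERROR←[0m  http.acme_client        challenge failed        {"identifier": "example.com", "challenge_type": "http-01", "problem": {"type": "urn:ietf:params:acme:error:unauthorized", "detail": "2001:db8::200: Invalid response from http://example.com/.well-known/acme-challenge/TOKEN: 204"}}',
]
MY_PUBLIC_IPS = ["203.0.113.10"]  # assumption: address that forwards 80/443 to Caddy

if __name__ == "__main__":
    print([(f["challenge"], str(f["address"])) for f in wrong_host(failed_challenges(SAMPLE), MY_PUBLIC_IPS)])
```

Any entry returned by `wrong_host` means the name resolved, for that validation attempt, to a machine other than the one running Caddy, which is a DNS record question (A and AAAA) rather than a Caddyfile one.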

 

Posted
5 minutes ago, mjroberts said:

OK, I have a domain through ionos.ca but am not using a subdomain, as this is the only service I'll be using it for

I have the A record updated and I can use my domain right now via http and connect to my Emby server

but obviously I want SSL

What exactly do I need to do? Is there another software or provider I need between Caddy and my Domain register?

 

I changed my file in Caddy to match yours and the output is this

 

 

 

It should all be done automatically. So you're saying if you do https://domain.com you get a 443 error?

Posted
4 minutes ago, mjroberts said:

I have to use http://www.mydomainname.com:8096/ and i can access emby

If I try to use SSL, I try http://www.mydomainname.com:8920/ and I get

The connection for this site is not secure mydomainname.com sent an invalid response.
ERR_SSL_PROTOCOL_ERROR

 

If you're properly reverse proxied you do not need the ports. It should be https://mydomain.com. Port 8920 is only if you upload your own cert to Emby. Does your site work without adding the ports at all?

HairyBizRat
Posted
2 minutes ago, guunter said:

If you're properly reverse proxied you do not need the ports. It should be https://mydomain.com. Port 8920 is only if you upload your own cert to Emby. Does your site work without adding the ports at all?

No, it only works with ports

Posted
Just now, mjroberts said:

No, it only works with ports

On your router did you by chance port forward 8096 and 8920?

When you use a reverse proxy the only port you want open on your router is port 443. That way only port 443 is exposed to the world and the reverse proxy will handle the internal ports and serve them all as 443 externally.

  • Agree 1
