SirJMD 15 Posted March 31, 2023 Posted March 31, 2023 On to the next issue! In Emby I've set the public https port to 443, and forwarded that port in my router to the local IP of Emby. At duckdns I've entered my public IP, for the subdomain emby.duckdns.com, and entered that into Emby "External domain". "Secure connection mode" set to "Handled by reverse proxy". Automatic port mapping disabled.

Running "Swag" in Docker, set up with duckdns. Returns:

    Certificate exists; parameters unchanged; starting nginx
    [custom-init] No custom files found, skipping...
    [ls.io-init] done.
    Server ready

I assume that means that everything went smoothly? The cert files seem to be here:

I'm a bit lost at the next step: Getting the certificate working in Emby. I've tried pointing to privkey.pfx, which I thought was in the correct format, but it doesn't seem to work. Testing https://emby.duckdns.org/ doesn't work, neither does https://emby.duckdns.org/emby. I did however get http://emby.duckdns.org:8096/ to work, just to check if duckdns was working. Any help is greatly appreciated
Eigeplackter 90 Posted March 31, 2023 Posted March 31, 2023 You need to leave emby standard port (8920) settings, not 443. In your reverse proxy you have to set a route for requests source: https://emby.duckdns.org/ target <your_local_emby_ip>:8920 1
SirJMD 15 Posted April 1, 2023 Author Posted April 1, 2023 9 hours ago, Eigeplackter said: You need to leave emby standard port (8920) settings, not 443. In your reverse proxy you have to set a route for requests source: https://emby.duckdns.org/ target <your_local_emby_ip>:8920

Is that in Swag I need to set the source and target? When it doesn't work for https without that, but it does for http, is that due to the certificate?
seanbuff 1315 Posted April 1, 2023 Posted April 1, 2023 9 hours ago, SirJMD said: I'm a bit lost at the next step: Getting the certificate working in Emby. I've tried pointing to privkey.pfx, which I thought were in the correct format, but it doesn't seem to work. Since you're using SWAG as your reverse proxy, you don't need to provide Emby the certificates - that's the point of the reverse proxy and you setting the option in Emby to "Handled by reverse proxy" 1
SirJMD 15 Posted April 1, 2023 Author Posted April 1, 2023 (edited) 3 minutes ago, seanbuff said: Since you're using SWAG as your reverse proxy, you don't need to provide Emby the certificates - that's the point of the reverse proxy and you setting the option in Emby to "Handled by reverse proxy"

Interesting. Then I'm stuck at some other point.

In nginx\site-confs\default.conf I've changed to:

    server_name emby.duckdns.org;

And added (EmbyServer runs at 192.168.20.3):

    set_real_ip_from 192.168.0.0/16;
    real_ip_header X-Forwarded-For;

Looking at "emby.subdomain.conf" in nginx it says "in emby settings, under "Advanced" change the public https port to 443, leave the local ports as is". But the above recommendation was to leave it at 8920. How come? In that conf I've changed:

    server_name emby.*;
    set $upstream_app EmbyServer;

In my router I've forwarded external 443 port to internal 8920, pointing to the EmbyServer running at 192.168.20.3. Testing at https://emby.duckdns.org/emby yields "refused to connect.". Edited April 1, 2023 by SirJMD
seanbuff 1315 Posted April 1, 2023 Posted April 1, 2023 5 minutes ago, SirJMD said: Looking at "emby.subdomain.conf" in nginx it says "in emby settings, under "Advanced" change the public https port to 443, leave the local ports as is". But above recommendation were to leave it at 8920. Howcome? In that conf I've changed: server_name emby.*;

The text in the file is correct. I would leave the "Internal" ports as default, i.e: But you should change the "Public" ports to: Then in the emby.subdomain.conf file:

    location / {
        include /config/nginx/proxy.conf;
        include /config/nginx/resolver.conf;
        set $upstream_app <Emby Local IP>;
        set $upstream_port 8096;
        set $upstream_proto http;
        proxy_pass $upstream_proto://$upstream_app:$upstream_port;
    }

Update it to the IP of Emby, or your container name if using Docker. Then in your router, you need to Port Forward both 80 and 443 to your Reverse Proxy IP and internal ports you chose
SirJMD 15 Posted April 1, 2023 Author Posted April 1, 2023 @seanbuff Changed the ports as suggested, and set set $upstream_app 192.168.20.3. In my router I've forwarded both port 80 and 443 to the nginx server's IP (192.168.20.7) - that's what you meant, right? Still getting "This site can’t be reached". I've of course restarted the docker containers after making the changes. Tested http://emby.duckdns.org:8096/ and it works fine (closed that port afterwards again).
seanbuff 1315 Posted April 1, 2023 Posted April 1, 2023 30 minutes ago, SirJMD said: In nginx\site-confs\default.conf I've changed to: server_name emby.duckdns.org; And added (EmbyServer runs at 192.168.20.3) set_real_ip_from 192.168.0.0/16; real_ip_header X-Forwarded-For; I would revert these changes, there's really no need to touch that file. Because SWAG can handle proxying many services, you don't want the default "server_name" to just be Emby (that's what the individual config files are for) Also, I would try follow the IbraCorp guide, it's very detailed and should have you going if you follow it from the start: https://www.youtube.com/watch?v=N7FlsvhpVGE
SirJMD 15 Posted April 1, 2023 Author Posted April 1, 2023 (edited) 49 minutes ago, seanbuff said: I would revert these changes, there's really no need to touch that file. Because SWAG can handle proxying many services, you don't want the default "server_name" to just be Emby (that's what the individual config files are for) Also, I would try follow the IbraCorp guide, it's very detailed and should have you going if you follow it from the start: https://www.youtube.com/watch?v=N7FlsvhpVGE

I actually started with the IBRACORP video, it's quite good. However, he uses cloudflare with his own domain, whereas I'm trying to use duckdns. So instead of "wildcard" as subdomain I used "www", and instead of cloudflare in his video I used duckdns. But I don't have an option for duckdnstoken in docker, I guess it was removed in a newer release? I instead added it in dns-conf/duckdns.ini. I'm not sure if I'm missing something (well, I guess since it's not working..). Thanks for the help so far, it's greatly appreciated. Edited April 1, 2023 by SirJMD
seanbuff 1315 Posted April 1, 2023 Posted April 1, 2023 I don't have any personal experience using DuckDNS, but I do have experience with SWAG - reading the LSIO doco page, you may be able to add additional parameters to support duckdnstoken, see here: https://docs.linuxserver.io/general/swag#create-container-via-duckdns-validation-with-a-wildcard-cert

Presumably you can add "DUCKDNSTOKEN" as a custom variable in your UnRAID Docker config for SWAG:

    docker create \
      --name=swag \
      --cap-add=NET_ADMIN \
      --net=lsio \
      -e PUID=1000 \
      -e PGID=1000 \
      -e TZ=Europe/London \
      -e URL=linuxserver-test.duckdns.org \
      -e SUBDOMAINS=emby \
      -e VALIDATION=duckdns \
      -e DUCKDNSTOKEN=97654867496t0877648659765854 \
      -p 443:443 \
      -p 80:80 \
      -v /home/aptalca/appdata/swag:/config \
      --restart unless-stopped \
      lscr.io/linuxserver/swag

Your SUBDOMAIN value should be comma list of your proxied services, or just 'emby' for now (or whatever your duckdns subdomain is named) -- not sure why you have entered 'www' there. And your VALIDATION should be 'duckdns'

Also, did you already revert the changes you made to your nginx\site-confs\default.conf file?
CassTG 113 Posted April 2, 2023 Posted April 2, 2023 I use swag for most things. If ur running docker containers there isn't much to do. Only thing in proxy confs folder to change is obviously copy emby conf removing sample. Then change the server name in the swag emby config to match ur domain. If u set up a custom bridge network then if swag and emby are on same network and ur emby docker is called emby swag proxies to emby without any further mods obviously set the server name and ports in emby as per the details in the config file. Port forward router to swag container and job done 1
SirJMD 15 Posted April 4, 2023 Author Posted April 4, 2023 On 4/1/2023 at 1:28 PM, seanbuff said: I don't have any personal experience using DuckDNS, but I do have experience with SWAG - reading the LSIO doco page, you may be able to add additional parameters to support duckdnstoken, see here: https://docs.linuxserver.io/general/swag#create-container-via-duckdns-validation-with-a-wildcard-cert Presumably you can add "DUCKDNSTOKEN" as a custom variable in your UnRAID Docker config for SWAG: Your SUBDOMAIN value should be comma list of your proxied services, or just 'emby' for now (or whatever your duckdns subdomain is named) -- not sure why you have entered 'www' there. And your VALIDATION should be 'duckdns' Also, did you already revert the changes you made to your nginx\site-confs\default.conf file?

I tried adding DUCKDNSTOKEN, but it didn't change anything. I've also reverted the changes to default.conf.

On 4/2/2023 at 6:51 PM, CassTG said: I use swag for most things. If ur running docker containers there isn't much to do. Only thing in proxy confs folder to change is obviously copy emby conf removing sample. Then change the server name in the swag emby config to match ur domain. If u set up a custom bridge network then if swag and emby are on same network and ur emby docker is called emby swag proxies to emby without any further mods obviously set the server name and ports in emby as per the details in the config file. Port forward router to swag container and job done

EmbyServer and Swag are on the same custom br0.20 network. Emby as 192.168.20.3 and Swag as 192.168.20.7. That should be ok, right? In swag\nginx\proxy-confs\emby.subdomain.conf I've changed:

    server_name emby.*;
    set $upstream_app 192.168.20.3;

Server name should be the duckdns subdomain, right? In my router (Unifi) I've forwarded from 443 and 80 to 44301 and 8001, respectively, both pointing to 192.168.20.7. In Swag I have 44301 and 8001 as well (followed the IBRACORP video).

When I try to access https://emby.duckdns.org/emby, https://emby.duckdns.org:8920/emby or https://emby.duckdns.org:443/emby, I get a red page with "Deceptive site ahead", and when I choose to proceed I just get "This site can’t be reached". However, http://emby.duckdns.org:8096/emby works...
seanbuff 1315 Posted April 4, 2023 Posted April 4, 2023 18 minutes ago, SirJMD said: EmbyServer and Swag are on the same custom br0.20 network. Emby as 192.168.20.3 and Swag as 192.168.20.7. That should be ok, right? Yes that's fine. 21 minutes ago, SirJMD said: In swag\nginx\proxy-confs\emby.subdomain.conf I've changed: server_name emby.*; Obvious question, but emby.<domain.com> is your actual subdomain yeah? Otherwise, make sure the proper name is here. 22 minutes ago, SirJMD said: set $upstream_app 192.168.20.3; if Emby and SWAG are both Dockers in bridge mode, just change this to the <containername> of Emby 23 minutes ago, SirJMD said: However, http://emby.duckdns.org:8096/emby works... Do you have a port forward rule setup for 8096 also? Because I don't know how that's working without one. Remove that if so, and make everything go thru SWAG Can you confirm that the "Domain" you have configured here in DuckDNS matches the "server_name" entry you added to your emby.subdomain.conf file? And does the "Current IP" match what you see when you go to https://www.whatismyip.com/ ?
CassTG 113 Posted April 4, 2023 Posted April 4, 2023 (edited) For the server name in the emby conf file in swag i always set the full domain i.e emby.duckdns.com. Only reason is i had an issue once using the shortened version so it just stuck with me and i use full domain. As mentioned by seanbuff if you have both swag and emby on the same custom network then you don't need to set ip address you can just use the docker container name. If you called the docker emby then you only need to enter emby here not IP. I do not use duckdns as i use a cheap domain from a main domain name provider which costs a few pounds a year, which also makes dns challenges for certs so much easier using the api rather than port verification. Then forward ports to swag and let it do its thing. I run my emby in a vps in the cloud so i do not have the home network to contend with which may or may not be a factor here. Edited April 4, 2023 by CassTG
SirJMD 15 Posted April 5, 2023 Author Posted April 5, 2023 19 hours ago, seanbuff said: 20 hours ago, SirJMD said: In swag\nginx\proxy-confs\emby.subdomain.conf I've changed: server_name emby.*; Obvious question, but emby.<domain.com> is your actual subdomain yeah? Otherwise, make sure the proper name is here. It's not "emby", but the config reflects the actual subdomain. 19 hours ago, seanbuff said: 20 hours ago, SirJMD said: set $upstream_app 192.168.20.3; if Emby and SWAG are both Dockers in bridge mode, just change this to the <containername> of Emby Tried that as well, no change. 19 hours ago, seanbuff said: 20 hours ago, SirJMD said: However, http://emby.duckdns.org:8096/emby works... Do you have a port forward rule setup for 8096 also? Because I don't know how that's working without one. Remove that if so, and make everything go thru SWAG Merely to test if port forwarding etc. were working, to rule that out. It has been disabled again. 19 hours ago, seanbuff said: Can you confirm that the "Domain" you have configured here in DuckDNS matches the "server_name" entry you added to your emby.subdomain.conf file? And does the "Current IP" match what you see when you go to https://www.whatismyip.com/ ? Yep, they match. Current IP matches as well, and tested with port 8096 that works but of course only with http. 15 hours ago, CassTG said: I do not use duckdns as i use a cheap domain from a main domain name provider which costs a few pounds a year, which also makes dns challenges for certs so much easier using the api rather than port verification. I might give that a shot as well. I feel like I've tried just about anything, and read 50+ guides and forum threads. Since it works on port 8096, I think the problem is somewhere with Swag.
SirJMD 15 Posted April 5, 2023 Author Posted April 5, 2023 The log from emby seems to show that an attempt is being made, but ends with "This site can’t be reached" anyway. I can't see any faults in the log, and code 200 and 204 would suggest it was successful, right? embyserver.txt
seanbuff 1315 Posted April 5, 2023 Posted April 5, 2023 Is your ISP possibly blocking something, do you get success on both ports 80 and 443 here: https://canyouseeme.org/ ? 1
SirJMD 15 Posted April 5, 2023 Author Posted April 5, 2023 (edited) 52 minutes ago, seanbuff said: Is your ISP possibly blocking something, do you get success on both ports 80 and 443 here: https://canyouseeme.org/ ? That's a really good point! I have public IP, but my ISP might still block specific ports. Neither of those two ports seem to be open.. 8096 however is fine. I then tried forwarding external 8920 to internal 44301, and now at https://emby.duckdns.org:8920/emby I get "Welcome to your SWAG instance"! Progress! Why it doesn't connect to Emby, I don't know. But major step forward I'd say! Edited April 5, 2023 by SirJMD 44301, not 443
seanbuff 1315 Posted April 5, 2023 Posted April 5, 2023 6 minutes ago, SirJMD said: Why it doesn't connect to Emby, I don't know. Because you haven't told it to. Emby is only listening to 8096 and 8920 internally - SWAG is the one listening publicly on 80/443 but those are blocked so you opened 8920 to SWAG instead. I would look at seeing if your ISP can make an exception for 80/443 otherwise you will need to use other ports, but you'll always have to specify a port externally and adjust Emby's public ports accordingly. 1
SirJMD 15 Posted April 5, 2023 Author Posted April 5, 2023 4 minutes ago, seanbuff said: Because you haven't told it to. Emby is only listening to 8096 and 8920 internally - SWAG is the one listening publicly on 80/443 but those are blocked so you opened 8920 to SWAG instead. I would look at seeing if your ISP can make an exception for 80/443 otherwise you will need to use other ports, but you'll always have to specify a port externally and adjust Emby's public ports accordingly. I hope my stupid question is okay, but I thought it worked like this: Router public 8920 to 44301 internal --> Swag listens for 44301 and with emby.subdomain.conf uses upstream_app (192.168.20.3), upstream_port (8096) and upstream_proto (http) --> Emby local port 8096. Is that not the case?
CassTG 113 Posted April 5, 2023 Posted April 5, 2023 (edited) Not sure who isp is but not sure why port 443 would be blocked. When i have tested locally an emby server for tweaks i did it this way to test the setup:

Emby Docker
Swag Docker
Adguard Home Docker or VM

Setup domain as normal who ever you use lets say emby.sirjmd.com
Setup Swag Proxy Conf as before - server name use the full name i.e emby.sirjmd.com
Both on same network and use container name rather than ip address, nothing else to be changed
Presuming Swag has the certificates and emby is setup correctly so domain name entered server side and public port 443
Now setup either an Adguardhome docker or even easier a vm, if a docker container then put it on host network so it gets an ip from your router
Setup adguard home which is easy enough takes a few minutes
Goto the filters menu and dns rewrites menu
Add a new entry with the following
Domain Name is - emby.sirjmd.com (add yours)
Ip Address is the swag docker IP address i.e 192.168.1.200
Click save or okay
Now in your router (or you can just set it locally on Windows / Linux to test) set your DNS resolver to point to adguard home IP address (if the router make sure you disconnect and reconnect the ethernet or wifi for the pc to get the new dns settings)

Now we can Test the internal Setup:

The route should be this if setup correctly:

Enter domain emby.sirjmd.com on Pc with Dns pointing to Adguard
> Adguard will see that domain as a rewrite and send the PC to Swag
> Swag should see domain request on port 443 and forward to Emby Docker on its internal port
> Emby docker should see domain name and serve page via https

If this is successful you know the actual docker setup is correct, so you go up the chain one to see where in the chain it is failing, so next step would be port forwarding.

With regards to your duckdns, i presume as i dont use it that your router will constantly update the domain record with the current IP if it is not static via ddns? i.e your domain is resolving to your current home IP

Edited April 5, 2023 by CassTG
SirJMD 15 Posted April 5, 2023 Author Posted April 5, 2023 33 minutes ago, CassTG said: Enter domain emby.sirjmd.com on Pc with Dns pointing to Adguard > Adguard will see that domain as a rewrite and send the PC to Swag > Swag should see domain request on port 443 and forward to Emby Docker on its internal port > Emby docker should see domain name and serve page via https

I tried changing ports back and forth, and now both port 80 and 443 report as open on https://canyouseeme.org/. I don't get it. I'm suspecting my ISP's shitty coax modem. Testing https://mysubdomain.duckdns.org/, or any subfolder of that URL, still sends me to Swag's welcome page. I've set the server_name as the full URL as you suggested. Gonna look into your test method with adguard. 1
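How nginx chooses a server block from the Host header decides whether a request reaches the Emby proxy conf or falls through to the default block (the SWAG welcome page). The sketch below is an added example, not code from the thread or from SWAG; `SERVERS`, `normalize` and `select_server` are hypothetical names, and the `_` catch-all name for the default block is an assumption about the stock config.

```python
import re

# Constructed server blocks: a catch-all default (its "_" name is an assumption
# about the stock config) plus the proxy conf with the thread's "emby.*".
SERVERS = [
    {"names": ["_"], "default": True, "target": "SWAG welcome page"},
    {"names": ["emby.*"], "default": False, "target": "http://192.168.20.3:8096"},
]


def normalize(host_header):
    """Lower-case the Host value and drop the port: nginx matches the name only."""
    host = host_header.strip().lower()
    if host.startswith("["):                 # IPv6 literal, e.g. [::1]:443
        return host.split("]")[0] + "]"
    return host.rsplit(":", 1)[0].rstrip(".")


def select_server(host_header, servers=SERVERS):
    """Pick a block in nginx's documented order: exact name, longest leading
    wildcard, longest trailing wildcard, first matching regex, default server."""
    host = normalize(host_header)
    leading, trailing, regexes = [], [], []
    for srv in servers:
        for name in srv["names"]:
            low = name.lower()
            if name.startswith("~"):         # "~" / "~*" prefixes mark a regex name
                nocase = name.startswith("~*")
                regexes.append((name[2:] if nocase else name[1:],
                                re.IGNORECASE if nocase else 0, srv))
            elif low == host:
                return srv                   # exact match always wins
            elif low.startswith("*.") and host.endswith(low[1:]) \
                    and len(host) > len(low) - 1:
                leading.append((len(low), srv))
            elif low.endswith(".*") and host.startswith(low[:-1]) \
                    and len(host) > len(low) - 1:
                trailing.append((len(low), srv))
    for bucket in (leading, trailing):       # longest wildcard of each kind
        if bucket:
            return max(bucket, key=lambda item: item[0])[1]
    for pattern, flags, srv in regexes:      # regexes in order of appearance
        if re.search(pattern, host, flags):
            return srv
    # Nothing matched: the block flagged default_server, else the first one.
    return next((s for s in servers if s["default"]), servers[0])


if __name__ == "__main__":
    for h in ("emby.duckdns.org", "emby.duckdns.org:8920", "mysubdomain.duckdns.org"):
        print(f"{h:26} -> {select_server(h)['target']}")
```

A host that does not begin with `emby.` never matches `server_name emby.*;`, so it is answered by the default block regardless of which external port was used.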
SirJMD 15 Posted April 6, 2023 Author Posted April 6, 2023 So I gave up on duckdns and went ahead and bought a domain, using cloudflare. With port forwarding from 80 to 8001 and 443 to 44301 it wouldn't work. Changing it to 80->80 and 443->443 it now works. I don't understand why it doesn't work with 8001 and 44301, but at least now it works! So a combination of duckdns and the ports were causing the issues. 1