
TLS: I must explicitly prepend the protocol (https) in order to work


Go to solution Solved by GrimReaper,


Posted

I have a dockerized emby server (emby/embyserver_arm32v7, image hash c9d9002b9846, version label 4.7.11.0). TLS works as expected provided I prepend the url with "https://". For example, https://myserver.ddns.net. I do not have any reverse proxy set up. Only ports forwarded on my router 80->8096 443->8920 for both UDP and TCP. In my Network "settings/secure connection mode" I have selected "Required for all remote connections". "External domain" input box is filled out as requested.

I want to make this work so that when external requests (for example web browsers or SmartTV emby app) requests the FQDN without protocol ("myserver.ddns.net") then the client is redirected to https://myserver.ddns.net. Is this not supposed to work out of the box with the official docker image cited above? Shall I, say, spin up my own nginx to achieve a simple redirect when clients connect to (http://)myserver.ddns.net? Any sample nginx is much appreciated as I am not very experienced with that. Perhaps the nginx snippet below is the one I need? What's wrong with OP's setup? At least I don't find the example config of @pir8radio stated anywhere.

 

Finally, I don't see any log entries about the external connection to my server. My client (cellphone on 4G cellular) just hangs (waits) after I enter the url like myserver.ddns.net. After some time it fails with timeout.

Posted

Apologies but due to my impatience I wound up fabricating my own nginx configuration and exposed it to the public internet via port forwarding (listening locally on port 8080, forwarded  to external 80). Hence, my nginx.conf is the following (in case anyone else stumbles across the same question and finds this post).

events { }
http {
 server {
  # Redirect to HTTPS
  listen 8080 default_server;
  server_name myserver.ddns.net;
  return 301 https://myserver.ddns.net$request_uri;
 }
}

And the corresponding service in my docker compose.yml

  nginx:
    image: nginx:latest
    container_name: nginx
    volumes:
      - /path/to/my/nginx.conf:/etc/nginx/nginx.conf:ro
    ports:
      - 8080:8080
    restart: unless-stopped

I'm still curious, for the record, if this is the normal way to do the redirection.
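A way to check such a redirect from the client side, as an added example that is not part of the original post: it sends one plain-HTTP request without following the redirect and verifies that the answer is a permanent redirect to https on the expected name with the request URI kept. It goes slightly beyond the post by also sending a foreign Host header, to confirm that the Location comes from the fixed name in the rule and not from whatever the client sent. The two local stub servers, the sample path and `other.example` are constructed for the demonstration.

```python
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer
from urllib.parse import urlsplit

def check_redirect(host, port, expected_host, host_header, path="/web/index.html?x=1"):
    """Send one plain-HTTP request, do not follow redirects, return a list of problems."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Host": host_header})
        resp = conn.getresponse()
        resp.read()
    finally:
        conn.close()
    target = urlsplit(resp.getheader("Location", ""))
    problems = []
    if resp.status not in (301, 308):
        problems.append(f"status {resp.status} is not a permanent redirect")
    if target.scheme != "https":
        problems.append(f"Location scheme is {target.scheme!r}, not https")
    if target.hostname != expected_host:
        problems.append(f"Location host is {target.hostname!r}")
    if target.path + ("?" + target.query if target.query else "") != path:
        problems.append("request URI not preserved")
    return problems

def start_stub(echo_host):
    """Constructed stand-in listener: fixed name (like the posted rule) or echoed Host."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            name = self.headers.get("Host") if echo_host else "myserver.ddns.net"
            self.send_response(301)
            self.send_header("Location", f"https://{name}{self.path}")
            self.send_header("Content-Length", "0")
            self.end_headers()
        def log_message(self, *args):  # keep the demo quiet
            pass
    server = HTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server

def demo():
    results = {}
    for label, echo in (("fixed-name", False), ("echo-host", True)):
        server = start_stub(echo)
        results[label] = check_redirect("127.0.0.1", server.server_address[1],
                                        "myserver.ddns.net", "other.example")
        server.shutdown()
        server.server_close()
    return results
```

Against a real deployment, call `check_redirect` with the public name and the forwarded HTTP port instead of the stub; an empty list means the redirect behaves as intended.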

  • Solution
GrimReaper
Posted
50 minutes ago, tamasmx said:

I want to make this work so that when external requests (for example web browsers or SmartTV emby app) requests the FQDN without protocol ("myserver.ddns.net") then the client is redirected to https://myserver.ddns.net. Is this not supposed to work out of the box with the official docker image cited above?

Don't see how that would be feasible, something needs to redirect that traffic, Emby won't do it by itself, you need Reverse Proxy (NGINX, Caddy being the most popular around these parts). Number of guides/how-to's pinned in General/Windows forum section, as well as numerous topics related.

51 minutes ago, tamasmx said:

Shall I, say, spin up my own nginx to achieve a simple redirect when clients connect to (http://)myserver.ddns.net?

You should. 

52 minutes ago, tamasmx said:

Any sample nginx is much appreciated as I am not very experienced with that.

And Caddy:

 

54 minutes ago, tamasmx said:

At least I don't find the example config of  @pir8radio stated anywhere.

Linked above. 

GrimReaper
Posted
6 minutes ago, tamasmx said:

(listening locally on port 8080, forwarded  to external 80)

It's called Reverse proxy for a reason: it's actually listening externally and forwarding internally. 

Q-Droid
Posted

I think Emby already does what the OP wants with a few requirements.

1. Remote connections enabled, secure mode required and both HTTP and HTTPS ports forwarded on the router. This allows Emby to redirect.

2. Clients enter the host value without protocol. SSL/TLS box checked on client apps with that option. (I'm not sure that all client apps can handle this one but browsers should have no problem.)

3. The remote access values are correct in the Emby server network settings.

Device and TV apps have a limitation that not all can follow HTTP redirects so they must be setup correctly and be able to reach the Emby server to at least fetch the server connection details.

 

  • Thanks 1
GrimReaper
Posted

You are right, haven't looked at this for a long time, looks support for that was added in last few years/early '20s? 👍

Still, I reckon RP setup would make it more resilient to potential client issues.

  • Agree 1
Q-Droid
Posted

I agree. Everyone allowing remote access should take the time to setup an RP. 

Posted

@Q-Droid Indeed as of now there is built-in support for TLS in the emby application. Yet, the points listed in the post linked by @GrimReaper are (and will stay forever) true: if one handles TLS exclusively with a reverse proxy (nginx) and does not expose the application to the internet directly via ports forwarded in router 80->8096 443->8920 (but rather put nginx between the open internet and emby) then they have more control and configuration (rules) over the incoming connections from the open internet (I guess DDoS or various other hacker attacks). I suppose with adequate reverse configuration skills one can set up geographical filters and even more fine grained rules on how and whom to let in to the application.

Therefore, thanks @GrimReaper, and I applied the linked nginx configuration. Now I no longer expose emby to the internet directly.
