Dickydodah! 154 Posted June 9, 2024 After a very steep learning curve I followed @TXK57 Emby Caddy v2 Setup with Cloudflare guide and actually got it working after a few stupid mistakes. I now have a few general questions. I signed up for a domain name from https://www.names.co.uk/ mostly because it was free for the first year and also got a free Cloudflare account. It all seems a bit convoluted but I now get what each part is doing, but I would like to simplify it if possible and get it for free as I will only be using it very rarely. Is it possible to get a free domain name such as No-IP and drop the Cloudflare part of the setup? Also am I right in thinking that the SSL cert is nothing to do with Cloudflare as Caddy does all the work? I did see a comment from @pwhodges that you don't need Cloudflare so any help would be very appreciated.
pwhodges 2012 Posted June 9, 2024 You can start with Caddy in as simple a way as you want. The thread about Caddy and Cloudflare is just that - if you want to use Cloudflare, it's a useful resource. If you don't want to use Cloudflare, then keep it simple; a basic Caddy setup is so simple that it's easy to overthink it. I laid out the basics of Caddy in this post. All you need otherwise is a domain name and knowledge of your router. Paul
Dickydodah! 154 Posted June 9, 2024 Author I have actually read that post along with a few others. It does seem to be very simple but easy to overthink, a bit like me really. Just to confirm that I have this right, the domain name is really only changing the IP address to a name for ease of use. I know it's actually the other way round but what I mean is I could just use the IP address if I had a static one, so No-IP would sort that for me. I do understand the DNS is actually what does the real job of changing a name to an IP BTW. I will have a go at getting this set up with No-IP as I have another server that I can use to test.
Q-Droid 989 Posted June 9, 2024 You should look into other DDNS services; I like Dynu.com. Many of the free ones, No-IP included, require a 30-day account confirmation and limit you to one hostname. Dynu doesn't have these restrictions. Dynu also has good DDNS API support and works with multiple clients including their own. Don't let offers for free SSL sway you toward or away from a DNS provider. SSL cert management is built into Caddy and truly set-and-forget.
Dickydodah! 154 Posted June 9, 2024 Author (edited) I only mentioned No-IP as I have used it in the past. The 30 day renewal is a bit of a pain, I agree. Dynu is one I looked at and have tried it, but at the time I couldn't see how to make it work for me, but now I know better. I shall experiment. What plugins do you recommend for Caddy with this sort of setup? Edited June 9, 2024 by Dickydodah!
Q-Droid 989 Posted June 9, 2024 No plugins needed. Caddy can manage cert renewal automatically out of the box. For DDNS updates you can check if your router supports a list of DDNS providers or a custom one. Any machine you have running 24/7 can also run a DDNS client to keep your provider updated. All of the Caddy info you need is in those links and scattered throughout the forum.
pwhodges 2012 Posted June 9, 2024 8 hours ago, Dickydodah! said: Just to confirm that I have this right, the domain name is really only changing the IP address to a name for ease of use. The domain name has three functions. One (the original) is for looking up the IP address; another is being presented to a web server to tell it which of multiple web sites that might be at that address is required; and the third is to be the link to the security certificate. And just to confirm, Caddy will by default get the certificate for you and renew it as required. You just need the name and to have both ports 80 and 443 open to it. Even though you have to have port 80 open for the certificate handling, any attempt to reach your web site (Emby in this case) on port 80 (http) will, again by default, be automatically redirected to port 443 (https). Paul
Dickydodah! 154 Posted June 9, 2024 Author Thanks for that explanation. I sort of knew the uses of the domain name but you have put it very well, even for an old analog comms engineer like me. The clarification about Caddy has answered a niggling doubt I had. As soon as I get time I will set this up with a domain name from Dynu. I'm sure I will be back with more daft questions but thanks for the help so far.
Dickydodah! 154 Posted June 14, 2024 Author @pwhodges Hi, it's taken me a while to get round to trying this but I've set it up today and it works fine. I've kept my Caddyfile nice and simple and I'm not even bothering with logs. This is all I've got in it:

{
  email xxxxx.xxxxx@gmail.com
}

#Emby
site1.mydomain.org {
  reverse_proxy http://127.0.0.1:8096
}

#Emby
site2.mydomain.org {
  reverse_proxy http://127.0.0.1:8096
}

Before I went the simple route I played around with so many settings I can't remember what they should be. What should I have (or what do you have) in the Network settings in Emby? I have no idea what the defaults are. You probably noticed that I have two sites defined pointing to the same Emby; this leads me to another question. For some reason I can't fathom, Chrome flags site1 as dangerous but site2 is fine. Site1 works fine if I ignore the warning. Any ideas?
pwhodges 2012 Posted June 14, 2024 Do you mean the Google warning, or just a Chrome one? Are you accessing the sites directly, or using app.emby.media? Most of the networking page is obvious. "Read proxy headers..." should be set to "Only if...", and "Secure connection mode" to "Handled by reverse proxy". But the setting "External domain" raises the question: why are you using two site names for Emby? The Emby server itself will only be using the one on the network page. Paul
Dickydodah! 154 Posted June 14, 2024 Author Good point, I had to check: it's a Chrome warning and I'm accessing directly via the URLs, not Emby Connect. The only reason I have two URLs pointing to Emby is that it was an easy test. The second one will be pointed at a different port on the same machine eventually. I'm currently digging through a fair few topics mentioning the issue so it's not that uncommon. I'll get my Emby settings as you advise as well and keep digging. Or maybe choose a different domain name.
Dickydodah! 154 Posted June 14, 2024 Author @pwhodges I have spent the last few hours reading about this and I think I may have stumbled across the cause and a fix. However I have no idea why only one of my domains was affected, but it might be the age of them. The affected domain was a few days older than the working one. I would be interested in your opinion.
pwhodges 2012 Posted June 14, 2024 I'm not sure that the exact trigger for the Google warnings has ever been established. It seemed to be about Google deciding that by using Emby we were trying to spoof Emby's site, so some change was made to the code that Emby provides to make this less likely. Paul
Dickydodah! 154 Posted June 14, 2024 Author I read that in the thread but it seems the changes didn't really work. However I seem to have discovered something by accident. I pinged Luke and they may look into what I discovered; I suppose it all depends if it can be reproduced on other systems. At least mine is now working OK.
muzicman0 84 Posted June 14, 2024 Just a quick note on Caddy. I don't believe you have to have port 80 open. I have Cox internet, and it blocks port 80. But I do have port 443 open, and it seems to work fine (or did last time I used Caddy).
pwhodges 2012 Posted June 15, 2024 Caddy uses port 80 for the default automated certificate set-up and renewal protocol; with it closed these will fail. To use it without port 80 open you need to set up name verification directly with your registrar using the appropriate Caddy plug-in. Paul
muzicman0 84 Posted June 15, 2024 13 hours ago, pwhodges said: Caddy uses port 80 for the default automated certificate set-up and renewal protocol; with it closed these will fail. To use it without port 80 open you need to set up name verification directly with your registrar using the appropriate Caddy plug-in. Paul So I just tested this and only forwarded port 443, and it worked. BUT, then I tried explicitly using http, and it still redirected to https, which was confusing me. I did some research, and I have a setting in Cloudflare to "Always use HTTPS", which will redirect any traffic from http to https. The only thing I can figure is that that setting is allowing Caddy to successfully grab a cert, even though I have port 80 blocked. I didn't try turning the feature off in Cloudflare, but at a minimum it might help someone else to know that it can be done only over port 443 and Caddy.
pwhodges 2012 Posted June 15, 2024 By default Caddy redirects automatically from http/80 to https/443; though if Cloudflare is doing the same, then that's not needed. I checked Caddy's requirements for getting certificates automatically, and although the method I knew about (requiring port 80) is still the default first choice, if it fails there is now also an alternative method which it can use over port 443 without port 80 when the first method fails. So your observation is correct. Paul
muzicman0 84 Posted June 15, 2024 1 minute ago, pwhodges said: By default Caddy redirects automatically from http/80 to https/443; though if Cloudflare is doing the same, then that's not needed. I checked Caddy's requirements for getting certificates automatically, and although the method I knew about (requiring port 80) is still the default first choice, if it fails there is now also an alternative method which it can use over port 443 without port 80 when the first method fails. So your observation is correct. Paul I knew about the Caddy redirect; however, since port 80 is neither forwarded nor open at the ISP, the redirect was confusing! It should have never even hit the Caddy server to redirect. But the Cloudflare setting for sure explains that away. It is good to know that Caddy can work over port 443 even outside of Cloudflare though.
TeamB 2438 Posted June 15, 2024 15 hours ago, pwhodges said: Caddy uses port 80 for the default automated certificate set-up and renewal protocol; with it closed these will fail. To use it without port 80 open you need to set up name verification directly with your registrar using the appropriate Caddy plug-in. Paul I don't use standard ports and found this setting that should use a non-standard HTTP port for the check: { http_port 8964 } 2 hours ago, pwhodges said: I checked Caddy's requirements for getting certificates automatically, and although the method I knew about (requiring port 80) is still the default first choice, if it fails there is now also an alternative method which it can use over port 443 without port 80 when the first method fails. So your observation is correct. If this is true I might not even need the above; do you have a link?
muzicman0 84 Posted June 16, 2024 I'm assuming it is the TLS-ALPN Challenge listed here: https://caddyserver.com/docs/automatic-https#acme-challenges
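An added Caddyfile example (not posted by anyone in this thread) of the port-443-only setup discussed in the last few posts, assuming the hostname emby.example.org, the contact address admin@example.org, and an ISP that blocks inbound port 80:

```caddyfile
{
    # Constructed contact address used for the ACME account
    email admin@example.org
}

emby.example.org {
    tls {
        issuer acme {
            # Port 80 is blocked upstream, so the HTTP-01 challenge can never
            # be answered; tell Caddy to skip it and go straight to TLS-ALPN-01,
            # which is completed inside the TLS handshake on port 443.
            disable_http_challenge
        }
    }
    # Emby on its default HTTP port on the same host (assumed)
    reverse_proxy 127.0.0.1:8096
}
```

TLS-ALPN-01 only works when the TLS handshake on 443 terminates at Caddy itself, so it is not available behind a proxy that terminates TLS in front of the server; in that case the DNS challenge via a provider plug-in is the remaining option.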
Dickydodah! 154 Posted July 4, 2024 Author Not exactly a Caddy or Emby question but I hope you guys may have some ideas. My Caddy setup is working great, but if I use the external URL from within my LAN the traffic hairpins out to the internet and then back into my network, which is not the best scenario. My router only supports DDNS settings from certain providers so unless I change my provider that's not an option. I know that on Windows I can modify the Hosts file but I really want to do this on Android phones. The options I have thought of so far are: 1. use two different URLs for external and internal (current messy setup) 2. change to another DDNS provider that's supported in my router (easy but I like the current URL) 3. run my own DNS server on the network (a bit OTT for this scenario). Any ideas?
rbjtech 5284 Posted July 4, 2024 (edited) Why do you think hairpinning is not the best scenario? It should not actually go 'out' to the internet, it just gets routed/NAT'd internally (on the router) directly to the LAN - that's what's meant by hairpinning. If it's really going 'out' to your ISP and then back in again - then the hairpinning is not set up correctly. Edited July 4, 2024 by rbjtech
Q-Droid 989 Posted July 4, 2024 As @rbjtech posted, it should stop at your router interface so no traffic is leaving. However, remote access rules apply when you connect this way: landing page, bitrate limits, detection, etc. Local DNS is the solution but not really OTT. With Pi-hole, dnsmasq and others you're not only running a local caching DNS resolver but can add whole-LAN filtering to block ads, trackers and malicious sites for all devices without having to install extra software or apps on each individual one.