Reverse Proxy, Dashboard in-home lan access


Go to solution Solved by darkassassin07,

sfatula
Posted

When using a reverse proxy, the dashboard is wrong. It shows the in-home LAN access, and it does not match the reverse proxy DNS name and port. With a reverse proxy, typically you use a DNS name. So, I enter that in network->local ip address, but then it resolves it and that is wrong. Worse, the port is also wrong, while Emby is 8096, it's 443 for the reverse proxy.

So, my question is, is there a way to have Emby display and use the reverse proxy access address. In my case, in-home lan access should show https://emby-tv.mydomain.tld:443

The same applies to the external access URL, while I can make the rest of it correct, not the port, it displays the public IP port, not the reverse proxy port.

Posted

Hi.  Yes.  This is what the network settings page is for.

Posted

I think what they're asking is how to make "In-Home (LAN) access" show the same thing as "Remote (WAN) access" so that the reverse proxy is used for all connections. I'm not aware of a way to do this for In-Home (LAN) access, I also use a reverse proxy on my internal network and I just put in a firewall rule to block all traffic directly to my server on port 8096/8920 so devices are forced to use the reverse proxy and I have a DNS entry that returns the internal reverse proxy IP rather than it resolving to the external address.

  • Agree 1
sfatula
Posted (edited)
2 hours ago, Lessaj said:

I think what they're asking is how to make "In-Home (LAN) access" show the same thing as "Remote (WAN) access" so that the reverse proxy is used for all connections. 

Exactly what I am asking. Couldn't find a way. But even the remote is wrong as I can't specify the proxy port number. I can only specify the Emby port number. 

Edited by sfatula
darkassassin07
Posted (edited)

To specify the remote address, with connections handled by a reverse proxy, you'll need to set three settings in the network tab:

 

Public https port number: 443 (or the port your proxy listens on)

External Domain: your.domain.here

Secure Connection Mode: Handled by reverse proxy

 

This should set the 'remote (wan) access' address in the dashboard to: https://your.domain.here

(the :443 part isn't shown unless you use a different port from 443, as it's the default https port.)

Edited by darkassassin07
  • Agree 1
pwhodges
Posted

And if your router doesn't do hairpinning, you'd need an internal DNS.

Paul

sfatula
Posted (edited)
12 minutes ago, darkassassin07 said:

To specify the remote address, with connections handled by a reverse proxy, you'll need to set three settings in the network tab:

 

Public https port number: 443 (or the port your proxy listens on)

External Domain: your.domain.here

Secure Connection Mode: Handled by reverse proxy

But none of that fixes the internal Emby address. Proxy already works. I don't need an internal DNS, works fine locally and remotely. Just wanting the dashboard to be correct. But you're right, Emby doesn't show the 443 but ok with that as that's default https port anyway. 

Edited by sfatula
  • Solution
darkassassin07
Posted

You don't change the internal address, you can only change the remote address.

 

Clients are handed both addresses listed in the dashboard; they will try the lan address first, then the wan address if that didn't work.

 

If you want clients to always use your domain name, you just set firewall rules to only allow the proxy to reach the Emby ports (8096/8920). Then clients will only be able to use the WAN address in the dash.

You then use either local dns to return your lan ip to lan clients using your domain, or nat hairpinning.
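
A way to check that setup from a LAN client, as an added example that is not part of the original thread or of Emby: it confirms the direct ports 8096/8920 are blocked, reports whether the domain resolves to a private address (local DNS) or a public one (NAT hairpinning needed), and tests the proxy port. The server IP `192.168.1.50` and the function names are assumptions; `your.domain.here` is the placeholder used above.

```python
import ipaddress
import socket

EMBY_PORTS = (8096, 8920)  # Emby's direct HTTP/HTTPS ports named in the thread


def tcp_open(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def resolve(name):
    """Return the sorted set of addresses the local resolver gives for name."""
    infos = socket.getaddrinfo(name, None, proto=socket.IPPROTO_TCP)
    return sorted({info[4][0] for info in infos})


def audit(server_ip, domain, proxy_port=443, probe=tcp_open, lookup=resolve):
    """Run from a LAN client; return a list of (status, message) findings."""
    findings = []
    # 1. The firewall should stop clients reaching Emby without the proxy.
    for port in EMBY_PORTS:
        if probe(server_ip, port):
            findings.append(("FAIL", f"{server_ip}:{port} reachable, bypasses the proxy"))
        else:
            findings.append(("OK", f"{server_ip}:{port} blocked"))
    # 2. Local DNS returns a private address; otherwise hairpinning is required.
    for addr in lookup(domain):
        if ipaddress.ip_address(addr).is_private:
            findings.append(("OK", f"{domain} -> {addr} (private, local DNS)"))
        else:
            findings.append(("INFO", f"{domain} -> {addr} (public, needs NAT hairpinning)"))
    # 3. The proxy itself must still answer on its public HTTPS port.
    status = "OK" if probe(domain, proxy_port) else "FAIL"
    findings.append((status, f"{domain}:{proxy_port} via reverse proxy"))
    return findings


if __name__ == "__main__":
    # Constructed placeholders: replace with your Emby server IP and proxy domain.
    for status, msg in audit("192.168.1.50", "your.domain.here"):
        print(f"{status:4} {msg}")
```

Run it from an ordinary LAN device rather than from the proxy host, since the proxy is the one machine the firewall rule is meant to let through.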

sfatula
Posted

You can absolutely change the internal address, it's set in local ip address. But that's only part of the equation, and it doesn't let you put in a DNS name (and keep it). 

I don't need ANY advice on DNS, it works fine, the proxy works fine, all is well. It's just the field on the dashboard that gets advertised it appears cannot be correctly set. 

Posted
Quote

You can absolutely change the internal address, it's set in local ip address. But that's only part of the equation, and it doesn't let you put in a DNS name (and keep it). 

Correct. It only accepts an ip address.

darkassassin07
Posted

Technically you can change the internal address yes, but only to a different ip. This is for when you are running Emby in for example a docker container where the network interface emby binds to isn't necessarily the one exposed to the actual network.

 

You do not and can not set it to a domain.

You can only use the methods I have described; i.e. prevent clients reaching the LAN address in the dash, and handle routing based on DNS or NAT hairpinning.

Q-Droid
Posted
12 hours ago, sfatula said:

You can absolutely change the internal address, it's set in local ip address. But that's only part of the equation, and it doesn't let you put in a DNS name (and keep it). 

I don't need ANY advice on DNS, it works fine, the proxy works fine, all is well. It's just the field on the dashboard that gets advertised it appears cannot be correctly set. 

Have you tried setting a bogus "LAN networks" subnet entry so that all local connections are seen as remote? Combined with an unreachable internal IP then apps should not try to connect using it and always go the proxy route.
