ziomario, posted August 12, 2024 (edited):

Hello. I want to install a reverse proxy on Android because I need to fix the error "access denied" related to the directory where I have saved the emby.pfx file. According to this tutorial: https://caddy.community/t/running-caddy-2-on-android/13993 I've installed caddy using termux on Android:

    pkg install caddy

Now I can launch caddy using termux. At this point, according to this tutorial, I've prepared this caddy config file (called caddyfile.txt and saved here: /storage/emulated/0/Android/data/com.emby.embyserver/files):

    <redacted>.ns0.it {
        gzip
        timeouts none
        proxy / 192.168.1.6:8096 {
            transparent
            websocket
        }
    }

And in termux I've launched caddy with this command:

    $ caddy adapt -c /storage/emulated/0/Android/data/com.emby.embyserver/files/caddyfile.txt

but even in this case, I get the same error as before: "permission denied"

Quote:

    Error : reading input file : open /storage/emulated/0/Android/data/com.emby.embyserver/files/caddyfile.txt : permission denied

Can you suggest a path where I can save the caddyfile.txt file without getting the error "permission denied"? Thanks.

Edited August 15, 2024 by seanbuff: removed domain for privacy

Luke, posted August 13, 2024:

@podonnell and @pwhodges may have some caddy tips. You may also want to check out this post here:

ziomario (Author), posted August 14, 2024 (edited):

I saw that site, but it has been written for Windows. I'm using Android. It is not good. I've started a thread here: https://caddy.community/t/installing-ssl-https-using-a-reverse-proxy-like-caddy-on-android/25182/ and I made progress, but it still does not work.

Edited August 14, 2024 by ziomario

ziomario (Author), posted August 15, 2024 (edited):

No one wants to help again here? The precise error that I get right now is:

    ERROR : http log error dial tcp 192.168.1.6:8096: connect : connection refused. request remote ip 83.147.52.49 remote port 45394 client IP = 83.147.52.49 proto HTTP/1.1 method GET host <redacted>.ns0.it url gitlab-ci.yml headers user-agent go-http-client/1.1 accept encoding gzip tls resumed false version 772 cipher_suite 4867 proto server name <redacted>.ns0.it duration 0.0015 status 502 err_id 36k92p912 err_trace reverseproxy.statusError (reverseproxy go:1269)

Edited August 16, 2024 by seanbuff: removed domain for privacy

seanbuff, posted August 15, 2024 (edited), marked as Solution:

42 minutes ago, ziomario said:

    No one wants to help again here?

Over in your Caddy thread you indicated the following Emby network settings:

Quote:

    In Network settings I chose:
    LAN networks = empty
    local IP address = empty
    http local port = 8096
    https local port = 8920
    http public port = 8096
    https public port = 8920

Both your http public ports should be set to 80 and 443 respectively.

I assume you have configured your domain's DNS with an A Record or CNAME that points to your public IP hosting your Caddy instance.

You should then access your Emby instance by using https://<embydomain>.zs0.it (no need to specify 8920, since Caddy is listening on 443).

Edited August 15, 2024 by seanbuff

seanbuff, posted August 15, 2024:

Also you said your Caddyfile has

Quote:

    reverse_proxy 192.168.1.7:8096

But your latest log extract mentions a different address of 192.168.1.6:8096

ziomario (Author), posted August 15, 2024:

I know. 1.7 becomes when I have used the wi-fi instead of ethernet. Now it returned 6 because I'm using again eth.

seanbuff, posted August 15, 2024:

1 minute ago, ziomario said:

    I know. 1.7 becomes when I have used the wi-fi instead of ethernet. Now it returned 6 because I'm using again eth.

Well if the Emby local IP is changing, you need to make sure your Caddyfile reflects that. What about the other stuff I suggested above?

ziomario (Author), posted August 15, 2024 (edited):

Now I'm able to connect using the site: https://<redacted>.ns0.it ; finally it works. Very thanks.

Edited August 15, 2024 by seanbuff: removed domain for privacy

seanbuff, posted August 15, 2024:

30 minutes ago, ziomario said:

    Now I'm able to connect using the site: https://<redacted>.ns0.it ; finally it works. Very thanks.

Good to hear, well done.

ziomario (Author), posted August 15, 2024:

It's your merit. You understood where the error was. Anyway, the problems aren't gone here. Emby crashes very often. Do you want to see the log file?

seanbuff, posted August 15, 2024:

1 minute ago, ziomario said:

    Anyway, the problems aren't gone here. Emby crashes very often. Do you want to see the log file?

Go ahead and create a new topic for your new issues. You can post the logs over there. Thanks.

ziomario (Author), posted August 15, 2024 (edited):

Hello to everyone. Finally I've been able to configure caddy as reverse proxy for my Emby server that runs on top of Android 14. Actually I'm able to connect to <redacted>.ns0.it on the 443 port, but on the log I see this error:

    Error http handlers.reverse_proxy aborting with incomplete response upstream 192.168.1.6:8096 duration 0.19 request remote_ip 104.28.194.226 remote_port 63195 client_ip 104.28.194.226 proto HTTP/2.0 method GET host <redacted>.ns0.it uri /emby/videos/278/original.mp4?deviceid=21@api_key=40,headers dnt 1 accept-encoding identity accept video/webm.video/ogg.video/* q=0.9.application/ogg q=0.7 audio/* q=0 6,*/* q=0.5 referer https://<redacted>.ns0.it/web/index.html ; x-forward-for 104.28.194.226 sec-fetch.site same-origin Te trailers x-forwarded-proto https sec-fetch-dest video priority u=4 user-agent mozilla/5.0 x11,Linux x86_64 rv:129.0 Gecko/201001011 firefox/129.0 range bytes=0- accept-language it,it-IT,q=0.8,en-US,q=0.5,en;q=0.3" Sec-Fetch-Mode cors X-Forwarded-Host <redacted>.ns0.it tls resumed false version 772 cipher_suite 4867 proto h2 server_name <redacted>.ns0.it error writing http2 stream closed

What does it mean? What's happening? Something is broken, but I don't understand what it is.

Edited August 16, 2024 by seanbuff: removed domain for privacy

Luke, posted August 15, 2024:

Hi, that's probably normal from when the user stopped playing.

ziomario (Author), posted August 16, 2024 (edited):

I have a problem that I want to fix. I would like to run my caddy script as soon as Android boots, but it does not work if I don't run it with sudo... This is the scenario:

The script tries to run caddy without sudo:

/data/data/com.termux/files/home/.termux/boot/start-caddy :

    /data/data/com.termux/files/usr/bin/termux-wake-lock
    /data/data/com.termux/files/usr/bin/caddy run -c /data/data/com.termux/files/home/.termux/boot/Caddyfile

./start-caddy

    INFO : using config from file "file" "/data/data/com.termux/files/home/.termux/boot/Caddyfile
    INFO : adapted config to JSON "adapter": "caddyfile"
    WARN : Caddyfile input is not formatted; run "caddy fmt --overwrite" to fix inconsistencies "adapter" ; "caddyfile" ; "file": "/data/data/com.termux/files/home/.termux/boot/Caddyfile", "line" : 2
    INFO : admin admin endpoint started "address" ; "localhost:2019" , "enforce_origin" : false, "origins" : [//localhost:2019", "//[::1] 2019" , "//127.0.0.1:2019"
    INFO : tls cache maintenance started background certificate maintenance "cache" : "0x400"
    INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
    INFO : http auto_https enabling automatic HTTP-HTTPS redirects "server_name": "srv0"
    INFO : tls.cache.maintenance stopped background certificate maintenance "cache" : "0x400"
    ERROR : loading initial config: loading new config: http app mobile start : listening on :443 listen tcp: 443 bind: permission denied

The script tries to run caddy with sudo:

/data/data/com.termux/files/home/.termux/boot/start-caddy :

    /data/data/com.termux/files/usr/bin/termux-wake-lock
    /data/data/com.termux/files/usr/bin/sudo caddy run -c /data/data/com.termux/files/home/.termux/boot/Caddyfile

./start-caddy

    INFO : using config from file "file" "/data/data/com.termux/files/home/.termux/boot/Caddyfile
    INFO : adapted config to JSON "adapter": "caddyfile"
    WARN : Caddyfile input is not formatted; run "caddy fmt --overwrite" to fix inconsistencies "adapter" ; "caddyfile" ; "file": "/data/data/com.termux/files/home/.termux/boot/Caddyfile", "line" : 2
    INFO : admin admin endpoint started "address" ; "localhost:2019" , "enforce_origin" : false, "origins" : [//localhost:2019", "//[::1] 2019" , "//127.0.0.1:2019"
    INFO : http auto_https server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS "server_name" : "srv0" , "https_port" : 443
    INFO : http auto_https enabling automatic HTTP-HTTPS redirects "server_name": "srv0"
    INFO : tls.cache.maintenance started background certificate maintenance "cache" : "0x400"
    INFO : http enabling HTTP/3 listener addr 443
    INFO : http log server running "name" ; "srv0" ; "protocols" ; [h1 ; h2 ; h3]
    INFO : http log server running "name" ; "remaining_auto_https_redirects" ; "protocols" [h1,h2,h3]
    INFO : http enabling automatic TLS certificate management "domains" "ziomario.ns0.it"
    INFO : autosaved config (load with --resume flag) "file": "/data/data/com.termux/files/home/.suroot/.config/caddy/autosave.json"
    INFO : serving initial configuration
    INFO : tls storage cleaning happened too recently; skipping for now "storage": "FileStorage: /data/data/com.termux/files/home/.suroot/caddy" , "instance": "312 bla bla" , "try_again" : "2024/08/17 10:04" , "try_again_in" : 86399
    INFO : tls finished cleaning storage units

In both cases, it is not executed when Android starts, but the version that contains sudo is executed after Android started, by opening termux and writing: ./start-caddy.

Edited August 16, 2024 by ziomario

Q-Droid, posted August 16, 2024:

You don't need to run Caddy on port 443 on your host. It can run on 4443, 8443, 10443, etc. Then on your router forward WAN 443 to the LAN port you choose for Caddy.

If you make this change then Caddy doesn't have to run as a privileged user.

ziomario (Author), posted August 16, 2024:

Please give a look at this comment: @seanbuff told me to choose

    http public port = 80
    https public port = 443

So, is that wrong? Can I choose 4443 as https public port, and then I open this port on the router instead of 443? Is that correct?

Q-Droid, posted August 16, 2024:

No, the public ports don't change. My suggestion was to only change the ports in use by Caddy. Emby public and private and router public ports stay the same.

Binding to port numbers below 1024 needs elevated privileges, and that is why it works with sudo. If you change the port range for Caddy, that removes the need for elevated privs unless they're still needed for file access on Android.

ziomario (Author), posted August 16, 2024 (edited):

I don't know where to change the port used by Caddy. The only place where I used 443 is on the Emby configuration. Actually the only port that I have defined for Caddy is the 8096 used inside the Caddyfile as follows:

    reverse_proxy 192.168.1.6:8096

Edited August 16, 2024 by ziomario

pwhodges, posted August 16, 2024:

You add the ports to the site name in your caddyfile. Instead of:

    my.site {
        ....
    }

use:

    my.site:8080, my.site:8443 {
        ....
    }

And in your router forward incoming connections arriving for ports 80 and 443 to 8080 and 8443 respectively.

The settings in Emby remain unchanged because connections will be made to the router, not directly to Caddy.

Paul

Q-Droid, posted August 16, 2024:

Another way is to use the global options http_port and https_port to override the Caddy defaults.

pwhodges, posted August 16, 2024:

Ah, thanks, forgot that - it would be the tidier solution.

Paul

ziomario (Author), posted August 16, 2024:

Like this?

    ziomario.ns0.it:8080, ziomario.ns0.it:8443 {
        encode
        reverse_proxy 192.168.1.6:8096
    }

It does not work. The error is: listening on port 80 : bind permission denied.

ziomario (Author), posted August 16, 2024:

7 minutes ago, Q-Droid said:

    Another way is to use the global options http_port and https_port to override the Caddy defaults.

I have no idea about how to do this. Can you write an example of how the Caddyfile should be? Thanks.
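
The global-options form Q-Droid describes above, as an added example that is not part of the original thread and not posted by any participant. It lets Caddy run as the unprivileged Termux user instead of under sudo. Assumptions: `emby.example.com` is a placeholder hostname, 8080/8443 are the ports pwhodges suggested, and the upstream address is the one quoted in the thread.

```caddyfile
# Added example Caddyfile (Caddy 2). Hostname is a placeholder.
{
	# Ports Caddy binds to on this device. Both are above 1024, so no
	# elevated privileges are needed to open them. These change only
	# the local listeners; clients still connect to 80/443 on the router.
	http_port  8080
	https_port 8443
}

# No port in the site address: Caddy serves HTTPS on https_port and
# puts its automatic HTTP->HTTPS redirect listener on http_port.
# With "site:8080, site:8443" and no global options, that redirect
# listener stays on the default port 80, which matches the
# "listening on port 80: bind permission denied" error in the thread.
emby.example.com {
	encode gzip

	# Emby's local HTTP port. Update this address if the device's
	# LAN IP changes (for example Wi-Fi vs. Ethernet).
	reverse_proxy 192.168.1.6:8096
}

# Router side (outside this file):
#   WAN TCP 80  -> <device LAN IP>:8080   (redirects, ACME HTTP challenge)
#   WAN TCP 443 -> <device LAN IP>:8443   (HTTPS)
```

The start script can then call `caddy run -c <path to Caddyfile>` directly, without `sudo`.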