rookies 12 Posted September 19, 2025 (edited)

I am currently just starting out with Emby, but this is my initial solution for setting up external SSL at low or no cost and with no domain ownership required. The only cost to this solution would be hardware to run PFSense on if you don't already have something. It's 10 "easy" steps, so let's get started.

PFSENSE (highly recommended):
PFSense is a commercial-grade firewall with all the features and capabilities you would expect. It is a free network firewall distribution, based on the FreeBSD operating system with a custom kernel and including third-party free software packages for additional functionality. PFSense is a software firewall that can be deployed on a wide range of hardware solutions. You can buy an appliance directly from Netgate https://pfsense.org/products/ (I run a Netgate 4200+) or you can build your own firewall utilizing hardware you have lying around or purchase: https://pfsense.org/products/#requirements

Please familiarize yourself with the setup of your firewall and validate that the configuration is secure. Don't assume; PFSense will allow you to do things that a typical residential firewall will not. If you are not familiar with setting up a firewall, I would recommend you get PFSense running and build out a configuration that works for your base needs prior to doing a full switch over. This will give you some time to learn how things work and get comfortable with the interface. PFSense has an awesome community should you need help with this step.

Prerequisites:
1) A working PFSense firewall configuration. Note: you should either replace your ISP's router with PFSense or put the ISP's router in bridge mode to pass all traffic directly to PFSense (this eliminates double NAT configuration BS).
2) A DDNS account (this can be any free DDNS service).
3) A DDNS domain name. I use xyz.DDNS.NET (free domain currently).

The setup for Emby hosting:

Step 0: Set up DynDNS. Go to Services -> Dynamic DNS.

Step 1: Go to Firewall -> NAT -> Port Forwarding and add a new rule to forward port 8080 to your internal network firewall address.

Step 2: Go to System -> Package Manager and install 2 packages: "acme" and "haproxy".

Step 3: Go to Services -> Acme Certificates. First "Create a new Account Key", then "Register ACME account key", then click Save. Go to the Certificates tab. For domain name put in your domain name, e.g. xyz.ddns.net. For method use "Standalone HTTP Server" and set the port to 8080. For action set it to restart haproxy on cert renewal. Then save.

Step 4: Issue a cert. You can verify your cert by going to System -> Certificates. You should see the root cert and the certificate.

Step 5: Re-secure port 80 since it points back into your firewall. Go to Firewall -> Schedules and create a schedule for Mon-Sun 3:15-3:30. Go to Firewall -> Rules -> WAN, find the rule created when you made the NAT rule and apply the schedule to that rule in advanced options. (Note: with this schedule applied the cert can only be renewed between 3:15 am and 3:30 am when the auto-renew job goes off. If you attempt to renew outside that time the firewall blocks the validation requests from Let's Encrypt.)

Step 6: Go to Services -> HAProxy -> Settings. Enable HAProxy. Make sure DNS is set further down.

Step 7: Go to Backend and add an entry. Set it to the address and port of your internal Emby server. Save.

Step 8: Go to Frontend and add an entry. Port should be the external port you want to use for Emby access; I used 6701. Set type to http/https offloading. Set the host expression to "starts with" and the value to your DNS name xyz.ddns.net. For action set it to use backend and pick the backend you created in the previous step. Further down in the SSL offloading section pick the certificate you created earlier.

Step 9: Go to Firewall -> Rules -> WAN. Add a rule to allow traffic to the HAProxy frontend. I used port 6701 for access.

Step 10: Open a browser on a device not connected to your network and go to https://xyz.ddns.net:6700 (replace xyz.ddns.net with your domain name). You should get the Emby login page via an SSL connection.

I am sure there are additional steps you can perform to increase security on this, but the goal is a working configuration. Done, go watch a movie!

Edited September 19, 2025 by rookies: remove attachments again
pwhodges 2012 Posted September 20, 2025

Seems a lot more complicated than using Caddy!

Paul
rookies 12 Posted September 20, 2025 Author (edited)

Never used Caddy, but after taking a quick look at it, likely what I am doing is in fact more complicated to set up. The original 10 steps took me about 20 minutes to figure out and accomplish; it's not as complicated as it may appear, and since I have PFSense and it provides so much capability, why not use it.

1) I have WG tunnels, so all devices (phones, iPads and laptops) automatically connect to my network as soon as they make an external connection to the internet. So all my devices have full protection and filtering at all times.
2) I have DNS filtering capability to keep my devices clean of ads and prevent access to malware sites etc. (and beyond that capability I also run Pi-hole).
3) I have selective outbound traffic routing through VPN tunnels for internet browsing.
4) Probably more important, I have a lot of control over who can see that I even have open ports: the ability to block all requests to the server based on almost any criteria you can think of. For instance, I block all requests that do not originate from North America. Then if they make it past that, I block any request that initiates from Azure, AWS or GCP. Then if they make it past that, I have multiple ASNs blocked to get rid of the pesky scanners and bad actors. I get maybe 2 or 3 connection attempts a day not related to my traffic that actually make it to a backend port successfully.
5) I have control over what leaves my network as well: what devices can talk to, on a device-by-device basis.

So yes, I agree! It is absolutely more complicated than using Caddy!

Edited September 20, 2025 by rookies
Clackdor 109 Posted September 20, 2025 (edited)

@rookies I also use HAProxy on PFSense as my first reverse proxy (although I have a dedicated VM set up for it and it's only acting as an HAProxy appliance). I do have a couple of extra tips that I didn't see mentioned in your write-up though.

1. In the frontend configuration for HAProxy you'll want to make sure you check the box for "Use "forwardfor" option". This will add the X-Forwarded-For header to packets before sending them to Emby. This makes it so that Emby will see the real client IP that is making the connection rather than the IP of PFSense/HAProxy. This is needed if you expect bandwidth limits and whatnot to work for remote connections.

2. Also in the frontend configuration you can add the following in the field next to the "Advanced certificate specific ssl options": alpn h2,http/1.1
This will enable HTTP/2 on the frontend, so all connections should use HTTP/2 between the client and HAProxy. It will fall back to http/1.1 if for whatever reason HTTP/2 isn't supported by the client. Also worth noting that if you enabled HTTPS within Emby as well, the HAProxy backend can communicate with Emby via HTTP/2 so the connection will be HTTP/2 throughout. Most other reverse proxies only support http/1.1 when making backend connections to servers.

Edited September 20, 2025 by Clackdor
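For readers who want to see what the pfSense GUI clicks in Steps 6-9 of the original post plus Clackdor's two frontend tips actually produce, here is an added haproxy.cfg written for this thread. It is not the pfSense package's generated file and not code from either poster. Everything concrete in it is an assumption to be replaced with your own values: the domain xyz.ddns.net, external port 6701, an Emby server at 192.168.1.50:8096, and the certificate bundle path /var/etc/haproxy/xyz.ddns.net.pem. The last two sections go beyond the post: they show an optional way to let HAProxy own port 80 and hand only the ACME challenge path to the standalone listener on 127.0.0.1:8080, which replaces the Step 5 time-window rule; if you use it, the port 80 NAT rule from Step 1 must be removed so the two do not fight over the port.

```haproxy
# Added example for this thread, not the pfSense package's generated config.
# Assumed values (replace with your own): domain xyz.ddns.net, external
# port 6701, Emby at 192.168.1.50:8096, certificate bundle written by the
# ACME package to /var/etc/haproxy/xyz.ddns.net.pem.

global
    log /var/run/log local0 info
    # Refuse TLS 1.0/1.1 on every "ssl" bind line
    ssl-default-bind-options ssl-min-ver TLSv1.2 no-tls-tickets

defaults
    log     global
    mode    http
    option  httplog
    option  dontlognull
    timeout connect 5s
    timeout client  60s
    timeout server  60s
    # Emby playback and websocket sessions are long-lived
    timeout tunnel  1h

# Steps 8 and 9: the external frontend; TLS is terminated here
frontend emby_external
    # Tip 2: "alpn h2,http/1.1" offers HTTP/2 and falls back to http/1.1
    bind *:6701 ssl crt /var/etc/haproxy/xyz.ddns.net.pem alpn h2,http/1.1

    # Tip 1: "Use forwardfor option" adds X-Forwarded-For with the client IP
    option forwardfor
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port %[dst_port]

    # Step 8 host expression "starts with xyz.ddns.net"
    acl host_emby req.hdr(host) -i -m beg xyz.ddns.net
    use_backend emby_internal if host_emby
    # No default_backend on purpose: a request that reaches this port with
    # any other Host header (scanners hitting the bare IP) gets a 503 and
    # never touches Emby.

# Step 7: the internal Emby server
backend emby_internal
    server emby1 192.168.1.50:8096 check

# Optional, not in the post: HAProxy owns port 80 and forwards only the ACME
# challenge path to the standalone listener the ACME package starts on 8080
# during issuance or renewal. Everything else on port 80 is refused, so the
# Step 5 schedule is no longer needed. Remove the Step 1 NAT rule first.
frontend acme_http
    bind *:80
    acl acme_challenge path_beg /.well-known/acme-challenge/
    use_backend acme_standalone if acme_challenge
    http-request deny unless acme_challenge

backend acme_standalone
    server acme 127.0.0.1:8080
```

Two things worth checking after applying either form: Emby only honours X-Forwarded-For when the request really came through HAProxy, so the LAN firewall rules should stop clients from reaching 192.168.1.50:8096 directly from the WAN, and the ACME standalone backend will report as down whenever a renewal is not in progress, which is expected rather than a fault.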
rookies 12 Posted September 21, 2025 Author

57 minutes ago, Clackdor said:
@rookies I also use HAProxy on PFSense as my first reverse proxy (although I have a dedicated VM set up for it and it's only acting as an HAProxy appliance). I do have a couple of extra tips that I didn't see mentioned in your write-up though.
1. In the frontend configuration for HAProxy you'll want to make sure you check the box for "Use "forwardfor" option". This will add the X-Forwarded-For header to packets before sending them to Emby. This makes it so that Emby will see the real client IP that is making the connection rather than the IP of PFSense/HAProxy. This is needed if you expect bandwidth limits and whatnot to work for remote connections.
2. Also in the frontend configuration you can add the following in the field next to the "Advanced certificate specific ssl options": alpn h2,http/1.1
This will enable HTTP/2 on the frontend, so all connections should use HTTP/2 between the client and HAProxy. It will fall back to http/1.1 if for whatever reason HTTP/2 isn't supported by the client. Also worth noting that if you enabled HTTPS within Emby as well, the HAProxy backend can communicate with Emby via HTTP/2 so the connection will be HTTP/2 throughout. Most other reverse proxies only support http/1.1 when making backend connections to servers.

That is awesome, thanks for the heads up. I haven't actually put this into use in any real way. I would have definitely hit the X-Forwarded-For snag and had to figure it out and fix it.
Clackdor 109 Posted September 21, 2025

12 minutes ago, rookies said:
That is awesome, thanks for the heads up. I haven't actually put this into use in any real way. I would have definitely hit the X-Forwarded-For snag and had to figure it out and fix it.

Glad to help. HAProxy is very powerful and kind of purpose-built for proxying and load balancing. I've been using PFSense for over 15 years on and off at this point. Even though I'm currently using Sophos instead of PFSense as my main router/firewall, I opted to set up the PFSense VM just for HAProxy since I was already comfortable with it. As far as I'm aware the HAProxy package in PFSense (maybe OPNsense too?) is the only way to get a web GUI for HAProxy configuration that isn't tied to some expensive enterprise tool.