Spaceboy 2573 Posted June 29, 2017 Posted June 29, 2017

Hi, I have a Let's Encrypt cert that I am using for Emby. I primarily use my Synology DiskStation to obtain the cert as the functionality is built in. I presume this will get renewed; I had to forward port 80 to the DiskStation for this to happen. I set it in March and the expiry date is now August, so not sure if it has renewed yet.

Anyway, I used this cert by exporting it and combining the resultant files to get a .pfx file, or using the resultant files directly, depending on the service. I have it set up for Radarr, Sonarr, Emby, Headphones and the web interface for the DiskStation. I had to load the cert into the Windows Microsoft Management Console for any of the Windows programs to work, but this cert expired on Tuesday and I couldn't see any way of renewing it. In the end I manually changed everything, which is a pain in the behind and not something I want to do every 60 days.

How do you automatically renew SSL certs in Windows? I came across this in my searches: https://github.com/Lone-Coder/letsencrypt-win-simple but it seems it's for Windows Server and I'm just using plain old Windows 10. I don't have anything in IIS to bind the cert to; pretty sure I don't even have IIS installed. Any ideas?
pünktchen 1409 Posted June 29, 2017 Posted June 29, 2017

I'm using Caddy Server https://caddyserver.com/ as a reverse proxy. It has built-in Let's Encrypt renewal and is pretty simple to configure. 2
Spaceboy 2573 Posted June 29, 2017 Author Posted June 29, 2017

I'm using Caddy Server https://caddyserver.com/ as a reverse proxy. It has built-in Let's Encrypt renewal and is pretty simple to configure.

Nice, thanks! I'll take a look, but I'm sure there will be follow-up questions!
Swynol 375 Posted June 30, 2017 Posted June 30, 2017

Never heard of Caddy, might give it a go. I currently use NGINX as a reverse proxy and I have to manually renew my certs; it only takes a few mins, although I would rather it be automatic.
pünktchen 1409 Posted June 30, 2017 Posted June 30, 2017

Here is my Caddy config file:

    www.yourdomain.com {
        tls yourname@yourmailadress.com
        timeouts none
        proxy / localhost:8096 {
            websocket
            transparent
        }
        # Optional security headers
        header / {
            -Server
            Strict-Transport-Security "max-age=31536000;"
            Referrer-Policy "strict-origin"
            X-XSS-Protection "1; mode=block"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "DENY"
        }
        # Optional logging
        log EmbyProxy.log
    }

You need to open ports 80 and 443 in your router/firewall for the Let's Encrypt renewal. First you should test if it's working by opening a command prompt in your Caddy installation folder and entering something like this:

    caddy -agree=true -conf=C:\Caddy\EmbyProxy.Caddyfile

Now open a browser and enter your domain address. You should see Emby's login page returned as a secure site with an approved SSL cert. If all goes well, you can now either create a Windows task to start Caddy at system boot or install it as a service with a tool like "NSSM":
Spaceboy 2573 Posted July 1, 2017 Author Posted July 1, 2017

So I'm going to admit that this is one area where my knowledge is really lacking. I can see using Caddy will be useful for me to renew SSL certs, but I don't really understand what the wider benefits of using a reverse proxy are. Currently I have all my web services running on a Windows 10 PC using a dynamic DNS address and port forwarding on my router to get everything to that PC. From what I can understand a reverse proxy sort of plays the same role, but why is it better?

I've also seen a lot of discussion of nginx (just seen how to pronounce that too!) which seems popular, possibly more complicated to install than Caddy, doesn't support the renewal of SSL certs, but does seem to be a requirement for some services such as Organizr, which I was looking at.

Even if I do go with Caddy on my Windows PC, how does that then affect the SSL certs renewing on my DiskStation, as port 80 is already forwarded from my router to there? Can you forward a port to two IPs? Cheers
pünktchen 1409 Posted July 1, 2017 Posted July 1, 2017

The reverse proxy acts similar to the port forwarding rules of your router. But instead of forwarding many different ports to many different web services of your server and then calling them by http://domain.com:port, you only need to open ports 80 and 443 and then you can enter your web services with something like this: http://domain.com/servicename.

    www.yourdomain.com {
        tls yourname@yourmailadress.com
        timeouts none
        proxy /emby localhost:8096 {
            websocket
            transparent
        }
        proxy /anotherservice localhost:8080 {
            websocket
            transparent
        }
    }

If all your web services are on the Windows PC, then there's no need to forward port 80 to your Synology! Organizr should also work with Caddy. If I read the documentation correctly, nginx is only used to forward requests to a PHP server. The same can be done with Caddy: https://caddyserver.com/docs/fastcgi 1
Swynol 375 Posted July 1, 2017 Posted July 1, 2017 Running a reverse proxy can be more secure. For one you are only opening one or two ports on your router. You can add extra security headers, logging and additional authentication. Can also be easier to manage. Caddy seems pretty cool considering it does all the Certs and renewal for you. 1
Spaceboy 2573 Posted July 2, 2017 Author Posted July 2, 2017

The reverse proxy acts similar to the port forwarding rules of your router. But instead of forwarding many different ports to many different web services of your server and then calling them by http://domain.com:port, you only need to open ports 80 and 443 and then you can enter your web services with something like this: http://domain.com/servicename.

    www.yourdomain.com {
        tls yourname@yourmailadress.com
        timeouts none
        proxy /emby localhost:8096 {
            websocket
            transparent
        }
        proxy /anotherservice localhost:8080 {
            websocket
            transparent
        }
    }

If all your web services are on the Windows PC, then there's no need to forward port 80 to your Synology! Organizr should also work with Caddy. If I read the documentation correctly, nginx is only used to forward requests to a PHP server. The same can be done with Caddy: https://caddyserver.com/docs/fastcgi

This is true! My original thought process was that the cert on my Windows PC could somehow be renewed by the cert on the Synology as they were for the same URL. But if I use Caddy then this isn't necessary.

Running a reverse proxy can be more secure. For one you are only opening one or two ports on your router. You can add extra security headers, logging and additional authentication. Can also be easier to manage. Caddy seems pretty cool considering it does all the Certs and renewal for you.

I understand now, so everything comes through port 443 and then the reverse proxy forwards everything as required. Cool, OK, I'm going to give this a try.
Spaceboy 2573 Posted July 8, 2017 Author Posted July 8, 2017 (edited)

Here is my Caddy config file:

    www.yourdomain.com {
        tls yourname@yourmailadress.com
        timeouts none
        proxy / localhost:8096 {
            websocket
            transparent
        }
        # Optional security headers
        header / {
            -Server
            Strict-Transport-Security "max-age=31536000;"
            Referrer-Policy "strict-origin"
            X-XSS-Protection "1; mode=block"
            X-Content-Type-Options "nosniff"
            X-Frame-Options "DENY"
        }
        # Optional logging
        log EmbyProxy.log
    }

You need to open ports 80 and 443 in your router/firewall for the Let's Encrypt renewal. First you should test if it's working by opening a command prompt in your Caddy installation folder and entering something like this:

    caddy -agree=true -conf=C:\Caddy\EmbyProxy.Caddyfile

Now open a browser and enter your domain address. You should see Emby's login page returned as a secure site with an approved SSL cert. If all goes well, you can now either create a Windows task to start Caddy at system boot or install it as a service with a tool like "NSSM":

Hi, so I have this working for Emby. What I'm not clear on from reading the documentation is how Caddy is used for other sites. At the moment I access Emby directly at mydomain.com, but you mentioned being able to use mydomain.com/emby and then being able to add mydomain.com/sonarr etc. How do I do this? Do I need to create separate .caddyfiles for each application and load each as a service using NSSM, or do I add the detail for all the applications to the one .caddyfile? I will keep looking into it myself, just reaching the limit of my understanding! Thanks!

Edit: never mind, I really should just read your instructions... So, final question I think. Previously I was using the HTTPS connection to my DiskStation web service, and port 80 on my router was forwarded to it to enable it to renew its cert. I presume this is just not an option, as you can't forward a router port to two local IPs? I can't imagine that the DiskStation can use Caddy in any way?

So I'd be left with using HTTPS but having no cert? Any other options I'm not thinking of? Thanks! Edited July 8, 2017 by Spaceboy
pünktchen 1409 Posted July 8, 2017 Posted July 8, 2017

You want to access the Synology web interface from outside your LAN? You could either proxy the requests from your Windows Caddy server to the DiskStation, or you can install Caddy in a Docker container on the Synology and then proxy Emby requests to your Windows PC. 1
Spaceboy 2573 Posted July 9, 2017 Author Posted July 9, 2017

You want to access the Synology web interface from outside your LAN? You could either proxy the requests from your Windows Caddy server to the DiskStation, or you can install Caddy in a Docker container on the Synology and then proxy Emby requests to your Windows PC.

I will try proxying from Caddy to the DiskStation, sounds straightforward.

So everything is set up Emby-wise; I now access Emby externally through https://mydomain/emby. But how do I connect locally on my home network? My Emby server isn't discovered by the Android TV app any more and I can't see what local address I should be using. In the dashboard Emby reports my WAN address as mydomain:8096.
pünktchen 1409 Posted July 9, 2017 Posted July 9, 2017 There shouldn't be any difference in your LAN! Maybe it's your Ombi installation.
Spaceboy 2573 Posted July 11, 2017 Author Posted July 11, 2017

All sorted, I had messed with the hosting settings in Emby, being unclear what they did; put them back and everything is fine. Organizr isn't working but I'll raise this on the Organizr thread.
Spaceboy 2573 Posted July 11, 2017 Author Posted July 11, 2017

You want to access the Synology web interface from outside your LAN? You could either proxy the requests from your Windows Caddy server to the DiskStation, or you can install Caddy in a Docker container on the Synology and then proxy Emby requests to your Windows PC.

So this would do it?

    proxy /diskstation 192.168.1.4:5001

At this point the DiskStation doesn't need to renew its cert, or it will renew it because of the proxy I've established?
pünktchen 1409 Posted July 11, 2017 Posted July 11, 2017

So this would do it?

    proxy /diskstation 192.168.1.4:5001

At this point the DiskStation doesn't need to renew its cert, or it will renew it because of the proxy I've established?

Yes. 1
Spaceboy 2573 Posted July 11, 2017 Author Posted July 11, 2017

Yes.

Hi, unfortunately this

    proxy /diskstation 192.168.1.4:5000

this

    proxy /diskstation 192.168.1.4:5001

and this

    proxy /diskstation diskstation:5001

don't seem to work; I just get a page from the DiskStation saying the page I want can't be found.

I've also heard from my remote user that they can't connect from a Fire TV using either http://domain/emby or https...; the port field is blank. Do any of the security headers affect this? He can log in through the browser, just cannot connect to the server from the Fire TV. I've seen other posts on issues with Fire TV and reverse proxies but they all seemed to be resolved.
chef 3810 Posted July 13, 2017 Posted July 13, 2017 (edited)

Hi guys, I get an error which says "No such Site at :443"

EDIT: It must take a couple of seconds for everything to start working, because all of a sudden... it's working! Edited July 13, 2017 by chef
pünktchen 1409 Posted July 13, 2017 Posted July 13, 2017

Hi, unfortunately this

    proxy /diskstation 192.168.1.4:5000

this

    proxy /diskstation 192.168.1.4:5001

and this

    proxy /diskstation diskstation:5001

don't seem to work; I just get a page from the DiskStation saying the page I want can't be found. I've also heard from my remote user that they can't connect from a Fire TV using either http://domain/emby or https...; the port field is blank. Do any of the security headers affect this? He can log in through the browser, just cannot connect to the server from the Fire TV. I've seen other posts on issues with Fire TV and reverse proxies but they all seemed to be resolved.

The port must be 80 and no need for explicit https, just http. It's working for me on my Fire TV Stick!
chef 3810 Posted July 14, 2017 Posted July 14, 2017 Can I just say that caddy is the greatest thing since sliced bread 1
Spaceboy 2573 Posted July 15, 2017 Author Posted July 15, 2017

So thanks to @punktchen and then @Swynol I have Caddy working. I'm using the Caddyfile that Swynol provided at the moment because we were trying to get Organizr working. That is now done! So this is my current Caddyfile:

    mydomain.com {
        ext .html .htm .php
        root /caddy/www
        gzip
        proxy /radarr localhost:7878 {
            transparent
        }
        proxy /sonarr localhost:8989 {
            transparent
        }
        proxy /emby localhost:8096 {
            transparent
            websocket
        }
        proxy /ombi localhost:3579 {
            transparent
        }
        proxy /headphones localhost:8181 {
            transparent
        }
        proxy /sabnzbd localhost:8087 {
            transparent
            websocket
        }
    }

    https://mydomain.com/organizr {
        ext .html .htm .php
        root /caddy/www/organizr
        startup /caddy/php/php-cgi -b 127.0.0.1:9000 &
        fastcgi / localhost:9000 php
        gzip
    }

So, things that need work:

- Security settings? punktchen provided me with some security settings for Emby but I've removed these to get Organizr working.
- I want to proxy to my DiskStation which is at 192.168.1.4:5000.
- I need to use NSSM to start Caddy as a service; does this need any arguments?
- My remote user still can't access through his Fire TV. The URL works now as domain:80 but apparently his password doesn't work even though it does in the web client? Does this make sense?
chef 3810 Posted July 15, 2017 Posted July 15, 2017 I could easily write an exe which starts caddy and fills out any parameters needed such as "-agree=true". You could then put it in your startup folder. You want that?
Spaceboy 2573 Posted July 15, 2017 Author Posted July 15, 2017 (edited)

I'm fine using NSSM to get it going; punktchen provided me with the arguments -agree=true -conf=path to .caddyfile. I know the second isn't needed as I'm now using the default Caddyfile, but is -agree=true still required? Edited July 15, 2017 by Spaceboy
chef 3810 Posted July 15, 2017 Posted July 15, 2017 Documentation says it is to agree to the TOS of the SSL. I figure it is important for auto renewal every 90 days. 1
Swynol 375 Posted July 15, 2017 Posted July 15, 2017

Yes, NSSM with those arguments is fine.

To work on the security we need to add a few things. Now this is where I am not sure how it works in Caddy: whether you can add it as a global setting or have to add it to each reverse proxy block individually. So like you had before; notice I changed X-Frame-Options, otherwise all your services won't work within the Organizr frame:

    header /emby {
        -Server
        Strict-Transport-Security "max-age=31536000;"
        Referrer-Policy "strict-origin"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        X-Frame-Options "SAMEORIGIN"
    }

1
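Answering Swynol's open question about global versus per-proxy headers, here is an added example Caddyfile (written for this page, not posted by anyone in the thread) that combines the pieces already shown above: pünktchen's header set, Spaceboy's path-based proxies, and Swynol's SAMEORIGIN change. In the v0.x Caddyfile syntax used throughout this thread, a directive path of "/" matches every request by prefix, so a single header / block applies to all proxied services in the site block. The domain, the contact e-mail and the localhost ports are placeholders carried over from the posts above.

```caddyfile
# Added example, not any poster's own config.
# mydomain.com, the e-mail address and the backend ports are placeholders
# taken from the thread; replace them with your own values.
mydomain.com {
    tls yourname@yourmailadress.com
    timeouts none
    gzip

    # Path-based proxies, one per service, as in Spaceboy's config.
    proxy /emby localhost:8096 {
        transparent
        websocket
    }
    proxy /sonarr localhost:8989 {
        transparent
    }
    proxy /radarr localhost:7878 {
        transparent
    }

    # "/" matches every path by prefix, so these headers are added to the
    # responses of all the proxies above without repeating the block per service.
    header / {
        -Server
        Strict-Transport-Security "max-age=31536000;"
        Referrer-Policy "strict-origin"
        X-XSS-Protection "1; mode=block"
        X-Content-Type-Options "nosniff"
        # SAMEORIGIN rather than DENY so the services can still be framed by
        # Organizr served from the same host (Swynol's point above).
        X-Frame-Options "SAMEORIGIN"
    }

    log EmbyProxy.log
}
```

Start it the same way as in pünktchen's post (caddy -agree=true -conf=path to this file) and confirm in the browser's developer tools that the headers appear on a response from each /servicename path. Note that Spaceboy's Organizr entry, https://mydomain.com/organizr, is a separate site block in Caddy v0.x, so it does not inherit this header block and would need its own copy.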