
External Domain and Local Redirect



Posted

Your best bet is to use nginx as a reverse proxy and just do subdomains like emby.mydomain.com, sonarr.mydomain.com, etc. Nginx will proxy non-SSL & SSL requests to your internal network.

 

Best bet is to forward port 80 & 443 to a dedicated virtual machine and run nginx on that to forward all requests for emby.domain.com --> 192.168.0.2:8096 (yes non ssl site)  sonarr.emby.com --> 192.168.0.2:8989. Let Nginx run the ssl aspect and just forward to non ssl ports internally.

 

Doing it this way will avoid all major NAT issues and is the safest and most secure way to do this.

Posted (edited)

Yes, the In-Home (LAN) address shows as http://192.168.1.2:8096 in the dashboard. But given Luke's comment, it sounds like this local redirect is not possible unless users go through Emby Connect. @Swynol are you saying you get the local redirect even when you log in directly via your domain address (i.e. https://www.mydomain.com)?

 

When you say local redirect do you mean domain name to local address?

 

Yes, on my LAN if I go to https://emby.mydomain.com it resolves to http://192.168.10.10. It resolves to this address because my router has a static host mapping which says to send any internal traffic for https://emby.mydomain.com or sonarr.mydomain.com or plex.mydomain.com to 192.168.10.10, which is my NGINX reverse proxy. NGINX sees https://emby.mydomain.com and knows to forward the requests to http://192.168.10.11:8096 (my Emby server). It's non-HTTPS because it's internal on my LAN; no need to be HTTPS here.

 

Any external clients going to https://emby.mydomain.com come into my router on 443; 443 is forwarded to my NGINX server, which then does the same as above and forwards to http://192.168.10.11:8096

 

 

 

Your best bet is to use nginx as a reverse proxy and just do subdomains like emby.mydomain.com, sonarr.mydomain.com, etc. Nginx will proxy non-SSL & SSL requests to your internal network.

 

Best bet is to forward port 80 & 443 to a dedicated virtual machine and run nginx on that to forward all requests for emby.domain.com --> 192.168.0.2:8096 (yes non ssl site)  sonarr.emby.com --> 192.168.0.2:8989. Let Nginx run the ssl aspect and just forward to non ssl ports internally.

 

Doing it this way will avoid all major NAT issues and is the safest and most secure way to do this.

 

NGINX on its own won't help; to get domain names to resolve internally there are a few options.

1. Edit the hosts file on PCs - not really an option, as you have to edit it on every machine on your LAN, and some don't support hosts files

2. Run your own DNS server - easier to set up, and then get your router to point all clients to the new DNS server

3. Run a proxy server with a PAC file - again means configuring all clients to point to a proxy server

4. Use a router with NAT hairpinning/dNAT/Static-hostname-mapping (best option, as all clients will automatically resolve the domain name to a local address)

 

I agree using NGINX is definitely the most secure way to do it, and allowing it to do all your certs is easier. You can also run it on the same machine as the Emby server.

Edited by Swynol
Posted (edited)

In the Emby Android app I have mine configured for https://emby.mydmain.com port 443; it works just fine from outside the internal network.

 

For internal network look at my nginx config.

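server {
        listen       80;
        server_name  emby.domain.net;
        # force redirect http to https; $host is the validated host name, without any client-supplied port
        return 301 https://$host$request_uri;
}

server {
        # TLS is enabled on the listen directive; the old "ssl on;" form is deprecated and rejected by current nginx
        listen 443 ssl;
        ssl_certificate /etc/nginx/ssl/domain.net.bundle.crt;
        ssl_certificate_key /etc/nginx/ssl/domain.net.key;
        server_name emby.domain.net;

        # pass the original host and client address through to Emby
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Host $host;

        # HSTS: browsers keep using https for this name and its subdomains for one year
        add_header Strict-Transport-Security "max-age=31536000; includeSubDomains";
        server_tokens off;    # do not advertise the nginx version

        ssl_dhparam /etc/nginx/ssl/dhparam.pem;

        access_log /var/log/nginx/emby.access.log combined;
        error_log /var/log/nginx/emby.error.log info;

        proxy_max_temp_file_size 0;    # do not buffer proxied responses to temp files on disk
        location / {
                # TLS ends at nginx; traffic to the Emby server on the LAN is plain http
                proxy_pass http://192.168.2.200:8096;
                gzip off;
        }
}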


As for the internal network, use your hosts file to set your domains to internal IPs.

 

EDIT: Also make sure you set in Advanced --> Hosting --> External Domain to domain.com 

Edited by drakus72
CorpusColossus
Posted

Thanks everyone for your insight. I think the solution that meets my particular set of needs is for me to host my own DNS and reverse proxy. I need to do some research and tinkering, but here is my rough plan (if more experienced eyes see anything fishy about this, I'd appreciate a heads-up):

  • Serve up a dedicated DNS on my local network.
  • Thinking of using a Raspberry Pi with Raspbian to host the DNS.
  • Tell my router to use the Raspberry Pi for the DNS.
  • Add an entry to the DNS to route traffic from mydomain.com to another Raspberry Pi serving up an NGINX reverse proxy.
  • NGINX handles SSL certs and routes the traffic to the Emby server.

Hopefully, NGINX and the DNS software don't require too much in the way of compute resources. I just have so many Pis laying around I feel like this is a good use for them :)

 

With just one custom DNS entry, it's a little unclear to me how to get the local DNS to use a real DNS (e.g., OpenDNS) for domain requests other than mydomain.com... wish me luck!
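
One way to get the per-domain override with upstream forwarding asked about above, and the "run your own DNS server" option listed earlier in the thread, as an added example that is not from any poster here. It assumes dnsmasq as the DNS software on the Pi, eth0 as its LAN interface, and 192.168.10.10 as a placeholder for the reverse proxy's address.

```conf
# /etc/dnsmasq.d/split-horizon.conf
# Constructed example: the interface name, host names and proxy address are assumptions.

# Answer queries only on the Pi's LAN interface.
interface=eth0
bind-interfaces

# Ignore /etc/resolv.conf and forward everything without a local
# override to the resolvers listed here (OpenDNS).
no-resolv
server=208.67.222.222
server=208.67.220.220

# Never forward plain host names or reverse lookups for private ranges upstream.
domain-needed
bogus-priv

# Local overrides: LAN clients get the reverse proxy's private address
# for exactly these names. Every other name, including other records
# under mydomain.com, is still resolved through the upstream servers.
host-record=emby.mydomain.com,192.168.10.10
host-record=sonarr.mydomain.com,192.168.10.10

# Reject upstream answers that map a name to a private address
# (DNS rebinding). The host-record entries above are local data, not
# upstream answers, so they keep resolving.
stop-dns-rebind
```

Clients only see these answers if the router's DHCP settings hand out the Pi as their DNS server; a device with a hard-coded public resolver still gets the WAN address.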

Posted

Good plan, I think once you install your DNS software onto the RPi it should be fairly straightforward.
