    Reverse Proxy SSL

    blawford
    Offline

    Junior Member

    Posts: 4
    Threads: 2
    Joined: 2025 Jan
    Reputation: 0
    Country:United Kingdom
    #1
    2025-01-29, 10:23 AM
    I’m trying to figure out the best way to seamlessly access Jellyfin from my mobile devices, whether I’m at home or away. 

    My setup: 
    - Jellyfin is running in a Docker container on Unraid. 
    - The container’s network is set to br0, and I’ve assigned it the static IP 10.0.0.6. It listens on ports 80/443. 
    - I’m using Nginx Proxy Manager (NPM) in another container to handle reverse proxying. 
    - I have a subdomain, media.domain.com, set up in NPM to route the traffic to Jellyfin. 
    - The proxy host has a self-signed SSL certificate and HTTPS is enforced. 

    This setup works perfectly when I’m outside my home network. 

    The problem: 
    I want media.domain.com to work both at home and away, without needing to switch servers in the Jellyfin Android app. Additionally, I want traffic to route locally when I’m on my LAN, so it continues to work even if my internet is down. 

    What I’ve tried: 
    I set up a static DNS entry on my router to resolve media.domain.com to 10.0.0.4 (NPM), thinking this would allow my local devices to still reach Jellyfin with SSL. However, when I do this I am unable to connect when using the Android app, I suspect because of an SSL-related issue. 

    I haven't tried pointing media.domain.com on my router to 10.0.0.6 (Jellyfin) directly, but if I did this I can't see how I could use https://media.domain.com both at home and away.

    My question: 
    What’s the best way to set this up so that I can always use the same server address, whether I’m at home or away, with traffic routing locally when at home? I would prefer not to use any sort of setup that would require config on client devices (VPN, for example).

    Would love to hear how others have solved this.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #2
    2025-01-29, 05:41 PM
    Do the following

    - Put Jellyfin back on port 8096. It does NOT need to be on 80 or 443. Nginx will handle those ports.
    - If possible, switch Jellyfin to bridge networking and "expose" port 8096 instead of publishing it. I can't remember if unRAID allows you to do that.
    - Configure Nginx Proxy Manager to listen on your domain name, set the proxy to go to protocol http, the bridge network IP for Jellyfin, on port 8096. Use the host IP if you aren't able to switch Jellyfin to "expose" instead of publish. Enable websockets, block common exploits, DO NOT enable caching. Ensure that the NPM container is publishing ports 80 and 443 or that you are using host networking.
    - Set up port forwarding on your router to send port 443 external to port 443 internal to your unRAID host's IP.
    - Add the container IP to Jellyfin as a "Known proxy", Dashboard > Networking. If you are using host networking for NPM, use the host's IP.
    - Hopefully your router supports NAT loopback. If it does, enable it. If it doesn't, you can also add custom DNS entries (often labeled "edit hosts") so that DNS requests to your domain, while on your home network, will resolve to the local IP instead of your public IP. Either option will keep local traffic local when using your domain name.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
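    Why the "Known proxy" step in the post above matters, as an added illustration (not code from the thread or from Jellyfin): behind a reverse proxy the server only ever sees the proxy's address as the TCP peer, so it has to take the real client address from X-Forwarded-For, but it may only believe that header when the peer is on the known-proxy list, otherwise any client can forge its own "source" address. The proxy address 10.0.0.4 is the NPM address from the thread; the client addresses below are constructed sample values.

```python
import ipaddress

# The reverse proxy (Nginx Proxy Manager) address from the thread, as a /32.
KNOWN_PROXIES = [ipaddress.ip_network("10.0.0.4/32")]


def client_ip(peer_ip: str, x_forwarded_for: str = "", known=KNOWN_PROXIES) -> str:
    """Derive the real client address the way a known-proxy list is meant to be used.

    X-Forwarded-For is only honoured when the TCP peer is a trusted proxy, and
    then only the right-most hop that is NOT itself a trusted proxy is used.
    A client that sends a forged header therefore cannot choose its own address:
    the proxy appends the true address to the right of whatever it received.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not any(peer in net for net in known) or not x_forwarded_for:
        return str(peer)  # direct or untrusted peer: the header is ignored entirely
    hops = [h.strip() for h in x_forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):  # walk from the hop nearest us towards the client
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return str(peer)  # malformed header: fall back to the peer address
        if not any(addr in net for net in known):
            return str(addr)
    return str(peer)  # every hop was a trusted proxy
```

With the proxy listed, a forged `X-Forwarded-For: 1.2.3.4` from a client at 203.0.113.9 still resolves to 203.0.113.9; without it, the server would log the proxy's address for every request, which is why the thread tells you to add the container IP.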
    WoodenBleachers
    Offline

    Junior Member

    Posts: 8
    Threads: 1
    Joined: 2023 Jun
    Reputation: 0
    Country:United States
    #3
    2025-02-11, 07:14 PM (This post was last modified: 2025-02-11, 07:16 PM by WoodenBleachers. Edited 1 time in total.)
    (2025-01-29, 05:41 PM)TheDreadPirate Wrote: Do the following

    - Put Jellyfin back on port 8096.  It does NOT need to be on 80 or 443.  Nginx will handle those ports.
    - If possible, switch Jellyfin to bridge networking and "expose" port 8096 instead of publishing it.  I can't remember if unRAID allows you to do that.
    - Configure Nginx Proxy Manager to listen on your domain name, set the proxy to go to protocol http, the bridge network IP for Jellyfin, on port 8096.  Use the host IP if you aren't able to switch Jellyfin to "expose" instead of publish.  Enable websockets, block common exploits, DO NOT enable caching.  Ensure that the NPM container is publishing ports 80 and 443 or that you are using host networking.
    - Set up port forwarding on your router to send port 443 external to port 443 internal to your unRAID host's IP.
    - Add the container IP to Jellyfin as a "Known proxy", Dashboard > Networking.  If you are using host networking for NPM, use the host's IP.
    - Hopefully your router supports NAT loopback.  If it does, enable it.  If it doesn't, you can also add custom DNS entries (often labeled "edit hosts") so that DNS requests to your domain, while on your home network, will resolve to the local IP instead of your public IP.  Either option will keep local traffic local when using your domain name.

    I've been trying to do something similar on TrueNAS (I know it's not the best tool for docker) and have run into an issue.  I read that Pi Hole could be used to resolve the DNS and route all traffic to nginx, and then from there control the other ports.  This would be a bit easier for me to visualize and manage, do you think this would work?  And if it does work, would it be able to work from a free dns domain like duckdns?

    The way I see it, pi hole would route my *.mydomain.duckdns.org exposure to nginx, subverting my router's dns entirely. Nginx would then manage the actual routing. Pardon for any improper terminology, but I am relatively new to networking. This stuff is a bit of a beast.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #4
    2025-02-11, 09:46 PM
    You don't necessarily need a pihole to have custom DNS entries.  A lot of routers allow you to do this.  Unless you have a super super super locked down ISP provided router.

    In that case, yes, you would need a pihole.

    Without a custom DNS entry, when you type in your domain your device will reach out to your ISP DNS (or Cloudflare or Google DNS, etc) to try to figure out what the IP address is.  Adding a custom DNS entry in your router or pihole just cuts out that latter step since your router/pihole has an "answer" for that DNS request.

    Having a pihole or your router respond to DNS requests with your server's LAN IP is no different than an external DNS resolver.  Try not to overthink it.

    Again, a pihole just for DNS is not necessary for a lot of users.  If you want to set up a pihole for its other functionality, ad blocker, etc., go for it.  But if you only want DNS functionality, check whether your router already allows you to add custom DNS entries.

    An example from my router.

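    The split-horizon idea in the two posts above (router or Pi-hole answering with the LAN IP, public resolvers answering with the public IP) can be checked from a LAN client. This is an added example, not code from the thread: it sends a hand-built DNS A query to a chosen resolver (bypassing the OS resolver and its cache) and classifies what the two answers mean for local traffic. media.domain.com is the thread's placeholder domain; the router address 10.0.0.1 and the 10.0.0.0/24 LAN range are assumptions.

```python
import ipaddress
import socket
import struct

def build_a_query(name: str, txid: int = 0x1234) -> bytes:
    # 12-byte header (RD flag set, one question), QNAME labels, QTYPE=A, QCLASS=IN
    qname = b"".join(bytes([len(lab)]) + lab.encode("ascii") for lab in name.rstrip(".").split("."))
    return struct.pack(">HHHHHH", txid, 0x0100, 1, 0, 0, 0) + qname + b"\x00" + struct.pack(">HH", 1, 1)

def _skip_name(buf: bytes, off: int) -> int:
    # Return the offset just past a (possibly compressed) domain name
    while True:
        length = buf[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:  # 2-byte compression pointer ends the name
            return off + 2
        off += 1 + length

def parse_a_answers(resp: bytes) -> list[str]:
    # IPv4 addresses in the answer section; [] when RCODE signals an error (NXDOMAIN etc.)
    _txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", resp[:12])
    if flags & 0x000F:
        return []
    off = 12
    for _ in range(qd):
        off = _skip_name(resp, off) + 4  # skip QTYPE + QCLASS
    addrs = []
    for _ in range(an):
        off = _skip_name(resp, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", resp[off:off + 10])
        rdata, off = resp[off + 10:off + 10 + rdlen], off + 10 + rdlen
        if rtype == 1 and rdlen == 4:
            addrs.append(str(ipaddress.IPv4Address(rdata)))
    return addrs

def resolve_via(name: str, resolver: str, timeout: float = 2.0) -> list[str]:
    # Ask one specific resolver over UDP/53, bypassing whatever the OS would use
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_a_query(name), (resolver, 53))
        data, _ = s.recvfrom(512)
    return parse_a_answers(data)

def classify(lan_answers, public_answers, lan_cidr: str) -> str:
    # What a LAN client will do with the answer it got from the LAN resolver
    net = ipaddress.ip_network(lan_cidr)
    if any(ipaddress.ip_address(a) in net for a in lan_answers):
        return "split-horizon"  # override works: traffic to the domain never leaves the LAN
    if set(lan_answers) & set(public_answers):
        return "hairpin"  # public IP returned: only works if the router does NAT loopback
    return "mismatch"  # neither: check which resolver the client is really using
```

From a LAN client, compare `resolve_via("media.domain.com", "10.0.0.1")` (assumed router/Pi-hole) with `resolve_via("media.domain.com", "1.1.1.1")` and pass both lists to `classify()`; a "hairpin" result means no override is in effect and only NAT loopback will keep the name working at home.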
    WoodenBleachers
    Offline

    Junior Member

    Posts: 8
    Threads: 1
    Joined: 2023 Jun
    Reputation: 0
    Country:United States
    #5
    2025-02-12, 04:39 AM (This post was last modified: 2025-02-12, 04:41 AM by WoodenBleachers. Edited 1 time in total.)
    Thank you @TheDreadPirate.  Sadly, I'm afraid my router does not have DNS built-in as this is what the interface looks like:
    I have a netgear nighthawk though, so I assumed it was a decent router and not something locked by my ISP.
    On that note, it seems that the pihole is still important.  My current issue is now how to expose these ports.  My understanding is that by port forwarding 80 and 443 to the ports nginx is running on within my docker container, I am redirecting traffic on those ports to nginx.  However, pihole cannot see traffic from the outside, but still needs to see incoming traffic.  How can I make my pihole "see" the incoming data?
    Jellyfin 10.10.5 (Docker)
    HexOS(TrueNAS)
    Intel i3 12100
    OS Drive: 500gb Crucial SSD [NVMe]
    Storage: 1TB Kingston SSD [SATA] in stripe (I'm on a tight budget)
    WoodenBleachers
    Offline

    Junior Member

    Posts: 8
    Threads: 1
    Joined: 2023 Jun
    Reputation: 0
    Country:United States
    #6
    2025-02-12, 02:42 PM
    A small update, I did manage to set the DNS within the PiHole software so that my grabbing of service.somedomain is redirected. I am still unable to set the reverse proxy however. Once this whole install is complete, I think I'll do a writeup so that if anyone else runs into this in the future they'll be able to resolve it.

    For the proxy, I have forwarded 80 and 443 within my router to the server running the proxy, in this case nginx proxy manager. Try as I might, I cannot get the SSL cert (it returns an error and I can't find the log file) and also cannot see the simple http only proxy. Not sure if this is a ports issue or a docker issue, or what to do next.
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #7
    2025-02-12, 03:48 PM
    I used to run a Netgear R7000 (Nighthawk AC1700) for a long time with FreshTomato. When I was still running the stock firmware, I'm pretty sure it had custom DNS functionality. But that was before I started self-hosting stuff.

    Is the container running Nginx Proxy Manager running in host networking mode or bridge networking? Regardless, both ports 80 and 443 need to be open on the HOST firewall. Port 80 is used during the certificate request process.

    If this is a Debian or Ubuntu based distro, "sudo ufw allow 80" and "sudo ufw allow 443" would open the firewall. But UFW would need to be enabled if it isn't already.
    WoodenBleachers
    Offline

    Junior Member

    Posts: 8
    Threads: 1
    Joined: 2023 Jun
    Reputation: 0
    Country:United States
    #8
    2025-02-12, 06:09 PM
    (2025-02-12, 03:48 PM)TheDreadPirate Wrote: I used to run a Netgear R7000 (Nighthawk AC1700) for a long time with FreshTomato.  When I was still running the stock firmware, I'm pretty sure it had custom DNS functionality.  But that was before I started self-hosting stuff.

    Is the container running Nginx Proxy Manager running in host networking mode or bridge networking?  Regardless, both ports 80 and 443 need to be open on the HOST firewall.  Port 80 is used during the certificate request process.

    If this is a Debian or Ubuntu based distro, "sudo ufw allow 80" and "sudo ufw allow 443" would open the firewall.  But UFW would need to be enabled if it isn't already.

    I did have 80 and 443 open.  I found out though, although it was never documented or stated anywhere in the guides I had seen, that I am behind a CGNAT.  Because of this, I ended up just using a tunnel setup.  I went with cloudflare instead of tailscale funnel because the funnel is still in beta and was not configurable via a GUI.  I know it's probably a small grievance, but for $5 I figured it was that or Tylenol lol.

    Thank you for your help, I'll likely do a writeup soon so that if anyone else encounters the exact same problems they'll have a solution.