SOLVED: Accessing Jellyfin in Docker Compose using Native Caddy and DuckDNS. Can't open ports

[jellykrabbypatty]

Hello, can someone help me with this reverse proxy through caddy? 

With the help of Microsoft Copilot, I was able to have my computer: 

    Jellyfin is running locally and working. (Docker Compose yml file)

    Caddy is installed natively (not in Docker) and configured to reverse proxy Jellyfin.

    DuckDNS domain (subdomain.duckdns.org) is set up and pointing to your public IP.

    Docker Compose was used initially but is no longer needed for Caddy.

    UFW firewall is now active and allows ports 80 and 443.

However: 

    Caddy is trying to get a TLS certificate from Let’s Encrypt.

    Let’s Encrypt uses port 443 to verify your domain.

    Port 443 is not open to the outside world — this is the blocker.

What I’ve Already Done

    Verified DuckDNS is resolving correctly.

    Set up port forwarding in your Netgear router for ports 80 and 443.

    Enabled UFW and allowed those ports.

    Restarted Caddy and checked logs — it’s attempting the TLS challenge.


Does anyone have any ideas? I don't think it would be smart to say what ISP I am using. But I am using a Netgear Mesh router with 1 satellite, and have port forwarding rules for 80 to 80 with my host IP as well as 443. I read online my ISP does not block using ports. I am using their fiber modem. 

I am at a loss.

Let me know if there is any more information I can provide. 

[pxr5]

Have you run a port checker, that port 443 is open and forwarded to the device running Caddy? It has to be open for Caddy to work.

[jellykrabbypatty]

Have you run a port checker, that port 443 is open and forwarded to the device running Caddy? It has to be open for Caddy to work.

Portchecker.co says 443 and 80 are closed for external public IP address linked to duckdns. I have 443, 80, and 8096 configured to run through Linux UFW and have tested that works because 8096 was closed and none of my Jellyfin stuff was working. Now it is open and it is back to working locally. 

In Netgear router settings, I go to Advanced, Advanced Setup, Port Forwarding/PortTriggering, and have two services. 

One for HTTP with external start point 80, external end point 80, internal start port 80, and internal end port 80. I have that set for internal ip address which is my 192.168.xx.xx computer IP address (not the public facing one).

The other for HTTPS with external start point 443, external end point 443, internal start port 443 and internal end port 443. I have that set for internal ip address which is my 192.168.xx.xx computer IP address (not the public facing one).

In the Jellyfin GUI, I have "allow remote connections" checked in Networking, and everything else is left to default.  

EDIT: My Caddyfile is    

subdomain.duckdns.org {  
reverse_proxy localhost:8096
} 

EDIT EDIT: My router has a setting called VLAN / Bridge Settings, and a checkbox that says "Enable VLAN / Bridge Setup". Does that put it in bridge mode?

[jellykrabbypatty]

My best guess right now after running through it with Copilot is my ISP uses CGNAT since the internet port for my router starts with 100...so I guess I'm screwed and have to call my ISP to ask for it...unless there is another way?

[pxr5]

Have you entered the known proxies setting in jf? e.g. in mine I have 192.168.1.xx/24 which is the ip address of my device running caddy. It's under Networking in jf settings.

However as your ports seem to be closed it probably won't make a difference.

Tailscale may be an alternative.

[jellykrabbypatty]

Have you entered the known proxies setting in jf? e.g. in mine I have 192.168.1.xx/24 which is the ip address of my device running caddy. It's under Networking in jf settings.

However as your ports seem to be closed it probably won't make a difference.

Tailscale may be an alternative.

No luck unfortunately. I had heard about Tailscale. Does that only work on the receiving end if they are also using Tailscale? Can someone connect through an external Roku?

[jellykrabbypatty]

Finally got it figured out! It was my ISP. I had to call them and get them to change my router IP and now the ports are open. Now I can continue my work! Thank you @pxr5 for the assist.

[pxr5]

^Great news. Well done.