Novice trying to reverse proxy with caddy for Jellyfin - problems

Elroy_Paisley · August 13, 2020, 11:02am

I own a domain that is registered on Google domains. I’ve setup a subdomain through the DNS panel to forward to my.server.ip.

When I put my.google.domain into the URL bar of a browser, it gives me a SITE CANNOT BE REACHED error but it shows me the IP address of my server - so the forward is working. And caddy is working. But for some reason the URL is not taking me to the Jellyfin server.

Whitestrake · August 14, 2020, 1:55pm

Can you get us the output of:

curl -IL googledomain.example.com

Elroy_Paisley · August 14, 2020, 3:02pm

Thanks so much for your continued help with this. Here’s the output:

root@xxxxxx:~# curl -IL xxxxx.xxxx.com
HTTP/1.1 301 Moved Permanently
Location: http://xxx.xxxx.xx.xxx  (this correctly points at the IP of my VPS)
Date: Fri, 14 Aug 2020 14:58:21 GMT
Content-Type: text/html; charset=UTF-8
Server: ghs
Content-Length: 218
X-XSS-Protection: 0
X-Frame-Options: SAMEORIGIN

HTTP/1.1 200 OK
Server: Caddy
Date: Fri, 14 Aug 2020 14:58:21 GMT

To test the server, I OPENED port 8096 and tried to visit my.vps.ip:8096 and it did successfully connect to the Jellyfin server. So the server is there and working. I CLOSED 8096 again.

Is there a chance some port I need to have open is not open?

Elroy_Paisley · August 14, 2020, 3:11pm

#
# Unless the file starts with a global options block, the first
# uncommented line is always the address of your site.

http:/google.subdomain.com    {

reverse_proxy 127.0.0.1:8096

}```

Elroy_Paisley · August 15, 2020, 4:07pm

Any thoughts? Sorry to nag I’m just totally stuck here.

My domain points to my server IP. My config file points the domain at server.ip:8096. There’s a Jellyfin server up and running on that port. But when I go to the domain, it cannot connect to the site (the connection has timed out).

** I know the forward is working because the “connection has timed out” screen in my browser shows the IP of the VPS.

**I know know that caddy is running because I’ve run the ‘service status’ command I get:

caddy.service - Caddy
       Loaded: loaded (/lib/systemd/system/caddy.service; enabled; vendor preset: en
       Active: active (running) since Sat 2020-08-15 13:04:27 UTC; 3h 0min ago
         Docs: https://caddyserver.com/docs/
     Main PID: 1020 (caddy)
        Tasks: 14 (limit: 4915)
       CGroup: /system.slice/caddy.service
               └─1020 /usr/bin/caddy run --environ --config /etc/caddy/Caddyfile

    Aug 15 13:04:27 Fermi-Plex caddy[1020]: USER=caddy
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: INVOCATION_ID=fb36a0068d6f4ace85b46e2f96
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: JOURNAL_STREAM=9:16045
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9760141,
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.984018,"
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: 2020/08/15 13:04:27 [INFO][cache:0xc0003
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9897885,
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.992747,"
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9958575,
    Aug 15 13:04:27 Fermi-Plex caddy[1020]: {"level":"info","ts":1597496667.9958959,

** I know a Jellyfin server is working on that ip and port because if I open port 8096 and then go to the server.ip:8096, I get the login screen.

Any other troubleshooting I can do? I feel like caddy is running and the forward is working. Not sure why it’s not connecting to the server.

matt · August 16, 2020, 4:19am

You’re missing a / in your site address. Maybe?

If you’re trying to access your internal services with the public domain and public IP address from within your network it could be that your router doesn’t support hairpin NAT or doesn’t have it enabled. Mine doesn’t support it and it’s super annoying to work around but it can be done.

francislavoie · August 16, 2020, 4:48am

To clarify, this is what Matt is talking about, you only have one / here, but you need two: http://

Are you sure you have ports 80 and 443 open in your VPS firewall?

Elroy_Paisley · August 16, 2020, 11:42am

Thank you both for replying. This morning, to be 100% sure, I went and:

ufw allow 80

ufw allow 443

(curious, on a side note, why its not safe to just have the Jellyfin port open - 8096 - but it’s safe to have both 443 and 80 open?)

When I open a browser and type my.google.com into the URL bar it immediately repopulates with my.vps.ip. So I know the redirect is working. But now I just get a blank screen (not a ‘connection timed out’ error). So I am thinking I did, in fact, need to open one of those ports but it hasn’t solve the problem entirely.

I doubt this is an issue but I am also running a plex server on this same box. Nothing appears to be conflicting but I wanted to make you aware. I’m going to open a ticket with my VPS provider re: hairpin NAT - I don’t know what that means but I’m sure they do.

oh! and yes, I did have two “/” - that was a typo.

Elroy_Paisley · August 16, 2020, 11:45am

Is there something I could run from the command line that would tell me if this is/isn’t enabled?

francislavoie · August 16, 2020, 2:15pm

Because then users won’t get all their traffic encrypted, which is Caddy’s job here. Port 80 is only open so Caddy can trigger the HTTP->HTTPS redirect, and to solve the ACME HTTP challenge, which is one of the ways that Caddy can prove to Let’s Encrypt that you own the domain.

francislavoie · August 16, 2020, 8:15pm

Oh, that trailing / is important. This is telling Caddy to only match requests to /. Remove this / to have Caddy handle requests to all paths.

http://whatwhat.ga {
	reverse_proxy 127.0.0.1:8096
}

Elroy_Paisley · August 16, 2020, 8:33pm

It worked!!! Thank you so much! Okay, so this means my reverse proxy is safely in place?

Next step for me would be to setup and encrypted connection. Is there a relatively newbie friendly guide to doing that?

francislavoie · August 16, 2020, 8:34pm

Yep, just remove http:// from the front and you should be done.

Just as a note for next time; this is exactly why redacting parts of your config or modifying it before posting it on the forums is always a mistake. We went in circles a few times because we didn’t have evidence of the issue because you didn’t post your exact config.

Elroy_Paisley · August 16, 2020, 8:47pm

You’re 100% right. I’ve been concerned about security but obviously this was the right move.

Just to be clear, in my Caddy file I simply remove http:// and leave whatwhat.ga and caddy will handle everything to make it encrypted?

Elroy_Paisley · August 16, 2020, 8:52pm

francislavoie · August 16, 2020, 8:58pm

I just tried to load your site with https://whatwhat.ga and it’s working with TLS

Elroy_Paisley · August 16, 2020, 9:00pm

So it is! Wow, thank you. Possible I just tried to load it too quickly? Like, does the cert take time to populate?

francislavoie · August 16, 2020, 9:02pm

It can take a bit of time for Caddy to have the cert issued. You can watch the logs to see the progress.

Elroy_Paisley · August 17, 2020, 12:32am

Ok, thanks. This is so great, thanks for your help.

system · September 11, 2020, 7:27pm

This topic was automatically closed after 30 days. New replies are no longer allowed.