Reverse Proxy for Media Server with Multiple Custom Subdomains

My goal is to navigate to http://*.mydomain dot com or https://*.mydomain dot com and be redirected to https://*.mydomain.com, which points to the server inside my network hosting my media services, where * stands for the various services, each of which points to a different port on the same server, as listed below:

  • emby → serverIP:8096
  • nzbget → serverIP:6789
  • sonarr → serverIP:8989
  • radarr → serverIP:7878

What I have is listed below:

  • A script on my server that updates the IPv4 address of the server every 5 minutes (as a scheduled task in Windows 10) to the A record in Google Domains, where mydomain dot com is registered (listed as dynamic DNS under synthetic records). TTL is 1m and the Name is ‘@’.
  • A CNAME record for www that redirects to mydomain dot com.
  • Router external ports 80 and 443 forwarded to serverIP:80 and serverIP:443, respectively.
  • The following caddyfile, which I realize is not correct (thus this post):

emby.mydomain dot com {
    proxy /emby serverIP:8096 {
        websocket
        transparent
    }
}

When I navigate to mydomain dot com externally, I get redirected to mydomain dot com/1.1.16/login.html and am able to login to my router. Navigating to emby.mydomain dot com obviously leads to an “ERR_NAME_NOT_RESOLVED”.

I’ve tried multiple iterations of my Caddyfile without success, so I am starting with a bare-bones file, knowing that it’s wrong.

I’m a civil engineer, meaning intuitively I’m a chimpanzee with computers, but can usually figure things out when given clear direction.

I’m hoping I didn’t miss any critical element to help me figure this out, and appreciate any help anyone can provide (and please don’t laugh too much at my incompetence :slight_smile:).

Cheers!

Hi @matthewcaley, welcome to the Caddy community.

Unless you’ve configured Caddy to proxy to your router, step 1 is to fix this. This implies that your router is serving its own web page on its external IP instead of forwarding those ports.

You need a CNAME for the emby subdomain that points to the bare domain (which you’ve said has an A record and gets updated by your DDNS) - just like the www CNAME you mentioned.

You’ll need additional CNAMEs for every service you want to proxy from a different subdomain.

Once those two are fixed and you’ve got traffic getting to Caddy for the domains you want, we’ll start looking at the redirections and proxies.

I had a feeling this was not correct. I’m not sure what you mean by configuring Caddy to my router; I posted the entirety of my Caddyfile. Is it possible that my router is reserving ports 80/443 for itself? I definitely have them forwarded, I think? (see below):

I’ve added CNAMEs for every service that point to mydomain dot com.

Your router has a web interface. That web interface is a service, just like emby, nzbget, sonarr, radarr, and Caddy can proxy to it just like it can proxy to those other services, e.g. proxy / <router IP>. Not usually done, though (it’s best to keep router web access limited to the private network).

It helps to think in terms of packet flow. The packets come in from the internet, they reach the router. They need to keep flowing to Caddy so that Caddy can respond to them.

But if you haven’t configured Caddy to proxy your router’s web page, how is it possible that the router’s web interface is responding to those packets? Answer: It shouldn’t. The router must not be sending those packets onwards to Caddy; it must be keeping them.

That will need to be resolved - naturally, Caddy can’t do anything meaningful if no traffic reaches it.

So how do I resolve that? Should I configure Caddy to use different ports? If so, how do I do that in the Caddyfile? In that case, I’d change the port forwarding to match those ports.

The ideal resolution is to fix your router so that it doesn’t “steal” traffic on these ports. Some routers… don’t play nice, so this might not be possible with your current equipment.

A less-than-ideal solution would be to use non-standard HTTP(S) ports externally. Since LetsEncrypt requires standard ports be externally available for HTTP-01 and TLS-ALPN-01 challenges, you won’t be able to use these (you’ll have to use the DNS challenge). You’ll also then need to add the correct port number to the URL when browsing to your site.

Is there a way to verify in windows what is happening?

As in, confirm exactly where the packets are(n’t) going?

You can do packet captures, it’ll show whether traffic is coming in on ports 80 and 443 or not. You’d have to look up some guides on using Wireshark, or a similar program, though.

You’d need to run the packet capture on the host running Caddy to check that. You can also run a packet capture on the router itself, which would tell you more, but again, the router might not be capable of that function.
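One way to confirm where the packets are (and aren't) going without a full packet capture, added here as an example and not taken from this thread: a Windows PowerShell 5.1 script run on the Windows 10 host that checks the CNAME chain for each service name, whether ports 80/443 on the public address accept connections, and what answers an HTTP request via the public name versus via the Caddy host on the LAN. The domain, service names and LAN address are placeholders.

```powershell
# Added diagnostic example (not from the thread). The bare domain, service names and
# LAN address are placeholders; replace them with your own values.
$BareDomain = 'mydomain.example'                    # the A record your DDNS script updates
$Services   = 'emby', 'nzbget', 'sonarr', 'radarr'  # one CNAME per service subdomain
$ServerIP   = '192.0.2.10'                          # LAN address of the host running caddy.exe

# 1. DNS: each service name should be a CNAME to the bare domain, which must have an A record.
$bareA = (Resolve-DnsName -Name $BareDomain -Type A -ErrorAction Stop |
          Where-Object QueryType -eq 'A').IPAddress
Write-Host "A record for $BareDomain : $bareA"
foreach ($svc in $Services) {
    $fqdn  = "$svc.$BareDomain"
    $cname = (Resolve-DnsName -Name $fqdn -Type CNAME -ErrorAction SilentlyContinue |
              Where-Object QueryType -eq 'CNAME').NameHost
    if ($cname -eq $BareDomain) { Write-Host "OK   $fqdn -> CNAME $cname" }
    else { Write-Warning "Missing or wrong CNAME for $fqdn (got '$cname'); it should point to $BareDomain" }
}

# 2. Reachability: do 80 and 443 on the public address accept TCP connections at all?
foreach ($port in 80, 443) {
    $tcp   = Test-NetConnection -ComputerName $BareDomain -Port $port -WarningAction SilentlyContinue
    $state = if ($tcp.TcpTestSucceeded) { 'open' } else { 'closed/filtered' }
    Write-Host ("Port {0} on {1}: {2}" -f $port, $BareDomain, $state)
}

# 3. Who answers? Compare the response via the public name with the one from Caddy on the LAN.
#    A redirect to a router login page (like the /1.1.16/login.html seen above) means the router
#    kept the packets instead of forwarding them; the LAN request shows what Caddy itself returns.
function Get-HttpSummary([string]$Url) {
    try {
        $r = Invoke-WebRequest -Uri $Url -Method Head -MaximumRedirection 0 -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        return "{0} {1}" -f $r.StatusCode, $r.Headers['Location']
    } catch {
        # Windows PowerShell 5.1 raises on 3xx with -MaximumRedirection 0; the response is still attached.
        $resp = $_.Exception.Response
        if ($resp) { return "{0} {1}" -f [int]$resp.StatusCode, $resp.Headers['Location'] }
        return "no HTTP response: $($_.Exception.Message)"
    }
}
Write-Host ("Public http://{0}/ -> {1}" -f $BareDomain, (Get-HttpSummary "http://$BareDomain/"))
Write-Host ("LAN    http://{0}/ -> {1}" -f $ServerIP,   (Get-HttpSummary "http://$ServerIP/"))
foreach ($svc in $Services) {
    Write-Host ("Public https://{0}.{1}/ -> {2}" -f $svc, $BareDomain, (Get-HttpSummary "https://$svc.$BareDomain/"))
}
```

If the public request is redirected to the router's login page while the LAN request returns Caddy's own response, the port forwarding is not in effect and the router is answering on 80/443 itself.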

Alright, so I think the ports are now forwarded correctly.

When I navigate to https://emby.mydomain dot com, the security certificate appears to be valid, but I get a 404 Not Found.

Navigating to https://emby.mydomain.com/emby works, but how do I get it to work without the /emby? Current Caddyfile:

emby.mydomain dot com {
    proxy /emby serverIP:8096 {
        websocket
        transparent
    }
}
nzbget.mydomain dot com {
    proxy /nzbget serverIP:6789 {
        websocket
        transparent
    }
}
movies.mydomain dot com {
    proxy /movies serverIP:7878 {
        websocket
        transparent
    }
}
tvshows.mydomain dot com {
    proxy /tvshows serverIP:8989 {
        websocket
        transparent
    }
}

I’m an idiot…so both of these work now that I changed “/emby” to just “/”, but sonarr and radarr are not working, meaning caddy.exe gets stuck activating privacy features when I have them in the Caddyfile. Wasn’t an issue when I called them movies and tvshows, but they weren’t rendering properly when I did that.

Latest Caddyfile:

emby.mydomain dot com {
    proxy / serverIP:8096 {
        websocket
        transparent
    }
}
nzbget.mydomain dot com {
    proxy / serverIP:6789 {
        websocket
        transparent
    }
}

Any ideas, @Whitestrake?

It could be that there’s a soon-to-be-stale lock in your storage; check $HOME/.caddy/locks and delete anything for those names. (This happens if Caddy is closed during an ACME operation)

Sorry, you’re going to have to break this one down for me… Where am I looking? In C:/caddy where I have caddy.exe and my Caddyfile? I don’t see anything resembling locks…

You said they were working fine when you used /movies and /tvshows?

Try keeping the proxy / but navigating manually to the /movies subdirectory. I expect you’ve configured Sonarr and Radarr with Base URLs. If navigating manually works, go into the apps’ individual settings and reset the Base URLs to /.

Nevermind, I found it…and it works now!

I didn’t have any base URLs configured, @matt’s solution worked.

Ahh, of course! I saw the “not rendering properly” and skipped over the rest of your post, I think… heh. Glad to hear you’re up and running, then.

Hello @matthewcaley

A question: I have some of the same configuration as you. Did you also have your own SSL certificate installed on the web servers? I am planning to install Caddy only to serve port 443 to my servers from outside, but not to have Caddy act as the SSL or Let's Encrypt certificate creator. Is that possible when I have my own SSL certificate working on my web servers?

Do I also need to create CNAMEs on the web domain page or something like that? Can you please describe how it is now really working with your configuration? That would be so helpful for me and maybe for others… thank you so much in advance!!

This topic was automatically closed 90 days after the last reply. New replies are no longer allowed.