Recent searches
Search options
Any #nginx #networking #jellyfin experts having a quite saturday and willing to help me get my #selfhosted journey underway?
I've got a domain and a box with some working apps on it but I can't get #certbot to recognise my DNS and am struggling to get the #ReverseProxy working.
There's a few too many moving parts for my little brain, I'd really value a helping hand to get me up and running, please.
@thechildofroth whats going wrong with certbot? i have this same stack running on my server so maybe we can compare notes
@xandris When I try to get a certificate (either using dietpi-letsencrypt or directly from the prompt (as per the jellyfin instruction)) it tells me I don't have an A or AAAA record.
But when I do:
curl --verbose http://my.domain
it comes straight back with:
trying ip.of.router.im.looking.for
so curl seems to be finding the dns record ok
@xandris I think this may be the key to unlocking this, as without the certificates the Jellyfin provided nginx conf fails, so unless I can clear this hurdle I'm going to stay stuck
@thechildofroth @xandris You can try ‘dig @9.9.9.9 my.domain’ to have more information about the DNS information.
If you’ve got no answer, it’s definitely a DNS problem.
@rds @xandris So dig returns a seemingly sensible response (I can see my domain and my IP in there). The only concern is that I can see:
Query1, Answer1, Authority0, Additional1
Should Authority (I'm guessing this might be related to 'SOA') be 1 too?
(for any other rookies playing along 'dig' is in bind9-dnsutils on #Debian - not installed by default in #DietPi it seems)
@thechildofroth @rds i found this tool in the letsencrypt forum. what does it tell you?
@thechildofroth @rds its claiming its a private ip?
that makes it sound like its one of 192.168... or 10... or 172.16...
@thechildofroth @rds does the ip actually fall into one of those ranges in the wikipedia article?
@xandris @rds Ahh, yes. It's in the range described as:
Shared address space for communications between a service provider and its subscribers when using a carrier-grade NAT
Hmm, is there a way around that (I knew didn't have a fixed IP but I was going to use my domain providers DNS API to dynamically update the IP as required.
@thechildofroth @rds i haven't looked into dynamic dns solutions (aka dyndns) in a while. you may be able to buy a static ip for a little extra fee from your isp. last time i checked your router might be able to interface with your registrar's dyndns feature. asuswrt has such a feature. server side i found:
- ddclient (perl daemon)
- ez-ipupdate
- inadyn
- updatedd
or roll your own with just curl if your registrar gives you a url:
https://gist.github.com/gbraad/e167a509a902263ed67264f346937aae
@thechildofroth @xandris @rds @beasts
If you're having trouble getting regular certbot certificates (because that requires certbot service to talk to the computer trying to get the certificates), you can try using the certbot DNS verification for certificates (because that only needs you to prove that you control the domain name, and doesn't really talk to your servers)
https://eff-certbot.readthedocs.io/en/stable/using.html#dns-plugins
@double_a_runi @xandris @rds @beasts I've continued to chase this around today and it does appear that there's no simple way around the CGNAT address issued by my ISP. I've reached out to them to find out what options they have to circumvent it.
@thechildofroth @xandris @rds @beasts if you've gotten the certificates in order, and are now only worried about access from outside your LAN, have you considered tailscale?
@double_a_runi @xandris @rds @beasts I've just seen reference to this as I read around bypassing CGNAT. It's available as a simple install from dietpi-software so I'm going to have a play.
Any particular tips/pointers/advice gratefully received!
@double_a_runi @xandris @rds @beasts Hmm, not as obvious as I'd hoped (or I've still got errors elsewhere in my setup). I installed Tailscale, registered an account and attached my server to it, then amended my dns records to point my domain at the tailscale IP instead but currently still not getting through to Jellyfin.
@thechildofroth @double_a_runi @rds @beasts
what do you get for a `curl -kvvv` of your server url?
@xandris @double_a_runi @rds @beasts
The main of it seems to be this (which is making me wonder if I've got something wrong with my nginx setup):
<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>
@thechildofroth @double_a_runi @rds @beasts
er how about `curl -kvvvL` sorry
@thechildofroth @double_a_runi @rds @beasts
it looks like it's working... in the browser you don't see anything? does the browser's developer tools show any errors on the Console or Network tabs?
@xandris @double_a_runi @rds @beasts Browser request times out with nothing happening in console or network tabs of the developer console.
Is it possible I've got something wrong in the Jellyfin 'network' settings? I've got 'allow remote connections' and 'enable automatic port mapping' ticked.
@thechildofroth @double_a_runi @rds @beasts
are you running curl and the browser from the same machine?
try this:
1. open a new tab
2. open the developer tools
3. switch to the network tab
4. check the box to "persist logs" (it might be hidden in a menu, click the gear icon or "…" icon if you don't see it
5. in the address bar, type the full url including protocol (https://)
6. in the Network tab, compare the first request to your curl command. is anything different?
7. right-click on the first command and choose "copy as cURL" and paste that into your terminal. what happens?
@xandris @double_a_runi @rds @beasts No, I'm using a browser on my laptop, but I'm running curl in the terminal (logged in over SSH) to my server box.
When I switched on 'persist logs' and freshly typed in the whole address I just got the same result or a timeout.
@thechildofroth @double_a_runi @rds @beasts
local connections (server to itself) will usually have fewer issues. is there any way you can run curl from the laptop?
@thechildofroth @double_a_runi @rds @beasts
ah sorry your curl log above has your ip addresses and dns name. dns still points to a CGNAT address which is why you still have this different behavior for local vs remote connections
@xandris @double_a_runi @rds @beasts Yeah, I just clocked that, although that address is the one that tailscale assigned me (not my ISP) - maybe tailscale isn't the answer?
@thechildofroth @double_a_runi @rds @beasts
so ive never used tailscale but it looks like the main usecase is a vpn, so a private network you can attach devices to. it works like a local network no matter where on the internet the devices are. if your laptop were on your tailscale network it would have access to your server using that 100.x.y.z address
this main use case doesn't imply access from the internet to your server, but skimming their docs suggests a tailscale funnel will do this:
@xandris @double_a_runi @rds @beasts That makes sense, thanks for clarifying. I can see the use of that but it's not quite what I was aiming for with my self-hosting odyssey, I just I'll just have to wait for my ISP to get back to me and hopefully get a proper IP address from them.
@thechildofroth @xandris @rds @beasts sorry that I dropped the keyword and disappeared. Yes, tailsacle is like a "build your own LAN" over the internet. Your server needs to have tailscale installed and configured, and all of your clients need to have tailscale installed and configured, and then these devices can talk to each other as if there was no NAT.
@thechildofroth @double_a_runi @rds @beasts
failing that the cloudflare thing should work. that was my backup plan if my isp didn't pony up an ip
@thechildofroth @double_a_runi @rds @beasts
do you have a ipv6 address from your isp? that ought to be unique and routable
@xandris @double_a_runi @rds @beasts Sadly not (that I can see) although they talked up rolling it out in '23 https://www.ispreview.co.uk/index.php/2023/08/uk-broadband-isp-octaplus-confirms-ipv6-readiness.html
@thechildofroth @double_a_runi @rds @beasts mine too lol what's the holdup‽ might be something you have to opt in to and configure your router to use
@xandris @double_a_runi @rds @beasts I've upgraded to a fixed IP (very speedy response from Octaplus tbf). I also asked about IPV6 apparently it's in place for PPOE customers and being rolled out to DHCP (I assume I'm one of the latter)
Anyway, things are failing with a whole new set of errors, so that's some sort of progress! Certbot is working more as expected, but when I cURL the server I get an 'empty reply'
@thechildofroth @xandris @rds @beasts if you have a fixed IP, and certbot is working (via the regular non DNS challenge), then I'm confused.
If certbot is working via the DNS challenge, then I would look at firewall and/or port forwarding
@double_a_runi @xandris @rds @beasts I've jiggered and poked so many things along the way it can't be helping, I'm just in the process of purging certbot nginx etc and reinstalling them fresh and working through the official configuration guides from scratch. Hopefully (with a 'real' IP it's as easy as it's claimed to be!
@double_a_runi @xandris @rds @beasts One (potentially dumb) quesiton. Is it sufficient to generate a certificate for the top-level of my domain, of do I have to generate separate certs for each subdomain?
@thechildofroth @xandris @rds @beasts you need to tell the certificate what domains it is valid for. You can put an explicit list in there, eg, `domain.tld, subdomain1.domain.tld, subdomain2.domain.tld`, but then it would be valid for only those 3 targets.
Alternatively, you can use a "wildcard" domain (*.domain.tld), but this will require DNS challenge from certbot, while the first alternative works via the "regular" method.
@double_a_runi @xandris @rds @beasts Thanks, and (related) is it better to have CNAME DNS records for the subdomains or should they all have their own A records?
@thechildofroth @xandris @rds @beasts I don't think it matters on a technical level. I like to have my domain have its own A / AAAA record, and all the subdomains are CNAMEs to the domain, so that if I ever have to update the actual IP address, I only have to do it in one place.
@double_a_runi @xandris @rds @beasts It working! Thanks so much for all the help.
Now to work out why the sub-domain I'd set up for Jellyfin is the only one that resolves to the Nginx default index page, whist my TLD and all the other subs I've created CNAMES for (in anticipation of adding more selfhosted services to this box) all take me to jellyfin!
@thechildofroth @double_a_runi @rds @beasts
wonderful! enjoy your new streaming server!
that last issue sounds like something is wrong with the server_name directives. you could `nginx -T | less` and see if the whole resolved config makes sense
@xandris @double_a_runi @rds @beasts Does the name / location of Letsencrypt cert make any difference? I registered a whole bunch of subdomains in a comma separated list, but I can only see one (with the name of the TLD) in /live/ so that's the one I have referenced in SSL section and in Jellyfin itself.
@thechildofroth @xandris @rds @beasts no, the name/path of the certificate doesn't matter. It does look like server_name directive be the most likely culprit here.
@thechildofroth @double_a_runi @rds @beasts
you can `openssl x509 -noout -text < /path/to/cert` to inspect it for the right names (look in the extensions for SubjectAlternativeName) but that would only affect whether you get a lock icon in the browser
@thechildofroth @double_a_runi @rds @beasts
just a little primer; when starting the tls connection, the browser sends a server name indicator (SNI), a string containing the hostname from the address bar. whatever that is should match the server_name directive in the server { } block for jellyfin
@xandris @double_a_runi @rds @beasts I can see all the subdomains I registered in there. I suspect my misunderstanding is that I I've somehow made them all aliases of each other (rather than distinct domains)?
(although that doesn't explain why the jellyfin.domain one is the only one that resolves to the default nginx page, but all the others open jellyfin)
jellyfin.domain is the only thing that's stated in the conf that's linked in to site-enabled (and that's the only file in that folder)
@thechildofroth @double_a_runi @rds @beasts
keep in mind the browser only uses dns to find the servers address. after that, nginx routing is based on sni and path mainly. if you can get to the server at all your dns setup is good enough
@thechildofroth @xandris @rds @beasts so, how nginx works is, that it maps a domain name to what to serve to that domain name. but it also has a "catch all" configuration, given by the `default` directive. so you can have something like
`listen 80 default_server;`
and then, no matter what the domain name is, it will go to that server. But this is just a fallback, if your domain matches any other config, that will be used. (part 1)
@double_a_runi @xandris @rds @beasts I thought I had a handle on this, that's why 'default' only exists (as a back up) in sites-available, I removed it from site-enabled so the only thing in there is the jellyfin config and that's as per what's described in the instructions here: https://jellyfin.org/docs/general/networking/nginx/
@thechildofroth @xandris @rds @beasts
The nginx config is a bunch of moving parts dynamically combined into one huge rulebook for the server. It doesn't care about the names of the server config files (in particular, it means the file called `default`has nothing to do with the default directive). What `nginx -T` does, is show you the result of all this dynamic magic. Its the "source of truth" for what nginx thinks the config should be.
@thechildofroth @xandris @rds @beasts
So, what I guess is happening in your case, is that you have somewhere set your jellyfin server to be default. And elsewhere, you have a server block which has `server_name jellyfin.subdomain;`. So, just for that one domain, you get something different than the catch all (part 2)
@thechildofroth @xandris @rds @beasts
It doesn't matter how many config files you have. It is best practice to break out each server block into one file, but its not required. So, it is possible you have two separate server blocks in your one file. But nginx is where you should be focusing your attention. We could probably help more if we could see the config file.
@thechildofroth @double_a_runi @rds @beasts
i could take a gander at your (redcated) config
`nginx -T | sed 's/secret-stuff/redacted' > redacted-config`
and put that on pastebin. or something like that
@xandris @thechildofroth @rds @beasts
I'd just like to point out that 's/secret-stuff/redacted/` doesn't automatically redact your config. It just changes the string `secret-stuff` to `redacted` in your config file. Obvious, yes, but lets be triple sure, lest you paste something unexpected on the internet.
@double_a_runi @thechildofroth @rds @beasts
ya please go over it in an editor first and find and replace identifying info
@thechildofroth @double_a_runi @rds @beasts
here's someone in your situation and how they used cloudflare tunnel to overcome cg-nat
https://www.ismoothstar.com/2024/12/04/self-hosting-on-homelab-behind-cgnat/