Back

@thechildofroth @xandris @rds @beasts if you've gotten the certificates in order, and are now only worried about access from outside your LAN, have you considered tailscale?

@double_a_runi @xandris @rds @beasts I've just seen reference to this as I read around bypassing CGNAT. It's available as a simple install from dietpi-software so I'm going to have a play.

Any particular tips/pointers/advice gratefully received!

@double_a_runi @xandris @rds @beasts Hmm, not as obvious as I'd hoped (or I've still got errors elsewhere in my setup). I installed Tailscale, registered an account and attached my server to it, then amended my dns records to point my domain at the tailscale IP instead but currently still not getting through to Jellyfin.

@thechildofroth @double_a_runi @rds @beasts

what do you get for a `curl -kvvv` of your server url?

@xandris @double_a_runi @rds @beasts

The main of it seems to be this (which is making me wonder if I've got something wrong with my nginx setup):

<html>
<head><title>301 Moved Permanently</title></head>
<body>
<center><h1>301 Moved Permanently</h1></center>
<hr><center>nginx/1.22.1</center>
</body>
</html>

@thechildofroth @double_a_runi @rds @beasts

er how about `curl -kvvvL` sorry

@xandris @double_a_runi @rds @beasts

https://pastebin.com/5hUCLVPD

@thechildofroth @double_a_runi @rds @beasts

it looks like it's working... in the browser you don't see anything? does the browser's developer tools show any errors on the Console or Network tabs?

@xandris @double_a_runi @rds @beasts Browser request times out with nothing happening in console or network tabs of the developer console.

Is it possible I've got something wrong in the Jellyfin 'network' settings? I've got 'allow remote connections' and 'enable automatic port mapping' ticked.

@thechildofroth @double_a_runi @rds @beasts

are you running curl and the browser from the same machine?

try this:

1. open a new tab
2. open the developer tools
3. switch to the network tab
4. check the box to "persist logs" (it might be hidden in a menu, click the gear icon or "…" icon if you don't see it
5. in the address bar, type the full url including protocol (https://)
6. in the Network tab, compare the first request to your curl command. is anything different?
7. right-click on the first command and choose "copy as cURL" and paste that into your terminal. what happens?

@xandris @double_a_runi @rds @beasts No, I'm using a browser on my laptop, but I'm running curl in the terminal (logged in over SSH) to my server box.

When I switched on 'persist logs' and freshly typed in the whole address I just got the same result or a timeout.

@thechildofroth @double_a_runi @rds @beasts

ah sorry your curl log above has your ip addresses and dns name. dns still points to a CGNAT address which is why you still have this different behavior for local vs remote connections

@xandris @double_a_runi @rds @beasts Yeah, I just clocked that, although that address is the one that tailscale assigned me (not my ISP) - maybe tailscale isn't the answer?

@thechildofroth @double_a_runi @rds @beasts

so ive never used tailscale but it looks like the main usecase is a vpn, so a private network you can attach devices to. it works like a local network no matter where on the internet the devices are. if your laptop were on your tailscale network it would have access to your server using that 100.x.y.z address

this main use case doesn't imply access from the internet to your server, but skimming their docs suggests a tailscale funnel will do this:

https://tailscale.com/kb/1223/funnel

@xandris @double_a_runi @rds @beasts That makes sense, thanks for clarifying. I can see the use of that but it's not quite what I was aiming for with my self-hosting odyssey, I just I'll just have to wait for my ISP to get back to me and hopefully get a proper IP address from them.

@thechildofroth @double_a_runi @rds @beasts

do you have a ipv6 address from your isp? that ought to be unique and routable

@xandris @double_a_runi @rds @beasts Sadly not (that I can see) although they talked up rolling it out in '23 https://www.ispreview.co.uk/index.php/2023/08/uk-broadband-isp-octaplus-confirms-ipv6-readiness.html

@thechildofroth @double_a_runi @rds @beasts mine too lol what's the holdup‽ might be something you have to opt in to and configure your router to use

@xandris @double_a_runi @rds @beasts I've upgraded to a fixed IP (very speedy response from Octaplus tbf). I also asked about IPV6 apparently it's in place for PPOE customers and being rolled out to DHCP (I assume I'm one of the latter)

Anyway, things are failing with a whole new set of errors, so that's some sort of progress! Certbot is working more as expected, but when I cURL the server I get an 'empty reply'

@thechildofroth @xandris @rds @beasts if you have a fixed IP, and certbot is working (via the regular non DNS challenge), then I'm confused.
If certbot is working via the DNS challenge, then I would look at firewall and/or port forwarding

@double_a_runi @xandris @rds @beasts One (potentially dumb) quesiton. Is it sufficient to generate a certificate for the top-level of my domain, of do I have to generate separate certs for each subdomain?

@thechildofroth @xandris @rds @beasts you need to tell the certificate what domains it is valid for. You can put an explicit list in there, eg, `domain.tld, subdomain1.domain.tld, subdomain2.domain.tld`, but then it would be valid for only those 3 targets.

Alternatively, you can use a "wildcard" domain (*.domain.tld), but this will require DNS challenge from certbot, while the first alternative works via the "regular" method.

@double_a_runi @xandris @rds @beasts Thanks, and (related) is it better to have CNAME DNS records for the subdomains or should they all have their own A records?

@thechildofroth @xandris @rds @beasts I don't think it matters on a technical level. I like to have my domain have its own A / AAAA record, and all the subdomains are CNAMEs to the domain, so that if I ever have to update the actual IP address, I only have to do it in one place.

@double_a_runi @xandris @rds @beasts It working! Thanks so much for all the help.

Now to work out why the sub-domain I'd set up for Jellyfin is the only one that resolves to the Nginx default index page, whist my TLD and all the other subs I've created CNAMES for (in anticipation of adding more selfhosted services to this box) all take me to jellyfin!

@thechildofroth @double_a_runi @rds @beasts

just a little primer; when starting the tls connection, the browser sends a server name indicator (SNI), a string containing the hostname from the address bar. whatever that is should match the server_name directive in the server { } block for jellyfin

@xandris @double_a_runi @rds @beasts I can see all the subdomains I registered in there. I suspect my misunderstanding is that I I've somehow made them all aliases of each other (rather than distinct domains)?

(although that doesn't explain why the jellyfin.domain one is the only one that resolves to the default nginx page, but all the others open jellyfin)

jellyfin.domain is the only thing that's stated in the conf that's linked in to site-enabled (and that's the only file in that folder)

@thechildofroth @double_a_runi @rds @beasts

i could take a gander at your (redcated) config

`nginx -T | sed 's/secret-stuff/redacted' > redacted-config`

and put that on pastebin. or something like that

@xandris @thechildofroth @rds @beasts

I'd just like to point out that 's/secret-stuff/redacted/` doesn't automatically redact your config. It just changes the string `secret-stuff` to `redacted` in your config file. Obvious, yes, but lets be triple sure, lest you paste something unexpected on the internet.