Can't Connect via https


wex101

I can connect to my server via http perfectly fine, but am unable to connect via https.  I don't know much about networks, but have been reading up a bit.  Is this an ssl issue?  And if so, is there someplace on the web I can go to learn how to get an ssl certificate?


pir8radio

You may want to give the group some more info.. Like how are you trying to connect, internal network, or externally via the internet? Are you using the https port? Example: https://yourserver:8920 (or whatever your https port is set to)

 

Emby comes with a built in cert that will give you a warning when browsing to it...  This cert will still encrypt your traffic but isn't third party verified, if you don't want the warning to pop up, you will need to purchase a cert from a third party.


wex101

I'm trying to connect externally through Firefox on my laptop. I can connect fine to the http address, but not the https address. I'm on the default port 8920 which has been forwarded properly.

 

Thank you for the help!


I'm trying to connect externally through Firefox on my laptop. I can connect fine to the http address, but not the https address. I'm on the default port 8920 which has been forwarded properly.

 

Thank you for the help!

 

Can you describe exactly what you are doing? thanks.


wex101

Yes I apologize I haven't been clear! I am wanting to have my family and myself connect to my emby server externally using the https address. I am able to connect fine externally using the http address, but not with the https address. No message about security appears. The browser just returns a message that says the server is taking too long to respond and so it gives up. The 8920 port is forwarded properly, and so I was wondering if there was anything more I needed to do to get the https address working.


wex101

Yes that is what I figured as well. I already tested the port, and checked it again. It's working fine.

 

Edit: Whelp this seems to be working now.  I'm not sure what I did to get things working, but I am glad they are.

 

A couple of questions, I feel like I remember there being an option to forward any attempt to connect to the server to the https address.  I can't seem to find that option anymore in the server settings.

 

2nd, the purpose of this is because my sister will be connecting to my server at her college.  With a self signed certificate, how secure are things in case of any snooping? What all will her school's IT department be able to see? 


moviefan

With a self signed certificate, how secure are things in case of any snooping? What all will her school's IT department be able to see? 

 

Self signed cert isn't necessarily any less secure from an encryption perspective.

 

Since the certificate cannot be verified by a third party, the potential risk is that someone could do a MITM (man-in-the-middle) attack and make her think she is connecting to your server to steal the credentials or snoop on the traffic.  This isn't going to happen.

 

The certificate warnings can be an annoyance though.

 

You can get validated certificates for free from letsencrypt.org or startssl.com.  This would allow remote users to both validate they are talking to your server, and not receive any warnings.


wex101

Got it. Thank you for those links. And what about the university monitoring traffic? Will they be able to tell what she is viewing by snooping on the traffic?


pir8radio

 

2nd, the purpose of this is because my sister will be connecting to my server at her college.  With a self signed certificate, how secure are things in case of any snooping? What all will her school's IT department be able to see? 

 

It depends on what the school does with their traffic...    We do transparent SSL/HTTPS interception.   More and more places are doing this, so who knows if they are or not..  She should be able to go to https://google.com and click the Lock icon in the browser, check if the cert was re-signed or is a totally different cert.  That will usually give you a hint if they are intercepting ssl traffic. She could have installed the root cert with little scary warning, then never asked/warned again..

 

Here is some material on a similar device as the one we use (note the bold text at the end):

 

 

Transparent SSL Decryption / Encryption

 

The main function of the SSL Visibility Appliance is to decrypt SSL traffic to obtain the plaintext sent within the SSL encrypted session. The plaintext information is fed to one or more attached device(s) for processing or analysis. As the plaintext data stream is repackaged as a valid TCP stream, applications that are hosted on the attached device(s) do not need to be modified to process the received plaintext stream.

 

❐ The SSL Visibility Appliance provides SSL Inspection capabilities to existing devices.

 

The collection of SSL Visibility Appliance interfaces that are used to connect to the network carrying the traffic that is being inspected and to the attached appliances that are processing the traffic is called a "segment". Depending on how the appliance is connected, and on how many attached appliances are connected, a segment may contain up to 8 interfaces. When used in Active-Inline (AI) mode or Passive-Inline (PI) mode the SSL Visibility Appliance acts as a fully transparent proxy: the Ethernet ports used to connect it to the data network do not have IP addresses, and the other devices in the network are unaware that the SSL Visibility Appliance has been installed. Unlike a non transparent proxy which requires that client machines are configured to send traffic to the IP address associated with the proxy there are no changes required to clients or other network equipment when installing the SSL Visibility Appliance.

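Added example (not part of any post in this thread): the two checks discussed above, pinning a self-signed certificate's fingerprint and comparing a site's issuer against what a trusted network shows, written in Python. The sample bytes and issuer names are constructed stand-ins; port 8920 is the Emby HTTPS default mentioned earlier.

```python
import hashlib
import hmac
import socket
import ssl

def normalize_fp(fp: str) -> str:
    """Accept 'AB:CD:...' (as browsers show it) or plain hex; return lowercase hex."""
    cleaned = fp.replace(":", "").replace(" ", "").lower()
    if len(cleaned) != 64 or any(c not in "0123456789abcdef" for c in cleaned):
        raise ValueError("expected a SHA-256 fingerprint (64 hex digits)")
    return cleaned

def fingerprint(der: bytes) -> str:
    """SHA-256 over the DER-encoded certificate, the value browsers display."""
    return hashlib.sha256(der).hexdigest()

def fetch_der(host: str, port: int = 8920, timeout: float = 5.0) -> bytes:
    """Return the leaf cert the network path presents. CA validation is off on
    purpose: a self-signed cert fails it, so the pin authenticates instead."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((host, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock, server_hostname=host) as tls:
            return tls.getpeercert(binary_form=True)

def pin_matches(der: bytes, pinned_fp: str) -> bool:
    """True only if the presented cert is byte-for-byte the pinned one."""
    return hmac.compare_digest(fingerprint(der), normalize_fp(pinned_fp))

def issuer_fields(cert: dict) -> dict:
    """Flatten the nested 'issuer' tuples of SSLSocket.getpeercert()."""
    return {key: value for rdn in cert.get("issuer", ()) for key, value in rdn}

def issuer_changed(baseline: dict, observed: dict) -> bool:
    """Same site, different issuer than on a trusted network: likely re-signed."""
    return issuer_fields(baseline) != issuer_fields(observed)

# Constructed sample data (stand-ins, not real certificates or CA names).
HOME_DER = b"constructed DER bytes: server's own self-signed cert"
CAMPUS_DER = b"constructed DER bytes: cert re-signed by a proxy"
PINNED = fingerprint(HOME_DER)  # recorded once on a trusted network
BASELINE = {"issuer": ((("organizationName", "Example Public CA"),),)}
ON_CAMPUS = {"issuer": ((("organizationName", "Example Campus IT"),),)}

if __name__ == "__main__":
    print("home cert matches pin:  ", pin_matches(HOME_DER, PINNED))
    print("campus cert matches pin:", pin_matches(CAMPUS_DER, PINNED))
    print("issuer changed:         ", issuer_changed(BASELINE, ON_CAMPUS))
```

A pin mismatch also occurs after a legitimate certificate renewal, so re-record the pin from a trusted network before concluding anything. The issuer dictionary is only populated by `getpeercert()` when the connection was made with certificate validation enabled.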

wex101

Freaky. Thank you for that. So potentially using SSL doesn't do jack squat to keep what she is doing private. That's disappointing!


pir8radio

Freaky. Thank you for that. So potentially using SSL doesn't do jack squat to keep what she is doing private. That's disappointing!

 

That's assuming they even inspect their SSL...  But I have been reading more and more schools are doing it for "student safety"...  It will probably become a privacy issue in schools, but in business land, they own the network and anything passing over it.     Just have her get an ipad with cellular lol.   If they have a guest network they can't expect college kids to not do this kind of stuff..   :)  


wex101

You all have been extremely helpful, thank you so much. This has been extremely educational. What exactly do they see if they inspect? She'd maybe be comfortable risking her own Internet privileges if she knew my info was secure. Obviously they'd probably have no interest in reporting to my isp, but with the potential there that'd deter her. And if so, is there an easy way to anonymize myself? I subscribe to PIA but that doesn't seem to play well with Emby.


pir8radio

I know at my work we inspect traffic for people leaking sensitive information files/emails/personal email from work PCs etc. (outbound), as well as malware/viruses (inbound)... We also log normal internet browsing stats... Chances are they would see she was streaming video, what format, what bit-rate and all of that good stuff, just not what the actual video is or was called. Emby hashes the stream names so they are not super obvious to pick out of a log. I wouldn't worry about it... Just normal watching movies on your server won't look any stranger than Netflix. In a dorm or college setting, I would venture to say that your sister would never hit their radar, I'm sure there are way worse things going in and out of that network from the rest of the students... :lol: If you are still paranoid you could pay for a VPN service, you would connect to the net through that VPN and she would use that IP to connect to your Emby. But there is a monthly cost for a good fast VPN.. I like using ExpressVPN, great speeds on most of their servers. But I think it's an overkill in your case, unless you plan on posting your server info on the dorm bulletin board....


wex101

ExpressVPN looks great, I'm actually going to strongly consider moving from PIA to them.  The extra cost seems like it may be worth it.  Do they have some sort of referral program I can send your name in to if I sign up?

 

Also, just because I've always been curious, is that what my isp sees as well then when I'm sharing out externally?  As in, because of the way Emby hashes out the streams they can't easily make out what video I'm uploading?  I know they have absolutely no interest in what I'm doing, as long as I pay the bill each month... I've just always wondered.  Also, does a VPN do anything in that regard in terms of keeping my business private from my ISP?


pir8radio

I explained the above in kind of basic terms.. lol BUT.... to keep this post from heading south... I will say VPNs come in handy for downloading stuff, and will mask what you do from your ISP.... Streaming to a handful of family probably won't hit the radar.... Don't abuse things....

 

On a side note, almost ALL ISP terms of service/usage for residential, will say you are not allowed to run a "server" of any kind on their connection...  So just having emby running and accessible via the internet is against the vast majority of ISP rules.... But most people don't ever get even a warning, because they are not abusing or over doing it.... Even though the ISP can take one look at logs and see people have been accessing your IP on a specific port.. Don't give them reason to look into the logs. Don't abuse things.. lol 

 

Here is what Comcast has to say about Emby:

 

 

I. Prohibited Uses and Activities

  • use or run dedicated, stand-alone equipment or servers from the Premises that provide network content or any other services to anyone outside of your Premises local area network (“Premises LAN”), also commonly referred to as public services or servers. Examples of prohibited equipment and servers include, but are not limited to, email, web hosting, file sharing, and proxy services and servers.

 

 

@wex101 If you end up going with ExpressVPN here is the referral info, gets us both 30 days free...

http://www.expressrefer.com/refer-a-friend/30-days-free/?referrer_id=9253122&utm_campaign=referrals&utm_medium=copy_link&utm_source=referral_dashboard


wex101

Thank you pir8radio for all the help on this! I've done a lot of reading and educating myself on network lingo, acronyms, etc... I managed to enable the telnet console on my Netgear router, forward some ports in conjunction with airvpn which I am now a member of, and have a dynamic DNS set up routed through a port and IP from airvpn that is connected to my server's https address. Even if there was little to no risk, I just never liked the idea of my family accidentally accessing my server on a wifi connection where I would prefer they didn't. This makes me feel much better, and the cost of the VPN service (only $5 a month) is well worth the peace of mind. Thank you for being so patient with me!

 

I ended up going with airvpn simply because they had the closer servers to where I live, and I like the desktop utility.

