
Best Practice for a Secure Emby Installation


jon_

Recommended Posts

darkassassin07

Adding cloudflare in front of your existing proxy setup adds a little bit of extra security imo. It will filter out at least some of the malicious traffic while providing some handy features + statistics that you don't have to manage yourself.

 

In the end you will have to look through what cloudflare has to offer and see if you want to bother with it.

 

From my short experience with it, I haven't found any real downside yet and getting set up with it was really simple compared to something like nginx.

 
As far as re-directing traffic from your ip to your domain goes, in your nginx config:

 

You could have two separate server blocks, one being the 'default_server' where the server name doesn't really matter and the other being your emby server with the server name set to your domain name.

In the default server have a single location '/' that returns a 301 redirect to your domain name.

 

Any traffic that comes in without using the correct domain name (direct ip access, a different domain, etc) should redirect to the correct domain name.

 

 

I'm out of time so I can't spin up an example config, but I can post an example after work if you like.

Link to comment
Share on other sites

neik

Thank you for all the information, @darkassassin07.

 

I'm out of time so I can't spin up an example config, but I can post an example after work if you like.

 

Me and probably others as well would very much appreciate it. Thanks!

Link to comment
Share on other sites

darkassassin07

Alright, I have made a quick example for you. It's not a full config, you will want to adapt it to your existing setup ofc.

 

Small disclaimer, I am by no means a professional. I'm barely better than a total noob and have only been detailing my own experience from myself learning and setting this up recently.

 

 

 

You will want to replace every instance of 'emby.mydomain.example' with your own domain name. The 'emby.' part isn't important; you can use just a base domain if you like.

http {
    server {
        #requests sent to port 8920 that don't match a server name elsewhere will be processed here because of default_server
        listen 8920 ssl default_server;
 
        #redirect non-https requests which would normally get a 497 http error in this server block to the correct url
        error_page 497 https://emby.mydomain.example:8920;
 
        #redirect all https requests to the correct url
        location / {
            return 301 https://emby.mydomain.example:8920;
        }
    }
    server {
        #requests sent to port 8920 that used emby.mydomain.example to get there will be processed here
        server_name emby.mydomain.example;
        listen 8920 ssl;
        error_page 497 https://emby.mydomain.example:8920;

        # this is where your actual proxy to emby goes
        #location / {
        #proxy_pass http://[your emby server ip or localhost]:8096/;
        # http://  from nginx to emby is all that's necessary as long as they are both on the same lan/machine
        #}
    }
}
 
This should do what you were asking about, however it's not super necessary. If you were to remove the top server block altogether and make the actual proxy the default_server, emby would function exactly the same; the only difference is the url the user sees in the browser stays as the one they typed in instead of automatically changing to your domain.

Edited by darkassassin07
  • Like 1
Link to comment
Share on other sites

darkassassin07

Personally, I have my default_server always return a 401 (not authorized), then have my actual named emby proxy server block function as normal.

 

Myself and anyone I would be giving access to will always be typing in the actual domain name, not hunting down the IP address and connecting with that or any other method really. Pretty much any traffic that would be accessing my server by any means other than the correct domain has no business being there, thus a 'not authorized' response.

 
To get that functionality with the above config, just change line 11 from 'return 301 etc....' to 'return 401;', and remove line 7 altogether.

  • Like 2
Link to comment
Share on other sites

  • 3 months later...
crusher11

Personally, I have my default_server always return a 401 (not authorized), then have my actual named emby proxy server block function as normal.

 

Myself and anyone I would be giving access to will always be typing in the actual domain name, not hunting down the IP address and connecting with that or any other method really. Pretty much any traffic that would be accessing my server by any means other than the correct domain has no business being there, thus a 'not authorized' response.

 
To get that functionality with the above config, just change line 11 from 'return 301 etc....' to 'return 401;', and remove line 7 altogether.

I've got the following in my setup:

## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}

##EMBY Server##

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name subdomain.domain.com;

What would I need to do to set up your 401 response? What's the 301 response doing in this case? Yours above clearly redirects to a domain, but this one is using some sort of variable.

Link to comment
Share on other sites

darkassassin07

The 301 response in your config is telling traffic that comes in on port 80 using http to instead try the same request, but send it to port 443 and use https.

 

To add the 401 I mentioned, add another server block like this one:

 

server {
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    return 401;
}
(and be sure you don't have 'default_server' in any of the other server blocks that listen on port 443, the one on port 80 is fine)

 

Any request to port 443 https that doesn't specify a hostname matching another server block's 'server_name' will be handled by this one. This server block simply returns 401 to everything.

 
Once this is configured, you must use the domain name to connect. Trying to connect using just the ip of the server even if you ignore the ssl error will give you a 401 response.

Edited by darkassassin07
  • Like 1
Link to comment
Share on other sites

crusher11

Hmm. Gave it a go and I'm getting timeout errors on all addresses now. From Cloudflare if I go via my domain, from my browser if I try the IP with either port.

Link to comment
Share on other sites

darkassassin07

So if I do that and someone tries the IP through port 80, it'll reroute to port 443 and throw the 401?

It should, yes. But if someone tried the correct domain name through port 80, they should properly get redirected to your emby server.

 

 

If you post your whole config, I can take a look and see where things may be going wrong.

 

Getting a timeout error instead of a 401 tells me nginx probably failed to start due to a faulty config. But that's just speculation. Anything in nginx/logs/error.log?

Edited by darkassassin07
Link to comment
Share on other sites

crusher11

Per the error log, no SSL certificate is defined for the "listen...ssl" directive in the server block you told me to paste.

 

Here's the relevant part of my config:

## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 301 https://$host$request_uri;
}
server {
    listen [::]:443 ssl http2 default_server;
    listen 443 ssl http2 default_server;
    return 401;
}

##EMBY Server##

server {
    listen [::]:443 ssl http2;
    listen 443 ssl http2;
    server_name subdomain.domain.com;

    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate      SSL/cert.pem;
    ssl_certificate_key  SSL/private.key;
    ssl_session_cache shared:SSL:10m;

Do I need to paste the certificate bits from the Emby Server block into the Default block?

Link to comment
Share on other sites

fizzyade

5) Don't run remote access on standard ports. Most online vulnerability scanners and/or hacking scripts look for services on standard ports - 80, 443, 8096 etc. In general, you can pick any port you like for the remote access port - anything between 1024 and 65535. If you pick a random port it makes it a lot less likely that you will show up on sites like Shodan which are one of the ways bad guys look for systems to attack.

 

I’d argue that this is “security by obscurity”, this is only generally a problem if you’re using insecure passwords like “password”.

 

Otherwise all you’re really doing is removing noise from log files. You should be using unique strong passwords that are never reused anywhere else, use bitwarden, lastpass, keepass, 1password or your other favourite password manager to generate and store secure passwords.

 

When the standard passwords don't work they'll move on to the next ip to attack. If you're really worried about brute forcing, then use fail2ban; you shouldn't be getting the password wrong because it's stored in a password manager, so if you're getting repeated failures then fail2ban will take care of that.

 

Always generate long and random passwords and never reuse them.

 

I run untangle as my firewall and it has IPS/IDS turned on. I see quite a few attempts each day, from trying various exploits to port scans, but I've never felt the need to enable IPS, I just find it amusing to look at the logs.

Link to comment
Share on other sites
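The behaviour fizzyade is relying on from fail2ban, as an added Python example (not fail2ban's code and not anything posted in this thread): count failed logins per source address inside a sliding window and report the addresses that cross the threshold. The log lines and their format are constructed for the demo and are not Emby's real log format; the `maxretry` and `findtime` parameters are named after fail2ban's jail options of the same meaning.

```python
"""Sliding-window failed-login detector, the core idea behind a fail2ban jail.
Added example: the log format below is constructed and is NOT Emby's log format."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log: "<iso timestamp> <event> user=<name> ip=<address>".
# 203.0.113.9 hammers the login in seconds, 198.51.100.20 fails slowly over
# half an hour, 192.0.2.5 mistypes once and then logs in; one line is unrelated.
SAMPLE_LOG = """\
2024-05-01T10:00:01 LoginFailed user=admin ip=203.0.113.9
2024-05-01T10:00:02 LoginFailed user=admin ip=203.0.113.9
2024-05-01T10:00:02 Server started
2024-05-01T10:00:03 LoginFailed user=root ip=203.0.113.9
2024-05-01T10:00:04 LoginFailed user=emby ip=203.0.113.9
2024-05-01T10:00:05 LoginFailed user=test ip=203.0.113.9
2024-05-01T10:00:06 LoginFailed user=guest ip=203.0.113.9
2024-05-01T10:01:00 LoginFailed user=alice ip=198.51.100.20
2024-05-01T10:15:00 LoginFailed user=alice ip=198.51.100.20
2024-05-01T10:30:00 LoginFailed user=alice ip=198.51.100.20
2024-05-01T10:31:00 LoginFailed user=bob ip=192.0.2.5
2024-05-01T10:31:10 LoginOk user=bob ip=192.0.2.5
"""

# Only lines of the constructed shape are parsed; everything else is ignored,
# the way a fail2ban failregex ignores lines it does not match.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<event>LoginFailed|LoginOk) user=(?P<user>\S+) ip=(?P<ip>\S+)$"
)


def find_offenders(log_text, maxretry=5, findtime=600):
    """Return {ip: timestamp of the failure that reached maxretry}.

    An address is reported once it has `maxretry` failures within any
    `findtime`-second window (fail2ban semantics: findtime = 600, maxretry = 5
    means five failures inside ten minutes).  A successful login does not
    clear earlier failures, matching fail2ban's default behaviour.
    """
    window = timedelta(seconds=findtime)
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    offenders = {}

    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m is None or m["event"] != "LoginFailed":
            continue
        ip = m["ip"]
        if ip in offenders:
            continue              # already reported; a real jail would have banned it
        ts = datetime.fromisoformat(m["ts"])
        q = recent[ip]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()           # drop failures that have aged out of the window
        if len(q) >= maxretry:
            offenders[ip] = ts
    return offenders


if __name__ == "__main__":
    # Defaults: the fast attacker is caught, the slow one and the typo are not.
    print(find_offenders(SAMPLE_LOG))
    # A tighter jail (3 failures in an hour) also catches the slow guesser.
    print(find_offenders(SAMPLE_LOG, maxretry=3, findtime=3600))
```

The only tunables are the two fail2ban knobs, so the same code shows why the defaults let a slow, spaced-out guesser through: with `findtime=600` the 14-minute gap evicts the earlier failure before the count ever reaches three.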

Per the error log, no SSL certificate is defined for the "listen...ssl" directive in the server block you told me to paste.


Do I need to paste the certificate bits from the Emby Server block into the Default block?

 

Yes, you will.

 

If you are using cloudflare or similar the return 401 action *may* get called all of the time - because your client connects to cloudflare by domain name, and then cloudflare probably connects to your machine via IP. If you find that cloudflare suddenly stops working you may need to disable this. 

Link to comment
Share on other sites

darkassassin07

Per the error log, no SSL certificate is defined for the "listen...ssl" directive in the server block you told me to paste.

 

Here's the relevant part of my config:

Do I need to paste the certificate bits from the Emby Server block into the Default block?

Yup, that's exactly your issue. You can either copy all your 'ssl_' lines from your emby server block to the new one, or just move the originals outside the emby server block so you have:

 

http {
    ssl_certificate.......
    ssl_certificate_key....
    ssl_etc....

    server {
        #server block
    }

    server {
        #server block
    }
}
Edited by darkassassin07
Link to comment
Share on other sites

darkassassin07

If you are using cloudflare or similar the return 401 action *may* get called all of the time - because your client connects to cloudflare by domain name, and then cloudflare probably connects to your machine via IP. If you find that cloudflare suddenly stops working you may need to disable this.

This isn't true. Cloudflare passes the hostname the client used to connect and correctly accesses the intended server block. (I have this running myself behind cloudflare)

Link to comment
Share on other sites
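A small model of the server-block selection the thread keeps coming back to (the `default_server` / `return 401` block, the port-80 `return 301 https://$host$request_uri` redirect, the missing-certificate failure crusher11 hit, and the Cloudflare point just above), as an added Python example. This is not nginx's code and not a config from the thread; it reproduces only nginx's documented rule that a request goes to the block whose `server_name` matches the Host/SNI value, else to that port's `default_server`, else to the first block declared on the port. The domain and addresses are constructed (the domain is the thread's placeholder), and the upstream address in the "proxy" action is assumed.

```python
"""Model of nginx server-block selection for the configs discussed in this thread.
Added example: not nginx's code, not the forum's config. Exact server_names and
leading '*.' wildcards are modelled; regex server_names are not."""
from dataclasses import dataclass

EMBY = "emby.mydomain.example"   # the thread's placeholder domain (constructed)


@dataclass(frozen=True)
class Server:
    port: int
    names: tuple          # server_name values; () for a nameless block
    action: str           # "proxy", "401" or "redirect-https" (labels used by this model)
    default: bool = False # listen ... default_server
    ssl: bool = False     # listen ... ssl
    cert: bool = False    # ssl_certificate present in the block or inherited from http {}


# The working layout darkassassin07 ends up with: port 80 redirects to https
# preserving the requested host, port 443 answers 401 unless the name matches.
CONFIG = [
    Server(80, ("_",), "redirect-https", default=True),
    Server(443, (), "401", default=True, ssl=True, cert=True),
    Server(443, (EMBY,), "proxy", ssl=True, cert=True),
]


def bare_host(host):
    """Mimic nginx's $host: lower-case, with any :port removed (IPv6 literals keep brackets)."""
    host = host.lower()
    if host.startswith("["):
        return host[: host.index("]") + 1]
    return host.split(":", 1)[0]


def name_matches(pattern, host):
    """Exact name, or '*.suffix' wildcard (which does not match the bare suffix itself)."""
    if pattern.startswith("*."):
        return host.endswith(pattern[1:])
    return host == pattern


def select(servers, port, host):
    """Pick the block for a request on `port` whose Host header / TLS SNI value is `host`."""
    host = bare_host(host)
    on_port = [s for s in servers if s.port == port]
    for s in on_port:                      # 1. a matching server_name wins
        if any(name_matches(n.lower(), host) for n in s.names):
            return s
    for s in on_port:                      # 2. otherwise the default_server for the port
        if s.default:
            return s
    return on_port[0] if on_port else None # 3. otherwise the first block on the port


def check_config(servers):
    """The two start-up refusals relevant here: an ssl listener without a certificate
    (crusher11's error) and two default_server blocks on one port."""
    errors = []
    for s in servers:
        if s.ssl and not s.cert:
            errors.append(f'no ssl_certificate is defined for "listen {s.port} ssl" '
                          f'in the {s.names or "unnamed default"} block')
    for port in sorted({s.port for s in servers}):
        if sum(1 for s in servers if s.port == port and s.default) > 1:
            errors.append(f"more than one default_server on port {port}")
    return errors


def handle(servers, port, host, uri="/"):
    """What the caller gets back: ('301', location), ('401', None) or ('200', upstream)."""
    s = select(servers, port, host)
    if s is None:
        return ("refused", None)           # nothing listens on that port
    if s.action == "redirect-https":       # return 301 https://$host$request_uri
        return ("301", f"https://{bare_host(host)}{uri}")
    if s.action == "401":
        return ("401", None)
    return ("200", f"proxied to http://127.0.0.1:8096{uri}")   # assumed upstream address


if __name__ == "__main__":
    cases = [
        (443, "198.51.100.7", "/web/index.html"),        # raw IP in SNI/Host -> 401
        (443, EMBY, "/web/index.html"),                  # correct name -> proxied
        (443, "EMBY.MyDomain.Example:443", "/"),        # names are case-insensitive
        (80, "198.51.100.7", "/web/index.html"),         # http -> 301 to https, same host
    ]
    for port, host, uri in cases:
        print(port, host, uri, "->", handle(CONFIG, port, host, uri))
    # Cloudflare reaches the origin by IP but sends the client's hostname as
    # Host/SNI, so it is the second case above, not the first.
    broken = [CONFIG[0], Server(443, (), "401", default=True, ssl=True), CONFIG[2]]
    print(check_config(broken))
```

The last two lines model crusher11's failure: the 401 block listens with `ssl` but has no certificate of its own and none at `http {}` level, so nginx refuses to start and every address times out rather than returning 401, which is exactly what the timeout symptom in the thread pointed to.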
