
Security 101: Secure Connections


regid


notla49285

I've read through a few comments on here and think that some kind of out of the box option would be a good idea. To those of you on your high horse saying "well, how can it be secure if somebody else manages this?" or "just get a reverse proxy, it's set and forget!" - try and see this from a non-technical point of view.

 

I'd like to think I'm semi-technical, I've managed to set up a secure connection to my server using a domain name (though it was a pain in the arse), but have absolutely no clue what nginx is or how it works. It seems like I'm expected to know. From what I can gather, it is designed for servers. I don't have a server, I have a desktop computer with Windows home edition, like most other people. I tried to follow the guide on setting this up and got lost at the first step, mainly due to downloaded files not being as they are in the guide and acronyms/terms that are beyond me.

 

The idea couldn't be any simpler, users want remote access to their media library whilst protecting their home computers and network from attackers and protecting their media libraries from snooping ISPs or other agencies. I'd like to learn, but with less attitude and more explanation.


afullmark

[quoting notla49285's post above]

 

No, I agree; it's the reason why I just put up with Plex, despite being a lifetime Emby subscriber. I think SSL should be all in-house, out of the box.

I will help in any way I can. If you want a setup like Plex then you can use Emby Connect; it's basically the same way Plex works. You connect to a Plex server using SSL, then Plex connects to your server unencrypted.

 

The best approach is to use nginx. However what you want can be achieved without it. I run nginx on a device which is basically a desktop pc with a load of hard drives in, I call it server just for ease.

 

If you have your domain name setup and you can access your emby server using that, then you’ve already done the hard part.

 

Drop me a pm or reply here if you need any help.

 

 


cloudflare and a reverse proxy.

Thanks, I have been looking at this, as I would also use Let's Encrypt for full encryption from Cloudflare to my server. However, even with this, would Let's Encrypt be better solo? I've heard that with Cloudflare, even if you use it with Let's Encrypt, the data is still sent to their server over plain text. Not sure what to do. I don't like the idea of having a shared SSL cert (I was looking at the free plan), so with Let's Encrypt is it better just with that, or with something else?

pir8radio

[quoting notla49285's post above]

 

Emby "SERVER" is what you installed, right? It works on your desktop even though it's called Emby Server. It's just a word; it serves up content, and nginx does the same. That doesn't mean it needs a special server computer.

 

[quoting afullmark's post above]

 

 

Emby has SSL out of the box. Whether you paid more for Emby Premiere and Emby bought the SSL cert on your behalf (similar to Plex), or you pay a little less for Emby and just buy the cert yourself (Emby's model), you don't NEED nginx or any of that stuff; you just enable SSL in Emby: "Advanced/Secure Connection Mode".

pir8radio

@@pir8radio, there is no more self signed cert. It just causes too much troubleshooting with devices that reject self signed certs.

 

Ah... Well I'll fix my previous post. 


notla49285

[quoting pir8radio's post above]

 

What I was getting at is that a lot of peoples' setups are running on Windows Server with IIS services and alike running. I don't have this.

 

Will be messaging Swynol at some point for guidance on nginx.


pir8radio

[quoting notla49285's post above]

 

Yeah, I know, and I was just saying you don't need that setup. I run a "server" using regular Windows 10. Nginx is pretty easy; I think you will like it.

Then nginx provides benefits if you have more than just Emby you wish to protect on your servers, PCs, network or whatever.

If you ONLY have Emby, then go the direct SSL model to that (lots on that here).

If you have lots of other stuff (I am finding more and more), then it's just one open port on your router, and SSL to nginx will redirect to all your other stuff you may have on the backends.

I am lucky, as nginx/Let's Encrypt was just a few clicks to get working on Unraid, which I moved to (and away from Windows) about 3 months ago. Never looked back and loving it.
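One concrete shape of the "one open port on the router, SSL to nginx, everything else behind it" setup described in the post above, written here as an added example; it is not taken from the thread, from Emby, or from any Unraid template. The hostnames media.example.com and notes.example.com, the Let's Encrypt certificate paths, Emby listening on its default plain-HTTP port 8096 on the same machine, and a second service on port 9000 are all assumptions. The security-relevant points are the ones commented: only port 443 is forwarded on the router, Emby's own port is never forwarded, plain HTTP is redirected rather than served, and websocket headers are passed through because Emby's clients need them.

```nginx
# Added example: nginx as the single TLS entry point in front of Emby and one
# other internal service. Assumed: both names point (DNS/DDNS) at your router,
# the router forwards ONLY TCP 443 to this machine, Emby is bound to 8096.

# Plain HTTP: never serve the app here, just send clients to HTTPS.
server {
    listen 80;
    server_name media.example.com notes.example.com;
    return 301 https://$host$request_uri;
}

# Emby behind TLS. The common mistake is to ALSO forward 8096 on the router
# "just in case"; that exposes the unencrypted backend and bypasses all of this.
server {
    listen 443 ssl http2;
    server_name media.example.com;

    # Let's Encrypt paths (assumed; whatever your ACME client writes out).
    ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://127.0.0.1:8096;          # Emby stays plain HTTP on localhost
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;  # lets Emby build https:// URLs

        # Emby clients open websockets; without these three lines they fall back or fail.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# A second service on the same open port, selected by hostname (SNI).
# Each name needs a cert that covers it (separate cert here; one SAN cert also works).
server {
    listen 443 ssl http2;
    server_name notes.example.com;

    ssl_certificate     /etc/letsencrypt/live/notes.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/notes.example.com/privkey.pem;
    ssl_protocols TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:9000;
        proxy_set_header Host            $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
}
```

After loading this, the check worth doing from outside your network is that https://media.example.com/ works, that http://media.example.com/ redirects, and that your public IP on port 8096 does not answer at all; if it does, the router is still forwarding Emby's port directly and the proxy is being bypassed.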

Has anyone attempted a setup that utilizes ZeroTier networking? I am thinking this might be a really good option for exposing emby externally but still maintaining secure control over who can access it.


User Name

Wow! Just read this whole thread. What a BUMMER. I was all pumped up to use Emby because of all the good things I've heard. I can read English, but all this computer stuff is completely foreign to me. Sure, Plex might not be perfect, but for someone who knows nothing about setting all this stuff up, what you guys talk about would be totally impossible for me. Better to have something with Plex rather than nothing with Emby. Give me one-click protection (even if not the best) rather than nothing and I'll come back and look at Emby.

I believe if you go through Emby Connect there's some basic protection that way.

If you follow the guide it's not too complex. Just remember that you're not on your own! There's almost always someone willing to help if you have questions.

I admit that if you've just come to Emby and saw this thread, it could seem somewhat daunting.

User Name

[quoting the reply above]

 

All I've been reading is that Emby Connect is designed to make your outside connection to the server easier. Nothing about security added. Maybe I'm wrong (6-month-old articles) and Emby Connect has been updated to include at least SOME security?

From what I've read on these forums, how Plex does security really isn't different from Emby Connect.

I'm sure Emby will eventually get some type of SSL built in, but it seems the devs have bigger priorities for now.

Jdiesel

Back when Emby was able to generate a self-signed cert it was very easy to get things set up without having to mess around with things. You enabled HTTP in Emby, which would generate a self-signed cert and enable it. To get around the problem of apps not accepting the self-signed cert you could create a free CloudFlare account and point it to your server. Cloudflare will issue a signed certificate that works with all apps and also has the benefit of obfuscating your server IP.

 

 

Emby Server <--https (self signed)--> CloudFlare <--https (signed)--> Emby Clients

 

No need to generate your own certs, renew them, convert them to a pfx, setup your own reverse proxy, or really know anything about it.


Not sure how I missed this thread previously but I just read through it to get caught up.

What I like about the way I've just implemented my VPN service, is that yes, if someone got the proxy address, they can access my server. But...they don't get my WAN IP, and I can easily change the proxy. I'm not looking to make it impregnable, just make it harder.

I'm eventually going to use pfsense and then openvpn will also be used on top of the VPN service. But for now, this will work.

Doofus are you still doing it this way?  What VPN service/software are you using?

 

I disagree with this statement.

 

I work with MANY fortune 500 and fortune 100 clients on their security.

 

I do not know of a SINGLE enterprise who is using "multiple firewalls from different vendors" at their perimeter unless you are talking about a dual vendor strategy from procurement.

I do a lot of work with fortune 50-500 companies and they all use multi-vendor hardware so that a single exploit can't expose them. Often several layers deep.

 

Everyone always says Plex just works; I'm getting tired of saying it doesn't. It only encrypts the login (same as Emby Connect). Your traffic after the initial login is all over HTTP and WS.

 

[quoting the earlier reply above about Emby Connect and Plex]

This is not the case. Each and every Plex server gets its own cert. If you have Plex set to require secure connections then the whole chain is encrypted just as you would think. Plex.tv is not in the middle unless it uses a relay connection. It's used sort of like a DDNS to find your server and also as the username/password authentication, since Plex does not store passwords on the local server (which sucks). But once the authentication is done the client talks directly to the server.

 

Plex doesn't need to "man in the middle" because they already hold all the authentication username and passwords (terrible).

 

What we really want IMHO is something similar to Plex in that it helps you get a dedicated cert for your server but leaves all authentication up to the server itself without being involved in this AT ALL. It can act as the front man to find your server if you have a dynamic IP, just as any other DDNS service can presently do. Do that and Emby will be much easier to use via SSL and only a button or two clicks away. Easier said than done, of course. :)

 

Here's a decent blog entry that explain how Plex is doing it: https://blog.filippo.io/how-plex-is-doing-https-for-all-its-users/

 

What Plex does is OK, but since they ARE the authentication facility EVERYONE is always at their mercy, and when they have an outage it messes EVERYTHING up. They have far too many outages that are caused by them or by Internet routing glitches that get in the way. So in a nutshell their authentication method sucks, but the SSL implementation itself is fine.

 

The SUPER SCARY part of the Plex implementation is that a single data breach (they had them before) can/has exposed all client records to the internet and made all servers vulnerable until all users changed their passwords (never happens).  In Emby land if one server (yours or mine) was somehow exposed/breached it only affects a few users of that particular server and not EVERY Emby server on the planet. We as the admin of said server can force each user we share with to change passwords or even account names if needed as WE control authentication on our own servers (much better).  Emby's approach in this regard is so much better!

 

Plex can also expose a server on the Internet if it hasn't been "claimed" (admin hasn't linked it to their plex.tv account) and this essentially gives the world admin rights to the server.  What would be helpful from a security standpoint in Emby is to NOT ALLOW a server to be exposed to the Internet if all user accounts don't have passwords set.  No password, no remote access, period type thing.

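The "no password, no remote access" rule suggested at the end of the post above, as an added example of the pre-exposure check an admin (or the server itself) could run before enabling remote access; this is not Emby's code. It assumes the JSON shape of Emby's /System/Configuration and /Users responses (field names EnableRemoteAccess, RequireHttps, CertificatePath, HasPassword, Policy.EnableRemoteAccess, Policy.IsAdministrator), which should be confirmed against a real server, and the data it runs on is constructed here rather than captured. It also folds in the transport point made elsewhere in the thread: a server with remote access on but no certificate, or with a certificate but HTTPS not required, is flagged too.

```python
"""Pre-exposure audit for an Emby server (added example, not Emby's code).

Rule: do not open the server to the Internet while any account allowed to
log in remotely has no password, or while remote sessions would not be
forced onto HTTPS. The field names are assumptions about the JSON returned
by Emby's /System/Configuration and /Users endpoints; verify them against
your own server before relying on this.
"""
from __future__ import annotations

import json


def audit_exposure(config: dict, users: list[dict]) -> list[str]:
    """Return findings; any 'BLOCK' finding means remote access should stay off."""
    findings: list[str] = []
    if not config.get("EnableRemoteAccess", False):
        return findings  # nothing is reachable from outside, nothing to block

    # 1. Accounts: every account that can authenticate from outside needs a password.
    for user in users:
        name = user.get("Name", "<unnamed>")
        policy = user.get("Policy", {})
        has_password = bool(user.get("HasPassword", False))
        if policy.get("IsAdministrator", False) and not has_password:
            findings.append(f"BLOCK: administrator '{name}' has no password")
        elif policy.get("EnableRemoteAccess", True) and not has_password:
            findings.append(f"BLOCK: user '{name}' may log in remotely without a password")

    # 2. Transport: remote traffic must be TLS, not merely TLS-capable.
    if not config.get("CertificatePath"):
        findings.append("BLOCK: no certificate configured; remote sessions would run over plain HTTP")
    elif not config.get("RequireHttps", False):
        findings.append("WARN: certificate configured but HTTPS is not required; "
                        "clients can still connect over plain HTTP")
    return findings


def safe_to_expose(config: dict, users: list[dict]) -> bool:
    """True only when the audit raises no BLOCK finding."""
    return not any(f.startswith("BLOCK") for f in audit_exposure(config, users))


# Constructed sample data shaped like the two API responses (not from a real server).
SAMPLE_CONFIG = {"EnableRemoteAccess": True, "RequireHttps": False, "CertificatePath": ""}
SAMPLE_USERS = [
    {"Name": "alice", "HasPassword": False,
     "Policy": {"IsAdministrator": True, "EnableRemoteAccess": True}},
    {"Name": "kids", "HasPassword": False,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True}},
    {"Name": "bob", "HasPassword": True,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": True}},
    # LAN-only account with no password: allowed, because it cannot log in remotely.
    {"Name": "tv-lan-only", "HasPassword": False,
     "Policy": {"IsAdministrator": False, "EnableRemoteAccess": False}},
]

# The same server after fixing what the audit flagged (assumed PFX path).
HARDENED_CONFIG = {"EnableRemoteAccess": True, "RequireHttps": True,
                   "CertificatePath": "C:\\certs\\media.example.com.pfx"}
HARDENED_USERS = [dict(u, HasPassword=True) if u["Policy"]["EnableRemoteAccess"] else u
                  for u in SAMPLE_USERS]

if __name__ == "__main__":
    for label, cfg, usr in (("before", SAMPLE_CONFIG, SAMPLE_USERS),
                            ("after", HARDENED_CONFIG, HARDENED_USERS)):
        print(label, json.dumps(audit_exposure(cfg, usr), indent=2),
              "safe to expose:", safe_to_expose(cfg, usr))
```

On the constructed "before" data this returns three BLOCK findings (admin without password, a remote-enabled user without password, no certificate) and refuses; the LAN-only account without a password is deliberately not flagged, since the rule is about what is reachable from outside. After the fixes it returns nothing. A real deployment would fetch the two JSON documents with the server's API key instead of using the inline sample.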

pir8radio

[quoting User Name's post above]

 

Yeah, same here, I don't understand all of that locksmith stuff... Easy lock, done; better than no lock..... :)

(sorry couldn't resist)


User Name

[quoting pir8radio's post above]

 

No I'm sorry I couldn't resist reaching out to find out a bit more about the security of Emby vs. Plex.  I do value security but have no idea how all this stuff works.  This is a 12 page thread and the following I don't have a clue what each one means:

 

"SSL Certificate"

"Let’s Encrypt"

“resolves points to your imm address”

“configure proxies and domains”

“forward port 8920”

“Statically IP addressing the server”

“Set up a DHCP reserved IP address in the router's DHCP configuration”

“Configure a public DNS”

“Setup a DDNS client”

“Purchase an SSL certificate from a trusted public CA”

“RapidSSL is really cheap”

“seen comodo work”

“setup an Acme client”

“Create a CSR on the Emby server.”

“Upload the CSR to the CA”

“Possibly convert it to a PFX file.”

“You want the traffic encrypted”

“without forced HTTPS connections”

 

And those were taken from just the first page of the 12! 

 

I always try to read as much as I can in a forum before asking a question. But then I don't get something (in this case almost all of it) and I reach out for help and it always bites me in the A$$. Someone always has to reach out and make me wish I never participated. I was reading great things about Emby and how great the community is. Thought this would work for me, but I guess not. I've learned that both Plex and Emby apparently both suck unless you're a "master" at setting up Emby correctly. Not being a master at anything computer related (especially security), looks like I'll need to now pass on streaming any live TV. I also learned to really avoid asking questions.

Guest asrequested

[quoting the question above about the VPN setup]

 

Yes, but I've now implemented it at the router level, which is pfsense. And I use TorGuard.

 

Guide to using it


pir8radio

 

[quoting User Name's post above]

 

Nonsense, ask all the questions you want. If you couldn't tell, I was joking. We were not all born with this knowledge. We learned from each other on this forum and a lot of googling. Like any project you want to take on yourself, it takes some learning first to do it right.

rbjtech

.. the problem with 'learning on the job' is you inevitably make some rookie 'mistakes', and while 'it works', in the world of cyber security this opens you up to a world of pain and potential danger to your and others' private lives if not done correctly.

 

With the free SSL facilities from somebody like  'Lets Encrypt', my view is Emby should look into this as a service - as offering non-secured HTTP access with the click of a button is irresponsible imo.


[quoting asrequested's reply above]

The problem with TorGuard is that you really don't have any security except from your ISP. You have a "tunnel" from your home to a server sitting in a data center, and that's it. It's not an end-to-end VPN solution. You're only partially encrypted.

 

Basically you've only moved the attack vector from your router to the VPN Server.

 

Does that make sense?
