pir8radio Posted August 7, 2018: I know these things are overkill.... But it's fun to try to get your server to hit a good "grade", if the grade even really means anything.. I know some of you tinkerers are like me... so here is another one to eat up hours of your day: https://observatory.mozilla.org This is more for webservers and reverse proxies, not necessarily Emby specifically. Took me a bit of googling but got mine to an A+ lol. Edited August 7, 2018 by pir8radio
mastrmind11 Posted August 7, 2018: lol well done.
Swynol Posted August 7, 2018: Bloody hell, here we go again. Time to push it from a B to an A.
Swynol Posted August 7, 2018: Think you're going to have to share your CSP. If I lock mine down to get an A+ my sites don't load as they get blocked, ha.
Abobader Posted August 8, 2018: Nice indeed
makarai Posted August 16, 2018: Hi hi, This is my report with HAProxy instead of nginx, I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers, also can you let me know what you set for the CSP. For other HAProxy users: .. outdated. What I noticed is CORS differs as well: "Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains". Edited September 18, 2018 by makarai
makarai Posted August 17, 2018: In the meantime I also achieved A+ and a working Emby with the following front-end settings: I moved all headers to the SSL frontend. #...outdated. Edited September 18, 2018 by makarai
pir8radio Posted August 18, 2018, quoting makarai:

makarai wrote: Hi hi, This is my report with HAProxy instead of nginx, I guess I have to fix some stuff. However @pir8radio, would you mind doing this again so I can check if I set all the correct headers, also can you let me know what you set for the CSP. For other HAProxy users:

http-response set-header X-Frame-Options SAMEORIGIN
http-response set-header X-XSS-Protection "1;mode=block"
http-response set-header Referrer-Policy "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin"
http-response set-header X-Content-Type-Options nosniff
http-response set-header Strict-Transport-Security "max-age=31536000;includeSubDomains;preload"

What I noticed is CORS differs as well: "Content is visible via cross-origin resource sharing (CORS) files or headers, but is restricted to specific domains"

Yours looks good, I actually stole some of your settings and combined them with mine.. I now have this: same score as my initial test but hey...

add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; style-src 'unsafe-inline' https://*.mydomain.net" always;

Edited August 18, 2018 by pir8radio
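An added example, not from the thread and not part of Emby, nginx or HAProxy: an offline audit of the header set the posts above converge on, so you can check a proxy's responses before re-running the Observatory scan. The thresholds (180 days for HSTS) and the finding texts are this script's own choices, not Observatory's scoring rules; both header dictionaries are constructed from the values quoted in the thread and a deliberately weak comparison set.

```python
import re

# Referrer-Policy tokens defined by the Referrer Policy spec.
VALID_REFERRER_POLICIES = {
    "no-referrer", "no-referrer-when-downgrade", "same-origin", "origin",
    "strict-origin", "origin-when-cross-origin", "strict-origin-when-cross-origin",
    "unsafe-url",
}
MIN_HSTS_AGE = 15552000  # 180 days; an assumed threshold for this audit, not Observatory's


def parse_csp(value):
    """Split a CSP header value into {directive: [source expressions]}."""
    policy = {}
    for part in value.split(";"):
        tokens = part.split()
        if tokens:
            policy[tokens[0].lower()] = tokens[1:]
    return policy


def audit_headers(headers):
    """Return a list of findings; an empty list means every check passed."""
    h = {k.lower(): v for k, v in headers.items()}
    findings = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append("missing Strict-Transport-Security")
    else:
        age = re.search(r"max-age=(\d+)", hsts)
        if not age or int(age.group(1)) < MIN_HSTS_AGE:
            findings.append("HSTS max-age shorter than 180 days")
        if "includesubdomains" not in hsts.lower():
            findings.append("HSTS without includeSubDomains")

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append("missing X-Content-Type-Options: nosniff")

    csp = parse_csp(h.get("content-security-policy", ""))
    if not csp:
        findings.append("missing Content-Security-Policy")
    else:
        default = csp.get("default-src", [])
        scripts = csp.get("script-src", default)  # script-src falls back to default-src
        # Browsers that understand nonces/hashes ignore 'unsafe-inline' when one is present,
        # so only flag it when it actually takes effect.
        if "'unsafe-inline'" in scripts and not any(
            t.startswith(("'nonce-", "'sha256-", "'sha384-", "'sha512-")) for t in scripts
        ):
            findings.append("script-src allows 'unsafe-inline' without a nonce or hash")
        if "'unsafe-eval'" in scripts:
            findings.append("script-src allows 'unsafe-eval'")
        if "object-src" not in csp and "'none'" not in default:
            findings.append("no object-src 'none' (plugins allowed)")
        if "base-uri" not in csp:
            findings.append("no base-uri directive")

    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append("no framing control (neither frame-ancestors nor X-Frame-Options)")

    rp = h.get("referrer-policy")
    if rp is None:
        findings.append("missing Referrer-Policy")
    else:
        # A comma-separated list is a fallback chain; every token must still be a valid policy.
        bad = [t.strip() for t in rp.split(",") if t.strip().lower() not in VALID_REFERRER_POLICIES]
        if bad:
            findings.append("unknown Referrer-Policy value(s): " + ", ".join(bad))
    return findings


# Constructed sample: the header set the thread arrives at (HAProxy headers plus the nginx CSP).
THREAD_HEADERS = {
    "Strict-Transport-Security": "max-age=31536000;includeSubDomains;preload",
    "X-Frame-Options": "SAMEORIGIN",
    "X-Content-Type-Options": "nosniff",
    "Referrer-Policy": "no-referrer,same-origin,strict-origin,strict-origin-when-cross-origin",
    "Content-Security-Policy": (
        "default-src 'self' https://*.mydomain.net wss://*.mydomain.net "
        "https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; "
        "frame-ancestors 'self'; object-src 'none'; "
        "script-src 'sha256-bdnU7HNzra4Qmlo30dpjygO1RLIIqRVu1wcOsl0OWqU=' "
        "https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; "
        "style-src 'unsafe-inline' https://*.mydomain.net"
    ),
}

# Constructed sample of a typical proxy that has a CSP but still allows inline script.
WEAK_HEADERS = {
    "X-Frame-Options": "SAMEORIGIN",
    "Content-Security-Policy": "default-src 'self'; script-src 'self' 'unsafe-inline'",
    "Referrer-Policy": "origin-when-crossorigin",
}

if __name__ == "__main__":
    for name, hdrs in (("thread", THREAD_HEADERS), ("weak", WEAK_HEADERS)):
        print(name, audit_headers(hdrs) or ["ok"])
```

To audit a live server, fetch `/` with `http.client` or `curl -sI` and feed the response headers into `audit_headers`; the check on `'unsafe-inline'` is the one that separates the B+ configurations in this thread from the A+ ones.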
makarai Posted August 18, 2018: Thank you m8!
pir8radio Posted August 18, 2018: I did just notice iOS browsers not working.. apps work though.. do you see the same issue?
Swynol Posted August 18, 2018, quoting pir8radio:

pir8radio wrote: I did just notice iOS browsers not working.. apps work though.. do you see the same issue?

I see the same. iOS app works fine. Using Chrome or Safari on iOS the page fails to load.
pir8radio Posted August 18, 2018: And this is with the security policy on this page enabled, correct? Just want to make sure I'm not chasing an Emby issue. :-)
Swynol Posted August 18, 2018: Ye, with the CSP you mentioned above. If I comment it out and use my old CSP it works fine. I also had to add a few other URLs to the CSP to drop the amount of errors in the Chrome console, mainly google-analytics and googletagmanager.com. Edited August 18, 2018 by Swynol
pir8radio Posted August 18, 2018: Boo... I'll go back to what I had too, and do some more digging.. lol thx.
Swynol Posted August 18, 2018, quoting pir8radio:

pir8radio wrote: Boo... I'll go back to what I had too, and do some more digging.. lol thx.

Looks like all browsers failed to work with me. All the apps worked fine.

Quoted: Could someone help me with CSP? Apparently I only get a B+ because of it.

Ye, looks like there is an issue atm; trying to get an A or A+ breaks Emby. So best stick with a B+ for now. Nothing wrong with a B+; most huge commercial sites out there don't get near a B.
pir8radio Posted August 18, 2018: I don't have a Mac to use the native iOS debugging options. :-(
pir8radio Posted August 18, 2018, quoting Swynol:

Swynol wrote: Looks like all browsers failed to work with me. All the apps worked fine. Ye, looks like there is an issue atm; trying to get an A or A+ breaks Emby. So best stick with a B+ for now. Nothing wrong with a B+; most huge commercial sites out there don't get near a B.

When you say all browsers, do you mean on iOS? Or PC too? I think all iOS browsers use the underlying Safari goodies to make them work.. But if you mean on PC too then I'm confused....
chef Posted August 18, 2018: Oh! I did it! A+ and no issues with my users connecting and streaming content!
makarai Posted August 18, 2018, quoting pir8radio:

pir8radio wrote: I don't have a Mac to use the native iOS debugging options. :-(

I don't have a Mac to test either. If someone has a Mac and the policies that we posted, just open Chrome, hit F12, go to Network and check what is red; post a screenshot or comment on it.
makarai Posted August 18, 2018, quoting pir8radio:

pir8radio wrote: Boo... I'll go back to what I had too, and do some more digging.. lol thx.

Can you post what you used before so I can spare myself the digging?
pir8radio Posted August 19, 2018: Well I figured it out. This is the CSP I'm using, but I had to do a workaround. My workaround will only work for nginx users that have the "sub_filter" module baked into their copy of nginx. @Luke will need to make a change for us to be able to fully secure Emby with a content security policy. Luke, skip to the bottom. If you are unable to edit the Emby index.html or use sub_filter you will have to allow inline scripts, which defeats the purpose of the CSP.

add_header Content-Security-Policy "default-src 'self' https://*.mydomain.net wss://*.mydomain.net https://www.gstatic.com https://www.github.com; base-uri 'none'; form-action 'self'; frame-ancestors 'self'; object-src 'none'; script-src 'nonce-4AEemGb0xJptoIGFP3Nd' https://*.mydomain.net https://www.gstatic.com; img-src data: https: ; style-src 'unsafe-inline' https://*.mydomain.net" always;

But the above won't work unless you either use an nginx sub_filter (shown below), edit the Emby index.html, or Luke adds a nonce to his inline script at the bottom of index.html. This inline script can't be hashed because it changes with every version, so in order to get it to load it has to have a non-changing nonce added to it. I was able to add this on the fly with nginx; it actually rewrites the HTML from:

<script>window.dashboardVersion='3.6.0.2';</script>

to:

<script nonce="4AEemGb0xJptoIGFP3Nd">window.dashboardVersion='3.6.0.2';</script>

The nginx sub_filter line: what this does is take Emby's script tag (ignoring the version number) and rewrite it on the fly to the second quoted string, adding the nonce so the CSP can then allow this script to run on the client side.

sub_filter '<script>window.dashboardVersion=' '<script nonce="4AEemGb0xJptoIGFP3Nd">window.dashboardVersion=';

Now with a nonce assigned to the inline script, I can add it to my CSP and allow this script to run.

Luke, any way you can either remove this inline script and reference a .js file, or just add a static nonce to your script tag like above? nonce="4AEemGb0xJptoIGFP3Nd" This minor change will allow you to secure Emby with CSP later anyway, and won't affect current users. I think just putting that one line of script into a dashboard.js and bringing it into the index file that way would be easy too. Edited August 19, 2018 by pir8radio
pir8radio Posted August 19, 2018: Another option is to hash that line of script and put the hash in your CSP, but you will have to rehash it for every Emby version as you upgrade. Use this site to create a hash: https://report-uri.com/home/hash/ The script you will need to hash is at the bottom of the index.html when you view source:

<script>window.dashboardVersion='X.X.X.X';</script>
makarai Posted August 20, 2018: Thanks for the update @pir8radio. I hope @Luke will look into it. Edited August 20, 2018 by makarai
Spaceboy Posted August 21, 2018: I got my domain to a B+ following the advice here, thanks! And also adding my support for the changes to be made in Emby to allow us to achieve full marks.