
Showing results for tags 'SSL'.


  1. mchahn

    yet another ssl setup problem post

    I read through the SSL Made Easy tome. The original post showing instructions for ssl setup was good (although I already knew it) but the rest did nothing for me. I'd like to describe my SSL problem and hopefully get some ideas for what I'm doing wrong. I used certbot to create the privkey.pem and cert.pem files. Then I did I left the password blank. The resulting emby.p12 file looks good. I extracted the key file from it which matched the original. Then I set the network settings to... It saved with no problem. Then I rebooted the server. The address "http://<domain>:8096/" worked fine. I tried the address: "https://<domain>:8920" and got "<domain> refused to connect." I have no proxy or firewall. Others can try these URLS from outside but they will only get the login page. The log from the reboot I mentioned is attached. By an amazing coincidence the log starts at exactly midnight. Any ideas for things to try would be appreciated. embyserver (3).txt
  2. This certificate was specifically created to use Emby through the Microsoft Edge browser over HTTPS on port 8920, eliminating the "connection is not secure" warning. It is important to note that this certificate works properly in Edge but not in Firefox. For the certificate to function correctly, it must be installed both in the Windows Certificate Manager and on the NAS where the Emby server is hosted.

    Note: The domain names and IPs used here are examples (example.domain.lan, subdomain.local.domain) and must be replaced with those corresponding to your network.

    1. Generate the .crt and .key files

    Open the Windows terminal: Launch a terminal (Command Prompt or PowerShell) and navigate to the folder where you want to generate the files.

    Choose the appropriate command based on your needs:

    For a single domain (single SAN):

        openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout example.domain.lan.key -out example.domain.lan.crt -subj "/CN=example.domain.lan" -addext "subjectAltName=DNS:example.domain.lan"

    For multiple domains and IPs (multiple SANs):

        openssl req -x509 -newkey rsa:2048 -sha256 -days 3650 -nodes -keyout example.domain.lan.key -out example.domain.lan.crt -subj "/CN=example.domain.lan" -addext "subjectAltName=DNS:example.domain.lan,DNS:subdomain.local.domain,IP:192.168.1.xx"

    Verify the results: The files example.domain.lan.crt and example.domain.lan.key will be generated in the specified folder.

    2. Create the .pfx file for Emby

    Use the following command to merge the .crt and .key files into a .pfx file (.crt + .key = .pfx):

        openssl pkcs12 -export -out example.domain.lan.pfx -inkey example.domain.lan.key -in example.domain.lan.crt -name "example.domain.lan"

    Set a password for the .pfx file: You’ll be prompted to enter and confirm a password. You can leave it blank or assign one.

    Note: If you assign a password, remember it, as it will be required in Emby’s settings.

    The example.domain.lan.pfx file will be generated in the same folder.

    3. Upload the .pfx file to the NAS

    Transfer the file: Copy the example.domain.lan.pfx file to a folder accessible on your NAS.
    Ensure that Emby can access the path where the file is stored.

    4. Install the .crt certificate in Windows

    Open the .crt file directly: Double-click on the file example.domain.lan.crt. Click the Install Certificate button.

    Follow the installation wizard:
    • Select Current User as the target location.
    • Choose Place all certificates in the following store.
    • Click Browse and select Trusted Root Certification Authorities.
    • Click OK, then Next, and finally Finish.

    Confirm the installation: A confirmation message will appear asking if you want to install the certificate. Accept to complete the installation.

    5. Configure Emby with the certificate

    • Log in to Emby and navigate to Settings → Network.
    • Locate the section Custom SSL certificate path.
    • Enter the path to the .pfx file you uploaded to the NAS.
    • If you set a password for the .pfx file, enter it in the corresponding field. If you left it blank, leave the field empty.
    • In Secure connection mode, select: "Preferred, but not required" (this allows connections via both HTTP and HTTPS).
    • Click Save and restart the Emby server to apply the changes.

    Important Notes

    The domain names (example.domain.lan, subdomain.local.domain) and IP (192.168.1.xx) are examples. Replace them with the actual domains and IPs of your network.

    If you need to include more addresses or subdomains, add them to the subjectAltName field when generating the certificate. For example:

        -addext "subjectAltName=DNS:example.domain.lan,DNS:subdomain.local.domain,DNS:extra.domain.com,IP:192.168.2.xx"

    Credits

    This guide was completed with the help and insights provided by @Lessaj, whose expertise made this task much easier. Thank you for your support!

    Final Note

    If there's anything I missed or ways to improve this guide, I’d greatly appreciate your feedback and insights. Sharing your knowledge or suggesting adjustments would not only help refine this guide but also assist others who might face similar challenges. Feel free to share your thoughts—I'm always open to learning and improving. Thank you in advance!
  3. I have spent a lot of time trying to make Emby secure with https and I have now hit a brick wall. My knowledge on this topic is zero, so I'm hoping with some guidance I can get this working.

    OS: Windows
    Port Forward: 443
    Domain: YES
    SSL: Lets Encrypt via Win-Acme (No passphrase)
    Reverse Proxy: NGINX

    Most of the information is taken from https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/#comment-419091

    Where I have hit a brick wall is when I try and start NGINX. It fails to start and nothing shows in the logs. Below is my nginx.conf. Thanks in advance.

        worker_processes 2;

        events {
            worker_connections 8192;
        }

        http {
            include mime.types;
            default_type application/octet-stream;
            server_tokens off;
            gzip on;
            gzip_disable "msie6";
            gzip_comp_level 6;
            gzip_min_length 1100;
            gzip_buffers 16 8k;
            gzip_proxied any;
            gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;
            tcp_nodelay on;
            sendfile off;
            server_names_hash_bucket_size 128;
            map_hash_bucket_size 64;

            ## Start: Timeouts ##
            client_body_timeout 10;
            client_header_timeout 10;
            keepalive_timeout 30;
            send_timeout 10;
            keepalive_requests 10;
            ## End: Timeouts ##

            ## Default Listening ##
            server {
                listen 80 default_server;
                listen [::]:80 default_server;
                server_name _;
                return 301 https://$host$request_uri;
            }

            ##EMBY Server##
            server {
                listen [::]:80;
                listen 80;
                listen [::]:443 ssl;
                listen 443 ssl;
                server_name emby.mydomain.com;
                ssl_session_timeout 30m;
                ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
                ssl_certificate C:\\nginx-1.26.2\conf\SSL\mydomain.com-crt.pem;
                ssl_certificate_key C:\\nginx-1.26.2\conf\SSL\mydomain.com-key.pem;
                ssl_session_cache shared:SSL:10m;
                ssl_prefer_server_ciphers on;
                ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;
                proxy_hide_header X-Powered-By;
                add_header X-Xss-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                add_header 'Referrer-Policy' 'no-referrer';
                add_header Content-Security-Policy "frame-ancestors mydomain.com; emby.mydomain.com;

                location / {
                    proxy_pass http://192.xxx.xxx.xxx:8096;
                    proxy_hide_header X-Powered-By;
                    proxy_set_header Range $http_range;
                    proxy_set_header If-Range $http_if_range;
                    proxy_set_header X-Real-IP $remote_addr;
                    proxy_set_header Host $host;
                    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                    #Next three lines allow websockets
                    proxy_http_version 1.1;
                    proxy_set_header Upgrade $http_upgrade;
                    proxy_set_header Connection "upgrade";
                }
            }
        }
  4. I Have a Domain Name from DYNU and I have been using it for several years with no problems. I bought a Single Domain SSL Certificate from them the other day and have not had any luck getting it to work with EMBY. I downloaded the Certificate files from DYNU and placed the folder with all the files in the EMBY Server system directory. I then pointed EMBY to the .pfx file. See my Emby Network Setup in attached images. The .pfx file that was generated by DYNU does not have a password. My Dashboard shows an https link I have opened port 8920 (and port 443) on my router, but when I configure and attempt to access the site using https, (port 8920 or 443) I get 'Can't Reach This Page' error. I get that regardless if I try to access locally, remotely, with Domain name or IP. I have disabled My Anti-Virus Firewall and Windows Firewall with the same result. I also created a .pfx with a password and tried pointing EMBY to that and it did not work. I have restarted EMBY after each change. A TTL Text Record for my Domain was automatically created when DYNU generated my SSL. My http still works fine, local and remote. I'm at a loss. Is there some step I am missing or something else I need to do? Help. embyserver.txt
  5. Faylamoon

    Emby SSL & Synology

    Hi, I have an Emby server running on my DS218+ and would finally like to make it reachable from outside, and with SSL as well. My Syno is already reachable from outside via a Synology DDNS, as is the VS, which is supposed to be replaced by the Emby server. Unfortunately, despite all the tutorials, I can't even reach Emby over HTTP via my domain, from outside or from inside. I tested this with the current Emby Android app (outside as well as inside my own network). In addition, for some reason I can't enter the certificate path either, or rather the Emby server doesn't accept the path, no matter how I write it. And with the magnifying glass, the folder structure disappears every time as soon as I go into a second folder. (See pictures) Or do I need Emby Premiere for this to work at all???? I'm slowly running out of ideas. embyserver.txt
  6. I've seen guides for end users to setup secure access to Emby, however this might be more readily adopted if Emby could automatically handle the certificate installation. I found Kestrel/.NET implementation called LettuceEncrypt that might be a good basis to start with.
  7. I recently migrated my server from a Windows machine to a Mac mini. I have everything back to how I want it, except for my ability to allow remote connections while I have my VPN (Private Internet Access) running. On my Windows machine, I would use the Split Tunnel to bypass the VPN. Unfortunately, Mac OS seems to have an issue with split tunneling which stops all internet traffic when enabled (a real bummer). So now I am trying to use Port Forwarding as a way to allow connections through my VPN, though I am admittedly not very knowledgeable about this. I have searched these forums and read numerous threads about this topic, but I have still come away empty-handed. Perhaps someone can look at my specific situation and give me tailored guidance (and perhaps this may serve someone else in the future who faces a similar setup).

    To begin: I have SSL setup and can allow access to my server via https://mydomain.com. I have forwarded the ports on my router (Google Nest) to allow connections from port 8920 and 443 (as well as 8096 and 80 non-secured ports). When I turn on my VPN with Port-Forwarding enabled, PIA has reserved port 47853, as well as the new IP address of 456.456.456.456.

    What do I do with this port number and/or VPN IP? On the Emby Network tab I see the local and public https ports are set to 8920. Does one of these change? Or do they stay the same and I need to add a new Port Forwarding rule for 47583? And if I need to add a new rule to my router, do I forward 47583 to 47583 or do I forward 47583 to 8920?

    Lastly, since I am using SSL and I have my DNS record setup (in Google Domains) to direct mydomain.com to 123.123.123.123 (my ISP assigned IP address), do I also need to update this record so it points to 456.456.456.456 (the VPN IP address when the application is enabled)? (For all intents and purposes, we can treat my ISP IP address as static, technically it is dynamic, but I have a pretty good handle on that part of the process, so I don't want to get caught up in questions away from my main topic regarding the port-forwarding.)

    If anyone can give me the exact steps of what I need to do, I would very much appreciate it. These forums have been very helpful in the past and I hope to be able to contribute to them in meaningful ways in the future. Thank you.
  8. Hello, I'm unable to get SSL to work on my Emby server, I've been able to remote connect on http with no problems but would rather be using TLS. Currently have Emby running on Windows 10, Appropriate ports are open on router. Certificate .PFX created with Certify The Web & exported through IIS. Attached screenshots + log from Emby below, Appreciate any help embyserver.txt
  9. Looks like my Roku TV 7117X is no longer able to connect to my remote Emby Server via SSL. SSL certificate was generated by Synology Let's Encrypt. I wanted to create this thread to make awareness and so others with same problem can find this. This all seems to be related to the Let's Encrypt certificate issues from September 30. Other clients like IOS app and Chrome browsers can successfully connect with SSL. Looking through other threads other users are reporting with same issues. Not sure if there is a way to fix.

    TCL Roku TV Software Version: 10.0.0 Build 4209-30
    Emby App Version 4.0 Build 31
  10. Beecon

    Security and SSL

    I want to use a sub domain of godaddy to access my emby. It shows it’s not secure when logging in externally. I like to know if the SSL provided by synology for the server also covers emby access? how do I refer to that certificate in emby?
  11. Hello all, if you want to simplify the SSL connection and don't want to renew your SSL certificate for Emby every 3 months anymore, you can use a reverse proxy like this (I already tried to generate it automatically via crontab but I never succeeded in making it work correctly).

    Prerequisites:
    1 - create the reverse proxy locally on your NAS and not remotely
    2 - be on ADM 4.0; I already tried to make it work with 3.5.2 but it is not working

    Go to the reverse proxy menu and click on add, and fill it in like this: fill in your own domain name and choose the port that you want. You can use EZ Connect or declare your redirection directly on your router, then click "next".

    Fill in like below and click on "test connexion".

    Now you have your Emby reverse proxy active and working.

    Under Emby network options you can choose this option: "managed by a reverse proxy".

    That's all.
  12. I'm trying to set up a load balancer and reverse proxy (Kemp LoadMaster) to handle all incoming connections on port 443 and distribute to my various services in the local network, and to manage SSL certs. I am completely unable to get Emby Server running on macOS to listen on HTTPS. I don't want to "allow remote connections to this Emby Server" or manage an SSL cert on the Emby instance. As you can see below, the Emby Server is not listening on https (port 8920) even though it's reporting that it is. I've tried enabling "allow remote connections" for testing with "handled by reverse proxy" but still no dice.

        sudo lsof | grep LISTEN | grep -i emby
        EmbyServe 10196 *redacted* 148u IPv6 0xe964fbfa92b187eb 0t0 TCP *:8096 (LISTEN)
        embytray 10197 *redacted* 4u IPv4 0xe964fbfa79f4057b 0t0 TCP localhost:8024 (LISTEN)

    And no, there is nothing else listening on port 8920, and I have tried changing https port to no effect. I'd really like to get this working without using EmbyConnect as I want to manage and monitor internal services through a single interface. Emby Logs: embyserver.txt.zip
  13. hi guys my isp has blocked port 80 and I'm unable to authorize my certificates for my ddns. for the sake of the noob users on my network it would be helpful if your apps would automatically accept self signed certificates. i understand this is not possible in web browsers but surely its possible in your apps on smart tv's and consoles etc.... i have recently had to give plex my money which i am not happy about. i dont want to stop supporting emby however if i cant use the secure connections its of no real use to me anymore.
  14. This guide will explain how to setup a Windows Server instance of Emby server with IIS as full transparent reverse proxy with SSL offload and auto-renewing certificates via Let's Encrypt.

    First, What is IIS?

    IIS or Internet Information Services is the web server service provided with Windows and Windows server installations. It is industry standard technology and is widely supported and regularly maintained by Microsoft.

    Second, What is a reverse proxy?

    A reverse proxy will take requests coming into your server (in this case HTTPS on port 443) and route them to a backend application (in this case Emby Server on port 8096 on the same box or another). Reverse proxies are very useful if you only have 1 public IP and multiple services you would like to run on a single port (443, for example is standard secure web traffic) or multiple servers that need to appear as one.

    Third, Why do I want a certificate for my site from Let's Encrypt?

    Well, most sites nowadays are secure (read they encrypt your traffic to prevent people from seeing your data), browsers these days flag sites that are not using properly signed certificate chains or run on insecure ports. If you use a self signed certificate in Emby, you may have difficulty getting things like the iOS app or Roku app to work properly outside your home. (Not sure about the rest of you, but Emby on the kid’s iPad is a life saver for long car rides). Let’s Encrypt provides free SSL certificates that are signed by certificate authorities that will be recognized on all devices and platforms.

    I will be using Windows Server 2019 with IIS 10 and AAR 3. All of this should work with Windows Server 2012R2 and Windows Server 2016 as well as Windows 10, however there may be some differences. You can use either stable or beta version of Emby Server, however in this guide we will use the stable version. At the time of writing, this guide will get you a full A+ rating from SSLlabs.com security test. (For comparison purposes, Facebook’s rating is a B.)

    In this guide we will:
    • Install Emby Server
    • Move Emby Server Installation to a non-user-locked location
    • Setup a service user to run Emby Server as
    • Configure Emby Server to run as a service
    • Configure Windows Firewall
    • Install IIS
    • Install AAR
    • Install IIS Rewrite module
    • Configure AAR
    • Configure IIS as a reverse proxy for Emby
    • Configure SSL cypher suites for the server
    • Install the Certify the Web client.
    • Configure Certify the Web for auto-renewing SSL certificate for your domain

    Note: To be externally accessible, you will need to configure your router/modem to port forward 80 and 443 to your server.

    Pre-reqs/Assumptions:
    • A physical server or VM running Windows Server
    • An Internet Connection
    • A DynDNS/No-IP URL (or similar routable dns name pointed at your router’s public IP)
    • You have port forwarded ports 80 and 443 through your router to the machine you will use as a reverse proxy (in this guide we will use the same box for the reverse proxy and Emby server, but these can be run on different hosts).
    • You have installed Notepad++ on the machine you will be setting up.

    Install Emby Server
    • Download Emby Server
    • Run the Installer
    • Click Run when prompted
    • If prompted by smart screen, click run anyway
    • If prompted to install Visual C++ runtime, click install
    • It will install to default location of %APPDATA%\Emby-Server.

    Move Emby Server to Non-User Locked Location
    • Ensure that Emby Server is not running (right click icon in system tray if present and click Exit)
    • Navigate to default location of %APPDATA% (%userprofile%\appdata\roaming)
    • Right click the folder and click "cut"
    • Navigate to C:\ (or root of the drive you wish to have Emby run from)
    • Right click in the whitespace and paste. (if prompted to provide administrator permission, approve)

    Create a Service Account to run Emby as
    Note: Instructions show how to do this using local users and computers, you can also do this with Active Directory Users and Computers if your server is running that role.
    • Right click on the start button (Windows flag) on the left side of the task bar
    • Click Computer Management
    • Expand Local Users and Groups on the left side
    • Click Users
    • Right click the whitespace and click new user
    • Complete the new user dialog as shown (make sure you save whatever password you use as you will need it later, ProTip: don't re-use passwords)
    • Click create
    • Click close
    • Close the computer management window

    Setup NSSM
    NSSM (Non-Sucking Service Manager) is needed to run Emby Server as a service as Emby Server does not include the necessary components to run as a Windows service by default.
    • Download here: https://nssm.cc/download
    • Double click downloaded zip to open it in windows explorer
    • Navigate to /win64 folder inside zip
    • Copy/extract 64 bit version of the file to C:\Emby-Server

    Setup Folder Permissions
    • Navigate to C:\
    • Right click the Emby-Server folder
    • Click Properties
    • Click Security tab
    • Click Advanced
    • Click Disable Inheritance
    • Click Convert to Explicit
    • Select CREATOR OWNER
    • Click Remove
    • Select Users (special)
    • Click Remove
    • Click Add
    • Enter SvcEmby in the dialog
    • Click OK
    • Click Full Control
    • Click OK
    • Click Change next to owner at the top of the box
    • Type SvcEmby in the dialog
    • Click OK
    • Check the Replace owner check box
    • Check the Replace permissions checkbox
    • Verify the dialog window looks similar to this (computer name will be different)
    • Click OK
    • When prompted if you want to replace permissions click Yes
    • Verify security tab looks like this
    • Click OK

    Setup Emby as a Service using NSSM
    • Right click the start button on the left side of the task bar
    • Click Windows Powershell (Admin)
    • Type: "cd C:\Emby-Server" and press enter
    • Type ".\nssm.exe install Emby" and press enter
    • The install service dialog will launch, fill out as follows:
    • Application Tab
    • Details Tab
    • Logon Tab (note, if you are using active directory it should be: YOURDOMAIN\SvcEmby)
    • Exit Actions Tab
    • Click Install Service
    • Click OK

    Configure Windows Firewall
    • Click Start
    • Click Control Panel
    • Click Windows Defender Firewall
    • Click Advanced Settings on the left hand side
    • Click Inbound Rules
    • Click New Rule on the right hand side
    • Click Port
    • Click Next
    • Type 80, 443 in the ports box
    • Click Next
    • Click Next
    • Click Next
    • Name it Web Server Ports
    • Click Finish

    Install IIS (Internet Information Services)
    • Click Start
    • Click Server Manager
    • Click Add Roles and Features
    • Click next on the Before you Begin page
    • Click Role Based install
    • Click Next
    • Verify you are installing on your local server
    • Click Next
    • Check the box for "Web Server (IIS)"
    • When prompted to install management tools Click Add Features
    • Click Next
    • Under Features, click Next
    • Click Next again to get to role services
    • Check the boxes for all of the following role services
    • Make sure you check the box for web sockets under Application Development, this is needed for various features of Emby to work right.
    • Click Next
    • Click Install
    • Once installation completes, click close

    Install Web Platform Installer add-on
    • Download from: https://www.microsoft.com/web/downloads/platform.aspx
    • Run the Web Platform Installer add-on installer
    • Click Install
    • Click Finish

    Install AAR (Advanced Application Routing)
    • Download from: https://www.microsoft.com/en-us/download/details.aspx?id=47333
    • Run the Request Router installer
    • Click Install

    Install IIS Re-Write Module
    • Click Start
    • Click Administrative Tools
    • Open Internet Information Services (IIS) Manager
    • Click the name of your server on the left
    • Double Click on the Web Platform Installer
    • In the search box type "url rewrite"
    • Click Add
    • Click Install
    • Click I Agree
    • Click Finish

    Configure AAR
    • Click Start
    • Click Administrative Tools
    • Open Internet Information Services (IIS) Manager
    • Click the name of your server on the left
    • Right Click Server Farms
    • Click Create Server Farm
    • Name your Server Farm
    • Click Next
    • Enter the IP address of the server or "localhost"
    • Click Add
    • Click Finish
    • Click No in the dialog that pops up
    • Expand your newly created Server Farm
    • Click Proxy
    • Configure settings as shown
    • Click Apply
    • Click your Server
    • Click Application Request Routing
    • Click Server Proxy Settings
    • Configure settings as shown
    • Click Apply
    • Click Your Server

    Configure IIS Server Variables
    • Click Url Re-Write
    • Click View Server Variables
    • Click Add
    • Type "HTTP_ACCEPT_ENCODING"
    • Click OK
    • Click Add
    • Type "HTTP_X_ORIGINAL_ACCEPT_ENCODING"
    • Click OK
    • Click Add
    • Type "HTTP_X_FORWARDED_FOR"
    • Click OK
    • Click Add
    • Type "HTTP_X_REAL_IP"
    • Click OK
    • Click Your Server

    Create Emby Site
    • Expand Sites on the left hand side
    • Right Click "Default Web Site"
    • Highlight "Manage Website"
    • Click Stop
    • Right Click the white space in the Sites list
    • Click Add Website
    • Click the "..." button to the right of Physical Path
    • Browse to C:\inetpub\wwwroot
    • Click it
    • Click Make New Folder
    • Call it Emby
    • Click OK
    • Under Binding Fill in with your public host name (see dynamic dns mentioned in pre-reqs)
    • Click OK

    Configure Logging
    • Click your server
    • Click Logging
    • Click Select Fields
    • Click Add Field
    • Configure as shown
    • Click OK
    • Click OK
    • Click Apply

    Install and Configure Certify The Web client
    • Download From: https://certifytheweb.com
    • Run the Certify the Web installer
    • Click Next
    • Click Next
    • Click Next
    • Click Install
    • Click Finish
    • Click New Certificate
    • Click on on Contact Prompt
    • Fill in your contact email
    • Click Register Contact
    • Click New Certificate again
    • Select Emby from the sites list
    • Name and domain will populate automatically.
    • Click Deployment
    • Configure as shown
    • Complete certificate verification process
    • Click your site in IIS manager
    • Click Bindings
    • Verify there is an HTTPS binding and that it looks similar to this (with your domain information)

    Edit Web.Config for Emby Site
    • Click HTTP Response Headers
    • Click Add
    • Configure as shown (we are just creating a header to get the web.config to exist, we will paste in a premade one below, so these values don't really matter)
    • Click OK
    • Open an Explorer window and Browse to C:\inetpub\wwwroot\Emby
    • Right click web.config and Edit with Notepad++
    • Replace existing content with web.config below

        <?xml version="1.0" encoding="UTF-8"?>
        <configuration>
          <system.webServer>
            <rewrite>
              <rules>
                <clear></clear>
                <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true">
                  <match url="*" negate="false" />
                  <conditions logicalGrouping="MatchAny">
                    <add input="{HTTPS}" pattern="off" />
                  </conditions>
                  <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" />
                </rule>
                <rule name="Proxy to Emby" stopProcessing="false">
                  <match url="(.*)" />
                  <serverVariables>
                    <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" />
                    <set name="HTTP_ACCEPT_ENCODING" value="" />
                    <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" />
                  </serverVariables>
                  <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" />
                  <conditions>
                    <add input="/{R:1}" pattern=".well-known" negate="true" />
                  </conditions>
                </rule>
              </rules>
              <outboundRules>
                <rule name="Add Strict-Transport-Security when HTTPS" enabled="true">
                  <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" />
                  <conditions>
                    <add input="{HTTPS}" pattern="on" />
                  </conditions>
                  <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" />
                </rule>
                <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true">
                  <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://http://localhost:8096/(.*)" />
                  <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" />
                </rule>
                <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding">
                  <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" />
                  <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" />
                </rule>
                <preConditions>
                  <preCondition name="ResponseIsHtml1">
                    <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
                  </preCondition>
                  <preCondition name="NeedsRestoringAcceptEncoding">
                    <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
                  </preCondition>
                </preConditions>
              </outboundRules>
            </rewrite>
            <caching enabled="false" enableKernelCache="false" />
            <httpProtocol>
              <customHeaders>
                <add name="X-Frame-Options" value="SAMEORIGIN" />
                <add name="X-Xss-Protection" value="1; mode=block" />
                <add name="X-Content-Type-Options" value="nosniff" />
                <add name="Referrer-Policy" value="same-origin" />
                <add name="Feature-Policy" value="sync-xhr 'self'" />
                <add name="Cache-Control" value="no-cache" />
              </customHeaders>
            </httpProtocol>
          </system.webServer>
        </configuration>

    • Save changes (if prompted to restart Notepad++ in admin mode allow it and then try saving again)

    IIS will now be properly configured as a reverse proxy for Emby. Under IIS Manager > Rewrite you should now see the following rules:

    Configure Server Cyphers
    • Download here: https://www.nartac.com/Products/IISCrypto/Download (GUI version)
    • Run the IISCrypto tool
    • Click Templates
    • In the template drop down box, select PCI 3.2
    • This will disable IIS from being able to serve via SSL 2.0, 3.0; TLS 1.0 and TLS 1.1. This will leave just the industry standard TLS 1.2.
    • Click Apply
    • Click OK.
    • Reboot your server.

    Emby Internal Settings
    • Navigate to your server via the localhost:8096 address
    • Click the gear in the top right corner
    • Click Network from the list of tabs on the right
    • Configure as shown (use your hostname in the external domain box)

    Conclusion

    Upon rebooting, your computer will start IIS services and Emby server as a service. Traffic coming in on port 80 (if someone just types your url without HTTPS in their browser's address bar) will be automatically redirected to port 443 and the HTTPS:// version of your host name. Your certificate will auto-renew every so often and re-bind to the site in IIS without any interaction on your part. This allows for a server that you can for the most part setup, and forget about and just manage your Emby installation via its web ui.

    There are a lot of ways to set up Emby server depending on your environment and other factors. For my environment this made the most sense and since large portions of this took quite a bit of digging and research to get working just right, I figured I'd make someone else's life a little easier if they were trying to do something similar. These instructions can be adapted for Windows Server 2012 R2, Windows Server 2016, Windows 8 and Windows 10.

    In the end browsing to your domain should look like this in the browser

    Additional Information for Updating

    When Updating your Emby installation. Simply stop the service for Emby, install like you normally would, then just cut the system folder inside the %appdata%\emby-server folder and paste it into the C:\Emby-Server folder. When prompted replace all files, then start the service again once the copy completes.

    Additional Information about Connecting with Emby Apps

    When connecting to your Emby installation remotely with Emby apps remember to prefix your domain name with https:// and use 443 for the port number.

    <Edit>

    Additional Information about changing Emby Server Title:

    For those users who wish to change their page title in browser (as discussed here), here is additional Web.Config information that will let you do just that! Using IIS Re-Write rules to change the page title means, you don't have to edit files to reset it every time you upgrade your Emby Server!

    Add these 3 rules at the bottom of the rules list, replace whole <preConditions> block too.:

    NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar.

        <rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
          <match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
          <action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
        </rule>
        <rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
          <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
          <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
        </rule>
        <rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
          <match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
          <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
        </rule>
        <preConditions>
          <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
          </preCondition>
          <preCondition name="ResponseIsJS">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
          </preCondition>
          <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
          </preCondition>
        </preConditions>

    </Edit>
  15. LunchBolero

    unable to use https on qnap ts-251b

    hello, i've been using emby for a little while on my QNAP TS-251B, but recently noticed that my devices (browsers, an nvidia shield) only connect via unsecured http on the default port 8096. when trying to bring up the page (from within my lan) on the default https port of 8920, chrome gives me ERR_CONNECTION_REFUSED. in Emby Configuration > Server > Network, i do see that the port number is indeed set to 8920. however, when i run nmap against the device to scan for open ports, 8920 appears closed. i'm using Emby server version 4.5.4.0
  16. blim5001

    Emby ssl ports not working

    So this is a bit weird, emby on my nas was all working fine over https until this google outage this morning. (Why this should make a difference, no idea, but it's the only thing that has changed) Now it does not seem to be working. I have tried the default port (8920) and the one I want to use: (9920) And it does not seem to be listening on either of these ports. If I run a port checker on my local network the port does not appear to be listening (and fwiw I see no mention of the https port in the start up logs) I have disabled the firewall on the nas, but it has made no difference. I have rebooted the nas and reinstalled emby, again these made no difference. The 9920 port is listed in my config file. I have to admit I am confused. Before I would see these lines:

    ```
    2020-12-04 19:36:21.263 Info App: Adding HttpListener prefix http://+:8196/
    2020-12-04 19:36:21.263 Info App: Adding HttpListener prefix https://+:9920/
    ```

    But now I only see:

    ```
    2020-12-14 13:26:52.310 Info App: Adding HttpListener prefix http://+:8196/
    ```

    the second line is missing...
  17. Inspired by this article on how to host a website using cloudflare and nginx, I intend to do the same for my emby server. Like swynol, I have nginx server and emby server running on the very same machine which I station on my local home network. My OS however is ubuntu instead of windows. I've tried both swynol's and lukecarrier's github codes, to no avail, it won't redirect to the emby server no matter what. My nginx server was indeed running as both ports 80 and 443 are opened as tested by canyouseeme.org. It just won't redirect whenever I go to https://emby.mydomainname.com

I don't even know where I should put the code, of the guides online, some say /etc/nginx/conf.d/mydomain.com, some say /etc/nginx/sites-available/mydomain.com with /etc/nginx/sites-enabled linked to earlier. I highly suspect that the code is the culprit. sudo nginx -t shows no error, systemctl status nginx operational. Shed some light anyone? Appreciate it.

Update 16/12/2020

Here's my nginx code where I put under sites-available and then linked to sites-enabled via ln -s

```
server {
    listen [::]:80; ## Listens on port 80 IPv6
    listen 80; ## Listens on port 80 IPv4
    listen [::]:443 ssl http2; ## Listens on port 443 IPv6 with http2 and ssl enabled
    listen 443 ssl http2; ## Listens on port 443 IPv4 with http2 and ssl enabled
    proxy_buffering off; ## Sends data as fast as it can not buffering large chunks.
    server_name emby.mydomainname.com; ## enter your service name and domain name here
    access_log /var/log/nginx/embyaccess.log; ## Creates a log file with this name and the log info above.

    ## SSL SETTINGS ##
    ssl_session_timeout 30m;
    ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
    ssl_certificate /etc/ssl/mydomainname/cert.pem; ## Location of your public
    ssl_certificate_key /etc/ssl/mydomainname/key.pem; ## Location of your private PEM file.
    ssl_client_certificate /etc/ssl/mydomainname/cloudflare.crt; ##Authenticated Origin Pulls
    ssl_verify_client on; ##Authenticated Origin Pulls
    ssl_session_cache shared:SSL:10m;

    location ^~ /swagger { ## Disables access to swagger interface
        return 404;
    }

    location / {
        proxy_pass http://localhost:8096; ## Enter the IP here
        proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys.
        proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested.
        proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested.
        #proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server.
        proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line.
        proxy_set_header Host $host; ## Passes the requested domain name to the backend server.
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server.

        ## ADDITIONAL SECURITY SETTINGS ##
        ## Optional settings to improve security ##
        ## add these after you have completed your testing and ssl setup ##
        ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ##
        ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ##
        add_header 'Referrer-Policy' 'origin-when-cross-origin';
        add_header Strict-Transport-Security "max-age=15552000; preload" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header X-XSS-Protection "1; mode=block" always;

        ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection $http_connection;
    }
}
```

Big thanks to @pir8radio for the configuration, my configuration is based on his. Setting up authenticated origin pulls is optional, here's where I download the cert. https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls#section6
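An added example, not part of the post above or of the configuration it credits: a small Python check that reads an nginx configuration of this shape and reports, for each `server` block that listens with `ssl`, which protocol versions older than TLS 1.2 its `ssl_protocols` line enables. The function names, the `.test` host names and the embedded sample configuration are constructed for illustration.

```python
import re

# Protocol names accepted by ssl_protocols that predate TLS 1.2.
LEGACY = {"SSLv2", "SSLv3", "TLSv1", "TLSv1.1"}
TOKEN = re.compile(r'#[^\n]*|"(?:\\.|[^"\\])*"|\'(?:\\.|[^\'\\])*\'|[{};]|[^\s{};#"\']+')

def tokens(text):
    """Return an iterator of config tokens with comments ('## ...' too) dropped."""
    return (t for t in TOKEN.findall(text) if not t.startswith("#"))

def parse(toks):
    """Build [(name, args, children)]; children is None for simple directives."""
    out, words = [], []
    for tok in toks:
        if tok == "}":
            return out
        if tok in (";", "{"):
            kids = parse(toks) if tok == "{" else None
            if words:
                out.append((words[0], words[1:], kids))
            words = []
        else:
            words.append(tok)
    return out

def audit(text):
    """Return [(server_name, legacy)] per TLS server; None = no ssl_protocols in view."""
    findings = []
    def walk(nodes, inherited):
        for name, _, kids in nodes:
            if kids is None:
                continue
            protos = inherited
            for n, a, k in kids:  # the block's own ssl_protocols overrides the parent's
                if n == "ssl_protocols" and k is None:
                    protos = a
            if name == "server" and any(n == "listen" and "ssl" in a for n, a, _ in kids):
                label = next((a[0] for n, a, _ in kids if n == "server_name" and a), "(unnamed)")
                legacy = None if protos is None else sorted(LEGACY.intersection(protos))
                findings.append((label, legacy))
            walk(kids, protos)
    walk([("(file)", [], parse(tokens(text)))], None)
    return findings

# Constructed sample; the first server repeats the ssl_protocols line from the post.
SAMPLE = """http {
    ssl_protocols TLSv1.2 TLSv1.3;       # inherited by servers that set nothing
    server {
        listen 443 ssl http2;            ## double-hash comments, as in the post
        server_name emby.example.test;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        location / { proxy_pass http://localhost:8096; }
    }
    server { listen 443 ssl; server_name files.example.test; }
    server { listen 80; server_name plain.example.test; }
}
"""

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A result of `None` for a server means no `ssl_protocols` line was visible in the text given, so the default of the installed nginx build applies and has to be checked separately.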
  18. Hello Emby community! So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day). I have one question though, for which I couldn't seem to find precise info.

I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily. The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan

So far, so good, as I only access these services from my home lan, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall).

But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed. Many thanks in advance!
  19. I'm not sure if this is where I should be posting, Emby is on server 2019 but the majority of issues and possibly all of them exist outside of the server. I have been trying to make the move from Plex to Emby for a decent while now. I hate a lot of changes Plex is making and Emby has a lot of things I like WAY more. However, I am stuck when it comes to trying to setup SSL and none of the guides I have found are complete enough to actually help.

The last guide I tried to follow was this one, https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows the only deviation I believe exists is instead of being a 'namecheap' domain it is a godaddy domain because that's what I have access to as a free test (friend's and is letting me test/borrow it). I follow it to the T but at the Certify step when you click 'request certificate' it fails. I strongly feel there is something missing from the guide in the form of a prep on the domain side. At the beginning it simply says you need a domain, it doesn't say anything about a way to prep it to be able to generate and accept a cert. Is a cert from let's encrypt supposed to be added to the domain? From everything I have been seeing it appears to add a cert to the domain would require the domain to have 'web hosting'. Is it a requirement that everyone seems to consistently leave out of their guides? Other guides say I need to have DNS on my server and for a Cname to be created on the domain to point to my DNS. This guide doesn't have that at all though, I guess what I am basically saying is I'm completely lost.

What I have:

duckdns on my emby server with it set up and working to point duckdns address to my IP.
port forwarding on my router for port 80 to the Emby server
IIS installed on the Emby Server (currently has configuration set up as outlined in the guide above)
Emby installed on the Emby server (I have made 0 changes to this)
Certify installed on the Emby server
access to a go-daddy domain (does not have anything set up)

I don't care if it uses all of the above or not. It's just a statement of what exactly I have done. My question is, what on earth should I be doing to try and get this to work? If there is a particular guide you believe I should follow instead of trying to work through the one I have above please let me know. Also, please don't assume anything has been done that hasn't been explicitly asked for in the guide (except the presence of duckdns) from the guide above because there isn't.
  20. NB: This script only supports debian O/S, and debian based distributions (ubuntu etc). The script requires systemctl and apt which is present in all newer distributions. This script will probably not work as intended on Debian below v7 and Ubuntu below 14.

A while back I created a script that will:

Check if Apache and/or Nginx is running, and if running stop them.
Disable UFW (firewall).
Flush iptables.
Check if certbot is installed, and if not, install it.
Check if certificate is located in the emby directory, and if found, delete it.
Ask for your FQDN of your emby server.
Create a new certificate that's valid for 90 days.
Convert the certificate to PFX and copy it to your emby directory.
Ask for your emby group and user and change permissions of the PFX to the specified user (default is emby).
Re-enable UFW (firewall).
Re-enable Apache and/or Nginx (if it was stopped).
Restart the Emby system service.

After you have downloaded and placed the script on your server, you must unzip it and give the script execution permission. To do that, run the command: `unzip embycert.zip && chmod +x embycert.sh`

This script should be run every 3 months to keep your certificate up-to-date. This script MUST be run as root with either SU or SUDO. SUDO is not native in Debian, and I would recommend to run this script as root.

NB: After installation, you must define the path to the certificate (under Network tab) which is: /var/lib/emby/emby.pfx and then again manually restart the emby server system service. Remember, if the FQDN is not typed correctly, the installation will fail, so be sure to spell it correctly, and make sure that the A record is valid and working.

embycert.sh
  21. https://support.emby.media/support/solutions/articles/44001159601-hosting-settings is where I ended up when searching for help on entering new SSL certificate. However, the dashboard now has a 'Network' node which is where I found the relevant information; the help should probably be updated.
  22. Hello, I install Emby server on Raspberry pi 4 with Dietpi distro. I have also installed there Nextcloud as my NAS server. There's very easy way to install SSL certificate for Nextcloud. I make a domain myserver.ddns.net on NO-IP website, install certbot and run letsencrypt from dietpi-software. Now I want to add SSL for my Emby Server. I see there's tutorial but I don't know anything about certificates and don't want to break something. @pir8radio @Swynol Can somebody tell me do I have to make another domain with ddns? There's also information on the tutorial beginning to kill all process on port 80. When I enable https for nextcloud I delete rule for port forwarding on my router for port 80 but when I make command: `netstat -nlp | grep :80`

```
tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1191/kodi.bin_v8
tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1032/lighttpd
tcp6 0 0 :::8096 :::* LISTEN 26999/EmbyServer
tcp6 0 0 :::8080 :::* LISTEN 1191/kodi.bin_v8
tcp6 0 0 :::80 :::* LISTEN 1032/lighttpd
```

Regards Przemek
  23. hugo0814

    Non secure connection

    Hey! So I just finished the SSL certificate and all connections are secure BUT only when I enter my Dynamic DNS address. Not when I visit using the "app.emby.media" site on my iPhone, it shows "Not Secure". Included some pictures to show my configuration.
  24. cyphershadow

    Need a nudge in the correct direction

    Good morning everyone. First I'd like to say how incredible this platform is, and express what a kick ass job you all are doing. Miles beyond my previous Plex setup, more streamlined, and just incredible. I was wondering if someone could point me in the direction of a configuration file, or process for restricting which SSL/TLS connection configurations are accepted by the Emby web server. A review of accepted connections is showing the server accepting TLSv1.0 which is insecure, TLSv1.1 which is coming up on phase out this year, and a mix of insecure/anonymous ciphers. I would like to restrict the server from accepting connections using these configurations, but am having trouble locating any form of proper configuration file within my qnap directories (Granted qnap CLI is not the best). I am aware of the potential issue with disabling these items and that it could cause issues with certain devices, but I would rather lock this down since it will be open to the net. Thanks for any assistance. Keep up the good work! Edit: Almost forgot. I'm running version 4.3.1.0 on a Qnap TS-451 on firmware 4.4.1.1146.
  25. Hi all, I am having an issue whereby I am unable to connect to my Emby Server remotely when using a domain. I have an SSL certificate that is correctly associated with the domain and works as it should. I have port forward setup on my router, and as a test I have used the external IP of my router as the external domain and this worked correctly and allowed me to access remotely. I've taken a log to show that it accepts the connection via the external IP as the external domain. If you require any further information please let me know. Thanks, Michael