Jump to content

Search the Community

Showing results for tags 'SSL'.

  • Search By Tags

    Type tags separated by commas.
  • Search By Author

Content Type


Forums

  • General
    • Announcements
    • Emby Premiere Purchase/Subscription Support
    • Feature Requests
    • Tutorials and Guides
  • Emby Server
    • General/Windows
    • Android Server
    • Asustor
    • FreeBSD
    • Linux
    • NetGear ReadyNAS
    • MacOS
    • QNAP
    • Synology
    • TerraMaster NAS
    • Thecus
    • Western Digital
    • DLNA
    • Live TV
  • Emby Apps
    • Amazon Alexa
    • Android Mobile
    • Android TV / Fire TV
    • Emby Theater
    • iOS
    • Apple TV
    • Kodi
    • Raspberry Pi
    • Roku
    • Samsung Smart TV
    • Sony PlayStation
    • LG Smart TV
    • Web App
    • Windows Media Center
    • Plugins
  • Language-specific support
    • Arabic
    • Dutch
    • French
    • German
    • Italian
    • Portuguese
    • Russian
    • Spanish
    • Swedish
  • Community Contributions
    • Ember for Emby
    • Fan Art & Videos
    • Tools and Utilities
    • Web App CSS
  • Other
    • General Discussion
    • Developer API
    • Hardware
    • Media Clubs
    • Legacy Support

Blogs

  • Emby Blog

Calendars

  • Community Calendar

Find results in...

Find results that contain...


Date Created

  • Start

    End


Last Updated

  • Start

    End


Filter by number of...

  1. Looks like my Roku TV 7117X is no longer able to connect to my remote Emby Server via SSL. SSL certificate was generated by Synology Lets Encrypt. I wanted to create this thread to make awareness and so others with same problem can find this. This all seems to be related to the Lets Encrypt certificate issues from September 30. Other clients like IOS app and Chrome browsers can successfully connect with SSL. Looking through other threads other users are reporting with same issues. No sure if there is a way to fix. TCL Roku TV Software Version: 10.0.0 Build 4209-30 Emby App Version 4.0 Build 31
  2. This guide will explain how to setup a Windows Server instance of Emby server with IIS as full transparent reverse proxy with SSL offload and auto-renewing certificates via Lets Encrypt. First, What is IIS? IIS or Internet Information Services is the web server service provided with Windows and Windows server installations. It is industry standard technology and is widely supported and regularly maintained by Microsoft. Second, What is a reverse proxy? A reverse proxy will take requests coming into your server (in this case HTTPS on port 443) and route them to a backend application (in this case Emby Server on port 8096 on the same box or another). Reverse proxies are very useful if you only have 1 public IP and multiple services you would like to run on a single port (443, for example is standard secure web traffic) or multiple servers that need to appear as one. Third, Why do I want a certificate for my site from Lets Encrypt? Well, most sites now days are secure (read they encrypt your traffic to prevent people from seeing your data), browsers these days flag sites that are not using properly signed certificate chains or run on insecure ports. If you use a self signed certificate in Emby, you may have difficulty getting things like the iOS app or Roku app to work properly outside your home. (Not sure about the rest of you, but Emby on the kid’s iPad is a life saver for long car rides). Let’s Encrypt provides free SSL certificates that are signed by certificate authorities that will be recognized on all devices and platforms. I will be using Windows Server 2019 with IIS 10 and AAR 3. All of this should work with Windows Server 2012R2 and Windows Server 2016 as well as Windows 10, however there may be some differences. You can use either stable or beta version of Emby Server, however in this guide we will use the stable version. At the time of writing, this guide will get you a full A+ rating from SSLlabs.com security test. (For comparison purposes, Facebook’s rating is a B.) In this guide we will: Install Emby Server Move Emby Server Installation to a non-user-locked location Setup a service user to run Emby Server as Configure Emby Server to run as a service Configure Windows Firewall Install IIS Install AAR Install IIS Rewrite module Configure AAR Configure IIS as a reverse proxy for Emby Configure SSL cypher suites for the server Install the Certify the Web client. Configure Certify the Web for auto-renewing SSL certificate for your domain Note: To be externally accessible, you will need to configure your route/modem to port forward 80 and 443 to your server. Pre-reqs/Assumptions: A physical server or VM running Windows Server An Internet Connection A DynDNS/No-IP URL (or similar routable dns name pointed at your router’s public IP) You have port forwarded ports 80 and 443 through your router to the machine you will use as a reverse proxy (in this guide we will use the same box for the reverse proxy and Emby server, but these can be run on different hosts). You have installed Notepad++ on the machine you will be setting up. Install Emby Server Download Emby Server Run the Installer Click Run when prompted If prompted by smart screen, click run anyway If prompted to install Visual C++ runtime, click install It will install to default location of %APPDATA%\Emby-Server. Move Emby Server to Non-User Locked Location Ensure that Emby Server is not running (right click icon in system tray if present and click Exit) Navigate to default location of %APPDATA% (%userprofille%\appdata\roaming) Right click the folder and click "cut" Navigate to C:\ (or root of the drive you wish to have Emby run from) Right click in the whitespace and paste. (if prompted to provide administrator permission, approve) Create a Service Account to run Emby as Note: Instructions show how to do this using local users and computers, you can also do this with Active Directory Users and Computers if your server is running that role. Right click on the start button (Windows flag) on the left side of the task bar Click Computer Management Expand Local Users and Groups on the left side Click Users Right click the whitespace and click new user Complete the new user dialog as shown (make sure you save whatever password you use as you will need it later, ProTip: don't re-use passwords) Click create Click close Close the computer management window Setup NSSM NSSM (Non-Sucking Service Manager) is needed to run Emby Server as a service as Emby Server does not include the nessicary components to run as a Windows service by default. Download here: https://nssm.cc/download Double click downloaded zip to open it in windows explorer Navigate to /win64 folder inside zip Copy/extract 64 bit version of the file to C:\Emby-Server Setup Folder Permissions Navigate to C:\ Right click the Emby-Server folder Click Properties Click Security tab Click Advanced Click Disable Inheritance Click Convert to Explicit Select CREATOR OWNER Click Remove Select Users (special) Click Remove Click Add Enter SvcEmby in the dialog Click OK Click Full Control Click OK Click Change next to owner at the top of the box Type SvcEmby in the dialog Click OK Check the Replace owner check box Check the Replace permissions checkbox Verify the dialog window looks similar to this (computer name will be different) Click OK When prompted if you want to replace permissions click Yes Verify security tab looks like this Click OK Setup Emby as a Service using NSSM Right click the start button on the left side of the task bar Click Windows Powershell (Admin) Type: "cd C:\Emby-Server" and press enter Type ".\nssm.exe install Emby" and press enter The install service dialog will launch, fill out as follows: Application Tab Details Tab Logon Tab (note, if you are using active directory it should be: YOURDOMAIN\SvcEmby) Exit Actions Tab Click Install Service Click OK Config ure Windows Firewall Click Start Click Control Panel Click Windows Defender Firewall Click Advanced Settings on the left hand side Click Inbound Rules Click New Rule on the right hand side Click Port Click Next Type 80, 443 in the ports box Click Next Click Next Click Next Name it Web Server Ports Click Finish Install IIS (Internet Information Services) Click Start Click Server Manager Click Add Roles and Features Click next on the Before you Begin page Click Role Based install Click Next Verify you are installing on your local server Click Next Check the box for "Web Server (IIS)" When prompted to install management tools Click Add Features Click Next Under Features, click Next Click Next again to get to role services Check the boxes for all of the following role services Make sure you check the box for web sockets under Application Development, this is needed for various features of Emby to work right. Click Next Click Install Once installation completes, click close Install Web Platform Installer add-on Download from: https://www.microsoft.com/web/downloads/platform.aspx Run the Web Platform Installer add-on installer Click Install Click Finish Install AAR (Advanced Application Routing) Download from: https://www.microsoft.com/en-us/download/details.aspx?id=47333 Run the Request Router installer Click Install Install IIS Re-Write Module Click Start Click Administrative Tools Open Internet Information Services (IIS) Manager Click the name of your server on the left Double Click on the Web Platform Installer In the search box type "url rewrite" Click Add Click Install Click I Agree Click Finish Configure AAR Click Start Click Administrative Tools Open Internet Information Services (IIS) Manager Click the name of your server on the left Right Click Server Farms Click Create Server Farm Name your Server Farm Click Next Enter the IP address of the server or "localhost" Click Add Click Finish Click No in the dialog that pops up Expand your newly created Server Farm Click Proxy Configure settings as shown Click Apply Click your Server Click Application Request Routing Click Server Proxy Settings Configure settings as shown Click Apply Click Your Server Configure IIS Server Variables Click Url Re-Write Click View Server Variables Click Add Type "HTTP_ACCEPT_ENCODING" Click OK Click Add Type "HTTP_X_ORIGINAL_ACCEPT_ENCODING" Click OK Click Add Type "HTTP_X_FORWARDED_FOR" Click OK Click Add Type "HTTP_X_REAL_IP" Click OK Click Your Server Create Emby Site Expand Sites on the left hand side Right Click "Default Web Site" Highlight "Manage Website" Click Stop Right Click the white space in the Sites list Click Add Website Click the "..." button to the right of Physical Path Browse to C:\inetpub\wwwroot Click it Click Make New Folder Call it Emby Click OK Under Binding Fill in with your public host name (see dynamic dns mentioned in pre-reqs) Click OK Configure Logging Click your server Click Logging Click Select Fields Click Add Field Configure as shown Click OK Click OK Click Apply Install and Configure Certify The Web client Download From: https://certifytheweb.com Run the Certify the Web installer Click Next Click Next Click Next Click Install Click Finish Click New Certificate Click on on Contact Prompt Fill in your contact email Click Register Contact Click New Certificate again Select Emby from the sites list Name and domain will populate automatically. Click Deployment Configure as shown Complete certificate verification process Click your site in IIS manager Click Bindings Verify there is an HTTPS binding and that it looks similar to this (with your domain information) Edit Web.Config for Emby Site Click HTTP Response Headers Click Add Configure as show (we are just creating a header to get the web.config to exist, we will paste in a premed one below, so these values dont really matter) Click OK Open an Explorer window and Browse to C:\inetpub\wwwroot\Emby Right click web.config and Edit with Notepad++ Replace existing content with web.config below <?xml version="1.0" encoding="UTF-8"?> <configuration> <system.webServer> <rewrite> <rules> <clear></clear> <rule name="Redirect to https" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" negate="false" /> <conditions logicalGrouping="MatchAny"> <add input="{HTTPS}" pattern="off" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" /> </rule> <rule name="Proxy to Emby" stopProcessing="false"> <match url="(.*)" /> <serverVariables> <set name="HTTP_X_ORIGINAL_ACCEPT_ENCODING" value="{HTTP_ACCEPT_ENCODING}" /> <set name="HTTP_ACCEPT_ENCODING" value="" /> <set name="HTTP_X_REAL_IP" value="{REMOTE_ADDR}" /> </serverVariables> <action type="Rewrite" url="http://localhost:8096/{R:1}" logRewrittenUrl="true" /> <conditions> <add input="/{R:1}" pattern=".well-known" negate="true" /> </conditions> </rule> </rules> <outboundRules> <rule name="Add Strict-Transport-Security when HTTPS" enabled="true"> <match serverVariable="RESPONSE_Strict_Transport_Security" pattern=".*" /> <conditions> <add input="{HTTPS}" pattern="on" /> </conditions> <action type="Rewrite" value="max-age=31536000; includeSubDomains; preload" /> </rule> <rule name="Proxy to Emby" preCondition="ResponseIsHtml1" enabled="true"> <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://http://localhost:8096/(.*)" /> <action type="Rewrite" value="http{R:1}://media.example.com/{R:2}" /> </rule> <rule name="Restore-AcceptEncoding" preCondition="NeedsRestoringAcceptEncoding"> <match serverVariable="HTTP_ACCEPT_ENCODING" pattern="^(.*)" /> <action type="Rewrite" value="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" /> </rule> <preConditions> <preCondition name="ResponseIsHtml1"> <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" /> </preCondition> <preCondition name="NeedsRestoringAcceptEncoding"> <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" /> </preCondition> </preConditions> </outboundRules> </rewrite> <caching enabled="false" enableKernelCache="false" /> <httpProtocol> <customHeaders> <add name="X-Frame-Options" value="SAMEORIGIN" /> <add name="X-Xss-Protection" value="1; mode=block" /> <add name="X-Content-Type-Options" value="nosniff" /> <add name="Referrer-Policy" value="same-origin" /> <add name="Feature-Policy" value="sync-xhr 'self'" /> <add name="Cache-Control" value="no-cache" /> </customHeaders> </httpProtocol> </system.webServer> </configuration> Save changes (if prompted to restart Notepad++ in admin mode allow it and then try saving again) IIS will now be properly configured as a reverse proxy for Emby. Under IIS Manager > Rewrite you should now see the following rules: Configure Server Cyphers Download here: https://www.nartac.com/Products/IISCrypto/Download (GUI version) Run the IISCrypto too Click Templates In the template drop down box, select PCI 3.2 This will disable IIS from being able to serve via SSL 2.0, 3.0; TLS 1.0 and TLS 1.1. This will leave just the industry standard TLS 1.2. Click Apply Click OK. Reboot your server. Emby Internal Settings Navigate to your server via the localhost:8096 address Click the gear in the top right corner Click Network from the list of tabs on the right Configure as shown (use your hostname in the external domain box) Conclusion Upon rebooting your computer will start IIS services and Emby server as a service. Traffic coming in on port 80 (if someone just types your url without HTTPS in their browser's address bar) will be automatically redirected to port 443 and the HTTPS:// version of your host name. Your certificate will auto-renew every so often and re-bind to the site in IIS without any interaction on your part. This allows for a server that you can for the most part setup, and forget about and just manage your Emby installation via its web ui. There are a lot of ways to set up Emby server depending on your environment and other factors. For my environment this made the most sense and since large portions of this took quite a bit of digging and research to get working just right, I figured Id make someone else's life a little easier if they were trying to do something similar. These instructions can be adapted for Windows Server 2012 R2, Windows Server 2016, Windows 8 and Windows 10. In the end browsing to your domain should look like this in the browser Additional Information for Updating When Updating your Emby installation. Simply stop the service for Emby, install like you normally would, then just cut the system folder inside the %appdata%\emby-server folder and paste it into the C:\Emby-Server folder. When prompted replace all files, then start the service again once the copy completes. Additional Information about Connecting with Emby Apps When connecting to your Emby installation remotely with Emby apps remember to prefix your domain name with https:// and use 443 for the port number. <Edit> Additional Information about changing Emby Server Title: For those users who wish to change their page title in browser (as discussed here), here is additional Web.Config information that will let you do just that! Using IIS Re-Write rules to change the page title means, you don't have to edit files to reset it every time you upgrade your Emby Server! Add these 3 rules at the bottom of the rules list, replace whole <preConditions> block too.: NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar. <rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true"> <match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" /> <action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" /> </rule> <rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true"> <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" /> <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" /> </rule> <rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true"> <match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" /> <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" /> </rule> <preConditions> <preCondition name="ResponseIsHtml1"> <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" /> </preCondition> <preCondition name="ResponseIsJS"> <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" /> </preCondition> <preCondition name="NeedsRestoringAcceptEncoding"> <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" /> </preCondition> </preConditions> </Edit>
  3. So, i needed to enable remote connections for Emby server, and i wanted to secure it with https. I have seen quite a few guides on how to enable https on emby server, but i find this to be an easier way if you own an asus router that supports Lets Encrypt. Im not sure which models that support this, but my AC-86U did. All i did to get a hold of the ssl ceritifactes was to enable this in the WAN-DDNS section in the router, then export files like this: Then i converted the cert and key file to a pfx file with "Win64OpenSSL_Light-1_1_0L" https://slproweb.com/products/Win32OpenSSL.html and imported this in to Emby: I used this command: "openssl pkcs12 -inkey key.pem -in cert.pem -export -out output.pfx" Of course you also have to port forward the needed ports to make this work. Thats it, so if you own an ASUS router with this option you can save a lot of time, and a bonus, the router also automaticly renews the certificates. If this already has been posted i apologize, and feel free to leave comments if there are things i have missed or if this method seems like a bad idea.
  4. bflagg

    Step by Step for SSL

    Do you have a step by step for SSL setup for EMBY?
  5. Beecon

    Security and SSL

    I want to use a sub domain of godaddy to access my emby. It shows it’s not secure when logging in externally. I like to know if the SSL provided by synology for the server also covers emby access? how do I refer to that certificate in emby?
  6. I'm trying to set up a load balancer and reverse proxy (Kemp LoadMaster) to handle all incoming connections on port 443 and distribute to my various services in the local network, and to manage SSL certs. I am completely unable to get Emby Server running on macOS to listen on HTTPS. I don't want to "allow remote connections to this Emby Server" or manage an SSL cert on the Emby instance. As you can see below, the Emby Server is not listening on https (port 8920) even though it's reporting that it is. I've tried enabling "allow remote connections" for testing with "handed be reverse proxy" but still no dice. sudo lsof | grep LISTEN | grep -i emby EmbyServe 10196 *redacted* 148u IPv6 0xe964fbfa92b187eb 0t0 TCP *:8096 (LISTEN) embytray 10197 *redacted* 4u IPv4 0xe964fbfa79f4057b 0t0 TCP localhost:8024 (LISTEN) And no, there is nothing else listening on port 8920, and I have tried changing https port to no effect. I'd really like to get this working without using EmbyConnect as I want to manage and monitor internal services through a single interface. Emby Logs: embyserver.txt.zip
  7. Im using Linux Ubuntu 16.04 64 bit and Asustor AS-604T ADM 3.2.1 This requires you do own a domain and have create a Lets Encrypt certificate! Following ports should be open: 80, 443, 8096 and 8920 1. Login to ADM web interface > Settings > Certificate Manager - Click on Export Certificate. 2. Extract certificate.zip and open the folder certifiate 3. right click in the folder - select open terminal 4. enter the command: * Please change the name of the give-me-a-name.pfx * After execution of this command you will be prompted to create a password, this is recommanded! openssl pkcs12 -export -out give-me-a-name.pfx -inkey ssl.key -in ssl.crt 5. Save the new create give-me-a-name.pfx file on your NAS in a shared folder of own choice 6. go to: http://local.ip.of.nas:8096/ 7. Go to Advanced and do the following Check that Allow remote connection to this Emby Server is marked. * add external domain name * Custon ssl certificate path (Click on the magnifier right to the text field and navigate to where the .pfx file is. * Certificate password - Add the password you entered after execution of step 4. * Secure connection mode - Set to preferred, but not required. 8. Hit save and navigate to Controlpanel > Restart - Now you should be able to access the Emby Media Server from outside.
  8. hi guys my isp has blocked port 80 and I'm unable to authorize my certificates for my ddns. for the sake of the noob users on my network it would be helpful if your apps would automatically accept self signed certificates. i understand this is not possible in web browsers but surely its possible in your apps on smart tv's and consoles etc.... i have recently had to give plex my money which i am not happy about. i dont want to stop supporting emby however if i cant use the secure connections its of no real use to me anymore.
  9. Hi i would like to know if its possible to reuse my certificate LetsEncrypt from my NAS TS-251 to connect through https ? i tried to put the path of the cert certificate but its not working. here is what i have Custom SSL certificate path: /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert error after restarting EmbyServer 2019-01-05 12:05:44.470 Info AuthenticationRepository: PRAGMA synchronous=1 2019-01-05 12:05:44.526 Error App: No private key included in SSL cert /mnt/HDA_ROOT/.config/QcloudSSLCertificate/cert/cert. 2019-01-05 12:05:44.737 Info ActivityRepository: Default journal_mode for /share/CACHEDEV1_DATA/.qpkg/EmbyServer/programdata/data/activitylog.db is wal and in my web page Secure Connection Failed The connection to xxxxxxxxxxxxxxx.myqnapcloud.com:yyyyyy was interrupted while the page was loading. The page you are trying to view cannot be shown because the authenticity of the received data could not be verified. Please contact the website owners to inform them of this problem. thanks for your help ade05fr
  10. LunchBolero

    unable to use https on qnap ts-251b

    hello, i've been using emby for a little while on my QNAP TS-251B, but recently noticed that my devices (browsers, an nvidia shield) only connect via unsecured http on the default port 8096. when trying to bring up the page (from within my lan) on the default https port of 8920, chrome gives me ERR_CONNECTION_REFUSED. in Emby Configuration > Server > Network, i do see that the port number is indeed set to 8920. however, when i run nmap against the device to scan for open ports, 8920 appears closed. i'm using Emby server version 4.5.4.0
  11. Inspired by this article on how to host a website using cloudflare and nginx, i intend to do the same for my emby server. Like swynol, i have nginx server and emby server running on the very same machine which i station on my local home network. My OS however is ubuntu instead of windows. Ive tried both swynol's and lukecarrier's github codes, no avail, it wont redirect to the emby server no matter what. My nginx server was indeed running as both ports 80 and 443 are opened as tested by canyouseeme.org. It just wont redirect whenever i go to https://emby.mydomainname.com I dont even know where should i put the code, of the guides online, some say /etc/nginx/conf.d/mydomain.com, some say /etc/nginx/sites-available/mydomain.com with /etc/nginx/sites-enabled linked to earlier. I highly suspect that the code is the culprit. sudo nginx -t show no error, systemctl status nginx operational Shed some light anyone? Appreciate it. Update 16/12/2020 Here's my nginx code where I put under sites-available and then linked to sites-enabled via ln -s server { listen [::]:80; ## Listens on port 80 IPv6 listen 80; ## Listens on port 80 IPv4 listen [::]:443 ssl http2; ## Listens on port 443 IPv6 with http2 and ssl enabled listen 443 ssl http2; ## Listens on port 443 IPv4 with http2 and ssl enabled proxy_buffering off; ## Sends data as fast as it can not buffering large chunks. server_name emby.mydomainname.com; ## enter your service name and domain name here access_log /var/log/nginx/embyaccess.log; ## Creates a log file with this name and the log info above. ## SSL SETTINGS ## ssl_session_timeout 30m; ssl_protocols TLSv1.2 TLSv1.1 TLSv1; ssl_certificate /etc/ssl/mydomainname/cert.pem; ## Location of your public ssl_certificate_key /etc/ssl/mydomainname/key.pem; ## Location of your private PEM file. ssl_client_certificate /etc/ssl/mydomainname/cloudflare.crt; ##Authenticated Origin Pulls ssl_verify_client on; ##Authenticated Origin Pulls ssl_session_cache shared:SSL:10m; location ^~ /swagger { ## Disables access to swagger interface return 404; } location / { proxy_pass http://localhost:8096; ## Enter the IP here proxy_hide_header X-Powered-By; ## Hides nginx server version from bad guys. proxy_set_header Range $http_range; ## Allows specific chunks of a file to be requested. proxy_set_header If-Range $http_if_range; ## Allows specific chunks of a file to be requested. #proxy_set_header X-Real-IP $remote_addr; ## Passes the real client IP to the backend server. proxy_set_header X-Real-IP $http_CF_Connecting_IP; ## if you use cloudflare un-comment this line and comment out above line. proxy_set_header Host $host; ## Passes the requested domain name to the backend server. proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; ## Adds forwarded IP to the list of IPs that were forwarded to the backend server. ## ADDITIONAL SECURITY SETTINGS ## ## Optional settings to improve security ## ## add these after you have completed your testing and ssl setup ## ## NOTICE: For the Strict-Transport-Security setting below, I would recommend ramping up to this value ## ## See https://hstspreload.org/ read through the "Deployment Recommendations" section first! ## add_header 'Referrer-Policy' 'origin-when-cross-origin'; add_header Strict-Transport-Security "max-age=15552000; preload" always; add_header X-Frame-Options "SAMEORIGIN" always; add_header X-Content-Type-Options "nosniff" always; add_header X-XSS-Protection "1; mode=block" always; ## WEBSOCKET SETTINGS ## Used to pass two way real time info to and from emby and the client. proxy_http_version 1.1; proxy_set_header Upgrade $http_upgrade; proxy_set_header Connection $http_connection; } } Big thanks to @pir8radio for the configuration, my configuration is based on his. Setting up authenticated origin pulls is optional, here's where I download the cert. https://support.cloudflare.com/hc/en-us/articles/204899617-Authenticated-Origin-Pulls#section6
  12. blim5001

    Emby ssl ports not working

    So this is a bit wierd, emby on my nas was all working fine over https until this google outage this morning. (Why this should make a difference, no idea, but it's the only thing that has changed) Now it does not seem to be working. I have tried the default port (8920) and the one I want to use: (9920) And it does not seem to be listening on either of these ports. If I run a port checker on my local network the port does not appear to be listening (and fwiw I see no mention of the https port in the start up logs) I have disabled the firewall on the nas, but it has made no difference. I have rebooted the nas and reinstalled emby, again these made no difference The 9920 port is listed in my config file I have to admit I am confused. Before I would see these lines: 2020-12-04 19:36:21.263 Info App: Adding HttpListener prefix http://+:8196/ 2020-12-04 19:36:21.263 Info App: Adding HttpListener prefix https://+:9920/ But now I only see: 2020-12-14 13:26:52.310 Info App: Adding HttpListener prefix http://+:8196/ the second line is missing...
  13. Ok this is going to be a long post. In this thread I will show you 2 different ways in which I setup a HTTPS connection to my emby server. Both ways require a certificate which again I will show you how i got mine using Lets Encrypt on Windows. I will break the posts up into Sections. Part.1 - Setting up a DDNS (Dynamic DNS host) Only require if you ISP IP is dynamic i.e. changes. Part.1.A - Setting Up DDNS using your own Domain Name Part.2 - Getting a Domain Name (Optional but looks fancier) Part.3 - Getting a SSL Cert from Lets Encrypt the easy way. Part 3a - Using LE.exe to get Certificates (recommended) Part.4 - Setting up HTTPS by changing default port to 443 Part.5 - Setting up HTTPS using reverse proxy
  14. NB: This script only supports debian O/S, and debian based distributions (ubuntu etc). The script requires systemctl and apt which is present in all newer distributions. This script will probably not work as intended on Debian below v7 and Ubuntu below 14. A while back I created a script that will: Check if Apache and/or Nginx is running, and if running stop them. Disable UFW (firewall). Flush iptables. Check if certbot is installed, and if not, install it. Check if certificate is located in the emby directory, and if found, delete it. Ask for your FQDN of your emby server. Create a new certificate that's valid for 90 days. Convert the certificate to PFX and copy it to your emby directory. Ask for your emby group and user and change permissions of the PFX to the specified user (default is emby). Re-enable UFW (firewall). Re-enable Apache and/or Nginx (if it was stopped). Restart the Emby system service. After you have downloaded and placed the script on your server, you must unzip it and give the script execution permission. To do that, run the command: unzip embycert.zip && chmod +x embycert.sh This script should be run every 3 months to keep your certificate up-to-date. This script MUST be run as root with either SU or SUDO. SUDO is not native in Debian, and I would recommend to run this script it as root. NB: After installation, you must define the path to the certificate (under Network tab) which is: /var/lib/emby/emby.pfx and then again manually restart the emby server system service. Remember, if the FQDN is not typed correctly, the installation will fail, so be sure to spell it correctly, and make sure that the A record is valid and working. embycert.sh
  15. Hello Emby community! So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day ). I have one question though, for which I couldnt seem to find precise info. I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily. The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan So far, so good, as I only access these services from my home lan, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall). But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed. Many thanks in advance!
  16. This started to happen 7 days ago. I am running no fancy plugins and the server version 3.2.27.0 (I know it is not the latest but it works) has served me well. Attached is the log as well as a picture from the Dashboard. I searched the forum and it looks like that there is a problem with the SSL connection. No idea what I need to do on my side. But any updates through the Dashboard seems to be impossible. Please advise. O2G server-63655498727.txt
  17. I'm not sure if this is where I should be posting, Emby is on server 2019 but the majority of issues and posibly all of them exist outside of the server. I have been trying to make the move from Plex to Emby for a decent while now. I hate a lot of changes Plex is making and Emby has a lot of things I like WAY more. However, I am stuck when it comes to trying to setup SSL and none of the guides I have found are complete enough to actually help. The last guide I tried to follow was this one, https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows the only deviation I believe exists is instead of being a 'namecheap' domain it is a godaddy domain because thats what i have access to as a free test (friend's and is letting me test/borrow it) I follow it to the T but at the Certify step when you click 'request certificate' it fails. I strongly feel there is something missing from the guide in the form of a prep on the domain side. At the beginning it simply says you need a domain, it doesn't say anything about a way to prep it to be able to generate and accept a cert. Is a cert from let's encrypt supposed to be added to the domain? From everything I have been seeing it appears to add a cert to the domain would require the domain to have 'web hosting'. Is it a requirement that everyone seems to consistently leave out of their guides? Other guides say I need to have DNS on my server and for a Cname to be created on the domain to point to my DNS. This guide doesn't have that at all though, I guess what I am basically saying is im completely lost. What I have, duckdns on my emby server with it set up and working to point duckdns address to my IP. port forwarding on my router for port 80 to the Emby server IIS installed on the Emby Server (currently has configuration set up as outlined in the guide above) Emby installed on the Emby server (I have made 0 changes to this) Certify installed on the Emby server access to a go-daddy domain (does not have anything set up) I don't care if it uses all of the above or not. Its just a statement of what exactly I have done. My question is, with what on earth should I be doing to try and get this to work? if there a particular guide you believe i should follow instead of trying to work through the one I have above please let me know. Also, please dont assume anything has been done that hasn't been explicitly ask for in the guide (except the presence of duckdns) from the guide above because there isn't.
  18. https://support.emby.media/support/solutions/articles/44001159601-hosting-settings is where I ended up when searching for help on entering new SSL certificate. However, the dashboard now has a 'Network' node which is were I found the relevant information; the help should probably be updated.
  19. Hi all, I am having an issue whereby I am unable to connect to my Emby Server remotely when using a domain. I have a SSL certificate that is correctly associated with the domain and works as it should. I have port forward setup on my router, and as a test I have used the external IP of my router as the external domain and this worked correctly and allowed me to access remotely. I've taken a log to show that it accepts the connection via the external IP as the external domain. If you require any further information please let me know. Thanks, Michael
  20. Hello, I install Emby server on Raspberry pi 4 with Dietpi distro. I have also installed there Nextcloud as my NAS server. There's very easy way to install SSL certificate for Nextcloud. I make a domain myserver.ddns.net on NO-IP website, install certbot and run letsencrypt from dietpi-software. Now I want to add SSL for my Emby Server. I see there's tutorial but I don't know nothing about certificates and don't want to brake something. @@pir8radio @@Swynol Can somebody tell me do I have to make another domain with ddns? There's also information on the tutorial beginning to kill all process on port 80. When I enable https for nextcloud I delete rule for port forwarding on my router for port 80 but when I make command: `netstat -nlp | grep :80` ``` tcp 0 0 0.0.0.0:8080 0.0.0.0:* LISTEN 1191/kodi.bin_v8 tcp 0 0 0.0.0.0:80 0.0.0.0:* LISTEN 1032/lighttpd tcp6 0 0 :::8096 :::* LISTEN 26999/EmbyServer tcp6 0 0 :::8080 :::* LISTEN 1191/kodi.bin_v8 tcp6 0 0 :::80 :::* LISTEN 1032/lighttpd ``` Regards Przemek
  21. hugo0814

    Non secure connection

    Hey! So I just finished the SSL certificate and all connections are secure BUT only when I enter my Dynamic DNS address. Not when I visit using the "app.emby.media" site on my iPhone, it shows "Not Secure". Included some pictures to show my configuration.
  22. cyphershadow

    Need a nudge in the correct direction

    Good morning everyone. First I'd like to say how incredible this platform is, and express what a kick ass job you all are doing. Miles beyond my previous Plex setup, more streamlined, and just incredible. I was wondering if someone could point me in the direction of a configuration file, or process for restricting which SSL/TLS connection configurations are accepted by the Emby web server. A review of accepted connections is showing the server accepting TLSv1.0 which is insecure, TLSv1.1 which is coming up on phase out this year, and a mix of insecure/anonymous ciphers. I would like to restrict the server from accepting connections using these configurations, but am having trouble locating any form of proper configuration file within my qnap directories (Granted qnap CLI is not the best). I am aware of the potential issue with disabling these items and that it could cause issues with certain devices, but I would rather lock this down since it will be open to the net. Thanks for any assistance. Keep up the good work! Edit: Almost forgot. I'm running version 4.3.1.0 on a Qnap TS-451 on firmware 4.4.1.1146.
  23. centuryx476

    IIS Reverse Proxy

    Hello, I was able to successfully configure windows IIS as a reverse proxy using URL re-write and AAR. I also enabled SSL offloading so I can put my Let's Encrypt cert in IIS and manage it through there as well as control the level of SSL Ciphers that IIS can use. Emby comes up perfectly and works.. Right up until you click play on a movie. The playback seems to take forever to load, it eventually does but then another issue comes up. The CPU on the server jumps to 99% and it never stops. From what I can tell of the logs it is doing a Remux of the file and then playing it which is causing the CPU to run hot. I was playing "The Fifth Element" as a test and when I viewed the stats for nerds it states that the "media bitrate exceeds limit" which I find odd as the movies overall bitrate is just 12/Mb. As a test I then disabled the reverse proxy and used the built in emby way of encrypting the server. I passed the .pfx12 file and its password and changed the port to 443 and did another test with the same movie and it played perfectly. It loaded instantly and the CPU stayed at around 1% usage. Could it be the SSL offloading that is causing this ? Could it be IIS itself ? Is there specific things I need to change within IIS in order for this to work correctly ? Has anyone here been able to successfully get an IIS reverse proxy with SSL offloading to work with emby ? Let me know Thank You
  24. riothamus

    Apache Proxy Frontend for Emby

    I have had a few people ask me to explain how I set up my Apache server to forward to my Emby server. Here is a breakdown of how mine is set up should anyone else wish to try this. This is just my way of doing this (yeah, I know, Nginx exists but I have always been an Apache user). Note that I use RPM based distributions, and my frontend Apache server is running on Fedora Server Edition (so that I can have the http/2 goodness). My instructions will emphasize this type of Linux distribution, so you will need to read up on how your particular flavor of Linux handles Apache installations. First off, here is an overview of my network. Everyone's network is different, but this is what I have set up: edge firewall -> wireless ap/firewall -> apache server -> media server (where the media files are actually stored) On my firewalls, I only have ports 80 and 443 tcp opened up, and they forward to my Apache server. No other ports are exposed to the Internet. My Emby server is not configured with SSL. All SSL is terminated at my Apache server. This way, I can use one SSL certificate to encrypt any web services that I run on my network, without trying to get a certificate for each individual server installation. Anything that comes in on port 80 automatically gets forced over to port 443 (this is done by my Apache server itself). I am also using HTTP/2 which has helped with the various web services that my Apache frontend is exposing to the web. Also, all of my internal servers are running host-based firewalls. There is nothing wrong with security in depth here, and I have personally not heard a valid reason to not run a host-based firewall for your networking services. I use https://letsencrypt.org/ for my SSL certificate. It's free, and their tools are awesome. If you use their services, please donate to them as they are providing a valuable service to practically every community. I also have my own domain name set up and registered, with a dynamic IP from my ISP. There are a plethora of services that will let you register your dynamic IP for a domain name, so search around for the one that suits you best. Personally, I am using Google Domains for mine. My firewall assists in keeping my latest IP registered for my domain. This is extremely handy for mobile devices and family members who wish to use my Emby server remotely. Here are the general steps I would recommend to someone setting this up for themselves: Use an edge firewall. The extra protection is worth it. Use your edge firewall to keep track of your public IP, and use whatever agent that your dynamic DNS provider provides to keep your latest IP registered for your domain. I do not recommend doing this from your Apache server, as your Apache server should be further into your network and protected by your other firewall(s). Set up an SSL certificate for your domain. Again, LetsEncrypt is pretty awesome. Install Apache on a server that can handle a fair amount of network traffic. If you are using LetsEncrypt, set up the agent to keep up with your SSL certificate on this server. dnf groupinstall "Web Server" dnf install mod_http2 Configure your Apache server. On a Fedora, CentOS, RHEL system create a file called /etc/httpd/conf.d/00_yourdomain.conf (the two zeroes are there to make sure that your domain file is loaded first). Here are snippets of my configuration (cleaned up a bit for, you know, security): <VirtualHost *:80> Protocols h2c http/1.1 # Send everything over to https instead, best practice over mod_rewrite ServerName example.com Redirect / https://example.com/ </VirtualHost> <VirtualHost _default_:443> # Enable http/2 Protocols h2 http/1.1 <IfModule http2_module> LogLevel http2:info </IfModule> SSLEngine on SSLProtocol all -SSLv2 -SSLv3 SSLCipherSuite EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:ECDHE-RSA-AES128-SHA:DH-RSA-AES128-GCM-SHA256:AES256+EDH:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-GCM-SHA256:DHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-RSA-AES128-SHA256:ECDHE-RSA-AES256-SHA:DHE-RSA-AES256-SHA256:DHE-RSA-AES128-SHA256:DHE-RSA-AES256-SHA:DHE-RSA-AES128-SHA:ECDHE-RSA-DES-CBC3-SHA:EDH-RSA-DES-CBC3-SHA:AES256-GCM-SHA384:AES128-GCM-SHA256:AES256-SHA256:AES128-SHA256:AES256-SHA:AES128-SHA:DES-CBC3-SHA:HIGH:!aNULL:!eNULL:!EXPORT:!DES:!MD5:!PSK:!RC4 SSLHonorCipherOrder On SSLCompression off Header always set Strict-Transport-Security "max-age=63072000; includeSubdomains" Header always set X-Frame-Options SAMEORIGIN Header always set X-Content-Type-Options nosniff SSLCertificateFile /etc/letsencrypt/live/example.com/cert.pem SSLCertificateKeyFile /etc/letsencrypt/live/example.com/privkey.pem SSLCertificateChainFile /etc/letsencrypt/live/example.com/fullchain.pem <Files ~ "\.(cgi|shtml|phtml|php3?)$"> SSLOptions +StdEnvVars </Files> <Directory "/var/www/cgi-bin"> SSLOptions +StdEnvVars </Directory> BrowserMatch "MSIE [2-5]" \ nokeepalive ssl-unclean-shutdown \ downgrade-1.0 force-response-1.0 ServerName example.com ServerAlias example.com ErrorLog logs/example-error_log RewriteEngine on RewriteRule ^/emby(.*) http://127.0.0.1:8096/emby$1 [proxy] RewriteRule ^/emby http://127.0.0.1:8096 [proxy] RewriteRule ^/embywebsocket(.*) http://127.0.0.1:8096/embywebsocket$1 [proxy] RewriteRule ^/embywebsocket http://127.0.0.1:8096 [proxy] <location /emby> ProxyPass http://127.0.0.1:8096/ ProxyPassReverse http://127.0.0.1:8096/ </location> <location /embywebsocket> ProxyPass http://127.0.0.1:8096/ ProxyPassReverse http://127.0.0.1:8096/ </location> </VirtualHost> So what this does for me is let Apache handle all incoming port 80 requests, and turns them into encrypted traffic. All connections to and from the server (that can support it) are encapsulated in HTTP/2 packets. All of my SSL encrypted web traffic is handled by one certificate, so I can have multiple URL paths served by the same domain name, with only the https port used, and it just plain looks cleaner. For example, you can have: https://example.com/emby https://example.com/nextcloud https://example.com/hello_kitty_island_adventure Or whatever suits your needs. My Emby server doesn't have to worry about any proxy configurations or SSL, as Apache takes care of all of that. My example is using the localhost IP address to direct all incoming and outgoing Emby requests, but if you are using a separate host that runs Emby, just make sure to use the IP of that system instaed and that you have port 8096 open and available. I hope that others may find this helpful.
  25. atlas780

    SSL not working after cert renewal

    Hey, I had it setup for a while with an Letsencrypt Certificate converted into p12. It worked flawlessly. Then my cert ran out and I had to renew it. So i did "certbot --renew" which worked and converted it into a p12 with openssl pkcs12 -export -out certificate.p12 -inkey privkey.pem -in cert.pem -certfile fullchain.pem But sinse then HTTPS is not working: (Sorry for German) I already tried to change the path, the certfile has all rights and I have no idea why it's not working. Also in the Dashboard it's not shown with HTTPS: The logs are attached. Maybe someone here has an idea. Thanks in Advance! embyserver.txt ffmpeg-remux-fee6f20e-34b8-41bf-8c2b-f9d6f324abf5_1.txt ffmpeg-transcode-ffc235e7-a070-4e74-965f-9e8f183059c8_1.txt hardware_detection-63715285219.txt
×
×
  • Create New...