
Showing results for tags 'reverse-proxy'.



Found 2 results

  1. What I have done so far:

     I have a domain name purchased from Namecheap; I'll call it <mydomain>. I used Namecheap's DDNS on my Emby server, which creates an A record on the domain. For whatever reason, I had to use www.<mydomain>.com. I don't know why, but I had to add the www's to get it to work. I had also tried @<mydomain>.com, but it would never update. I have let this run for a week, so everything should be updated and ready to go.

     On my router I forwarded ports 80 and 443 to the Emby server. With my particular router I can't figure out a way to permit it through the firewall, but my test has the firewall turned off, so I don't think it is causing the issue.

     Emby's settings:

       • local http 8096, https 8920
       • public http 80, https 443
       • allow remote is checked

     Caddy v2: I downloaded the zip and unzipped it on the root directory. I created the extension-less "caddyfile"; its contents are:

         {
             email <mygmail>@gmail.com
         }

         www.<mydomain>.com {
             reverse_proxy http://192.168.0.18:80
         }

     I know I can use localhost instead of the IP; this should work though, because I know its internal IP and I have it set to not change, as I use it to connect using RDP.
     Running everything: I use the command prompt and navigate to the Caddy directory. With the router firewall on and the server's firewall off, I run "caddy run":

         C:\Caddy>caddy run
         2020/06/21 14:46:17.402 INFO using adjacent Caddyfile
         2020/06/21 14:46:17.413 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
         2020/06/21 08:46:17 [INFO][cache:0xc0005ff7c0] Started certificate maintenance routine
         2020/06/21 14:46:17.415 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
         2020/06/21 14:46:17.415 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
         2020/06/21 14:46:17.418 INFO tls cleaned up storage units
         2020/06/21 14:46:17.418 INFO http enabling automatic TLS certificate management {"domains": ["www.<mydomain>.com"]}
         2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
         2020/06/21 14:46:17.425 INFO autosaved config {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
         2020/06/21 14:46:17.428 INFO serving initial configuration
         2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
         2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Waiting on rate limiter...
         2020/06/21 08:46:17 [INFO][www.<mydomain>.com] Done waiting
         2020/06/21 08:46:17 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
         2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
         2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
         2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: use http-01 solver
         2020/06/21 08:46:18 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
         2020/06/21 08:46:25 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
         2020/06/21 08:46:25 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387022605
         2020/06/21 08:46:25 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/P-jvWvwSBjkK_9PQepBe5puAo_TLpsdonnZVunocu-I: Connection reset by peer, url: (challenge=http-01 remaining=[tls-alpn-01])
         2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
         2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
         2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
         2020/06/21 08:46:27 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
         2020/06/21 08:46:28 http: TLS handshake error from 127.0.0.1:61875: EOF
         2020/06/21 08:46:28 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
         2020/06/21 08:46:28 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387024673
         2020/06/21 08:46:28 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: (challenge=tls-alpn-01 remaining=[])
         2020/06/21 08:46:30 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: - retrying in 1m0s (13.0492981s/720h0m0s elapsed)...
         2020/06/21 14:46:34.960 INFO shutting down {"signal": "SIGINT"}
         2020/06/21 08:46:34 [INFO][cache:0xc0005ff7c0] Stopped certificate maintenance routine
         2020/06/21 08:46:34 [INFO][www.<mydomain>.com] Obtain: Releasing lock
         2020/06/21 14:46:34.963 INFO shutdown done {"signal": "SIGINT"}

     With both the router's and the Caddy server's firewalls off, I run Caddy and it does this:

         C:\Caddy>caddy run
         2020/06/21 14:47:55.788 INFO using adjacent Caddyfile
         2020/06/21 14:47:55.794 INFO admin admin endpoint started {"address": "localhost:2019", "enforce_origin": false, "origins": ["localhost:2019"]}
         2020/06/21 14:47:55.795 INFO http server is listening only on the HTTPS port but has no TLS connection policies; adding one to enable TLS {"server_name": "srv0", "https_port": 443}
         2020/06/21 14:47:55.795 INFO http enabling automatic HTTP->HTTPS redirects {"server_name": "srv0"}
         2020/06/21 08:47:55 [INFO][cache:0xc0002e3b80] Started certificate maintenance routine
         2020/06/21 14:47:55.796 INFO http enabling automatic TLS certificate management {"domains": ["www.<mydomain>.com"]}
         2020/06/21 14:47:55.797 INFO tls cleaned up storage units
         2020/06/21 14:47:55.798 INFO autosaved config {"file": "C:\\Users\\<myuser>\\AppData\\Roaming\\Caddy\\autosave.json"}
         2020/06/21 14:47:55.799 INFO serving initial configuration
         2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain certificate; acquiring lock...
         2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Obtain: Lock acquired; proceeding...
         2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Waiting on rate limiter...
         2020/06/21 08:47:55 [INFO][www.<mydomain>.com] Done waiting
         2020/06/21 08:47:55 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
         2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
         2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Could not find solver for: tls-alpn-01
         2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: use http-01 solver
         2020/06/21 08:47:56 [INFO] [www.<mydomain>.com] acme: Trying to solve HTTP-01
         2020/06/21 08:48:03 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
         2020/06/21 08:48:03 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387042878
         2020/06/21 08:48:03 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Fetching http://www.<mydomain>.com/.well-known/acme-challenge/fZqo0DmEmVjo9sElqDlmfJv6r_y50shAJ87QeOgb_rE: Connection reset by peer, url: (challenge=http-01 remaining=[tls-alpn-01])
         2020/06/21 08:48:05 [INFO] [www.<mydomain>.com] acme: Obtaining bundled SAN certificate given a CSR
         2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] AuthURL: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
         2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: use tls-alpn-01 solver
         2020/06/21 08:48:06 [INFO] [www.<mydomain>.com] acme: Trying to solve TLS-ALPN-01
         2020/06/21 08:48:06 http: TLS handshake error from 127.0.0.1:62306: EOF
         2020/06/21 08:48:11 [INFO] Deactivating auth: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
         2020/06/21 08:48:11 [INFO] Unable to deactivate the authorization: https://acme-v02.api.letsencrypt.org/acme/authz-v3/5387045568
         2020/06/21 08:48:11 [ERROR] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: (challenge=tls-alpn-01 remaining=[])
         2020/06/21 08:48:13 [ERROR] attempt 1: [www.<mydomain>.com] Obtain: [www.<mydomain>.com] acme: Error -> One or more domains had a problem: [www.<mydomain>.com] acme: error: 400 :: urn:ietf:params:acme:error:connection :: Connection refused, url: - retrying in 1m0s (17.8656781s/720h0m0s elapsed)...
         2020/06/21 14:48:24.865 INFO shutting down {"signal": "SIGINT"}
         2020/06/21 08:48:24 [INFO][cache:0xc0002e3b80] Stopped certificate maintenance routine
         2020/06/21 08:48:24 [INFO][www.<mydomain>.com] Obtain: Releasing lock
         2020/06/21 14:48:24.867 INFO shutdown done {"signal": "SIGINT"}

     The Emby server is running Windows Server 2019; like a lot of servers, it doesn't have any additional antivirus or firewall beyond Windows Defender. This is what I am referring to when I say in the test that the firewall is turned off. Both Private and Public network settings are set to 'Turn off Windows Defender Firewall'.

     Any help with why this isn't working would be appreciated. If I left out anything that is important, please let me know. I am unfamiliar with all of this, so if I didn't mention it I almost certainly didn't do it.
  2. fc7

    Hardening Emby login

    After using Emby for a while I'm so happy with it that I decided to publish it to the Internet so I can listen to my music when I'm away, without needing to VPN home. I'm publishing Emby behind a Squid reverse proxy, using SSL termination. Meaning:

        Internet Client -----HTTPS SSL connection-----> | Squid reverse-proxy -----PLAIN HTTP-----> Emby
                                                        |
                                               INTERNET | LAN

    Now I have a couple of questions/feature requests regarding publishing Emby to the "evil" Internet:

      • Is there any known issue/concern that I should be aware of that is not too relevant while Emby is only visible in the LAN but that can be dangerous if Emby is visible from the Internet?
      • I'm worried about brute force attacks. Is it possible to enable a captcha on the login screen so, for example, after 3 failed logins the user will need to validate the captcha to try to log in again?
      • About the login screen: would it be possible to have a configuration parameter in Emby to "harden" the login form, for example disabling autocomplete on the username field?
      • Is it possible to enable a configuration parameter to hide all users from the login screen, server wide, instead of doing it on a per-user basis only?
      • How does the "in-network sign-in" with the easy pin code work? How does Emby know that the user is logging in from the LAN or from the Internet? What happens if the user is on the Internet but Emby is behind a reverse-proxy in the LAN (all requests come from the LAN IP of the proxy)? Would Emby check the X-Forwarded-For HTTP header if the reverse-proxy provides it?

    I know these are a lot of questions and some things may not even be implemented right now, but if they are not, maybe they can be a good idea to implement in the near future since they can help us to protect our server from the "evil" Internet.

    Cheers