Security and SSL


Beecon

I want to use a subdomain of GoDaddy to access my Emby. It shows it’s not secure when logging in externally.

I'd like to know if the SSL provided by Synology for the server also covers Emby access?
How do I refer to that certificate in Emby?


The SSL security coverage is shown in the security tab on the Synology control panel.

The need for a link is shown on Emby security menu.

The main domain SSL of Godaddy domain is covered by my Google sites, which I use for hosting.

The subdomain I want to use is excluded from this, and Godaddy asks 250$ for SSL for subdomains, which is clearly a waste of money. I have two free options:
- either I use the Synology server cert
- I use the provided quickconnect link by Synology

Both may not provide https security out of the box, unless I link the SSL cert to the emby server. Correct?



I haven't tried this myself but if you set this up to go through DSM you're actually using nginx in DSM.

Thus I'm thinking you would put the subdomain in the External domain field.  The port being used for https public use in Emby.
Then you would change the secure connection mode to handled with secure proxy.


The https port is 8920, I presume.

How do you do this? "Then you would change the secure connection mode to handled with secure proxy."

Any link to a kb?


Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports.

If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial.
We could try it a couple of ways using the Synology server cert or using quickconnect to see which method would work best.
 

 


Hi, I checked the workings, and get confused with settings as expected.

My guess is to use the same port number for:
- router-in <> router-out <> proxy <> emby server

proxy setting :
- allow IP of known user to watch movies
- allow incoming router IP (external IP address) (is it necessary?)

Any other suggestion?

When I run this trial, the other apps cannot get access to the web anymore, so somehow those packages also need to be included in the proxy settings, incl the ports they need to communicate.

 

 


I wouldn't worry about Cloudflare until you get remote working first.
You can get non-SSL port 8096 working first (even if you turn it off right away) then setup for SSL.

 


7 hours ago, cayars said:

I wouldn't worry about Cloudflare until you get remote working first.
You can get non-SSL port 8096 working first (even if you turn it off right away) then setup for SSL.

 

I’ve got that working now. 


4 hours ago, DJX said:

I use a ddns URL and have a certificate using synology letsencrypt. Not sure if this helps 

 

Thanks for the link! The image for conversion is gone. Any chance you can refresh that?


19 hours ago, cayars said:

Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports.

If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial.
We could try it a couple of ways using the Synology server cert or using quickconnect to see which method would work best.
 

 

Thanks for the offer. After study, the proxy needs me to figure out all the 'allow' rules.

I prefer to go for a simple SSL option, using the 2 suggestions.

  • Like 1

Hi, I got it to work :


1. Set-up ddns xxx.synology.me domain in Synology Control Panel/Security
    - Is this step really necessary? To be verified.
    - Synology can create a free 'Let's certify' SSL.
    - When I export it I cannot activate it. I gave up on this and went for other free SSL. (see 3.)
2. From the Control Panel/Security export the SSL cert to my harddisk
3. Get the free SSL cert files from https://www.sslforfree.com/ (3 month expiry)
4. Download the zip file (with pem format cert files) to my harddisk
5. Download the CA bundle file from https://www.ssls.com/knowledgebase/where-do-i-get-a-ca-bundle-file/
     - I downloaded both, but used only the ECC format for conversion.
6. Convert the pem files into PKCS#12 format: https://decoder.link/converter
     - cert file, private key file and CA bundle file
     - set the password for the certificate (use in control panel/network)
7. Check the SSL with my xxx.synology.me domain using checker tool on the same site.
8. Upload the cert file to the emby content folder on my nas.
9. Enter the SSL file and password info in the Emby server/Network settings
10. Map https: ports in router and firewall, and
     - Check that you assigned the same port in Emby/Network settings...

Hope it's helpful.

Edited by Beecon

  • 3 months later...
Beecon

Now I am 3 months down the road and have to do it again. This sucks big time.

Any permanent solution available?

 


Beecon

'Every 90 days your Synology will automatically renew the Let’s Encrypt SSL cert for you.'

I thought this would do the trick.


Beecon

I see extension/renewal is automated now. Let me try that first.

I am getting old....


rhummer

FWIW, when I set up my SSL back in the day I used this guide to get it all going and I access my server via my subdomain:

I let DSM generate a cert for Let's Encrypt that I specify as the subdomain I want to expose to the outside world

Though things have changed a bit with DSM7 and I used the tip here to tweak the process to generate the .pfx that the Emby server wants:

The cert refreshes every 90 days and I have a scheduled task to re-export the cert to a pfx for the server and everything has been working just fine for a few years now.

 

  • Thanks 1
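The PEM-to-PKCS#12 conversion in Beecon's step 6 and the scheduled re-export rhummer describes can both be done locally with the `openssl` CLI, so the private key never has to be pasted into a web converter. This is an added example, not code from the thread or from Emby or Synology; it assumes `openssl` is on the PATH, takes all file paths as arguments, and its demo generates a throwaway self-signed certificate as constructed input.

```shell
#!/bin/sh
# Added example (not from the thread): PEM -> PKCS#12 done locally with openssl.

# SHA-256 of the public key in a certificate ($1 = x509) or private key ($1 = pkey).
pub_hash() {
  if [ "$1" = x509 ]; then openssl x509 -in "$2" -noout -pubkey
  else openssl pkey -in "$2" -pubout; fi | openssl sha256 | awk '{print $NF}'
}

# Args: cert.pem key.pem ca-bundle.pem(or "") out.pfx password-file
pem_to_pfx() {
  [ "$(pub_hash x509 "$1")" = "$(pub_hash pkey "$2")" ] ||
    { echo "private key does not match certificate" >&2; return 1; }
  ( umask 077   # the .pfx holds the private key: owner-only permissions
    openssl pkcs12 -export -in "$1" -inkey "$2" ${3:+-certfile "$3"} \
      -out "$4.tmp" -passout "file:$5" && mv "$4.tmp" "$4" )
}

# Fingerprint of the leaf certificate inside an existing .pfx.
pfx_fingerprint() {
  openssl pkcs12 -in "$1" -passin "file:$2" -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -fingerprint -sha256
}

# Scheduled-task entry point: re-export only when the renewed cert differs.
refresh_pfx() {
  cur=$(openssl x509 -in "$1" -noout -fingerprint -sha256) || return 1
  [ -f "$4" ] && [ "$cur" = "$(pfx_fingerprint "$4" "$5")" ] &&
    { echo unchanged; return 0; }
  pem_to_pfx "$@" && echo exported
}

# Constructed sample input: throwaway self-signed cert, key and password file.
demo() {
  d=$(mktemp -d) && echo 'constructed-pass' > "$d/pw" &&
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=nas.example.test" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null &&
  refresh_pfx "$d/cert.pem" "$d/key.pem" "" "$d/emby.pfx" "$d/pw" &&
  refresh_pfx "$d/cert.pem" "$d/key.pem" "" "$d/emby.pfx" "$d/pw"
  rc=$?; rm -rf "$d"; return $rc
}
demo   # prints "exported" then "unchanged"
```

The output file is created owner-only, so when this runs from a scheduled task under a different account, change its ownership to the account the Emby server runs as rather than loosening the permissions.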

Beecon

Thanks for sharing! Let me check it out. 

I really love this community here!


The current version DSM7 security (just updated every version) shows it’s all automated. Great job Emby!💪

I guess it’s taken care of permanently now. Perpetual 90-day renewal.

  • Thanks 2
