
Security and SSL


Beecon


I want to use a subdomain of GoDaddy to access my Emby. It shows it’s not secure when logging in externally.

I'd like to know if the SSL provided by Synology for the server also covers Emby access?
How do I refer to that certificate in Emby?


The SSL security coverage is shown in the Security tab of the Synology Control Panel.

The need for a link is shown in the Emby security menu.

The main domain SSL of the GoDaddy domain is covered by my Google Sites, which I use for hosting.

The subdomain I want to use is excluded from this, and GoDaddy asks $250 for SSL for subdomains, which is clearly a waste of money. I have two free options:
- either I use the Synology server cert
- or I use the QuickConnect link provided by Synology

Both may not provide https security out of the box, unless I link the SSL cert to the Emby server. Correct?


I haven't tried this myself, but if you set this up to go through DSM you're actually using nginx in DSM.

Thus I'm thinking you would put the subdomain in the External domain field, and the port being used for public https use in Emby.
Then you would change the secure connection mode to "handled with secure proxy".


The https port is 8920, I presume.

How do you do this? "Then you would change the secure connection mode to handled with secure proxy."

Any link to a kb?


Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports.

If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial.
We could try it a couple of ways using the Synology server cert or using quickconnect to see which method would work best.

Hi, I checked the workings, and got confused with the settings, as expected.

My guess is to use the same port number for:
- router-in <> router-out <> proxy <> Emby server

Proxy settings:
- allow the IP of known users to watch movies
- allow the incoming router IP (external IP address) (is it necessary?)

Any other suggestion?

When I run this trial, the other apps cannot access the web anymore, so somehow those packages also need to be included in the proxy settings, including the ports they need to communicate on.


I wouldn't worry about Cloudflare until you get remote access working first.
You can get the non-SSL port 8096 working first (even if you turn it off right away), then set up for SSL.


7 hours ago, cayars said:

I wouldn't worry about Cloudflare until you get remote access working first.
You can get the non-SSL port 8096 working first (even if you turn it off right away), then set up for SSL.

 

I’ve got that working now. 


4 hours ago, DJX said:

I use a ddns URL and have a certificate using synology letsencrypt. Not sure if this helps 

 

Thanks for the link! The image for conversion is gone. Any chance you can refresh that?


19 hours ago, cayars said:

Nope, no KB article on this as I haven't done it yet. I have all ports blocked from outside use on my Synology except for Emby ports.

If you like we could set up a remote support session to figure out exactly how to do this. I could then use this info to create a KB article or tutorial.
We could try it a couple of ways using the Synology server cert or using quickconnect to see which method would work best.
 

 

Thanks for the offer. After study, the proxy needs me to figure out all the 'allow' rules.

I prefer to go for a simple SSL option, using the 2 suggestions.


Hi, I got it to work:

1. Set up a DDNS xxx.synology.me domain in Synology Control Panel/Security
    - Is this step really necessary? To be verified.
    - Synology can create a free 'Let's certify' SSL.
    - When I export it I cannot activate it. I gave up on this and went for another free SSL. (see 3.)
2. From Control Panel/Security, export the SSL cert to my hard disk
3. Get the free SSL cert files from https://www.sslforfree.com/ (3-month expiry)
4. Download the zip file (with PEM-format cert files) to my hard disk
5. Download the CA bundle file from https://www.ssls.com/knowledgebase/where-do-i-get-a-ca-bundle-file/
     - I downloaded both, but used only the ECC format for conversion.
6. Convert the PEM files into PKCS#12 format: https://decoder.link/converter
     - cert file, private key file and CA bundle file
     - set the password for the certificate (used in Control Panel/Network)
7. Check the SSL with my xxx.synology.me domain using the checker tool on the same site.
8. Upload the cert file to the Emby content folder on my NAS.
9. Enter the SSL file and password info in the Emby Server/Network settings
10. Map the https ports in router and firewall, and
     - Check that you assigned the same port in Emby/Network settings...

Hope it's helpful.

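Step 6 above hands the private key to a web converter; the same PKCS#12 bundle Emby wants can be built on the NAS itself with openssl, which also lets you confirm the key belongs to the cert and run the expiry test a scheduled re-export task needs. This is an added example, not code from the thread; the function names, file paths and password are assumptions.

```shell
#!/bin/sh
# Added example (not code from this thread): build the PKCS#12 (.pfx) file
# that Emby expects from PEM files locally with openssl, instead of uploading
# the private key to a web converter. Function names, paths and the password
# are assumptions; adjust them to your NAS.
set -eu

# key_matches_cert CERT KEY
# Returns 0 when the private key's public half matches the certificate's.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    [ "$cert_pub" = "$key_pub" ]
}

# pem_to_pfx CERT KEY CHAIN OUT PASSWORD
# Bundles cert, key and CA chain into OUT. Refuses on a key/cert mismatch and
# verifies that the bundle opens with PASSWORD before returning success.
pem_to_pfx() {
    cert=$1; key=$2; chain=$3; out=$4; pass=$5
    if ! key_matches_cert "$cert" "$key"; then
        echo "private key does not match $cert" >&2
        return 1
    fi
    umask 077   # the bundle holds the private key; make it owner-readable only
    openssl pkcs12 -export -in "$cert" -inkey "$key" -certfile "$chain" \
        -out "$out" -passout "pass:$pass"
    # Read-back check: the MAC is verified with the password, so a wrong
    # password or a damaged file fails here rather than later inside Emby.
    openssl pkcs12 -in "$out" -passin "pass:$pass" -noout
}

# cert_expires_within CERT SECONDS
# Returns 0 if the certificate expires within SECONDS (7 days = 604800),
# the same decision a daily renewal/re-export task would make.
cert_expires_within() {
    ! openssl x509 -in "$1" -noout -checkend "$2" >/dev/null
}

# Usage (assumed file names, following the layout used in this thread):
# pem_to_pfx domain.de.cer domain.de.key ca.cer Emby.pfx 'PASSWORDFOREMBYCERT'
```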

Beecon

'Every 90 days your Synology will automatically renew the Let’s Encrypt SSL cert for you.'

I thought this would do the trick.


rhummer

FWIW, when I set up my SSL back in the day I used this guide to get it all going, and I access my server via my subdomain:

I let DSM generate a Let's Encrypt cert that I specify for the subdomain I want to expose to the outside world.

Though things have changed a bit with DSM7, and I used the tip here to tweak the process to generate the .pfx that the Emby server wants:

The cert refreshes every 90 days and I have a scheduled task to re-export the cert to a .pfx for the server, and everything has been working just fine for a few years now.


Beecon

Thanks for sharing! Let me check it out. 

I really love this community here!


The current version DSM7 security (just updated every version) shows it’s all automated. Great job Emby!💪

I guess it’s taken care of permanently now. Perpetual 90-day renewal.


Speedyhome


(Sorry for my bad English!)

DSM7.x ready

Example for a wildcard cert

Download the acme.sh script / set Certbot to Letsencrypt / first initial command for the TXT record

Do not execute the script as root!!

(domain.de is your domain; this is an example)

mkdir ~/bin
cd ~/bin
wget https://raw.githubusercontent.com/Neilpang/acme.sh/master/acme.sh
chmod 755 acme.sh

./acme.sh --set-default-ca --server letsencrypt

cd ~/bin
./acme.sh --issue -d *.domain.de --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

[Sun Oct 27 08:18:17 CET 2019] Add the following TXT record:
[Sun Oct 27 08:18:17 CET 2019] Domain: '_acme-challenge.domain.de'

[Sun Oct 27 08:18:17 CET 2019] TXT value: 'xyzPdaswererfdsf_v9xdfsdfHdsfhHLWEFldsfsf'

Log in to your DNS provider and add the TXT record from the acme.sh script

(example Strato)


Run the script again, but with --renew --force

cd ~/bin
./acme.sh --renew --force -d *.domain.de --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please

copy Certs from hidden path to user home path

mkdir /home/admin/certs
cp /home/admin/.acme.sh/\*.domain.de/\*.domain.de.cer /home/admin/certs/domain.de.cer
cp /home/admin/.acme.sh/\*.domain.de/\*.domain.de.key /home/admin/certs/domain.de.key
cp /home/admin/.acme.sh/\*.domain.de/ca.cer /home/admin/certs/ca.cer
cp /home/admin/.acme.sh/\*.domain.de/fullchain.cer /home/admin/certs/fullchain.cer

then insert the Cert in DSM


I have written a renewal script for the Letsencrypt wildcard cert; you can execute this script in the DSM Planner as root every day

#!/bin/bash
#
# Update Let's Encrypt wildcard certificate
#

# Parameters: XXXXX is the certificate folder in the DSM archive
CERTPATH="/usr/syno/etc/certificate/_archive/XXXXX"
PEM="fullchain.pem"
DAYS="604800"            # 7 days in seconds
OPENSSL="/usr/bin/openssl"
# DSM user that runs acme.sh
USER="USERNAME"
# Optional: Emby Server
EMBYSSLPATH="PATHTOEMBYCERT"
EMBYSSL="Emby.pfx"
PASSOUT="PASSWORDFOREMBYCERT"


USER_HOME=$(bash -c "cd ~$(printf %q "$USER") && pwd")

# Check whether the cert will expire within $DAYS seconds
if "$OPENSSL" x509 -enddate -noout -in "$CERTPATH/$PEM" -checkend "$DAYS" | grep -q 'Certificate will expire'
then
 # Renew with acme.sh (manual DNS mode), as the acme.sh user
 su "$USER" -c "$USER_HOME/bin/acme.sh --renew --force -d *.domain.de --dns --yes-I-know-dns-manual-mode-enough-go-ahead-please"

 # Copy certificates to the DSM path (quoted so the "*" stays literal)
 cp "$USER_HOME/.acme.sh/*.domain.de/*.domain.de.cer" "$CERTPATH/cert.pem"
 cp "$USER_HOME/.acme.sh/*.domain.de/*.domain.de.key" "$CERTPATH/privkey.pem"
 cp "$USER_HOME/.acme.sh/*.domain.de/ca.cer" "$CERTPATH/chain.pem"
 cp "$USER_HOME/.acme.sh/*.domain.de/fullchain.cer" "$CERTPATH/fullchain.pem"

 # Restart Synology web server
 synosystemctl restart nginx

 # Optional, for those running an Emby Media Server
 # Stop Emby Server
 /usr/syno/bin/synopkg stop EmbyServer
 # Create PFX cert for Emby
 "$OPENSSL" pkcs12 -inkey "$CERTPATH/privkey.pem" -in "$CERTPATH/fullchain.pem" -export -out "$EMBYSSLPATH/$EMBYSSL" -passout "pass:$PASSOUT"
 # Start Emby Server
 /usr/syno/bin/synopkg start EmbyServer
fi


renew_wildcard_cert.sh


Speedyhome

Script correction

Please change in the script synosystemctl restart nginx to synosystemctl reload nginx

Why? On my NAS the restart rebooted VMM, Syno Office and more packages, and the running server in VMM was killed, not shut down!!!


Speedyhome

Hi,

I have found how to reload nginx with the reloaded cert in Synology after renewing the certs.

Here are the commands:

 synow3tool --gen-all && systemctl reload nginx
 synosystemctl restart pkgctl-WebStation.service
