
https:// access on public Internet



dhenzler

I'm back at this... a year later, and it still confounds me how to get this working.  My first Emby system was on VMware running under Linux Mint.  Worked fine, but couldn't put it on the Internet for extended use as it was unprotected.

Now using emby on a BSD 12.2 jail running on TrueNAS-12.0-U6.1.  I like this because of the extra features like "Mount Points" which greatly reduces the stress of adding content.

The Secure Socket Layer (SSL), or HTTPS as some prefer to call it, is the bottleneck here.

Emby claims that its server will create a self-signed certificate if a domain name & certificate is NOT provided... Well, some searching shows that to be a lie.

I've configured my firewall to work with either 8096 or 8920.  8920 should be an HTTPS port.  It isn't !  I choose blacklist

Has anyone done this...?

https://support.emby.media/support/solutions/articles/44001159601-network-hosting-settings  <== This is BS

The local and public https ports can be configured in much the same way as regular http:


In addition you can also supply your own custom SSL certificate. This is highly recommended for https usage. If omitted, the server will create a self-signed certificate.  ???

Not here !


Dave


Hi, sorry that help text is outdated. @cayars

The server no longer creates a self-signed certificate because most devices will just end up rejecting it anyway. You'll need to provide an SSL certificate.


dhenzler

Been looking into how Emby-server works... looks like a Windoz thing, which for me greatly complicates things.  I'd like to use a self-signed certificate.  Looking around for the way to make a p12 is a task in and of itself.  Any recommendations?  Configuration tips...

I'm assuming that blacklist is likely my best way to proceed.


Is this just the path... no filenames?

Corrections to the screens should be made so that the confusion factor is removed.

As well a simple link to a location on making the requisite files with openssl would be greatly appreciated.

D


Trust us, you don't want a self-signed cert if using anything other than a browser, as you can't easily add it.

Do you have a domain? If not get a cheap or free one and then you can get a legit cert as well.

That would be the full path including the cert name.

You can use this web page that works really well for converting to pkcs#12 format.
https://www.sslshopper.com/ssl-converter.html


dhenzler

I went to this ==> https://blog.pavelsklenar.com/how-to-create-pkcs-12-for-your-application/

Looked like a good possibility.

Self-signed would be fine as I'm only using it to keep prying eyes out when using the system, no man-in-the-middle stuff...

I'm not big into getting hooked up with OTHERS as they come and go.

Thanks for the tips.. will continue to spend time until it works.

Dave


dhenzler

I restarted Emby after putting the p12 file in place... and as always... nothing worked.  https://my_address:8920 fails to do anything.


dhenzler

Using the magnifier glass thing... the certificate path seemed to be satisfied.  I'm not totally sure the .p12 file contains the requisite stuff,  but it should be ok.

I'm going to give it up for today... tired of no progress.

 

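A local way to produce the .p12 the posts above are after (which openssl commands to run, and whether the resulting bundle actually contains the right parts). This is an added example, not code from the thread or from Emby. It assumes OpenSSL 1.1.1 or newer (for the -addext option); the hostname media.example.com, the directory ./emby-tls and the password changeit are placeholders. Building and exporting on the box itself also means the private key never has to be uploaded to a third-party converter site.

```shell
#!/bin/sh
# Added example, not from the thread or from Emby: build a self-signed cert
# with a SAN for the Emby hostname, export key+cert as the PKCS#12 (.p12)
# bundle Emby's "custom SSL certificate path" expects, and check that bundle
# locally. Assumes OpenSSL 1.1.1+ (-addext). Hostname media.example.com,
# directory ./emby-tls and password changeit are placeholders.
set -eu

# make_selfsigned <outdir> <hostname> <p12-password>
make_selfsigned() {
    outdir=$1; host=$2; pass=$3
    mkdir -p "$outdir"
    # RSA-2048, 825 days (Apple clients reject TLS server certs that live longer).
    # A subjectAltName is required; modern clients ignore the CN on its own.
    openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
        -keyout "$outdir/privkey.pem" -out "$outdir/cert.pem" \
        -subj "/CN=$host" \
        -addext "subjectAltName=DNS:$host" \
        -addext "extendedKeyUsage=serverAuth" >/dev/null 2>&1
    # Export to PKCS#12 here, so the private key never leaves the machine.
    openssl pkcs12 -export -inkey "$outdir/privkey.pem" -in "$outdir/cert.pem" \
        -name "$host" -out "$outdir/emby.p12" -passout "pass:$pass"
    chmod 600 "$outdir/privkey.pem" "$outdir/emby.p12"
}

# p12_check <file.p12> <password> <hostname>
# Returns 0 only if the bundle opens with that password, holds a private key,
# holds a certificate whose public key matches that private key, and that
# certificate's SAN lists <hostname>. Anything else returns 1.
p12_check() {
    p12=$1; pass=$2; host=$3
    tmp=$(mktemp -d)
    rc=1
    if openssl pkcs12 -in "$p12" -passin "pass:$pass" -nocerts -nodes \
            -out "$tmp/key.pem" >/dev/null 2>&1 &&
       openssl pkcs12 -in "$p12" -passin "pass:$pass" -clcerts -nokeys \
            -out "$tmp/cert.pem" >/dev/null 2>&1; then
        kpub=$(openssl pkey -in "$tmp/key.pem" -pubout 2>/dev/null || true)
        cpub=$(openssl x509 -in "$tmp/cert.pem" -pubkey -noout 2>/dev/null || true)
        if [ -n "$kpub" ] && [ "$kpub" = "$cpub" ] &&
           openssl x509 -in "$tmp/cert.pem" -noout -text 2>/dev/null | grep -q "DNS:$host"; then
            rc=0
        fi
    fi
    rm -rf "$tmp"
    return $rc
}

# Stand-alone demo: sh thisfile.sh demo
if [ "${1:-}" = "demo" ]; then
    make_selfsigned ./emby-tls media.example.com changeit
    if p12_check ./emby-tls/emby.p12 changeit media.example.com; then
        echo "emby.p12 holds a matching key and a cert for media.example.com"
    else
        echo "emby.p12 check failed" >&2; exit 1
    fi
fi
```

The path Emby wants is the full path to emby.p12 (as said above, not just the directory), and the export password goes in the certificate password field next to it. Two caveats: a self-signed cert still has to be trusted on every client app, which is exactly the objection raised above; and OpenSSL 3 exports PKCS#12 with AES-256 and SHA-256 MAC by default, which some older importers reject, so if Emby refuses the file re-export with OpenSSL 3's -legacy switch.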

metsuke

I'm not sure what Emby expects for a cert, but you have a few other options as well.

You can use a reverse proxy (nginx) and just put the cert in there, then point nginx to emby. I use this technique.

Or, you can use a service like cloudflare to be your SSL and proxy to your emby server. Then you don't have to modify Emby at all or do anything with certs. You would probably want to firewall off anything other than cloudflare IPs if you go this route, but it works well.

 

In the end, the aforementioned advice is still the best option, which is to get a domain for cheap, which enables you to get a legitimate SSL certificate for free.


dhenzler

Thank you for the ideas.  I try to steer clear of services that cost money or that are provided by others.  They seem to come and go.  As well as change... requiring me to change as well.

I don't know how to configure a reverse proxy.  And I have ZERO knowledge of Emby's server system.  Seems to be a Windows IIS server of some sort.  I see lots of DLLs.

My comfort zone is Linux & Unix.  My system is built in a BSD 12.2 jail on TrueNAS-12.0-U6.1

I'd need some hand holding to get through a configuration to use Nginx reverse proxy... are you willing to provide some assist ?

Obviously the Emby server runs on port 80.  How to get openssl to configure with it is a question I've had.  I like to use self-signed certs because I build and destroy stuff on whim.  Know how that works with FAMP server

Thanks again for the suggestions... Any GitHub scripts that will do what I need?

Dave


dhenzler

will this work ?

server {
	listen 80;
	server_name
		media.yourdomain.com
		media.int.yourdomain.com
	;

	root /var/www/html;

	# $host, not $server_name: with two names in server_name, $server_name is
	# always the first one, so requests for media.int.* would be sent to media.*
	return 301 https://$host$request_uri;
}

server {
	listen 443 ssl;
	server_name
		media.yourdomain.com
		media.int.yourdomain.com
	;

	# Drop requests whose Host header is not one of ours (444 closes the connection)
	if ($host !~ ^media(\.int)?\.yourdomain\.com$) {
		return 444;
	}

	root /var/www/html/emby;

	ssl_certificate     /etc/letsencrypt/live/media.yourdomain.com/fullchain.pem;
	ssl_certificate_key /etc/letsencrypt/live/media.yourdomain.com/privkey.pem;

	error_page 502 @502;
	error_page 503 @503;

	location = / {
		return 301 https://$host/web/index.html;
	}

	location / {
		try_files $uri $uri/ @backend;
	}

	location @backend {
		proxy_pass http://127.0.0.1:5200;

		# Allow WebSocket connections via HTTP 101 Switching Protocols
		proxy_http_version 1.1;
		proxy_set_header   Upgrade    $http_upgrade;
		proxy_set_header   Connection "upgrade";

		proxy_set_header X-Forwarded-Host   $host;
		proxy_set_header X-Forwarded-Server $host;
		proxy_set_header X-Forwarded-For    $proxy_add_x_forwarded_for;
		proxy_set_header X-Real-IP          $remote_addr;

		proxy_redirect off;
	}

	location @502 {
		try_files /unavailable.html =502;
	}

	location @503 {
		try_files /unavailable.html =503;
	}
}

 


dhenzler
  • Is there a particular Nginx download I should use?
  • I can use sub-domains of existing registered domains yes?
  • I wish to use openssl to create my self signed certificate & key
  • If I don't want to use a sub-domain, can I use the public IP for my Internet and port number?

 


metsuke
16 minutes ago, dhenzler said:
  • Is there a particular Nginx download I should use?
    • I use vanilla FreeBSD (not TrueNAS) so I don't know if the pkg system is the same, but I just use nginx from the latest pkg repository.
  • I can use sub-domains of existing registered domains yes?
    • You can use any part of a domain that you own, only.
  • I wish to use openssl to create my self signed certificate & key
    • That's fine.
  • If I don't want to use a sub-domain, can I use the public IP for my Internet and port number?
    • You can either use the domain or sub-domain that you own and paid for, or your public IP. The port would be added to either.

 

Here is an abbreviated version of my nginx reverse proxy in a jail. You may not need all those config options, but I use them and more with success.

user www;
worker_processes 2;

# nginx refuses to start without an events block (left out of the abbreviation)
events {
  worker_connections 1024;
}

http {
  add_header Strict-Transport-Security "max-age=15552000; includeSubdomains" always;
  add_header X-Content-Type-Options "nosniff" always;
  add_header X-Download-Options noopen;
  add_header X-Frame-Options "SAMEORIGIN";
  add_header X-Permitted-Cross-Domain-Policies none;
  add_header X-Robots-Tag none;
  add_header X-Xss-Protection "1; mode=block" always;
  add_header Referrer-Policy 'no-referrer';
  client_body_buffer_size 128k;
  client_header_buffer_size 1m;
  client_max_body_size 0;
  default_type application/octet-stream;
  fastcgi_buffers 512 16k;
  fastcgi_max_temp_file_size 0;
  gzip on;
  gzip_min_length 1100;
  gzip_buffers 4 32k;
  gzip_types text/plain application/x-javascript text/xml text/css;
  include mime.types;
  keepalive_timeout 3600;
  large_client_header_buffers 4 64k;
  proxy_hide_header X-Powered-By;
  proxy_ssl_session_reuse on;
  real_ip_header X-Forwarded-For;
  real_ip_recursive on;
  sendfile on;
  server_names_hash_bucket_size 64;
  set_real_ip_from 127.0.0.1;
  set_real_ip_from <THE IP OF YOUR REVERSE PROXY JAIL GOES HERE>;
  ssl_certificate /<PATH TO YOUR CERT>/fullchain.pem;
  ssl_certificate_key /<PATH TO YOUR CERT>/privkey.pem;
  ssl_ciphers 'EECDH+AESGCM:EDH+AESGCM:AES256+EECDH:AES256+EDH';
  ssl_prefer_server_ciphers on;
  ssl_protocols TLSv1.3 TLSv1.2;
  ssl_session_cache shared:SSL:10m;
  ssl_session_timeout 60m;
  tcp_nodelay on;
  tcp_nopush on;

  server {
    listen 443 ssl;
    # No add_header in this block: as soon as a server block sets any
    # add_header, none of the http-level headers above (HSTS, nosniff, ...)
    # are inherited by it, so the two that used to sit here were removed.
    server_name <SOME RESOLVABLE DOMAIN NAME>;

    location / {
      # nginx does not verify the upstream certificate by default
      # (proxy_ssl_verify off), so Emby's own self-signed cert on 8920 is
      # fine here. If Emby has no cert at all, proxy to http://<IP>:8096.
      proxy_pass https://<IP TO YOUR EMBY JAIL>:8920;
      proxy_http_version 1.1;
      proxy_set_header Upgrade $http_upgrade;
      proxy_set_header Connection "upgrade";
      # proxy_set_header follows the same rule: once any is set in this
      # location, the http-level ones are not inherited, so the forwarding
      # headers have to be listed here next to Upgrade/Connection.
      proxy_set_header Host $host;
      proxy_set_header If-Range $http_if_range;
      proxy_set_header Range $http_range;
      proxy_set_header X-Real-IP $remote_addr;
      proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    }
  }
}

 


dhenzler

I have several registered domains.  I use sub-domains off these for playing with these toys...

Confused by some of the identities.  The example used media.blablabla.. & media.int.blablabla.  Is "media" important?

I see some $server_name$request_uri  I assume those are memory variables

I assume that the proxy_pass http://127.0.0.1:5200 stays...

 

 


metsuke

If you have domains then that should work fine. "media" is the sub-domain that whomever you got that from is using. The port will be whatever the port is configured in the Network section of Emby. In my case, it is 8920. My "server" stanza is very stripped down and works fine, but whatever works.


dhenzler

I guess I'm on my way then... I have control of my DNS through my ISP service and things are pretty much configurable in an instant.

Thanks for the assist !  ;o)

 

D


Luke

(quoting dhenzler's "will this work?" nginx configuration above)
Hi there, I would suggest comparing your nginx configuration to that of @pir8radio. Many people here use his settings. Please let us know if this helps. Thanks.


dhenzler

The script I showed you for nginx doesn't work for BSD.  File locations are all wrong.  And access to emby is wrong.

I'll look at @pir8radio again.  But my first glance didn't take me anywhere near the required info.


dhenzler

Problem with this is it's Windows-centric... I stopped supporting Bill Gates & his org 20 years ago.  Emby appears to be a Windows IIS server or close to it.  I'm not sure how Nginx under BSD would invoke or pass to that?  I'm lost in that area.

Played with it until I was worn out...


metsuke

It doesn't matter what settings Emby is using internally as long as a web page displays at the end. The reverse proxy can point to it with no issue.

The file location in FreeBSD is /usr/local/etc/nginx/nginx.conf

Are you testing externally or internally? Does it work fine internally?
Have you tried using the config that I posted, replacing the <> variables with your own?

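The "does it work internally?" question above is best answered by looking at what a port actually presents before involving any client app. Here is an added example (not code from the thread, Emby or nginx) that does that with openssl's s_client: it reports whether a TLS handshake completes on a given host:port, and if so which certificate was served, so the Emby port (8920), the nginx port (443) and a plain-HTTP port can be told apart. It assumes OpenSSL is installed; all host names and ports are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: report what a TCP port presents over
# TLS. Run it from inside the jail against 127.0.0.1 first, then from outside
# against the public name. Assumes OpenSSL's s_client; hosts/ports are placeholders.
set -eu

# tls_leaf <host> <port> [sni]: print the PEM leaf certificate the server
# sends, or return 1 if no TLS handshake completes (closed port, or a plain
# HTTP listener such as Emby's 8096 on that port).
tls_leaf() {
    host=$1; port=$2; sni=${3:-$1}
    # "Q" on stdin makes s_client disconnect right after the handshake.
    printf 'Q\n' | openssl s_client -connect "$host:$port" -servername "$sni" \
        2>/dev/null | openssl x509 2>/dev/null
}

# tls_fingerprint <host> <port> [sni]: SHA-256 fingerprint of the served leaf.
tls_fingerprint() {
    tls_leaf "$@" | openssl x509 -noout -fingerprint -sha256 2>/dev/null
}

# pem_fingerprint <cert.pem>: the same for a file on disk, so you can confirm
# the port is serving the certificate you think you configured.
pem_fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256
}

# tls_report <host> <port> [sni]: human-readable summary; returns 0 only if
# TLS answered. No SAN line means most clients will refuse the cert by name.
tls_report() {
    leaf=$(tls_leaf "$@") || { echo "$1:$2: no TLS handshake (closed, or plain HTTP)"; return 1; }
    printf '%s\n' "$leaf" | openssl x509 -noout -subject -issuer -dates -fingerprint -sha256
    printf '%s\n' "$leaf" | openssl x509 -noout -text | grep -E 'DNS:|IP Address:' \
        || echo "no subjectAltName"
}

# Stand-alone use: sh thisfile.sh 127.0.0.1 8920 media.example.com
if [ $# -ge 2 ]; then
    tls_report "$@"
fi
```

A "no TLS handshake" result on 8920 with nothing in Emby's certificate path field is the expected outcome given the reply above that the server no longer makes its own certificate; the same result on 443 means nginx is not listening or its ssl_certificate is not loaded (check with nginx -t). Comparing tls_fingerprint against pem_fingerprint of the file you installed catches the case where a stale or wrong certificate is being served.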
