Posted

The changes are in the browsers getting more strict about it.

ShadowKindjal
Posted

Understood, thank you for the clarification 

ShadowKindjal
Posted

To conclude, there isn't a secure way to notify swagger I'm using a reverse proxy and enable HTTPS requests. Is that a correct assumption?

Posted

What do you mean by notify swagger?

ShadowKindjal
Posted
On 3/28/2023 at 12:13 AM, Luke said:

What do you mean by notify swagger?

I may be using the wrong terminology but I'm asking if there's a way to notify Swagger that I'm using HTTPS via a reverse proxy. Right now Swagger loads with an HTTP address.

[screenshot]

Posted

What do you want it to load with?

ShadowKindjal
Posted

I figured it would load with my HTTPS prefixed web address unless I'm understanding something incorrectly. Attempting to run Swagger APIs fails because of the wrong URL. Copying the request URL and switching to HTTPS works.

Posted

How is the url wrong?

rbjtech
Posted (edited)

Rewind a bit - are you trying to use swagger (https://swagger.emby.media) to send remote API requests to your external site via https?

If yes, then just change the 'serverUrl' to https and it'll work.

If you wanna use http - then you can - but it needs to be localhost due to CORS.  You can add an exception into the browser which allows you to use other hosts as well (this is what I do).

In Edge - 'edge://flags' - then add your emby url (http) and you can access it via the swagger API (https) using a local http listener.

[screenshot]

Edited by rbjtech
Posted
4 hours ago, ShadowKindjal said:

The URL in swagger is http://emby.domain.org but it should be https://emby.domain.org

Do you mean that this link

[screenshot]

...is referring to your server with an http URL instead of an https URL?

So essentially, you are asking for the letter 's' to be added to that URL, right?

Happy2Play
Posted
3 hours ago, softworkz said:

Do you know that you can just open

https://swagger.emby.media/

and then, enter:

https://emby.domain.org/emby/openapi into the box?

Won't OP reverse proxy do the same thing with the "Servers" box, as this does not happen for a direct https connection?

ShadowKindjal
Posted
5 hours ago, softworkz said:

Do you mean that this link

[screenshot]

...is referring to your server with an http URL instead of an https URL?

So essentially, you are asking for the letter 's' to be added to that URL, right?

Yes, that's what I was referring to. I apologize for not making that clear.

Posted

But not when you add the 's' here, right?

[screenshot]

  • Agree 1
rbjtech
Posted
3 hours ago, softworkz said:

But not when you add the 's' here, right?

[screenshot]

Agreed - if you add the https into the URL - swagger then uses it ongoing (as the listed 'server').

  • Like 1
Posted

The reasons why this is a bit complicated are these:

The swagger/openapi spec is intended to describe REST API services in the cloud that are reachable via a fixed, defined URL, but in the case of Emby, there are multiple possible URLs through which one might access the server:

  • localhost
  • LAN IP
  • LAN host/dns name (with or without SSL)
  • Public IP
  • Public host/dns name (with or without SSL)

And for all these cases, there may be different ports in place.
Usually Emby 'knows' all these from the network configuration where you can define this.

But at the time when I had done all this, OpenAPI (Swagger 3.0) was just brand-new and Swagger (2.0) doesn't allow specifying multiple server URLs. Yet we wanted to support 2.0 as well, so I came to the "trick" of serving the swagger JSON document dynamically, which works in a way that the server uses the http(s) through which the swagger.json or openapi.json documents are requested, to build the server URL and put it into the json doc before it's being served.

This way, the URL in the doc is (almost) always the right one.

OpenAPI allows specifying multiple URLs (that's why you see a dropdown), but I chose not to populate them from the server configuration for two reasons:

  • Security
    The swagger/openapi docs are accessible without authentication and adding all the server urls to the doc would reveal your internal ports and IP addresses
  • Auto-Authorization
    The hosted swagger UI (https://swagger.emby.media/) has a few modifications. One of them is automatic authorization. 
    When you go through the link from the dashboard page, it conveys an api_key with which you are authorized automatically and you're ready to try out the APIs.
    This wouldn't work when there would be multiple URLs

I guess I made it all a bit too convenient. After all, it was just meant to be an API documentation for developers as we didn't have any at that time (until recently: https://dev.emby.media/reference/RestAPI.html). When it doesn't work perfectly in a few edge cases, then I wouldn't see that as a critical thing as there are multiple easy ways to deal with it:

  1. Just save the corrected URL somewhere and use it instead of the API link
  2. Download the OpenAPI document, enter the correct server url and save it wherever you want
    (on some web server, web storage, or even put it somewhere under 'dashboard-ui' in the Emby server installation, so you can access it through Emby)
  3. Save it locally and load it into any of the swagger.io tools or postman or whatever...

For 2 and 3, you'll need to authorize manually by entering the api_key, but that's not really a big thing.

  • Thanks 1
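
Workaround 2 from the post above (download the document and enter the correct server URL), as an added example that is not part of the thread or of Emby's code. It handles both formats the post mentions, using the standard OpenAPI 3 `servers` field and the Swagger 2.0 `host`/`schemes`/`basePath` fields; the sample documents are constructed and the function names `pin_server_url` and `server_urls` are hypothetical.

```python
import copy
from urllib.parse import urlsplit

# Constructed samples: what a proxied server would serve when the backend
# request arrives over plain http (hostname taken from the thread).
SAMPLE_OPENAPI3 = {"openapi": "3.0.0", "servers": [{"url": "http://emby.domain.org"}], "paths": {}}
SAMPLE_SWAGGER2 = {"swagger": "2.0", "host": "emby.domain.org", "schemes": ["http"],
                   "basePath": "/", "paths": {}}


def pin_server_url(doc, public_url):
    """Return a copy of doc that advertises only public_url as its server."""
    parts = urlsplit(public_url)
    if parts.scheme != "https" or not parts.hostname:
        raise ValueError("public_url must be an absolute https:// URL")
    if parts.username or parts.password or parts.query or parts.fragment:
        raise ValueError("public_url must not carry credentials, query or fragment")
    base_path = parts.path.rstrip("/")
    out = copy.deepcopy(doc)  # leave the downloaded original untouched
    if "openapi" in out:
        # OpenAPI 3.x: a list of server objects; keep exactly one entry so no
        # LAN address or internal port ends up in the published document.
        out["servers"] = [{"url": f"https://{parts.netloc}{base_path}"}]
    elif out.get("swagger") == "2.0":
        # Swagger 2.0: one host only, described by host + schemes + basePath.
        out["host"] = parts.netloc
        out["schemes"] = ["https"]
        out["basePath"] = base_path or "/"
    else:
        raise ValueError("not an OpenAPI 3.x or Swagger 2.0 document")
    return out


def server_urls(doc):
    """List the base URLs a client such as Swagger UI would call."""
    if "openapi" in doc:
        return [s["url"] for s in doc.get("servers", [])]
    base = doc.get("basePath", "").rstrip("/")
    return [f"{s}://{doc['host']}{base}" for s in doc.get("schemes", ["http"])]


if __name__ == "__main__":
    for sample in (SAMPLE_OPENAPI3, SAMPLE_SWAGGER2):
        fixed = pin_server_url(sample, "https://emby.domain.org")
        print(server_urls(sample), "->", server_urls(fixed))
```
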
rbjtech
Posted (edited)

Thanks for the Info @softworkz

While on the topic - is there a way on the emby server to reject non-local LAN use of an API key?

I purposely remove remote access for my only Admin user - would this apply to an API key remote request (which effectively acts as an Admin user?)

I reject swagger on the Reverse Proxy, but I'd like to block it on the emby server as well if possible..

thanks.

Edited by rbjtech
Posted
14 minutes ago, rbjtech said:

I purposely remove remote access for my only Admin user - would this apply to an API key remote request (which effectively acts as an Admin user ?)

No, this is separate.

16 minutes ago, rbjtech said:

I reject swagger on the Reverse Proxy

How do you "reject swagger"?

  • Thanks 1
rbjtech
Posted
3 minutes ago, softworkz said:

How do you "reject swagger"?

I just return 404 in the nginx config.

        location ^~/swagger {
                return 404;
        }

Posted

You would need

  • /openapi
  • /openapi.json
  • /swagger
  • /swagger.json
  • /emby/openapi
  • /emby/openapi.json
  • /emby/swagger
  • /emby/swagger.json

But that's kind of pointless, because none of those URLs is needed to access your server via API and neither does it prevent your server from being recognized as Emby server.

  • Agree 1
rbjtech
Posted
1 minute ago, softworkz said:

You would need

  • /openapi
  • /openapi.json
  • /swagger
  • /swagger.json
  • /emby/openapi
  • /emby/openapi.json
  • /emby/swagger
  • /emby/swagger.json

But that's kind of pointless, because none of those URLs is needed to access your server via API and neither does it prevent your server from being recognized as Emby server.

Exactly - which is why I asked the question ;) - can it just be blocked on the Emby Server itself - blocking API for remote use should be a configurable item imo.  
