Few questions about Emby Server


KiraCreedeth

Hey, I have a few questions about Emby Server. I have already installed it and my server is currently running without problems. There are, however, a few things I would like to know more about.

Before I ask any questions, please let me tell you how the server is configured:

First of all I opened ports from the router's settings page as follows:

HTTP-EMBY | EXT PORT: 80 | INT PORT: 8096 | TCP

HTTPS-EMBY | EXT PORT: 443 | INT PORT: 8920 | TCP

 

After this I followed this guide starting from substep #8: https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

-Open IIS Manager.

-Expand your server in the section Connection

-Right-click on Sites and select Add Website

• Site name: Emby
• Application pool: Emby
• Physical path: C:\inetpub\Emby
• Binding type: http
• Binding IP address: All Unassigned
• Binding port: 80
• Host name: domain.com
• Start Website immediately: Yes

After that I deleted the default application pool and the default website. Installed Certify -> Export .pfx and added it to Emby.

Lastly from Emby "Network" settings:

Local http 8096

Local https 8920

public http 80

public https 443

External domain: domain.com

 

That being said, everything works fantastic, the questions I had:

I noticed that even when I stop the application pool and website from IIS, Emby server is still working. I wonder what is the point of installing it, since it works with IIS stopped?

The other question is about security: should I delete all rules from Windows firewall first and only add the Emby rule + the ones that I really need? Or are the default firewall rules fine generally?

 

This was a long post, thanks in advance!

 

Link to comment
Share on other sites

Hello KiraCreedeth,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as explained in this thread:


Thank you.

Emby Team

Link to comment
Share on other sites

pwhodges

As far as I can see you have only used IIS to generate a certificate, or something like that.  Your router is forwarding directly to Emby - IIS is not involved, even as a reverse proxy.

Paul

Link to comment
Share on other sites

KiraCreedeth

Thanks for the answer! That is what I suspected too. Though I am fine with that. As for the security aspect, is this config okay? I keep Windows and Emby updated at all times and have a strong password for the Emby admin as well as for the server local account itself.

Link to comment
Share on other sites

pwhodges

What provision have you made to keep the certificate updated (it has a max life of three months)?

There are ways to do this, using a program called CertBot - but I don't know how that would tie in with what you've done to create it in the first instance.

For my money, the very easiest way to create and update certificates with zero ongoing effort is to use Caddy as a reverse proxy.  It does everything necessary by default, and only requires a single line (apart from the domain name and a couple of brackets) to get a working reverse proxy for Emby (which then has no certificate installed).  I've written about this before in this forum, but if you want an updated version, I could do one in a couple of days (travelling right now)

Paul

 

  • Like 1
Link to comment
Share on other sites

KiraCreedeth

I have Certify configured as "Renew certificate 14 days before expiry", and the authentication method for the domain is CNAME challenge.

  • Thanks 1
Link to comment
Share on other sites

pwhodges

That sounds fine, then; I'll leave you to it! 

Caddy renews with a month to go, BTW, but that seems over-generous.

Paul

  • Thanks 1
Link to comment
Share on other sites

KiraCreedeth

Hey, thanks for helping. I have a couple more questions.

First question: When I am connecting via IP address rather than domain.com, I get "site is not secure". I get that SSL is applied to domains, not IPs. But is this normal / safe being able to connect using IP with unsecured connection. I used GoDaddy's DNS management to forward www.domain.com to domain.com. I wonder if I could do the same to IP?

Second question: Is there currently a way to hide all user settings from specific users except change password / picture?

Link to comment
Share on other sites

4 hours ago, KiraCreedeth said:

But is this normal / safe being able to connect using IP with unsecured connection

Hi.  There is a setting in your server dashboard to control that.


Link to comment
Share on other sites

KiraCreedeth

It is already required for all remote connections. Connecting through domain.com is secure, connecting through public IP address is not.

Link to comment
Share on other sites

pwhodges

In any case, if the domain is set up and working, why would you ever want to use the IP instead?

You can't redirect an IP to a domain name - the purpose of a domain name is to give you the IP!  But when you use a domain name in a browser, it is not exactly equivalent to using an IP address, because the domain name itself is forwarded to the server to verify against the certificate (and to separate different web sites on the same IP address).

Paul

Link to comment
Share on other sites

KiraCreedeth

I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

Link to comment
Share on other sites

13 minutes ago, KiraCreedeth said:

I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

It depends. If you have a domain name you can use that instead. Do you have a domain?

Link to comment
Share on other sites

Happy2Play
12 hours ago, KiraCreedeth said:

Second question: Is there currently a way to hide all user settings from specific users except change password / picture?

No, as almost all of those settings will be for that user on that device. Not all of those settings are a global setting.

Sure, on the Web client there is custom CSS to achieve this, but it applies to all users.

 

Link to comment
Share on other sites

15 hours ago, Luke said:

It depends. If you have a domain name you can use that instead. Do you have a domain?

Yes, he does.  What he is saying is - even though he has a domain and has his server set to only allow secure remote connections, if someone discovers his IP address, they can use that instead to connect and he's afraid that would be an insecure connection.

Link to comment
Share on other sites

Q-Droid

The security warning is for the client,  not the server.  The connection is still encrypted but the cert can't be verified by the client so it warns the user that the connection can't be trusted. It's up to you whether you trust your own server. 

  • Like 1
Link to comment
Share on other sites

2 minutes ago, Q-Droid said:

The security warning is for the client,  not the server.  The connection is still encrypted but the cert can't be verified by the client so it warns the user that the connection can't be trusted. It's up to you whether you trust your own server. 

Yes, that is a very good explanation. Many people only think of SSL as a means for encrypting the traffic and forget about the fact that it also is designed to ensure you are actually connected to whom you think you are. In the Emby world, this is not as important, but in normal Web access it is paramount.

Link to comment
Share on other sites
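
The name check behind that browser warning, as an added example (not code from the thread or from Emby). The certificate dictionary is constructed in the shape Python's `ssl.SSLSocket.getpeercert()` returns, `203.0.113.10` is a documentation address standing in for the public IP, and the function names are illustrative.

```python
import ipaddress

# Constructed sample certificate for the thread's placeholder domain.
SAMPLE_CERT = {
    "subject": ((("commonName", "domain.com"),),),
    "subjectAltName": (("DNS", "domain.com"), ("DNS", "www.domain.com")),
}

def _dns_match(pattern, host):
    """Match one DNS SAN entry; '*' may only replace the whole left-most label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Refuse overly broad wildcards such as "*.com".
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def name_is_covered(cert, target):
    """True if what the user typed (domain or IP) is named in the certificate."""
    sans = cert.get("subjectAltName", ())
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with "IP Address" entries, never with
        # DNS names, so a certificate issued for a domain cannot match it.
        return any(kind == "IP Address" and ipaddress.ip_address(value) == ip
                   for kind, value in sans)
    return any(kind == "DNS" and _dns_match(value, target)
               for kind, value in sans)

def browser_verdict(cert, target):
    """Model the client's decision; the traffic is encrypted in both cases."""
    if name_is_covered(cert, target):
        return "encrypted, server identity verified"
    return "encrypted, identity NOT verified (browser shows a warning)"

if __name__ == "__main__":
    for typed in ("domain.com", "www.domain.com", "203.0.113.10"):
        print(f"https://{typed}/ -> {browser_verdict(SAMPLE_CERT, typed)}")
```
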

pwhodges
23 hours ago, KiraCreedeth said:

I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

If you have just one web server on an IP address (and port, if not default), then yes, it would be normal for it to respond.  Using a domain name is just a convenient way of looking up the IP address in that situation.  In the case of an HTTPS connection, the domain name is also used to match the certificate which the server provides.

However, it is common these days to have multiple web sites on the same IP address and (default) port combination.  This is possible because of a feature of the HTTP protocol which passes the domain name across so that the server can determine which web site to cause to respond.  But Emby can't do this, because it serves only its own single site; so people (like me) who want Emby alongside other web sites will typically use a reverse proxy which can determine which website is required and pass the request to Emby if that is the one (the alternative of using different ports is less convenient).  A proxy will typically also provide the ability to redirect HTTP requests to HTTPS to ensure that only secure connections can be made.

Paul

Link to comment
Share on other sites
