KiraCreedeth Posted August 14, 2022

Hey, I have a few questions about Emby Server. I have already installed it and my server is currently running without problems. There are, however, a few things I would like to know more about. Before I ask any questions, please let me tell you how the server is configured:

First of all I opened ports from the router's settings page as follows:

HTTP-EMBY | EXT PORT: 80 | INT PORT: 8096 | TCP
HTTPS-EMBY | EXT PORT: 443 | INT PORT: 8920 | TCP

After this I followed this guide starting from substep #8: https://mythofechelon.co.uk/blog/2017/01/01/lets-encrypt-emby-server-and-windows

-Open IIS Manager.
-Expand your server in the section Connection
-Right-click on Sites and select Add Website
• Site name: Emby
• Application pool: Emby
• Physical path: C:\inetpub\Emby
• Binding type: http
• Binding IP address: All Unassigned
• Binding port: 80
• Host name: domain.com
• Start Website immediately: Yes

After that I deleted the default application pool and default website. Installed Certify -> Export .pfx and added it to Emby.

Lastly, from Emby "Network" settings:

Local http 8096
Local https 8920
public http 80
public https 443
External domain: domain.com

That being said, everything works fantastic. The questions I had:

I noticed that even when I stop the application pool and website from IIS, Emby server is still working. I wonder what the point of installing it is, since it works with IIS stopped?

The other question is about security. Should I delete all rules from Windows firewall first and only add the Emby rule + the ones that I really need? Or are the default firewall rules fine generally?

This was a long post, thanks in advance!

Abobader Posted August 14, 2022

Hello KiraCreedeth,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread:

Thank you.

Emby Team

pwhodges Posted August 14, 2022

As far as I can see you have only used IIS to generate a certificate, or something like that. Your router is forwarding directly to Emby - IIS is not involved, even as a reverse proxy.

Paul

KiraCreedeth Posted August 14, 2022

Thanks for the answer! That is what I suspected too. Though I am fine with that. As for the security aspect, is this config okay? I keep Windows and Emby updated at all times and have a strong password for the Emby admin as well as for the server local account itself.

pwhodges Posted August 14, 2022

What provision have you made to keep the certificate updated (it has a max life of three months)? There are ways to do this, using a program called CertBot - but I don't know how that would tie in with what you've done to create it in the first instance.

For my money, the very easiest way to create and update certificates with zero ongoing effort is to use Caddy as a reverse proxy. It does everything necessary by default, and only requires a single line (apart from the domain name and a couple of brackets) to get a working reverse proxy for Emby (which then has no certificate installed).

I've written about this before in this forum, but if you want an updated version, I could do one in a couple of days (travelling right now)

Paul

KiraCreedeth Posted August 15, 2022

I have Certify configured as "Renew certificate 14 days before expiry" and the authentication method for the domain is CNAME challenge.

pwhodges Posted August 15, 2022

That sounds fine, then; I'll leave you to it! Caddy renews with a month to go, BTW, but that seems over-generous.

Paul

KiraCreedeth Posted August 21, 2022

Hey, thanks for helping. I have a couple more questions.

First question: When I am connecting via IP address rather than domain.com, I get "site is not secure". I get that SSL certificates are applied to domains, not IPs. But is this normal / safe being able to connect using IP with unsecured connection? I used GoDaddy's DNS management to forward www.domain.com to domain.com. I wonder if I could do the same to IP?

Second question: Is there currently a way to hide all user settings from specific users except change password / picture?

ebr Posted August 21, 2022

4 hours ago, KiraCreedeth said:
> But is this normal / safe being able to connect using IP with unsecured connection

Hi. There is a setting in your server dashboard to control that.

KiraCreedeth Posted August 21, 2022

It is already required for all remote connections. Connecting through domain.com is secure, connecting through the public IP address is not.

pwhodges Posted August 21, 2022

In any case, if the domain is set up and working, why would you ever want to use the IP instead?

You can't redirect an IP to a domain name - the purpose of a domain name is to give you the IP! But when you use a domain name in a browser, it is not exactly equivalent to using an IP address, because the domain name itself is forwarded to the server to verify against the certificate (and to separate different web sites on the same IP address).

Paul

KiraCreedeth Posted August 21, 2022

I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

Luke Posted August 21, 2022

13 minutes ago, KiraCreedeth said:
> I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

It depends. If you have a domain name you can use that instead. Do you have a domain?

Happy2Play Posted August 21, 2022

12 hours ago, KiraCreedeth said:
> Second question: Is there currently a way to hide all user settings from specific users except change password / picture?

No, as almost all of those settings will be for that user on that device. Not all of those settings are a global setting.

Sure, on the Web client there is custom CSS to achieve this, but it applies to all users.

ebr Posted August 22, 2022

15 hours ago, Luke said:
> It depends. If you have a domain name you can use that instead. Do you have a domain?

Yes, he does. What he is saying is - even though he has a domain and has his server set to only allow secure remote connections, if someone discovers his IP address, they can use that instead to connect and he's afraid that would be an insecure connection.

Q-Droid Posted August 22, 2022

The security warning is for the client, not the server. The connection is still encrypted but the cert can't be verified by the client so it warns the user that the connection can't be trusted. It's up to you whether you trust your own server.

ebr Posted August 22, 2022

2 minutes ago, Q-Droid said:
> The security warning is for the client, not the server. The connection is still encrypted but the cert can't be verified by the client so it warns the user that the connection can't be trusted. It's up to you whether you trust your own server.

Yes, that is a very good explanation. Many people only think of SSL as a means for encrypting the traffic and forget about the fact that it also is designed to ensure you are actually connected to whom you think you are.

In the Emby world, this is not as important but, in normal Web access it is paramount.

pwhodges Posted August 22, 2022

23 hours ago, KiraCreedeth said:
> I know, what I meant is: Is it normal for the Emby site to open using only the IP address? It's something I tried out of curiosity.

If you have just one web server on an IP address (and port, if not default), then yes, it would be normal for it to respond. Using a domain name is just a convenient way of looking up the IP address in that situation. In the case of an HTTPS connection, the domain name is also used to match the certificate which the server provides.

However, it is common these days to have multiple web sites on the same IP address and (default) port combination. This is possible because of a feature of the HTTP protocol which passes the domain name across so that the server can determine which web site to cause to respond. But Emby can't do this, because it serves only its own single site; so people (like me) who want Emby alongside other web sites will typically use a reverse proxy which can determine which website is required and pass the request to Emby if that is the one (the alternative of using different ports is less convenient). A proxy will typically also provide the ability to redirect HTTP requests to HTTPS to ensure that only secure connections can be made.

Paul

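
The certificate name check discussed in the posts above, as an added example that is not part of the original thread and is not Emby's or any browser's code: a simplified Python version of how a TLS client compares what was typed in the address bar with the certificate's subjectAltName entries. The SAN list and the address 203.0.113.10 are constructed, and the wildcard rule goes slightly beyond what the thread covers.

```python
import ipaddress

def _dns_match(pattern: str, host: str) -> bool:
    """Match one dNSName entry against a hostname (case-insensitive, label by label)."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = host.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # A wildcard covers exactly one left-most label and needs two fixed labels after it.
        return len(p_labels) >= 3 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels

def name_matches_cert(target: str, san: list[tuple[str, str]]) -> bool:
    """Return True if the name or address the user typed is covered by the certificate.

    san uses the shape Python's ssl.getpeercert() returns for subjectAltName:
    ("DNS", name) or ("IP Address", addr) pairs.
    """
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # An IP literal is compared only with iPAddress entries, never with DNS names.
        return any(kind == "IP Address" and ipaddress.ip_address(val) == ip
                   for kind, val in san)
    return any(kind == "DNS" and _dns_match(val, target) for kind, val in san)

# Constructed SAN list for a certificate issued for the thread's placeholder domain.
EMBY_CERT_SAN = [("DNS", "domain.com"), ("DNS", "www.domain.com")]

if __name__ == "__main__":
    # 203.0.113.10 is a documentation address standing in for the server's public IP.
    for typed in ("domain.com", "www.domain.com", "203.0.113.10", "emby.domain.com"):
        ok = name_matches_cert(typed, EMBY_CERT_SAN)
        print(f"https://{typed}: {'verified' if ok else 'name mismatch, client warns'}")
```

The traffic is encrypted in every one of these cases; only the identity check differs, which is why the warning appears for the IP address and not for the domain.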