Happy2Play, posted December 22, 2022:

> 4 hours ago, justinrh said:
> @Happy2Play what do you get if Emby is configured with a well-known (TLS) port?

Changing Emby to 443 made no difference.

bandit8623 (author), posted September 28, 2023:

Version 4.8.0.47 beta getting B- now. Only thing now is this

rbjtech, posted September 28, 2023:

If you want the very latest and timely resolution of security vulnerabilities/standard changes (from pcidss, hipaa, nist etc), then you need to use a well supported reverse proxy as has been said earlier on this thread. nginx, caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from emby.

Q-Droid, posted September 28, 2023:

> 3 hours ago, rbjtech said:
> If you want the very latest and timely resolution of security vulnerabilities/standard changes (from pcidss, hipaa, nist etc), then you need to use a well supported reverse proxy as has been said earlier on this thread. nginx, caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from emby.

This is the way! Regardless of the Emby version and platform. Millions use Apache, nginx, Caddy, etc. in publicly facing sites/applications. They are heavily scrutinized and continually updated to fix security findings.

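Added example, not part of any post in this thread and not Emby's own configuration: a minimal nginx reverse proxy that terminates TLS in front of Emby, the setup the two posts above recommend. The hostname, the certificate paths and the upstream address 127.0.0.1:8096 (Emby's default plain-HTTP port, assumed to be on the same host) are placeholders or assumptions.

```nginx
# Added example: TLS-terminating reverse proxy in front of Emby.
# media.example.org and the certificate paths are placeholders;
# 127.0.0.1:8096 assumes Emby listens on its default HTTP port locally.

server {
    listen 80;
    server_name media.example.org;
    # Redirect everything to HTTPS so nothing is served in plaintext.
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    server_name media.example.org;

    ssl_certificate     /etc/ssl/example/fullchain.pem;
    ssl_certificate_key /etc/ssl/example/privkey.pem;

    # Weak setting that TLS test suites mark down, shown for contrast:
    #   ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_protocols TLSv1.2 TLSv1.3;

    # Forward-secret AEAD suites only (applies to TLS 1.2; TLS 1.3 suites
    # are negotiated separately by the TLS library).
    ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
    ssl_prefer_server_ciphers off;
    ssl_session_cache   shared:TLS:10m;
    ssl_session_timeout 1d;
    ssl_session_tickets off;

    # HSTS: browsers refuse plain HTTP for this host for two years.
    add_header Strict-Transport-Security "max-age=63072000" always;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Pass WebSocket upgrades through to the media server.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_buffering off;
    }
}
```

With this in place the media server's own HTTPS listener no longer needs to be reachable from outside; only the proxy's port 443 does.
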
bandit8623 (author), posted September 28, 2023:

> 8 hours ago, rbjtech said:
> If you want the very latest and timely resolution of security vulnerabilities/standard changes (from pcidss, hipaa, nist etc), then you need to use a well supported reverse proxy as has been said earlier on this thread. nginx, caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from emby.

That's fine if that's what it takes currently. But if you make a good product it should include all that in the app itself.

Luke, posted September 29, 2023:

> On 9/28/2023 at 1:59 PM, bandit8623 said:
> That's fine if that's what it takes currently. But if you make a good product it should include all that in the app itself.

You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.

pwhodges, posted September 29, 2023:

No, he's saying that as you provide an https interface, he feels that you should ensure that it is as secure and up to date as that of the best purpose-made web servers.

Personally, I'd rather you concentrate on the media server and encourage us to use a specialised (and free!) reverse proxy if we want (and can justify) a higher level of security. I'd even be happy if you removed the SSL stuff so that we had to use a reverse proxy to provide it!

Paul

bandit8623 (author), posted September 29, 2023:

> 2 hours ago, Luke said:
> You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.

emby is a webserver. but clearly it's not secure on its own (I think you should make it secure on its own). you are making us do that part too. on top of the ssl certs (cert i get are needed for us to host standalone). If a reverse proxy is needed for our servers to be secure then i would say you should require a reverse proxy... when u add extra steps in the middle like this you open us up to security issues. if you made emby a standalone and secure (no need for proxy) you now control how secure it is vs everyone doing it a different way.

Luke, posted September 30, 2023:

> 1 hour ago, bandit8623 said:
> emby is a webserver. but clearly it's not secure on its own (I think you should make it secure on its own). you are making us do that part too. on top of the ssl certs (cert i get are needed for us to host standalone). If a reverse proxy is needed for our servers to be secure then i would say you should require a reverse proxy... when u add extra steps in the middle like this you open us up to security issues. if you made emby a standalone and secure (no need for proxy) you now control how secure it is vs everyone doing it a different way.

A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .net 7, renegotiation will not be allowed by default anymore. We're currently on .net 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file.

AllowRenegotiation

If you set it to false, then it won't be allowed and that last mention will go away.

bandit8623 (author), posted September 30, 2023:

> 29 minutes ago, Luke said:
> A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .net 7, renegotiation will not be allowed by default anymore. We're currently on .net 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file.
>
> AllowRenegotiation
>
> If you set it to false, then it won't be allowed and that last mention will go away.

I appreciate your efforts! Thanks

bandit8623 (author), posted September 30, 2023:

> 18 hours ago, Luke said:
> A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .net 7, renegotiation will not be allowed by default anymore. We're currently on .net 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file.
>
> AllowRenegotiation
>
> If you set it to false, then it won't be allowed and that last mention will go away.

i also rebooted. no change. did i edit the right file?

Luke, posted September 30, 2023:

> 49 minutes ago, bandit8623 said:
> i also rebooted. no change. did i edit the right file?

What version number?

bandit8623 (author), posted September 30, 2023:

> 1 minute ago, Luke said:
> What version number?

49

Luke, posted September 30, 2023:

> 9 minutes ago, bandit8623 said:
> 49

OK please try again with the next build. Thanks.

bandit8623 (author), posted September 30, 2023:

> 29 minutes ago, Luke said:
> OK please try again with the next build. Thanks.

Will do. thx

bandit8623 (author), posted October 3, 2023:

> On 9/30/2023 at 3:45 PM, Luke said:
> OK please try again with the next build. Thanks.

build 51

Luke, posted October 3, 2023:

> 27 minutes ago, bandit8623 said:
> build 51

OK well there's not much documentation around this, so we may just have to wait on this until we update to .net 7 when it will be disabled out of the box.

bandit8623 (author), posted October 4, 2023:

> 17 hours ago, Luke said:
> OK well there's not much documentation around this, so we may just have to wait on this until we update to .net 7 when it will be disabled out of the box.

sounds good. thx for looking into

bandit8623 (author), posted January 24:

just wanted to say thx as now I'm A+. .net 7 plus using https://www.nartac.com/Products/IISCrypto this fixed all the issues.