
Another no external connection thing


arrbee99


arrbee99

Am suspecting I need to do port mapping to enable external access to Emby.

I've tried this CanYouSeeMe thing -

[Attached image: EmbyCanYouSeeMe.jpg]

Never seemed to be a problem with the old router but I have a UniFi Dream Machine now.

Should I have something like this on the router... (8096) for Emby and Forward IP = In-Home (LAN) Access address given in the Emby dashboard -

[Attached image: Embyportforwarding.jpg]

Any thoughts please. Would this be correct... and... would it be secure?


GrimReaper
22 minutes ago, arrbee99 said:

Would this be correct... and... would it be secure?

Correct: yes. Secure: no.


GrimReaper

Yep, you need to set up SSL. There are a few different routes you can take; it basically comes down to personal preference and your particular setup's additional requirements/needs. There are a few pinned topics about securing access in General/Windows and several other unpinned ones around the forums (and no, neither will be really, really easy, though some will be less challenging than the others).

 


GrimReaper
Just now, arrbee99 said:

Should I enable Emby > Network > Secure connection mode ?

Not if you don't have secure access (https) already set up, as you'll effectively refuse all (unsecure: http) remote connections.


arrbee99

Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely ?


GrimReaper
1 minute ago, arrbee99 said:

Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely ?

Yup (likely Port Mapper took care of that for you).


Happy2Play
1 minute ago, arrbee99 said:

Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely ?

No, if it worked before then something new with the UniFi Dream Machine is different.

Does it have its own firewall?


arrbee99

Yes it has a firewall.

Know nothing about them except they exist though.


GrimReaper
1 minute ago, Happy2Play said:

No, if it worked before then something new with the UniFi Dream Machine is different.

Does it have its own firewall?

If it was working before with no SSL and on default port 8096, then for sure it was unsecure, as asked?


Happy2Play

So you need to look at port forwarding if not using the Port Mapper plugin or if the plugin is not working. And potentially firewall rules on this new hardware.


arrbee99

Guess it was insecure then.

I just glaze over after about 30 seconds of this internet / firewall / port / ssl etc stuff

I'll try reading a bit more, but if I just do port forwarding is it disaster area insecure or a bit iffy or...


arrbee99

and is port forwarding bad if I have a firewall on the router and Norton (yes I know) anti-everything installed as well ?


pwhodges

Port forwarding is not bad, it's a necessary part of enabling contact with your server from outside your network. 

The choice is whether you let Emby try to set it up automatically (which requires the router to accept such requests) or whether instead you do it manually.  Automation is convenient, but is in itself an insecurity to the extent that any malware which managed to get into your system could use it to break your security further.

Paul


arrbee99

Hmm. Well. I'm deciding whether to do port mapping on the router, which seems to work - turn on and CanYouSeeMe can find Emby, turn it off and it can't.

Can also do the above but there's also a router setting to enable it for specific IP addresses, so I can only allow it for the computers of family members, which sounds good (unless their address changes of course).

Also having a look through Emby ssl guides which might be doable, even by me, but if not, then back to either of the above.


rbjtech

For UPnP to work on the UDM, you need to enable it as a service (as it's quite rightly turned off by default - the UDM is a prosumer product and thus takes security reasonably seriously).

I believe it's in gateway, pnp - turn it on.

But my strong recommendation is to a) set up SSL/TLS - there really is no excuse not to these days with free certs from Let's Encrypt/Certbot etc. and b) manually port forward - so YOU are in control of your internet ingress, not an automated out-of-date protocol.

If you take your home network security seriously, then you need to invest the time to learn about a reverse proxy - this is the next step to protecting your network from the public internet.

edit - ah - I see in another thread you are now using Caddy, good - this is a reverse proxy - I'm not familiar with it myself (I use nginx) but I'm sure it's giving you the same level of additional protection vs a direct internet > emby connection. 


arrbee99

Well, not there with reverse proxy thingy yet. I live in hope but it's a spell out every step, then break those steps into 10 times smaller sized steps. I mean, manual port forwarding, see the instructions, follow the instructions, bugger up the instructions because I'm using them on firmware with a version 0.0001 different than the example uses. Anyway...


rbjtech

Absolutely - take things at your own pace and have an understanding on what you are doing and why.   A badly or naïvely deployed reverse proxy is potentially more of a security risk than what you have with just port forwarding.


pwhodges

In your favour, using Caddy, is that the default with nothing in the configuration apart from the actual reverse-proxy directive is already very secure.

Paul


arrbee99

I hope so. If I can bugger it up, I will. Would there be a way to check if I've done things properly, like using CanYouSeeMe.org  or similar ?


pwhodges

If you've done things properly, it'll work.

You need only four things: (1) Emby running, which you have; (2) Caddy running, with a configuration containing the directive "reverse_proxy http://localhost:8096" (replace localhost with the IP address of the Emby machine if different); (3) port forwarding of ports 80 and 443 to the machine running Caddy; (4) a domain name with an A record pointing at your external IP address.

Paul
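
One way to run the check asked about above against the four items in this reply, as an added example that is not part of the thread. `emby.example.com` and `203.0.113.10` are placeholders, the helper names `Test-TcpPort` and `Get-TlsCertificate` are made up for this sketch, and it assumes the earlier direct forward of port 8096 has been removed.

```powershell
# Added example, not from the thread. $Domain and $ExternalIp are placeholders.
# Run it from outside the home network (e.g. a phone hotspot) so the result
# does not depend on how the router treats connections to its own public IP.
param(
    [string]$Domain     = 'emby.example.com',  # placeholder: your domain name
    [string]$ExternalIp = '203.0.113.10',      # placeholder: your external IP
    [int]$EmbyPort      = 8096                 # Emby's HTTP port from the thread
)

function Test-TcpPort([string]$HostName, [int]$Port) {
    $r = Test-NetConnection -ComputerName $HostName -Port $Port -WarningAction SilentlyContinue
    return [bool]$r.TcpTestSucceeded
}

function Get-TlsCertificate([string]$HostName) {
    # TLS 1.2 handshake with normal validation: throws on an untrusted chain or wrong name.
    $tcp = [System.Net.Sockets.TcpClient]::new($HostName, 443)
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream())
        $ssl.AuthenticateAsClient($HostName, $null,
            [System.Security.Authentication.SslProtocols]::Tls12, $false)
        return [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
    } finally { $tcp.Close() }
}

$results = [ordered]@{}

# (4) The A record must resolve to the external address, not the local (192..) one.
$aRecords = @(Resolve-DnsName -Name $Domain -Type A -ErrorAction Stop |
    Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
$results['A record = external IP'] = $aRecords -contains $ExternalIp

# (3) Ports 80 and 443 must reach Caddy through the router.
$results['Port 80 reachable']  = Test-TcpPort $Domain 80
$results['Port 443 reachable'] = Test-TcpPort $Domain 443

# (2) Caddy must present a certificate that validates for the domain.
try {
    $cert = Get-TlsCertificate $Domain
    $results['HTTPS certificate valid'] = $cert.NotAfter -gt (Get-Date)
} catch { $results['HTTPS certificate valid'] = $false }

# Assumption: the earlier direct forward of 8096 was removed, so Emby is only
# reachable through Caddy and plain HTTP to Emby is not exposed.
$results["Port $EmbyPort closed from outside"] = -not (Test-TcpPort $Domain $EmbyPort)

$results.GetEnumerator() | ForEach-Object {
    '{0,-32} {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'FAIL' })
}
```

Every line should read OK; a FAIL on the certificate line with both ports reachable usually means Caddy has not yet obtained a certificate for the name in its configuration.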


arrbee99

Think I have, or can enable, all of that except the A name thing. In Google Domains Resource Records I presume -

for hostname I type in the name of the name I bought,

for Type I use A

for TTL I leave as 3600

for Data, the IPv4 address, I put my remote access address, not the local (192..) address, with no ':8096' ?


seanbuff
51 minutes ago, arrbee99 said:

for Data, the IPv4 address, I put my remote access address, not the local (192..) address, with no ':8096' ?

Correct


arrbee99

Really basic thing I guess, but caddy won't run.

Tried double-clicking. Tried Run as Administrator. Tried running in a cmd window.

Either it tells me to run in a cmd window or I try -

PS C:\Users\schoo> cd c:\caddy
PS C:\caddy> caddy run

and it says -


caddy : The term 'caddy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check
the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:1
+ caddy run
+ ~~~~~
    + CategoryInfo          : ObjectNotFound: (caddy:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

 

 
