arrbee99, posted November 22, 2022:
Am suspecting I need to do port mapping to enable external access to Emby. I've tried this CanYouSeeMe thing -
Never seemed to be a problem with the old router but I have a UniFi Dream Machine now. Should I have something like this on the router...
(8096) for Emby and Forward IP = In-Home (LAN) Access address given in the Emby dashboard -
Any thoughts please. Would this be correct...and... Would it be secure?

GrimReaper, posted November 22, 2022:
> 22 minutes ago, arrbee99 said:
> Would this be correct...and... Would it be secure?
Correct: yes. Secure: no.

arrbee99, posted November 22, 2022:
Can that 8920 thing be used? https? But really really easily. Another method?

GrimReaper, posted November 22, 2022:
Yep, you need to set up SSL, few different routes you can take, it basically comes down to personal preference and particular setup additional requirements/needs. Few pinned topics about securing access in General/Windows and several other unpinned around forums. (And no, neither will be really, really easy, though some will be less challenging than the others.)

arrbee99, posted November 22, 2022:
Should I enable Emby > Network > Secure connection mode?

GrimReaper, posted November 22, 2022:
> Just now, arrbee99 said:
> Should I enable Emby > Network > Secure connection mode?
Not if you don't have secure access (https) already set-up, as you'll effectively refuse all (unsecure: http) remote connections.

arrbee99, posted November 22, 2022:
Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely?

GrimReaper, posted November 22, 2022:
> 1 minute ago, arrbee99 said:
> Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely?
Yup (likely Port Mapper took care of that for you).

Happy2Play, posted November 22, 2022:
> 1 minute ago, arrbee99 said:
> Would you say if it was working before on the old router (I think) without any special setup, it was just because access was simply being allowed insecurely?
No, if it worked before then something new with the UniFi Dream Machine is different. Does it have its own firewall?

arrbee99, posted November 22, 2022 (edited):
Yes it has a firewall. Know nothing about them except they exist though.

GrimReaper, posted November 22, 2022:
> 1 minute ago, Happy2Play said:
> No, if it worked before then something new with the UniFi Dream Machine is different. Does it have its own firewall?
If it was working before with no SSL and on default port 8096, then for sure it was unsecure, as asked?

Happy2Play, posted November 22, 2022:
So you need to look at Portforwarding if not using portmapper plugin or if plugin is not working. And potentially firewall rules on this new hardware.

arrbee99, posted November 22, 2022:
Guess it was insecure then. I just glaze over after about 30 seconds of this internet / firewall / port / ssl etc stuff.
I'll try reading a bit more, but if I just do port forwarding is it disaster area insecure or a bit iffy or...

arrbee99, posted November 22, 2022:
And is port forwarding bad if I have a firewall on the router and Norton (yes I know) anti-everything installed as well?

pwhodges, posted November 22, 2022:
Port forwarding is not bad, it's a necessary part of enabling contact with your server from outside your network. The choice is whether you let Emby try to set it up automatically (which requires the router to accept such requests) or whether instead you do it manually. Automation is convenient, but is in itself an insecurity to the extent that any malware which managed to get into your system could use it to break your security further.
Paul

arrbee99, posted November 22, 2022:
Hmm. Well. I'm deciding whether to do port mapping on the router, which seems to work - turn on and CanYouSeeMe can find Emby, turn it off and it can't.
Can also do the above but there's also a router setting to enable it for specific IP addresses, so I can only allow it for the computers of family members, which sounds good (unless their address changes of course).
Also having a look through Emby ssl guides which might be doable, even by me, but if not, then back to either of the above.

rbjtech, posted November 23, 2022 (edited):
For upnp to work on the udm, you need to enable it as a service (as it's quite rightly turned off by default - udm is a prosumer product - and thus take security reasonably seriously). I believe it's in gateway, pnp - turn it on.
But my strong recommendation is to a) set up SSL/TLS - there really is no excuse not to these days with free certs from Let's Encrypt/Certbot etc and b) manually port forward - so YOU are in control of your internet ingress, not an automated out of date protocol.
If you take your home network security seriously, then you need to invest the time to learn about a reverse proxy - this is the next step to protecting your network from the public internet.
edit - ah - I see in another thread you are now using Caddy, good - this is a reverse proxy - I'm not familiar with it myself (I use nginx) but I'm sure it's giving you the same level of additional protection vs a direct internet > emby connection.

arrbee99, posted November 23, 2022:
Well, not there with reverse proxy thingy yet. I live in hope but it's a spell out every step, then break those steps into 10 times smaller sized steps. I mean, manual port forwarding, see the instructions, follow the instructions, bugger up the instructions because I'm using them on firmware with a version 0.0001 different than the example uses. Anyway...

rbjtech, posted November 23, 2022:
Absolutely - take things at your own pace and have an understanding on what you are doing and why. A badly or naïvely deployed reverse proxy is potentially more of a security risk than what you have with just port forwarding.

pwhodges, posted November 23, 2022:
In your favour, using Caddy, is that the default with nothing in the configuration apart from the actual reverse-proxy directive is already very secure.
Paul

arrbee99, posted November 23, 2022:
I hope so. If I can bugger it up, I will.
Would there be a way to check if I've done things properly, like using CanYouSeeMe.org or similar?

pwhodges, posted November 23, 2022:
If you've done things properly, it'll work. You need only four things:
(1) Emby running, which you have;
(2) Caddy running, with a configuration containing the directive "reverse_proxy http://localhost:8096", replace localhost with the IP address of the Emby machine if different;
(3) port forwarding of ports 80 and 443 to the machine running Caddy;
(4) A domain name with an A record pointing at your external IP address.
Paul

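An added example, not part of the thread and not Emby's or Caddy's own tooling: one way to check the four-item list above from a machine outside the home network (from inside the LAN the result depends on how the router handles loopback). The function names, the messages, and the rule that 8096 should no longer be reachable once Caddy fronts Emby are assumptions of this example.

```python
import socket
import ssl
import sys

EMBY_PORT = 8096  # Emby's default plain-HTTP port, as named in the thread

def port_open(host, port, timeout=5.0):
    """True if a TCP connection to host:port succeeds."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def tls_valid(host, timeout=5.0):
    """True if port 443 presents a certificate that verifies for host."""
    ctx = ssl.create_default_context()  # checks chain and hostname
    try:
        with socket.create_connection((host, 443), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # ssl.SSLError is a subclass of OSError
        return False

def probe(domain):
    """Collect the facts the checklist depends on (needs network access)."""
    try:
        resolved = socket.gethostbyname(domain)
    except OSError:
        resolved = None
    ports = {p for p in (80, 443, EMBY_PORT) if port_open(domain, p)}
    return {"resolved_ip": resolved, "open_ports": ports, "tls_valid": tls_valid(domain)}

def evaluate(facts, expected_ip):
    """Turn probe results into a list of problems; an empty list means OK."""
    problems = []
    if facts["resolved_ip"] != expected_ip:
        problems.append("A record does not point at the external IP")
    for port in (80, 443):
        if port not in facts["open_ports"]:
            problems.append(f"port {port} is not reachable (forward to Caddy missing or blocked)")
    if EMBY_PORT in facts["open_ports"]:  # assumption: Emby should sit behind Caddy only
        problems.append(f"port {EMBY_PORT} is still exposed; remove that forward")
    if 443 in facts["open_ports"] and not facts["tls_valid"]:
        problems.append("certificate on 443 does not verify for this name")
    return problems

if __name__ == "__main__" and len(sys.argv) == 3:  # args: <domain> <external-ip>
    print(evaluate(probe(sys.argv[1]), sys.argv[2]) or "all checks passed")
```
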
arrbee99, posted November 23, 2022:
Think I have, or can enable, all of that except the A name thing.
In Google Domains Resource Records I presume -
for hostname I type in the name of the name I bought,
for Type I use A
for TTL I leave as 3600
for Data, the IPv4 address, I put my remote access address, not the local (192..) address, with no ':8096' ?

seanbuff, posted November 24, 2022:
> 51 minutes ago, arrbee99 said:
> for Data, the IPv4 address, I put my remote access address, not the local (192..) address, with no ':8096' ?
Correct

arrbee99, posted November 24, 2022:
Really basic thing I guess, but caddy won't run. Tried double clicking. Tried Run as Administrator. Tried running in cmd window.
Either it tells me to run in a cmd window or I try -

    PS C:\Users\schoo> cd c:\caddy
    PS C:\caddy> caddy run

and it says -

    caddy : The term 'caddy' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
    At line:1 char:1
    + caddy run
    + ~~~~~
        + CategoryInfo          : ObjectNotFound: (caddy:String) [], CommandNotFoundException
        + FullyQualifiedErrorId : CommandNotFoundException