seanbuff, November 25, 2022, quoting arrbee99 ("Do you run caddy as a service?"): I do, but my setup is quite old and I used NSSM to run it as a service way back when. I'm sure the more up-to-date info from Caddy using SC or WinSW would be better.
arrbee99 (author), November 25, 2022: Roger dodger.
pwhodges, November 25, 2022: I run Caddy (and Emby) using nssm. The different mechanisms for running a service are of little consequence - a service is a Windows feature, which these programs merely help you set up. Paul
arrbee99 (author), November 25, 2022: I'll have a go, probably with that sc.exe thing, just have to get round to it.
rbjtech, November 25, 2022, quoting arrbee99 ("Thanks. Maybe I should stop obsessing so much. Do you run caddy as a service? I guess I can just follow the Windows section of this - https://caddyserver.com/docs/running"): Queries on how it runs and observations are good. It shows interest in the subject rather than an 'I just want it to work' attitude. Just keep an eye on the number of intrusion alerts; to reduce them maybe look at geo blocking and use an IPS (possibly what Norton is trying to do), but scanners/bots are the norm I'm afraid. You may be able to suppress alerts for common scans.
arrbee99 (author), November 25, 2022: It is quite interesting, but at the same time it's hopefully set and forget, so by the next time I look at it I've forgotten the tiny bit I know / knew. And also, at the same time, I still wonder whether I should just forward 8096 (less 'attackable' than 80 / 443) and only allow it from the one computer, as in my son's laptop, which I imagine would be pretty safe, but not so good if his computer address changes every 5 minutes (or every 5 days). So it's all to allow one person access (or maybe two at most).
rbjtech, November 25, 2022: A valid question. If you are happy to use a non-standard port for https, 8920 for example, then that would cut down the scans for sure. The downside of course is you need to use :8920 in a browser URL. IP whitelists will be a nightmare to maintain so I wouldn't go there unless they have a fixed public IP.
pwhodges, November 25, 2022: There would also be more work to configure Caddy to do https over a different port. In any case you cannot completely escape attack - I'm sure that the Emby ports are on lists of ports to try. Using a good reverse proxy should be sufficient to keep you safe. Whitelisting a computer doesn't prevent others attacking just the same - it merely transfers the responsibility for blocking the attacks to a different piece of software or feature of the reverse proxy. Paul
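The two practical points raised so far, running Caddy as a Windows service (NSSM, sc.exe or WinSW, from the first replies) and putting the HTTPS listener on a non-standard port such as 8920 (the exchange just above), in one added PowerShell example. This is not code from the thread, from Emby, or from the Caddy or NSSM projects. It assumes caddy.exe and the Caddyfile live in C:\caddy, that nssm.exe is on PATH, and that emby.example.com is a placeholder for your own DNS name; the port numbers 8920 and 8096 are the ones discussed in the thread. Run it from an elevated PowerShell prompt.

```powershell
# Added example (not from the thread or the Caddy/NSSM projects): install Caddy as a
# Windows service with NSSM and serve Emby over HTTPS on a non-standard port.
# Assumed placeholders: C:\caddy holds caddy.exe, nssm.exe is on PATH, and
# emby.example.com resolves to the router's public IP.
$caddyDir  = 'C:\caddy'
$caddyExe  = Join-Path $caddyDir 'caddy.exe'
$caddyfile = Join-Path $caddyDir 'Caddyfile'
$logDir    = Join-Path $caddyDir 'logs'
$siteHost  = 'emby.example.com'   # placeholder DNS name, replace with your own
$httpsPort = 8920                  # non-standard HTTPS port suggested in the thread
$embyPort  = 8096                  # Emby's default HTTP port; Caddy reaches it via localhost

New-Item -ItemType Directory -Force -Path $logDir | Out-Null

# Caddyfile: a site address with a hostname gets Caddy's automatic HTTPS even when an
# explicit non-standard port is given. Only this port needs forwarding on the router;
# 8096 is never forwarded, so Emby itself is not reachable from the internet.
$config = @"
${siteHost}:${httpsPort} {
    reverse_proxy 127.0.0.1:${embyPort}
    log {
        output file ${logDir}\access.log
    }
}
"@
Set-Content -Path $caddyfile -Value $config -Encoding ASCII

# Reject a broken config now rather than discovering it when the service fails to start.
& $caddyExe validate --config $caddyfile --adapter caddyfile
if ($LASTEXITCODE -ne 0) { throw "Caddyfile at $caddyfile failed validation" }

# Register the service. A wrapper such as NSSM (or WinSW) is what lets the Service
# Control Manager start, stop and restart caddy.exe like any other Windows service.
nssm install caddy $caddyExe run --config $caddyfile --adapter caddyfile
nssm set caddy AppDirectory $caddyDir
nssm set caddy AppStdout (Join-Path $logDir 'caddy.out.log')
nssm set caddy AppStderr (Join-Path $logDir 'caddy.err.log')
nssm set caddy Start SERVICE_AUTO_START
nssm start caddy

# Post-install checks: the service is running, and which of the relevant ports are
# actually listening on this machine. Expect 8920 owned by caddy.exe and 8096 owned by
# Emby; 8096 bound on all interfaces is normal for LAN clients, the router just must
# not forward it.
Get-Service -Name caddy | Select-Object Name, Status, StartType
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in @($httpsPort, 80, 443, $embyPort) } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

Two caveats that follow from choosing a port other than 443. First, the automatic HTTP-to-HTTPS redirect mentioned later in the thread listens on port 80, so if only 8920 is forwarded, remote users never see it and must type https://emby.example.com:8920 themselves. Second, Caddy's automatic certificates from a public CA are validated over port 80 (HTTP-01) or port 443 (TLS-ALPN-01); with neither forwarded, issuance fails unless you switch to the DNS challenge, which needs a DNS-provider plugin for your registrar. Forwarding port 80 to the Caddy host just for validation and the redirect is a common compromise. NSSM also runs the service as LocalSystem by default; `nssm set caddy ObjectName <account> <password>` lets it run as a dedicated low-privilege account, provided that account can write to C:\caddy and Caddy's data directory.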
rbjtech, November 25, 2022 (edited): If you only have one external connection, then a better solution is actually just to create a VPN between that end point and you. This connection is 100% private, thus you are not exposing anything to the public internet.
arrbee99 (author), November 25, 2022: Thanks. Sounds interesting. I'll have a Google...
pwhodges, November 25, 2022: Before deciding on additional security measures (which may cost money and effort), take a little time to think about what you are even trying to protect against over and above what protection you already have. Paul
arrbee99 (author), November 25, 2022: To me I'm just trying to keep everything out that I can that's evil, using a decent router that has a firewall (at least), and Norton, which has firewall / antivirus / etc. All I want is the usual, safe browsing and hopefully remote Emby access to a child or two. I'm not doing any hosting / torrenting etc. The occasional play with a VPN for a bit of extra security / getting round geo-restrictions, but it's off most of the time.
pwhodges, November 26, 2022: A VPN doesn't keep things out - it is merely a different way in to your system - and having it adds an additional (small) attack surface; but its use for getting round geo-restrictions can be useful (though not always effective IME). The privacy it affords by using an IP address not directly related to your ISP connection may be invaluable for some, but probably not many. Paul
arrbee99 (author), November 26, 2022: You don't think a VPN just between me and the kids' PCs is a decent alternative to the whole Caddy thing if I wanted to give it a go?
pwhodges, November 26, 2022: It's not equivalent, as it doesn't enforce encryption between your kids' client and the VPN endpoint unless you add a certificate to Emby itself (thus losing the benefit of Caddy's automation). I wouldn't bother, but it's up to you how you run your system. Paul
rbjtech, November 26, 2022 (edited), quoting pwhodges's reply above: I'm referring to a point-to-point VPN via IPSec - I'm not talking about a 3rd-party VPN providing 'anonymous' internet access as I agree, that does not stop anything other than hiding your public IP. If the VPN is between the end point and Emby - then it's 100% secure - as the internet is only used as a transport, nothing is 'opened' on it. Encryption will be part of the VPN tunnel - so you don't even need to use https for Emby - http will be fine - it will still be secure. If you want to use https - no issues, it will be encrypted twice. It's effectively like extending your LAN - over a secure private channel. But if Caddy is working - and you have an A rating - then in all honesty - that is secure enough.
pwhodges, November 26, 2022: I thought of mentioning point-to-point VPN, but honestly I have no idea how few or many people even realise it exists, let alone set it up and use it. But of course https provides end-to-end encryption as well - and using Caddy doesn't let you use http by mistake, because redirecting that to https is part of its default automation. Point-to-point VPN would let Emby see the client as local, and so might upset automatic speed settings. Paul
arrbee99 (author), November 30, 2022: Using Caddy, and the other bits around its implementation, is done on our main PC, so presumably if the main PC is powered off (to add a card or whatever...), I need to at least turn off the port forwarding on the router to be safe in that situation?
pwhodges, November 30, 2022: Why? If the port that is forwarded to is on a computer running Caddy that is then switched off, it simply becomes inaccessible - that is even more secure, not a vulnerability! Paul
arrbee99 (author), November 30, 2022: So it wouldn't make other laptops etc. still running / connected more vulnerable then?
arrbee99 (author), November 30, 2022: ...Oh right, the Destination Port is the PC that is switched off.
pwhodges, November 30, 2022: You got it. Paul
arrbee99 (author), November 30, 2022 (edited): Yay, finally emoji. (till I forget it again...)