Mantra6475 Posted June 30, 2023 (edited)

Hello,

I've noticed that Emby implemented X-Forwarded-For and X-Real-IP in such a way that it ignores local addresses. This makes it impossible to use multiple networks.

I, for example, have Emby running inside a docker network:
- 172.22.0.0/16

My home network is:
- 192.168.178.0/24

It seems that 192.168.178.0/24 is considered local by Emby and therefore it discards the X-Forwarded-For header. This means that I see all clients in my network (Desktop, Mobiles, Consoles) as if they're coming from the Docker network, which is simply not correct. This also makes defining allowed trusted clients by pinpointing a specific device IP with /32 inside Emby's settings impossible.

If this applies to all Class C networks, this is really bad, as there might be Site-to-Site VPN connections from other locations (like other family houses).

Why has this restriction been made? Please remove that. I personally don't see any advantage or benefit in this. Please help me understand why this decision has been made.

Best
Mantra
Mantra6475 (Author) Posted June 30, 2023 (edited)

I think I found the reason for this, which is based on a CVE from 2021 and also a record on GitHub:

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-25827
https://github.com/advisories/GHSA-m4q9-68f2-5wc6

I do understand the risks, but there is a solution to this:

- Allow the admin to tell Emby that it is being used behind a reverse proxy
- Allow the admin to set one or multiple uplinks as a Trusted Host (the reverse proxy)
- If Emby is operated with the Reverse Proxy mode enabled and the request comes from a configured Trusted Host, use the X-Forwarded-For and X-Real-IP headers
- If not, discard them

This, or a similar mechanism, is used by various pieces of software. For example:

- Home Assistant
- Atlassian Crowd
- WHMCS

Edited June 30, 2023 by Mantra6475: replace "user" with "admin"
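The trusted-proxy rule proposed above, written out as an added example in Python. This is not Emby's code and not from the CVE advisory; it is a stand-alone illustration of the mechanism the post describes. The function names (parse_trusted, resolve_client_ip), the configuration shape (a list of CIDRs plus a proxy-mode flag) and every address, network and header value in it are constructed for the example. The docker network 172.22.0.0/16 and LAN 192.168.178.0/24 are taken from the first post. The point it demonstrates: when the header is only honoured from a configured trusted peer and the chain is walked from the right, a private client address such as 192.168.178.20 is reported correctly, while a client that connects directly and sends its own X-Forwarded-For header gets nothing from it.

```python
"""
Added example (not Emby's code): a "trusted reverse proxy" resolver for
X-Forwarded-For / X-Real-IP, as proposed in the post above.

Rules implemented:
  - Headers are honoured only when reverse-proxy mode is on AND the TCP peer
    (remote_addr) is one of the admin-configured trusted proxies.
  - X-Forwarded-For is walked right to left: the rightmost entry is the one
    appended by the proxy nearest the server. A client that sends its own
    X-Forwarded-For header only adds entries further LEFT, which are never
    reached once the first untrusted hop is found.
  - Private addresses (192.168.178.0/24 etc.) get no special treatment.

All addresses, network ranges and header values are constructed for the example.
"""
import ipaddress


def parse_trusted(entries):
    """Parse the admin-configured trusted proxy list (CIDR or single address)."""
    # strict=False lets an admin write a host address with a prefix, e.g. 172.22.0.5/16
    return [ipaddress.ip_network(e.strip(), strict=False) for e in entries]


def _parse_ip(text):
    """Return an ip_address object, or None if the text is not a valid address."""
    try:
        return ipaddress.ip_address(text.strip())
    except ValueError:
        return None


def is_trusted(addr, trusted):
    """True if addr is inside any configured trusted proxy network."""
    ip = _parse_ip(addr)
    return ip is not None and any(ip in net for net in trusted)


def _header(headers, name):
    """Case-insensitive header lookup on a plain dict of request headers."""
    name = name.lower()
    for key, value in headers.items():
        if key.lower() == name:
            return value
    return None


def resolve_client_ip(remote_addr, headers, trusted, proxy_mode=True):
    """Return the address the server should treat as the client's."""
    # Not behind a proxy, or the peer is not a configured proxy: the headers
    # are attacker-controlled input and are discarded.
    if not proxy_mode or not is_trusted(remote_addr, trusted):
        return remote_addr

    xff = _header(headers, "X-Forwarded-For")
    if xff:
        chain = [h.strip() for h in xff.split(",") if h.strip()]
        candidate = remote_addr
        for hop in reversed(chain):
            if _parse_ip(hop) is None:
                break           # malformed entry: keep the last good hop
            candidate = hop
            if not is_trusted(hop, trusted):
                break           # first untrusted hop from the right is the client
        return candidate

    # No X-Forwarded-For: fall back to X-Real-IP from the trusted peer, if valid.
    real_ip = _header(headers, "X-Real-IP")
    if real_ip and _parse_ip(real_ip) is not None:
        return real_ip.strip()
    return remote_addr


if __name__ == "__main__":
    trusted = parse_trusted(["172.22.0.0/16"])          # the docker network
    # Proxy in docker forwards a LAN client: the private address is honoured.
    print(resolve_client_ip("172.22.0.5", {"X-Forwarded-For": "192.168.178.20"}, trusted))
    # A direct client (not a trusted proxy) trying to spoof: header ignored.
    print(resolve_client_ip("192.168.178.20", {"X-Forwarded-For": "10.0.0.1"}, trusted))
```

The right-to-left walk only holds if every trusted proxy appends the peer address it saw to X-Forwarded-For rather than passing the client's header through unchanged (in nginx terms, `proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for`). If a proxy does not append, the trusted list should name that proxy only and the server should treat what it forwards as the final answer.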
darkassassin07 Posted July 1, 2023

This change is a temporary fix to a massive security vulnerability that was leveraged by hackers in May. The Emby team is in the process of reworking Emby's security/network handling. This won't stay as it is now. Patience.
Luke Posted July 1, 2023

Hi, yes we'll be adding more options to control this soon on the beta channel. Thanks.