geppii, Posted August 26, 2023

Hi,

It would be nice if there were a setting to allow access to the Images endpoint only when authenticated. Currently, you can read all images using https://my-emby-instance.com/emby/Items/1386486/Images/Primary. Since there are no UUIDs, one can relatively easily iterate over this and potentially spoof an entire server. Somehow not so great.

Thank you.
ebr, Posted August 26, 2023 (marked as Solution)
Luke, Posted August 26, 2023

Hi, yes we're going to be doing this. It's just something that has to be planned out carefully as it will be a breaking API change for all consumers, so really they need to get updated first.
geppii (Author), Posted August 26, 2023

Oh sorry. I even searched for it but couldn't find anything. Since that's from 2020, I'm not getting my hopes up.
Luke, Posted August 26, 2023

Quoting geppii (13 minutes ago): "Oh sorry. I even searched for it but couldn't find anything. Since that's from 2020, I'm not getting my hopes up."

We're planning on getting it done.
geppii (Author), Posted August 27, 2023 (edited)

I've secured the endpoint in a really cheap way using OpenResty. Maybe it will help someone out there. Here is my OpenResty config:

    # ngx.shared.my_cache used below must be declared in the http {} block:
    #   lua_shared_dict my_cache 10m;
    server {
        listen 443 ssl;
        listen 8096;
        server_name my-emby-host.com;

        # Everything else is passed straight through to Emby on 8097.
        location / {
            proxy_pass http://localhost:8097;
            proxy_set_header Host $host;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
        }

        # Every Emby client posts its capabilities here after logging in;
        # a 2xx response marks the client IP as allowed for 24 hours.
        location /emby/Sessions/Capabilities/Full {
            proxy_pass http://localhost:8097;
            log_by_lua_block {
                local res = ngx.status
                local ip = ngx.var.remote_addr
                if res >= 200 and res < 300 then
                    ngx.shared.my_cache:set(ip, true, 86400)
                end
            }
        }

        # Primary item images are only served to IPs present in the cache.
        location ~ ^/emby/Items/\d+/Images/Primary {
            access_by_lua_block {
                local ip = ngx.var.remote_addr
                local has_access = ngx.shared.my_cache:get(ip)
                if not has_access then
                    ngx.exit(ngx.HTTP_FORBIDDEN)
                end
            }
            proxy_pass http://localhost:8097;
        }

        ssl_certificate /etc/letsencrypt/live/my-emby-host.com/fullchain.pem;
        ssl_certificate_key /etc/letsencrypt/live/my-emby-host.com/privkey.pem;
        include /etc/letsencrypt/options-ssl-nginx.conf;
        ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem;
    }

After that, simply set Emby's local port to 8097 and restart OpenResty and Emby.

What is being done here? It checks if the IP has received a 200 status from /emby/Sessions/Capabilities/Full within the last 24 hours (apparently, all clients make a request there) and only allows image requests if that is the case. Sure, it's not 100% clean, but it's better than nothing.

Edited August 27, 2023 by geppii
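As an added example (not code from the thread or from Emby), here is a detection pass over nginx access logs that flags the enumeration geppii describes: an IP pulling many distinct /emby/Items/<id>/Images/Primary images without having first completed /emby/Sessions/Capabilities/Full, which is the same signal the OpenResty config keys its allow-list on. The log lines are constructed, and the field layout assumes nginx's default "combined" log format.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access log (nginx "combined" format); not taken from the thread.
SAMPLE_LOG = """\
203.0.113.7 - - [27/Aug/2023:10:00:01 +0000] "GET /emby/Items/1386486/Images/Primary HTTP/1.1" 200 5120 "-" "curl/8.1"
203.0.113.7 - - [27/Aug/2023:10:00:02 +0000] "GET /emby/Items/1386487/Images/Primary HTTP/1.1" 200 4880 "-" "curl/8.1"
203.0.113.7 - - [27/Aug/2023:10:00:03 +0000] "GET /emby/Items/1386488/Images/Primary HTTP/1.1" 200 4901 "-" "curl/8.1"
203.0.113.7 - - [27/Aug/2023:10:00:04 +0000] "GET /emby/Items/1386489/Images/Primary HTTP/1.1" 404 153 "-" "curl/8.1"
203.0.113.7 - - [27/Aug/2023:10:00:05 +0000] "GET /emby/Items/1386490/Images/Primary HTTP/1.1" 200 5002 "-" "curl/8.1"
198.51.100.4 - - [27/Aug/2023:10:00:06 +0000] "POST /emby/Sessions/Capabilities/Full HTTP/1.1" 204 0 "-" "Emby Web"
198.51.100.4 - - [27/Aug/2023:10:00:07 +0000] "GET /emby/Items/1386490/Images/Primary HTTP/1.1" 200 5002 "-" "Emby Web"
"""

LINE_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" (?P<status>\d{3})')
IMAGE_RE = re.compile(r'^/emby/Items/(?P<item>\d+)/Images/Primary')
CAPS_PATH = '/emby/Sessions/Capabilities/Full'
TS_FMT = '%d/%b/%Y:%H:%M:%S %z'

def find_enumeration(log_text, threshold=5, window=timedelta(minutes=5)):
    """Return {ip: sorted item ids} for every IP that requested at least
    `threshold` distinct item images within `window` before it had completed
    Capabilities/Full (a 2xx). Lines are processed in log order, so a client
    that authenticates first is never flagged. 404s count: probing ids that
    do not exist is part of the enumeration pattern."""
    capable = set()                 # IPs that completed Capabilities/Full
    image_hits = defaultdict(list)  # ip -> [(timestamp, item_id)]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than abort the whole pass
        ip, status = m['ip'], int(m['status'])
        ts = datetime.strptime(m['ts'], TS_FMT)
        if m['path'].startswith(CAPS_PATH) and 200 <= status < 300:
            capable.add(ip)
        img = IMAGE_RE.match(m['path'])
        if img and ip not in capable:
            image_hits[ip].append((ts, int(img['item'])))
    flagged = {}
    for ip, events in image_hits.items():
        events.sort()
        for start, (t0, _) in enumerate(events):  # sliding window per start event
            ids = {item for t, item in events[start:] if t - t0 <= window}
            if len(ids) >= threshold:
                flagged[ip] = sorted(ids)
                break
    return flagged

if __name__ == '__main__':
    for ip, ids in find_enumeration(SAMPLE_LOG).items():
        print(f'{ip}: {len(ids)} distinct item images before capabilities, ids {ids[0]}..{ids[-1]}')
```

Because clients behind one NAT share an address, the check is per-IP like geppii's config, so tune the threshold to your own baseline before alerting on it.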