
Does port 8096 have to be exposed?



mannyrothman

I'm looking to cut down on as many exposed ports as possible. Does Emby's HTTP port 8096 have to be port forwarded on my router? I only use port 8920 for HTTPS when connecting remotely.

If 8096 does not need to be public, how can I disable Emby from port forwarding it?


Q-Droid

No, the HTTP (8096) port does not have to be forwarded for remote access if using the HTTPS (8920) port. It's preferable to not expose it unless you are not using a reverse proxy AND you want HTTP connections to be automatically redirected to HTTPS. Emby should not be forwarding the HTTP port on your router, meaning it's also a good practice to disable UPnP in both places.

That said it IS highly recommended to use a reverse proxy for remote access to Emby and any other apps you expose to the internet.


mannyrothman
34 minutes ago, Q-Droid said:

No, the HTTP (8096) port does not have to be forwarded for remote access if using the HTTPS (8920) port. It's preferable to not expose it unless you are not using a reverse proxy AND you want HTTP connections to be automatically redirected to HTTPS. Emby should not be forwarding the HTTP port on your router, meaning it's also a good practice to disable UPnP in both places.

That said it IS highly recommended to use a reverse proxy for remote access to Emby and any other apps you expose to the internet.

Understood. I’ve disabled “enable automatic port mapping” in Emby, but my router still shows 8096 as forwarded. Am I missing something?

I am using Cloudflare proxy to access port 8920 remotely. But I can still access Emby by using https://{NAS PUBLIC IP}:8920. Is there a way to stop this from happening and only have it accessible via Cloudflare’s proxied DNS?


Happy2Play
1 minute ago, mannyrothman said:

I’ve disabled “enable automatic port mapping” in Emby, but my router still shows 8096 as forwarded. Am I missing something?

Have you disabled UPnP on your router?

Did you restart your router?

 


mannyrothman
4 minutes ago, Happy2Play said:

Have you disabled UPnP on your router?

Did you restart your router?

 

Will disabling UPnP on my router mess with my other devices' connectivity?


Happy2Play
1 minute ago, mannyrothman said:

Will disabling UPnP on my router mess with my other devices' connectivity?

If they are requesting ports, yes. But personally I see UPnP as a big security hole.


Q-Droid
5 minutes ago, mannyrothman said:

Understood. I’ve disabled “enable automatic port mapping” in Emby, but my router still shows 8096 as forwarded. Am I missing something?

I am using Cloudflare proxy to access port 8920 remotely. But I can still access Emby by using https://{NAS PUBLIC IP}:8920. Is there a way to stop this from happening and only have it accessible via Cloudflare’s proxied DNS?

If the port wasn't forwarded manually by you but through UPnP, then it may expire after some time, but this isn't guaranteed, so it's probably better to restart it as @Happy2Play asked.

Your origin (public IP) is going to be accessible. To completely hide it you could use a tunnel to Cloudflare or other service. Or use gear more sophisticated than consumer routers to filter traffic based on the source and only allow the connections from Cloudflare.
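The source filtering described in the post above, as an added example that is not part of the original thread: a Python helper that validates a proxy range list, renders an nftables ruleset admitting port 8920 only from those ranges, and mirrors its verdicts for testing. Assumptions: the rules sit on the input chain of the Emby host, the LAN is 192.168.1.0/24, and the table, set and function names are hypothetical.

```python
import ipaddress

EMBY_HTTP, EMBY_HTTPS = 8096, 8920             # ports named in the thread
LAN = ipaddress.ip_network("192.168.1.0/24")   # assumed home subnet
# A few of Cloudflare's published IPv4 ranges, for illustration only; load the
# full current list from https://www.cloudflare.com/ips/ before relying on it.
SAMPLE_CF_RANGES = """
173.245.48.0/20
103.21.244.0/22   # trailing comments and blank lines are ignored
104.16.0.0/13
172.64.0.0/13
"""

def parse_ranges(text):
    """Return validated, merged IPv4 networks; raise ValueError on bad input."""
    entries = (line.split("#", 1)[0].strip() for line in text.splitlines())
    nets = [ipaddress.IPv4Network(e, strict=True) for e in entries if e]  # rejects host bits
    if any(n.prefixlen < 8 for n in nets):     # e.g. a stray /0 would admit everyone
        raise ValueError("range too broad for an allowlist")
    return list(ipaddress.collapse_addresses(nets))

def decide(src, dport, proxies, lan=LAN):
    """Verdict the rendered ruleset gives a new inbound TCP connection."""
    ip = ipaddress.ip_address(src)
    if dport not in (EMBY_HTTP, EMBY_HTTPS):
        return "accept"                        # chain policy; other ports untouched
    if ip.version != 4:
        return "drop"                          # the ruleset has no IPv6 allow rule
    if ip in lan or (dport == EMBY_HTTPS and any(ip in n for n in proxies)):
        return "accept"                        # LAN clients, or HTTPS via the proxy
    return "drop"                              # direct-to-origin, and all WAN HTTP

def render_nft(proxies, lan=LAN):
    """nftables ruleset for the Emby host's input chain (assumed placement)."""
    elements = ", ".join(str(n) for n in proxies)
    return f"""table inet emby_guard {{
  set cf_proxies {{
    type ipv4_addr; flags interval
    elements = {{ {elements} }}
  }}
  chain input {{
    type filter hook input priority 0; policy accept;
    ip saddr {lan} tcp dport {{ {EMBY_HTTP}, {EMBY_HTTPS} }} accept
    ip saddr @cf_proxies tcp dport {EMBY_HTTPS} accept
    tcp dport {{ {EMBY_HTTP}, {EMBY_HTTPS} }} drop
  }}
}}
"""
```

`print(render_nft(parse_ranges(SAMPLE_CF_RANGES)))` emits a file that can be syntax-checked with `nft -c -f` before loading.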

 


mannyrothman
5 minutes ago, Q-Droid said:

If the port wasn't forwarded manually by you but through UPnP, then it may expire after some time, but this isn't guaranteed, so it's probably better to restart it as @Happy2Play asked.

Your origin (public IP) is going to be accessible. To completely hide it you could use a tunnel to Cloudflare or other service. Or use gear more sophisticated than consumer routers to filter traffic based on the source and only allow the connections from Cloudflare.

 

I see. Yeah, I would normally use a Cloudflare tunnel and expose no ports, but I read that streaming media over a tunnel is against their ToS. So instead I just use their proxied DNS feature to route a subdomain to the public IP of my Emby server via HTTPS. Is this a bad idea/insecure?


Q-Droid
3 minutes ago, mannyrothman said:

I see. Yeah, I would normally use a Cloudflare tunnel and expose no ports, but I read that streaming media over a tunnel is against their ToS. So instead I just use their proxied DNS feature to route a subdomain to the public IP of my Emby server via HTTPS. Is this a bad idea/insecure?

It's not a bad idea or inherently insecure, just less than ideal. It does mean that you rely on Emby to not be vulnerable and open to attack. Which is why at least a local reverse proxy is recommended. Some have IDS/IPS on top of that for better peace of mind.


mannyrothman
1 minute ago, Q-Droid said:

It's not a bad idea or inherently insecure, just less than ideal. It does mean that you rely on Emby to not be vulnerable and open to attack. Which is why at least a local reverse proxy is recommended. Some have IDS/IPS on top of that for better peace of mind.

Would it be possible to keep using the Cloudflare proxied DNS alongside a local reverse proxy? Then I could hide my public IP entirely? Or am I not understanding how these things interact?


Q-Droid

Nothing is going to hide your public IP and only a tunnel would block all visibility of the ports you want to open.

You can use Cloudflare together with a local reverse proxy. The reason for a reverse proxy is to add a layer of protection against exploits which might exist in Emby but are already fixed in the proxy and not exposed. Most are open source web servers in use by millions, handling requests by the gazillions and many attacks, and are heavily scrutinized for security. Vulnerabilities are handled quickly and verified thoroughly. The heavy usage is a big part of what makes them secure.

Something like SWAG combines nginx with automation for cert renewal and fail2ban to block bad actors. This should still work with Cloudflare and there are threads/guides in these forums for Emby+SWAG.

 

