Bobby121418, posted March 30:

Hi, I am trying to understand how to secure my Emby connection. However, given DSM7 now does the Letsencrypt magic internally, I cannot get the certificates as per https://emby.media/support/articles/Secure-Your-Server.html

To be honest this guide isn't very useful as it suggests using SSL for Free when I use Letsencrypt, and the rest of the instructions are a bit gibberish. Is there an up to date guide for DSM 7? As said, I already have HTTPS working fine for the NAS. Thanks

Dicken, posted March 30:

I simply did it via a reverse proxy. For Example

Luke, posted March 31:

Hi, this topic goes over what some other Synology users did: does that help?

BaronVonJ, posted April 2:

Hi @Luke I have the reverse proxy setup for TLS connects and it's all working fine. Accessing the server in a browser I can see that it's using https://<fqdn> just fine. But I get the impression that my mobile (Android) devices are connecting via http://<IP>:8096 instead of https with the hostname.

Even if I force stop the app, clear cache, clear storage, and start again I get the exact same "Sign in to <Server>" page with a tile showing my username in the top left. When I click "Change Server" the page that opens shows my server with http://<IP>:8096 in the top left. I can long-press on it, select Delete, and confirm to delete it, and the tile just stays there. If I "Add Server" and use the https URL I get a login dialog, and it does login, but the "Select Server" page of the app never shows it as https://<fqdn>.

I don't see an option in the admin pages of the web UI to change how it advertises itself. The "Server > Dashboard" page in the admin settings says "In-Home (LAN) Access: http://<IP>:8096" and I don't see any way to change it.

Happy2Play, posted April 2:

I guess in theory you would apply a LAN network via Network menu to something besides your LAN to force all LAN devices to be Remote. Or others may know more to do this with your Reverse Proxy.

Used the host system no clients on the LAN are able to access locally and are forced to use WAN.

But personally, don't understand the need in your Personal LAN.

Luke, posted April 2:

44 minutes ago, BaronVonJ said:

> Hi @Luke I have the reverse proxy setup for TLS connects and it's all working fine. Accessing the server in a browser I can see that it's using https://<fqdn> just fine. But I get the impression that my mobile (Android) devices are connecting via http://<IP>:8096 instead of https with the hostname. Even if I force stop the app, clear cache, clear storage, and start again I get the exact same "Sign in to <Server>" page with a tile showing my username in the top left. When I click "Change Server" the page that opens shows my server with http://<IP>:8096 in the top left. I can long-press on it, select Delete, and confirm to delete it, and the tile just stays there. If I "Add Server" and use the https URL I get a login dialog, and it does login, but the "Select Server" page of the app never shows it as https://<fqdn>. I don't see an option in the admin pages of the web UI to change how it advertises itself. The "Server > Dashboard" page in the admin settings says "In-Home (LAN) Access: http://<IP>:8096" and I don't see any way to change it.

Hi, yes, Emby apps always try to use the LAN address and then fall back to the remote address when that can't be reached.

Q-Droid, posted April 2:

As Luke said the apps favor the LAN connection. If your local and remote access settings are correct on the Emby server dashboard the apps can switch back and forth between them as needed. They fetch and save the settings for LAN and WAN access.

BaronVonJ, posted April 2:

I don't have remote enabled (either in Emby or for my NAS in general). But I do have a local DNS server for my LAN and still want to use https internally.

Q-Droid, posted April 3:

Then pretty much what @Happy2Play posted. Try to make your server look/behave as if all clients are remote so they use the WAN address. You could still browse to the LAN IP unless you block access to that but apps shouldn't try to connect to the LAN IP.

The thing about apps is when you login to your server they fetch the details for LAN and WAN connectivity and is how they are able to switch as they move between networks. If the server always appears to be on a different network then apps should use the WAN address.

Q-Droid, posted April 3:

I just did this:

To make it display this:

But honestly I have no idea how an Emby device app would react to this. Browser doesn't care. You might be able to use any IP in that field because as far as I know this doesn't affect how the server binds to host IP on startup.

Bobby121418, posted April 3:

Hi, I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app. If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address. Any suggestions as to enabling the HTTPS? Thanks

Luke, posted April 3:

12 hours ago, Bobby121418 said:

> Hi, I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app. If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address. Any suggestions as to enabling the HTTPS? Thanks

It sounds like you want your public facing port to be 443 based on what you said earlier when you connected manually. It is important to configure the network settings correctly so that the server displays the correct remote address that you want to connect with.

Dicken, posted April 4:

23 hours ago, Bobby121418 said:

> Hi, I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app. If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address. Any suggestions as to enabling the HTTPS? Thanks

Can you show a screenshot of your network tab in Emby and reverse proxy settings in Synology?

Ahole, posted April 4:

It was more complicated as far as setup but I reverse proxy through my pfSense router with HaProxy installed. Then using Acme certificate service everything is automated so nothing needs to be done.

Bobby121418, posted April 5:

On 04/04/2024 at 09:45, Dicken said:

> Can you show a screenshot of your network tab in Emby and reverse proxy settings in Synology?

In order to put security on Emby within the Network tab, I exported the SSL certificates from DSM and I put the path in Emby Networks tab. I however get a message not found. Please see the picture. Thanks

Q-Droid, posted April 5:

Path including file name.

Bobby121418, posted April 5:

1 hour ago, Q-Droid said:

> Path including file name.

Which is the correct file? I have a bunch from my export.

Q-Droid, posted April 5:

Oh cool, the more of them the better and more secure!!!

No, Emby takes a PFX (PKCS12) format file. If you have the option of different export formats from DSM then pick the right one. If there is no such option then you have to manually import those certs and key into a PFX file. For Let's Encrypt certs you import the fullchain and the private key. If they're from a different CA they usually have quick guides to describe what they've issued.

Bobby121418, posted April 5:

1 hour ago, Q-Droid said:

> Oh cool, the more of them the better and more secure!!! No, Emby takes a PFX (PKCS12) format file. If you have the option of different export formats from DSM then pick the right one. If there is no such option then you have to manually import those certs and key into a PFX file. For Let's Encrypt certs you import the fullchain and the private key. If they're from a different CA they usually have quick guides to describe what they've issued.

Thanks. I have been trying with OpenSSL, however after installing I cannot get the PEM files to be accepted. I have researched how to convert PEM files to PFX but do not see the right commands for the task.

Q-Droid, posted April 6:

    openssl pkcs12 -export -in <path to>/fullchain.pem -inkey <path to>/privkey.pem -out <path to>/<pfx file>.pfx

You can give the pfx file any name and move or copy it to a path that Emby can access. Just make sure the Emby runtime user (emby?) can open the file.

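Added example, not part of any post in this thread: the PEM-to-PFX conversion from the post above, preceded by a check that the private key belongs to the certificate and followed by reopening the PFX with its password. The function names, the sample CN and the password are constructed for illustration, and a throwaway self-signed certificate stands in for the exported Let's Encrypt files.

```shell
#!/usr/bin/env bash
# Added example, not from the thread. Function names, sample CN and password
# are assumptions made for illustration.

# Succeeds only if the private key belongs to the leaf (first) certificate.
key_matches_cert() {   # key_matches_cert <fullchain.pem> <privkey.pem>
  local cert_pub key_pub
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
  [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Succeeds only if the PFX can be opened with the given password.
pfx_opens() {          # pfx_opens <file.pfx> <password>
  PFX_PASS="$2" openssl pkcs12 -in "$1" -passin env:PFX_PASS -noout 2>/dev/null
}

# Build the PFX, then reopen it with the same password as a self-check.
make_pfx() {           # make_pfx <fullchain.pem> <privkey.pem> <out.pfx> <password>
  local chain="$1" key="$2" out="$3"
  key_matches_cert "$chain" "$key" || {
    echo "refusing: $key is not the key for $chain" >&2; return 1; }
  # env: keeps the password off the command line; umask makes the file owner-only.
  ( umask 077
    PFX_PASS="$4" openssl pkcs12 -export -in "$chain" -inkey "$key" \
      -out "$out" -passout env:PFX_PASS ) || return 1
  # Afterwards, give the Emby runtime user read access (user name varies by install).
  pfx_opens "$out" "$4"
}

# Constructed sample input: a throwaway self-signed cert plus an unrelated key.
make_sample() {        # make_sample <dir>
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=emby.example.test" \
    -keyout "$1/privkey.pem" -out "$1/fullchain.pem" 2>/dev/null &&
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$1/other.pem" 2>/dev/null
}

demo() {
  local d; d=$(mktemp -d) || return 1
  make_sample "$d" || return 1
  make_pfx "$d/fullchain.pem" "$d/other.pem" "$d/bad.pfx" "constructed-pass" \
    || echo "mismatched key rejected"
  make_pfx "$d/fullchain.pem" "$d/privkey.pem" "$d/emby.pfx" "constructed-pass" \
    && echo "emby.pfx written and verified"
  rm -rf "$d"
}
demo
```
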
Dicken, posted April 6 (marked as solution):

11 hours ago, Bobby121418 said:

For Destination you have to select "http" as the protocol and the port for LAN access, for me 8096.

In the network tab at Emby you only have to enter the public HTTPS port (in your case 443), the external domain (i.e. your dyndns address) and the secure connection mode must be set to Handle by reverse proxy. Automatic port mapping must be activated. Your own SSL certificate path and password must remain empty. Then it should work without you having to export SSL certificates or install OpenSSL.

But I chose a different port for SSL instead of 443. If you want that too, you would of course have to open it on your router and adjust it on the Synology at Source Port. And in Emby's Network tab at public HTTPS port.

Bobby121418, posted April 6:

20 hours ago, Q-Droid said:

>     openssl pkcs12 -export -in <path to>/fullchain.pem -inkey <path to>/privkey.pem -out <path to>/<pfx file>.pfx
>
> You can give the pfx file any name and move or copy it to a path that Emby can access. Just make sure the Emby runtime user (emby?) can open the file.

Thank you for the suggestion, however, for some reason the private key was causing an issue. In the end I used Dicken's solution and that worked.

Bobby121418, posted April 6:

13 hours ago, Dicken said:

> For Destination you have to select "http" as the protocol and the port for LAN access, for me 8096. In the network tab at Emby you only have to enter the public HTTPS port (in your case 443), the external domain (i.e. your dyndns address) and the secure connection mode must be set to Handle by reverse proxy. Automatic port mapping must be activated. Your own SSL certificate path and password must remain empty. Then it should work without you having to export SSL certificates or install OpenSSL. But I chose a different port for SSL instead of 443. If you want that too, you would of course have to open it on your router and adjust it on the Synology at Source Port. And in Emby's Network tab at public HTTPS port.

Thanks a lot for this solution. My Emby now works as you stated. I have also created subnets and reverse proxied the rest of the DSM services. Cheers.

Dicken, posted April 7:

No problem :)