Securing Emby with HTTPS


Bobby121418
Go to solution Solved by Dicken,


Bobby121418

Hi,

I am trying to understand how to secure my Emby connection. However given DSM7 now does the Letsencrypt magic internally I cannot get the certificates as per 

https://emby.media/support/articles/Secure-Your-Server.html

To be honest this guide isn't very useful as it suggests using SSL for Free when I use Letsencrypt and the rest of the instructions are a bit gibberish.

Is there an up to date guide for DSM 7? As said I already have HTTPS working fine for the NAS.

Thanks


Hi, this topic goes over what some other Synology users did: 

does that help?


BaronVonJ

Hi @Luke I have the reverse proxy setup for TLS connects and it's all working fine. Accessing the server in a browser I can see that it's using https://<fqdn> just fine. But I get the impression that my mobile (Android) devices are connecting via http://<IP>:8096 instead of https with the hostname. Even if I force stop the app, clear cache, clear storage, and start again I get the exact same "Sign in to <Server>" page with a tile showing my username in the top left. When I click "Change Server" the page that opens shows my server with http://<IP>:8096 in the top left. I can long-press on it, select Delete, and confirm to delete it, and the tile just stays there. If I "Add Server" and use the https URL I get a login dialog, and it does login, but the "Select Server" page of the app never shows it as https://<fqdn>. I don't see an option in the admin pages of the web UI to change how it advertises itself. The "Server > Dashboard" page in the admin settings says "In-Home (LAN) Access: http://<IP>:8096" and I don't see any way to change it.


Happy2Play

I guess in theory you would apply a LAN network via Network menu to something besides your LAN to force all LAN devices to be Remote.  Or others may know more to do this with your Reverse Proxy.

Used the host system no clients on the LAN are able to access locally and are forced to use WAN.

[image]

But personally, don't understand the need in your Personal LAN.


44 minutes ago, BaronVonJ said:

Hi @Luke I have the reverse proxy setup for TLS connects and it's all working fine. Accessing the server in a browser I can see that it's using https://<fqdn> just fine. But I get the impression that my mobile (Android) devices are connecting via http://<IP>:8096 instead of https with the hostname. Even if I force stop the app, clear cache, clear storage, and start again I get the exact same "Sign in to <Server>" page with a tile showing my username in the top left. When I click "Change Server" the page that opens shows my server with http://<IP>:8096 in the top left. I can long-press on it, select Delete, and confirm to delete it, and the tile just stays there. If I "Add Server" and use the https URL I get a login dialog, and it does login, but the "Select Server" page of the app never shows it as https://<fqdn>. I don't see an option in the admin pages of the web UI to change how it advertises itself. The "Server > Dashboard" page in the admin settings says "In-Home (LAN) Access: http://<IP>:8096" and I don't see any way to change it.

Hi, yes, Emby apps always try to use the LAN address and then fall back to the remote address when that can't be reached.


Q-Droid

As Luke said the apps favor the LAN connection. If your local and remote access settings are correct on the Emby server dashboard the apps can switch back and forth between them as needed. They fetch and save the settings for LAN and WAN access.

 


BaronVonJ

I don't have remote enabled (either in Emby or for my NAS in general). But I do have local DNS server for my LAN and still want to use https internally.


Q-Droid

Then pretty much what @Happy2Play posted. Try to make your server look/behave as if all clients are remote so they use the WAN address. You could still browse to the LAN IP unless you block access to that but apps shouldn't try to connect to the LAN IP.

The thing about apps is when you login to your server they fetch the details for LAN and WAN connectivity and is how they are able to switch as they move between networks. If the server always appears to be on a different network then apps should use the WAN address.


Q-Droid

I just did this:

[image]

To make it display this:

[image]

 

But honestly I have no idea how an Emby device app would react to this. Browser doesn't care. You might be able to use any IP in that field because as far as I know this doesn't affect how the server binds to host IP on startup.


Bobby121418

Hi,

I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app.

If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address.

Any suggestions as to enabling the HTTPS?

Thanks


12 hours ago, Bobby121418 said:

Hi,

I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app.

If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address.

Any suggestions as to enabling the HTTPS?

Thanks

It sounds like you want your public facing port to be 443 based on what you said earlier when you connected manually.

It is important to configure the network settings correctly so that the server displays the correct remote address that you want to connect with.


Dicken
23 hours ago, Bobby121418 said:

Hi,

I did the reverse proxy as per Dicken's post (above) but for Emby if I configure port 8920 for HTTPS as per the Network tab in Emby Settings, I do not get through to the Emby app.

If I configure port 8096 and just HTTP, then it works and I see Emby app when using the sub-domain address.

Any suggestions as to enabling the HTTPS?

Thanks

Can you show a screenshot of your network tab in Emby and reverse proxy settings in synology?


Ahole

It was more complicated as far as setup but I reverse proxy through my pfSense router with HaProxy installed.  Then using Acme certificate service everything is automated so nothing needs to be done.


Bobby121418
On 04/04/2024 at 09:45, Dicken said:

Can you show a screenshot of your network tab in Emby and reverse proxy settings in synology?

In order to put security on Emby within the Network tab, I exported the SSL certificates from DSM and I put the path in Emby Networks tab.

I however get a message not found. Please see the picture.

Thanks

Screenshot 2024-04-05 204217.png

Screenshot 2024-04-05 204344.png


Bobby121418
1 hour ago, Q-Droid said:

Path including file name. 

Which is the correct file? I have a bunch from my export.


Q-Droid

Oh cool, the more of them the better and more secure!!! 😉

No, Emby takes a PFX (PKCS12) format file. If you have the option of different export formats from DSM then pick the right one. If there is no such option then you have to manually import those certs and key into a PFX file. For Let's Encrypt certs you import the fullchain and the private key. If they're from a different CA they usually have quick guides to describe what they've issued.


Bobby121418
1 hour ago, Q-Droid said:

Oh cool, the more of them the better and more secure!!! 😉

No, Emby takes a PFX (PKCS12) format file. If you have the option of different export formats from DSM then pick the right one. If there is no such option then you have to manually import those certs and key into a PFX file. For Let's Encrypt certs you import the fullchain and the private key. If they're from a different CA they usually have quick guides to describe what they've issued.

Thanks.

I have been trying with OpenSSL, however after installing I cannot get the PEM files to be accepted. I have researched how to convert PEM files to PFX but do not see the right commands for the task.


Q-Droid

openssl pkcs12 -export -in <path to>/fullchain.pem -inkey <path to>/privkey.pem -out <path to>/<pfx file>.pfx

You can give the pfx file any name and move or copy it to a path that Emby can access. Just make sure the Emby runtime user (emby?) can open the file.

 

Link to comment
Share on other sites
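
The PEM-to-PFX conversion from the post above as a script that first checks that privkey.pem belongs to the leaf certificate in fullchain.pem, then writes the PFX owner-only and re-opens it to confirm it is readable. This is an added example, not part of the thread; the function name make_pfx, the PFX_PASSWORD variable and the exit codes are assumptions made here.

```shell
#!/bin/sh
# Added example (not from the thread): build the PFX Emby asks for from
# Let's Encrypt PEM files. make_pfx and PFX_PASSWORD are names chosen here.
# Returns 0 on success, 1 on I/O or OpenSSL errors, 2 if key and cert differ.

make_pfx() {  # $1 = fullchain.pem  $2 = privkey.pem  $3 = output .pfx
    chain=$1; key=$2; out=$3

    [ -r "$chain" ] && [ -r "$key" ] || {
        echo "cannot read $chain or $key" >&2; return 1; }
    # Password comes from the environment so it never shows up in `ps`.
    [ "${PFX_PASSWORD+set}" = set ] || {
        echo "set PFX_PASSWORD first" >&2; return 1; }
    export PFX_PASSWORD

    # The first certificate in fullchain.pem is the leaf. Its public key
    # must equal the public key derived from the private key.
    cert_pub=$(openssl x509 -in "$chain" -noout -pubkey 2>/dev/null) || {
        echo "no certificate found in $chain" >&2; return 1; }
    key_pub=$(openssl pkey -in "$key" -pubout 2>/dev/null) || {
        echo "cannot parse private key $key" >&2; return 1; }
    [ "$cert_pub" = "$key_pub" ] || {
        echo "private key does not match the certificate" >&2; return 2; }

    # The PFX contains the private key: create it owner-only.
    ( umask 077
      openssl pkcs12 -export -in "$chain" -inkey "$key" \
          -out "$out" -passout env:PFX_PASSWORD ) || return 1
    chmod 600 "$out"

    # Re-open the result with the same password to confirm it is readable.
    openssl pkcs12 -in "$out" -noout -passin env:PFX_PASSWORD 2>/dev/null ||
        { echo "written PFX failed verification" >&2; return 1; }
    echo "wrote $out; chown it to the account Emby runs as" >&2
}

# Usage: PFX_PASSWORD=... sh make_pfx.sh fullchain.pem privkey.pem emby.pfx
if [ "$#" -eq 3 ]; then
    make_pfx "$@"
fi
```

The same password goes into the certificate password field on Emby's Network tab, and the file must end up owned by (or readable to) the Emby runtime user.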

  • Solution
Dicken
11 hours ago, Bobby121418 said:

 

Screenshot 2024-04-05 204344.png

 

For Destination you have to select "http" as the protocol and the port for LAN access, for me 8096.

 

In the network tab at Emby you only have to enter the public HTTPS port (in your case 443), the external domain (i.e. your dyndns address) and the secure connection mode must be set to Handle by reverse proxy. Automatic port mapping must be activated. Your own SSL certificate path and password must remain empty.

Then it should work without you having to export SSL certificates or install OpenSSL.

 

But I chose a different port for SSL instead of 443. If you want that too, you would of course have to open it on your router and adjust it on the Synology at Source Port. And in Emby's Network tab at public HTTPS port.


Bobby121418
20 hours ago, Q-Droid said:

openssl pkcs12 -export -in <path to>/fullchain.pem -inkey <path to>/privkey.pem -out <path to>/<pfx file>.pfx

You can give the pfx file any name and move or copy it to a path that Emby can access. Just make sure the Emby runtime user (emby?) can open the file.

 

Thank you for the suggestion, however, for some reason the private key was causing an issue. 

In the end I used Dicken's solution and that worked.


Bobby121418
13 hours ago, Dicken said:

For Destination you have to select "http" as the protocol and the port for LAN access, for me 8096.

 

In the network tab at Emby you only have to enter the public HTTPS port (in your case 443), the external domain (i.e. your dyndns address) and the secure connection mode must be set to Handle by reverse proxy. Automatic port mapping must be activated. Your own SSL certificate path and password must remain empty.

Then it should work without you having to export SSL certificates or install OpenSSL.

 

But I chose a different port for SSL instead of 443. If you want that too, you would of course have to open it on your router and adjust it on the Synology at Source Port. And in Emby's Network tab at public HTTPS port.

Thanks a lot for this solution. My Emby now works as you stated.

I have also created subnets and reverse proxied the rest of the DSM services.

Cheers.
