Linux Setup


abeloin

Q-Droid
2 hours ago, leifrodhared said:

Yes, unfortunately there is no control over on/off for http socket

If you leave the port blank it won't have it.

In apache conf or whatever Emby uses as web server there is a simple # out the line to disable listening on HTTP.

For security reasons, HTTP should only be really used to redirect to https interfaces or be shut altogether.

For now I can see that my HTTPS socket does not start at all so Emby can only be accessed via HTTP port. 

 

 

No option to disable HTTP. If you disable that you would not be able to access the server on LAN. If you don't want HTTP on WAN then don't forward the HTTP port on the router and only forward HTTPS.

The server won't bind on HTTPS port until a valid cert is installed.

 

leifrodhared
5 hours ago, Q-Droid said:

 

 

No option to disable HTTP. If you disable that you would not be able to access the server on LAN. If you don't want HTTP on WAN then don't forward the HTTP port on the router and only forward HTTPS.

The server won't bind on HTTPS port until a valid cert is installed.

The inability to turn off HTTP in favour of HTTPS only is a big problem.

Leaving exposed insecure services as a default option just begs for abuse, especially on WAN side.

 

So there is no self signed cert to get things going from setup with HTTPS? Why? Most self hosted apps provide at least a basic self signed cert for the appliance. 

Shouldn't you provide a certificate like Synology for instance since it's a paid product and since you have your own connection natting mechanism?

Do you provide a valid cert for paid versions?

Otherwise all instances of Emby which are WAN exposed are inherently insecure as all users are sending their credentials across the web in plaintext?

Please clarify.

Q-Droid

For LAN connections - you can't disable HTTP or you wouldn't be able to connect to the server. So that's not even an option.

For WAN connections - Emby does have the option to enforce secure remote connections but only when a cert is installed. The only way to even reach an Emby server remotely is to allow the access on the network via port forwarding on your router. You don't have to allow HTTP remotely on your network.

Emby only binds to IP/ports on your server, the rest of your network is up to you to manage.

Emby does not offer domain or proxy services. It does not become a MITM like Synology and Plex.

A self-signed cert has no CA trust anchor so I'm guessing you mean a cert tied to a vendor's service domain, which Emby doesn't offer. There are many free DDNS and free TLS/SSL cert options available for you to choose from.

One of the main selling points for Emby is that it does not get in between you and access to your server and users. Your server, your media, your users, your choice.

 

leifrodhared
1 hour ago, Q-Droid said:

For LAN connections - you can't disable HTTP or you wouldn't be able to connect to the server. So that's not even an option.

For WAN connections - Emby does have the option to enforce secure remote connections but only when a cert is installed. The only way to even reach an Emby server remotely is to allow the access on the network via port forwarding on your router. You don't have to allow HTTP remotely on your network.

Emby only binds to IP/ports on your server, the rest of your network is up to you to manage.

Emby does not offer domain or proxy services. It does not become a MITM like Synology and Plex.

A self-signed cert has no CA trust anchor so I'm guessing you mean a cert tied to a vendor's service domain, which Emby doesn't offer. There are many free DDNS and free TLS/SSL cert options available for you to choose from.

One of the main selling points for Emby is that it does not get in between you and access to your server and users. Your server, your media, your users, your choice.

 

Ok, so can you explain the app mechanism where it asks for your Emby ID to connect to the server? 

How does that work? You have a DDNS service?

 

Q-Droid

Do you mean Emby Connect? It's entirely optional and I don't use it myself.

Someone can correct me if I'm wrong - Connect is meant to simplify access by associating registered users with registered servers. It sends users to the right servers without them having to remember server names or addresses, which can change. For Connect to work my previous post still applies. Remote access has to be enabled and configured and a valid cert is still required for HTTPS access. Connect does not add access or security.

 

  • 3 weeks later...
maxiu
Posted (edited)
On 5/12/2021 at 8:39 AM, leifrodhared said:

The inability to turn off HTTP in favour of HTTPS only is a big problem.

Leaving exposed insecure services as a default option just begs for abuse, especially on WAN side.

 

So there is no self signed cert to get things going from setup with HTTPS? Why? Most self hosted apps provide at least a basic self signed cert for the appliance. 

Shouldn't you provide a certificate like Synology for instance since it's a paid product and since you have your own connection natting mechanism?

Do you provide a valid cert for paid versions?

Otherwise all instances of Emby which are WAN exposed are inherently insecure as all users are sending their credentials across the web in plaintext?

Please clarify.

 

You should look into reverse proxy for your machine, some come preconfigured to generate free trusted SSL certs (like traefik) and some can do it with minimal configuration (like nginx). There is really no reason to expose Emby to WAN directly.

Edited by maxiu
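The reverse-proxy setup suggested in the post above, sketched as an nginx configuration. This is an added example, not part of the original thread and not Emby's own configuration. The hostname `emby.example.com`, the certificate paths and the backend port 8096 are assumptions; substitute your own values.

```nginx
# Added example: nginx in front of Emby. Hostname, certificate paths and the
# backend port are assumptions, not values from the thread.

# Port 80: no content served over plain HTTP, only a redirect to HTTPS.
server {
    listen 80;
    server_name emby.example.com;          # placeholder hostname
    return 301 https://$host$request_uri;
}

# Port 443: TLS terminates here with a CA-issued certificate.
server {
    listen 443 ssl;
    server_name emby.example.com;

    # Placeholder paths; point these at the certificate your ACME client issues.
    ssl_certificate     /etc/ssl/emby/fullchain.pem;
    ssl_certificate_key /etc/ssl/emby/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Tell browsers to keep using HTTPS for this host.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        # Emby's plain-HTTP listener, reached over loopback only.
        # 8096 is assumed here; use the HTTP port your server is configured with.
        proxy_pass http://127.0.0.1:8096;

        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket upgrade, which Emby clients use for live updates.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_buffering off;   # pass media through as it arrives
    }
}
```

On the router, forward only port 443 (and 80 if you want the redirect) to the proxy host. Emby's own HTTP port stays reachable on the LAN but is never forwarded, so remote logins only travel over TLS.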
