zigzagtshirt 55 Posted February 18, 2017

I think it's working now. I changed both local and external ports in Emby to 443 and restarted the server. Windows gave me a popup to allow a process and I allowed it. I think it said "Windows Command Process" or something. Once I hit that it started working.
rice1 1 Posted February 18, 2017

Thanks for this. I've been wanting to set up HTTPS for a long time.
Swynol 375 (Author) Posted February 18, 2017

> I think it's working now. I changed both local and external ports in Emby to 443 and restarted the server. Windows gave me a popup to allow a process and I allowed it. I think it said "Windows Command Process" or something. Once I hit that it started working.

Glad you got it working. It's very rare that ISPs block port 443, as if that port was blocked on a large scale it would break the Internet. You can probably change your internal port back to 8096 (or 8920 if HTTPS). It sounds like Emby needed to be restarted in order to start listening on port 443. Now you know port 443 works you could look at an nginx reverse proxy. I find nginx much easier to manage, and it might look like a lot of work but it takes 5 mins to set up.

Sent from my iPhone using Tapatalk
Swynol 375 (Author) Posted February 18, 2017

> @Swynol Where does it say on the site that the certs expire after 90 days? I don't see it on there anywhere. Is there a way to automate a regeneration of them once they expire?

It doesn't say directly on the website, but all Let's Encrypt certs are only valid for 90 days. If you look at the cert it has an expiry date.

Sent from my iPhone using Tapatalk
Swynol 375 (Author) Posted February 18, 2017

Also another heads up. I found a better site to do the SSL certs. It's called ZeroSSL. I find it better because it allows you to renew certs without having to re-verify your domain ownership. It knocks a good 10-20 mins off renewing time.

Sent from my iPhone using Tapatalk
Edited February 18, 2017 by Swynol
zigzagtshirt 55 Posted February 18, 2017

> Also another heads up. I found a better site to do the SSL certs. It's called ZeroSSL. I find it better because it allows you to renew certs without having to re-verify your domain ownership. It knocks a good 10-20 mins off renewing time.

I'll check this out - thanks!

> Glad you got it working. It's very rare that ISPs block port 443, as if that port was blocked on a large scale it would break the Internet. You can probably change your internal port back to 8096 (or 8920 if HTTPS). It sounds like Emby needed to be restarted in order to start listening on port 443. Now you know port 443 works you could look at an nginx reverse proxy. I find nginx much easier to manage, and it might look like a lot of work but it takes 5 mins to set up.

For now I think I'll stick with what I have set up, since it's working and that's all I care about at this point. Not sure I understand the benefits of having a reverse proxy though, as I am not running any other services that would need port 443? Also, is there a security benefit?
Swynol 375 (Author) Posted February 18, 2017

The benefit of using nginx is mainly due to having many services all listening on port 443, so all other ports on my firewall are closed. The other reason I prefer the nginx option is because when you create a PFX cert for Emby you combine your cert and private key into one file with no password. This is a security risk. However, how bothered are hackers with doing a man-in-the-middle attack to see your Emby login page? To me it wasn't a huge concern, but if you're going through all the hassle of setting up HTTPS access then going the extra step of using nginx with secure certs was just as easy. The main reason I used nginx was because all my services now use port 443, and rather than updating my certs in 15 places I only have to update it once for nginx.

Sent from my iPhone using Tapatalk
zigzagtshirt 55 Posted February 18, 2017

> The benefit of using nginx is mainly due to having many services all listening on port 443, so all other ports on my firewall are closed. The other reason I prefer the nginx option is because when you create a PFX cert for Emby you combine your cert and private key into one file with no password. This is a security risk. However, how bothered are hackers with doing a man-in-the-middle attack to see your Emby login page? To me it wasn't a huge concern, but if you're going through all the hassle of setting up HTTPS access then going the extra step of using nginx with secure certs was just as easy. The main reason I used nginx was because all my services now use port 443, and rather than updating my certs in 15 places I only have to update it once for nginx.

This is very helpful, thanks! This does seem like a great idea if you have a lot of services running. The only other port I have open in my network firewall is for my OpenVPN server. Would I be able to make that run through port 443 as well if I went down the nginx road?
Swynol 375 (Author) Posted February 18, 2017

Yes, you can configure OpenVPN to use port 443. It requires more configuration in nginx, which I managed to get working; however I wasn't able to connect with other machines on my LAN. I then ran out of time and haven't looked at it again since.

Sent from my iPad using Tapatalk
Edited February 18, 2017 by Swynol
pr3dict 33 Posted February 23, 2017

Does this work with our lovely Android TV devices that only work with particular CAs? I know this was the issue a while back instead of using a self-signed cert. Also, can you post a photo of your webpage that you created that links to the other services you have listed? I've been looking to create something like that for a while!
feerlessleadr 154 Posted February 23, 2017

Thanks for the guide - I'm not sure what I'm doing wrong, but when I go to https://emby.mydomain.com I get a self-signed cert error (I followed your instructions on adding the DNS address to the cert), and when I click proceed anyway it takes me to my router's login screen. I'm trying to access this using nginx. Any idea what the heck I'm doing wrong?

EDIT - Just to be more clear, I have followed the guide using both sslforfree and zerossl; both give me the insecure message when accessing https://emby.mydomain.com. Additionally, I have tried everything I can to get the nginx reverse proxy to point to my internal Emby instance, but everything I do redirects to my router's login page.

Edited February 23, 2017 by feerlessleadr
Swynol 375 (Author) Posted February 24, 2017

> Does this work with our lovely Android TV devices that only work with particular CAs? I know this was the issue a while back instead of using a self-signed cert. Also, can you post a photo of your webpage that you created that links to the other services you have listed? I've been looking to create something like that for a while!

I don't have any Android TV boxes to test with, but it does work fine with my Android tablet. I can't see why it wouldn't work, as Let's Encrypt has been around for a while now and uses the DST CA root.

I use something called HTPC Manager. It runs on Python for Windows. Here are some screenshots of what I have.
Swynol 375 (Author) Posted February 24, 2017

> Thanks for the guide - I'm not sure what I'm doing wrong, but when I go to https://emby.mydomain.com I get a self-signed cert error (I followed your instructions on adding the DNS address to the cert), and when I click proceed anyway it takes me to my router's login screen. I'm trying to access this using nginx. Any idea what the heck I'm doing wrong?
>
> EDIT - Just to be more clear, I have followed the guide using both sslforfree and zerossl; both give me the insecure message when accessing https://emby.mydomain.com. Additionally, I have tried everything I can to get the nginx reverse proxy to point to my internal Emby instance, but everything I do redirects to my router's login page.

I've seen this happen before and it was something to do with the nginx config. We know your DDNS is working as you get your router page. Also, what router do you have? I wonder if that is listening on port 443.

So just to be clear: when you created the cert, did you add the top-level domain name and all the subdomains, i.e. mydomain.com, emby.mydomain.com, ddns.mydomain.com etc.? Also, can you post your NGINX config (remove the domain name and any external IP info)?

Edited February 24, 2017 by Swynol
feerlessleadr 154 Posted February 24, 2017

> I've seen this happen before and it was something to do with the nginx config. We know your DDNS is working as you get your router page. Also, what router do you have? I wonder if that is listening on port 443.
>
> So just to be clear: when you created the cert, did you add the top-level domain name and all the subdomains, i.e. mydomain.com, emby.mydomain.com, ddns.mydomain.com etc.? Also, can you post your NGINX config (remove the domain name and any external IP info)?

When I created the cert I added mydomain.com, emby.mydomain.com and dns.mydomain.com. I have Verizon Fios, and am using their router (MI424WR-GEN3I). I can access all of my services outside my network when I forward the appropriate ports and use my DDNS address (i.e. ddns.myddnsservice.com:8096). Here is my NGINX conf:

    #user nobody;

    # multiple workers works !
    worker_processes 2;

    events {
        worker_connections 8192;
    }

    http {
        #include /nginx/conf/naxsi_core.rules;
        include mime.types;
        default_type application/octet-stream;
        sendfile off;
        server_names_hash_bucket_size 128;
        map_hash_bucket_size 64;

        ## Start: Timeouts ##
        client_body_timeout 10;
        client_header_timeout 10;
        keepalive_timeout 30;
        send_timeout 10;
        keepalive_requests 10;
        ## End: Timeouts ##

        #gzip on;

        ##EMBY Server##
        server {
            # One server block answers both plain HTTP and HTTPS;
            # the if() below bounces HTTP over to HTTPS.
            listen [::]:80;
            listen 80;
            listen [::]:443 ssl;
            listen 443 ssl;
            server_name emby.mydomain.com;

            ssl_session_timeout 30m;
            ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
            # Paths are relative to nginx's conf directory (see the next post).
            ssl_certificate SSL/cert.pem;
            ssl_certificate_key SSL/private.key;
            ssl_session_cache shared:SSL:10m;

            if ($scheme = http) {
                return 301 https://$server_name$request_uri;
            }

            location / {
                proxy_pass http://192.168.1.17:8096; # Local emby ip and non SSL port
                proxy_hide_header X-Powered-By;
                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection "upgrade";
            }
        }
    }

It is a straight copy/paste from the conf you posted on page 1 (with my details added in, obviously). Do I need to do any port forwarding on my router / change any Emby settings with the NGINX method?
Swynol 375 (Author) Posted February 24, 2017

At a glance it all looks OK. One thing that I didn't mention in the How To part is changing the location of your certs. So these lines in NGINX

    ssl_certificate SSL/cert.pem;
    ssl_certificate_key SSL/private.key;

should point to your certs. So SSL/cert.pem is actually pointing to C:\nginxlion\conf\SSL\cert.pem. What you need to do is create a folder called SSL in the conf folder where your NGINX is, then copy the cert.pem and private.key into that folder.

And yes, you need to port forward 443 and 80 to your NGINX server - this is likely the reason you see your router login page, as it doesn't know what to do when it sees data on port 443 coming in.
feerlessleadr 154 Posted February 24, 2017

> At a glance it all looks OK. One thing that I didn't mention in the How To part is changing the location of your certs. So these lines in NGINX
>
>     ssl_certificate SSL/cert.pem;
>     ssl_certificate_key SSL/private.key;
>
> should point to your certs. So SSL/cert.pem is actually pointing to C:\nginxlion\conf\SSL\cert.pem. What you need to do is create a folder called SSL in the conf folder where your NGINX is, then copy the cert.pem and private.key into that folder.
>
> And yes, you need to port forward 443 and 80 to your NGINX server - this is likely the reason you see your router login page, as it doesn't know what to do when it sees data on port 443 coming in.

Hot damn, that did it! Thank you! I didn't realize I still needed to port forward 443 on my router to my nginx server, and once I did that everything worked, including the certs (all green!). Question though: if I don't forward port 80, does that essentially mean that HTTPS is the only option to connect externally? Is there a way that I can direct http://emby.mydomain.com to https://emby.mydomain.com?
Swynol 375 (Author) Posted February 24, 2017

You can now close all other ports if you want, so close 8096 and 8920, as Emby will use 443. At the moment NGINX has a rule to automatically change any HTTP requests to HTTPS:

    if ($scheme = http) {
        return 301 https://$server_name$request_uri;
    }

If you remove that from the NGINX config then you can forward port 80 to your NGINX box as well; that way you can connect to Emby using either HTTP or HTTPS. I prefer that all my clients connect using HTTPS, so I force them to use it: even if they type http://emby.mydomain.com it will forward to https://emby.mydomain.com.
gjviii 48 Posted March 3, 2017

Following the instructions up to post 04, when I click to test the TXT records I get this error: "No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain." Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above? Thanks for any direction.
gjviii 48 Posted March 4, 2017

> Following the instructions up to post 04, when I click to test the TXT records I get this error: "No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain." Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above? Thanks for any direction.

Any thoughts? Thanks
Overseer 66 Posted March 5, 2017

It took me a few times to do that through Namecheap. After adding the TXT records I just waited between 10-15 minutes before doing the verification. It was pretty maddening, as I was setting up subdomains for Sonarr, Radarr, Ombi, SABnzbd and Emby and I kept getting that dreaded "TXT record not found" message, and going back required me changing some of those TXT records. Finally got it though, along with the nginx proxy, and everything works great. I have my www set up as a CNAME. I only have one A record and that is for the @ record.

Edited March 5, 2017 by Overseer
pr3dict 33 Posted April 1, 2017

I'm trying to follow the guide but I'm stuck. Long story short as possible: I have a wildcard domain SSL cert from Namecheap (Comodo). I created it with a CSR in pfSense and exported the private key to Namecheap, and they sent me back:

    mydomain.CA-bundle
    mydomain.cert
    mydomain.p7b

So for Emby I need a PFX file, and to convert that from what I have means I need to take the exported private key from pfSense and that .cert that Namecheap gave me and combine them into a PFX? Does that sound correct?

EDIT: Well, it works with the wildcard, which is really cool. I now need to get the whole reverse proxy thing going, but right now I'm going to pause until I figure out what I want to do. I can either install HAProxy on my pfSense firewall box and run the proxy from there, orrrr I can spin up another VM and run nginx on that as the reverse proxy. Then from there I can also install a web server for Organizr. So many options, so little time. Thankfully though, after doing this I am now able to finally enable HTTPS for all my clients, as I just got an A+ rating for my SSL implementation.

Edited April 1, 2017 by pr3dict
Swynol 375 (Author) Posted April 1, 2017

> Any thoughts? Thanks

Yeah, it can take 10-15 mins for the TXT records to replicate over the Internet. You can test it using command prompt and nslookup; can't remember the whole command as I'm away from my PC atm. With ZeroSSL, if it fails just keep hitting submit until it works.

Sent from my iPhone using Tapatalk
Swynol 375 (Author) Posted April 1, 2017

> I'm trying to follow the guide but I'm stuck. Long story short as possible: I have a wildcard domain SSL cert from Namecheap (Comodo). I created it with a CSR in pfSense and exported the private key to Namecheap, and they sent me back:
>
>     mydomain.CA-bundle
>     mydomain.cert
>     mydomain.p7b
>
> So for Emby I need a PFX file, and to convert that from what I have means I need to take the exported private key from pfSense and that .cert that Namecheap gave me and combine them into a PFX? Does that sound correct?
>
> EDIT: Well, it works with the wildcard, which is really cool. I now need to get the whole reverse proxy thing going, but right now I'm going to pause until I figure out what I want to do. I can either install HAProxy on my pfSense firewall box and run the proxy from there, orrrr I can spin up another VM and run nginx on that as the reverse proxy. Then from there I can also install a web server for Organizr. So many options, so little time. Thankfully though, after doing this I am now able to finally enable HTTPS for all my clients, as I just got an A+ rating for my SSL implementation.

Awesome work. Wildcards are good, just be careful with using it with Emby, as the PFX file has your private key with no password, and a wildcard can be used by attackers to create anything.yourdomain.com. I would use HAProxy as it's on your pfSense, which all traffic hits first, although I find nginx easier to use.

Sent from my iPhone using Tapatalk
Edited April 1, 2017 by Swynol
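The shell functions below are an added example, not commands from this thread or from Emby's own tooling. They do the two things the thread talks around but never shows: build the PFX from a private key, certificate and CA bundle (the pfSense/Namecheap files above) with a password on it rather than with the key in the clear, and check a certificate against the 90-day lifetime mentioned earlier in the thread, which is the test a renewal job would run. They assume only that openssl is on the PATH; the file names, the host name emby.example.com and the password are placeholders, and the self-signed certificate the demo generates stands in for the real Let's Encrypt/ZeroSSL one.

```shell
#!/bin/sh
# Added example (not from the thread or the Emby project).
# Assumes: openssl on PATH. File names and the password are placeholders.
set -eu

# make_pfx KEY CERT OUT PASSWORD [CHAIN]
# Bundle the private key, leaf certificate and (optionally) the CA bundle
# into one PKCS#12 file encrypted with PASSWORD, instead of the unprotected
# .pfx the thread warns about.
make_pfx() {
    key="$1"; cert="$2"; out="$3"; pass="$4"; chain="${5:-}"
    if [ -n "$chain" ]; then
        openssl pkcs12 -export -inkey "$key" -in "$cert" -certfile "$chain" \
            -name emby -out "$out" -passout "pass:$pass"
    else
        openssl pkcs12 -export -inkey "$key" -in "$cert" \
            -name emby -out "$out" -passout "pass:$pass"
    fi
    # The password is not a substitute for file permissions: owner-only.
    # (If an older Windows build refuses the file, re-export with OpenSSL 3's
    # -legacy option, which falls back to the older PBE algorithms.)
    chmod 600 "$out"
}

# pfx_key_readable PFX PASSWORD -> exit 0 only if PASSWORD unlocks the key.
# Confirms the export worked and that the wrong password really is refused.
pfx_key_readable() {
    openssl pkcs12 -in "$1" -passin "pass:$2" -nocerts -nodes 2>/dev/null \
        | grep -q 'PRIVATE KEY'
}

# show_expiry CERT -> prints the notAfter date ("look at the cert").
show_expiry() {
    openssl x509 -in "$1" -noout -enddate
}

# expires_within CERT DAYS -> exit 0 if the cert expires within DAYS days.
# A 90-day Let's Encrypt cert is normally renewed with ~30 days left, so
# `expires_within cert.pem 30` is the condition a scheduled renewal would test.
expires_within() {
    if openssl x509 -in "$1" -noout -checkend "$(( $2 * 86400 ))" >/dev/null; then
        return 1   # still valid beyond the window
    fi
    return 0       # expires (or has already expired) inside the window
}

# make_test_cert DIR: self-signed 90-day key/cert pair standing in for the
# Let's Encrypt/ZeroSSL files, so everything above can be exercised offline.
# (Constructed test data, not a real certificate.)
make_test_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 90 \
        -subj "/CN=emby.example.com" \
        -keyout "$1/private.key" -out "$1/cert.pem" 2>/dev/null
}

# Run with "--demo" to see the workflow end to end in a temp directory.
if [ "${1:-}" = "--demo" ]; then
    d=$(mktemp -d)
    make_test_cert "$d"
    make_pfx "$d/private.key" "$d/cert.pem" "$d/emby.pfx" 'correct horse battery staple'
    show_expiry "$d/cert.pem"
    expires_within "$d/cert.pem" 30 && echo "renew now" || echo "renewal not yet due"
    rm -rf "$d"
fi
```

Two caveats on what this buys you. A password on the PFX only helps if the service loading it can be given that password; if it cannot, the real control is the file permission, which is why `chmod 600` is there regardless. And it does nothing about the wildcard concern raised above: a wildcard's reach is a property of the certificate, so a stolen key impersonates every host under the domain, which is exactly why the key file deserves more care, not less.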
Swynol 375 (Author) Posted April 1, 2017

> Following the instructions up to post 04, when I click to test the TXT records I get this error: "No TXT Record Found. Set the TTL to 1 second or if you cannot set the TTL then you must wait the TTL (in seconds) so it updates before verifying the domain." Attached is the screenshot of how my advanced tab is set up. Can anyone see what I have incorrect that is causing the error above? Thanks for any direction.

Do you have a static IP? If so you don't need a CNAME for emby; you need an A record, so emby will point to your IP. If you have a dynamic WAN IP, then you need to create an A+ record using the dynamic DDNS section at the bottom of the Namecheap page. This will point your IP to your domain name, for example ddns.mydomain.com. Then create a CNAME for emby to point to ddns.mydomain.com.

Sent from my iPhone using Tapatalk
pr3dict 33 Posted April 1, 2017

> Awesome work. Wildcards are good, just be careful with using it with Emby, as the PFX file has your private key with no password, and a wildcard can be used by attackers to create anything.yourdomain.com. I would use HAProxy as it's on your pfSense, which all traffic hits first, although I find nginx easier to use.

Sooo, does that mean there is no way to protect it? Like, do I have to do something wrong for it to be vulnerable, or is that by design?