Setting up SSL for Emby (WIP)

[NicCo 1]

Hi,

Thanks for the tutorial

I would like to know your opinion. I have Windows 10 Pro with Hyper-V and an Ubuntu Server 16.04 virtual machine that hosts my Nextcloud (I'm using Apache2). Public ports 80 and 443 are redirected to this virtual machine. I have a domain name "domain.fr" and I access my Nextcloud by the address "https://domain.fr".I use Let's Encrypt for SSL.

I would like to install Emby for Windows and set up HTTPS and I have several questions:

- Is it possible to use a port other than 443 to access Emby from HTTPS ?

- Can I generate certificates on my Ubuntu machine and copy them to Windows?

- If what is above is not possible, is it possible to use the Nginx reverse proxy in my installation?

Thanks for your help.

[KMBanana 109]

 

Hi,

Thanks for the tutorial

I would like to know your opinion. I have Windows 10 Pro with Hyper-V and an Ubuntu Server 16.04 virtual machine that hosts my Nextcloud (I'm using Apache2). Public ports 80 and 443 are redirected to this virtual machine. I have a domain name "domain.fr" and I access my Nextcloud by the address "https://domain.fr".I use Let's Encrypt for SSL.

I would like to install Emby for Windows and set up HTTPS and I have several questions:

- Is it possible to use a port other than 443 to access Emby from HTTPS ?

- Can I generate certificates on my Ubuntu machine and copy them to Windows?

- If what is above is not possible, is it possible to use the Nginx reverse proxy in my installation?

Thanks for your help.

 

Yes you can use a port other than 443, you will need to add :<PortNumber> after your URL when accessing your server remotely though. (Example, domain.fr:8920)  You will also need to redirect that port to your Windows machine.  

Yes you can copy certificates from Ubuntu to windows, but I'm not sure exactly what type of certificate you currently have.  Emby is looking for a .pfx extension on the cert. You should be able to convert any certificate into a .pfx one with openssl I think.  

Yes you can do an nginx reverse proxy.  You would have nginx listen on a port and pass Emby traffic to your Windows machine's IP address and the port Emby is running on.  

 

I have a somewhat similar setup.

I have an ubuntu VM running inside my windows hyper-v.  Emby runs on the Windows host.  

443 and 80 are pointed at the Ubuntu VM. 

Using the linuxserver/letsencrypt docker image on Ubuntu as my nginx reverse proxy, it automatically generates certificates for me using LetsEncrypt (Including the .pfx file). 

I shared the folder where the certs are placed on the Ubuntu VM over my network and have a scheduled task in Windows for it to copy them to the Windows machine.  

Edited January 18, 2018 by KMBanana

[NicCo 1]

Thank you for you reply, I'll try that !

[Swynol 375]

if your using apache you can also reverse proxy from apache to emby.

 

this way you can still use your domain name say emby.domain.fr the request will go to apache and then apache will forward it to your internal emby server. 

 

this way you dont need to use the port number on the end and you dont need to open any more ports on your router/firewall.

[Menissalt 15]

I don't think this works anymore? Can't get emby to load through nginx. Not getting errors in the log file and when not using nginx everything works fine. I really want to force https and use nginx to redirect but working off this thread that doesn't work.

Update: Might want to include dropping the Windows firewall or allowing this traffic through the Windows firewall... I'm sad it took me this long to think of that. All working! Thanks for the thread. 
 

Edited February 27, 2018 by Menissalt

[Swynol 375]

@@Menissalt - sorry i didnt see your comment sooner. Thats a good call on adding it to windows firewall. Something I have overlooked before.

 

Also the guide is now out of date. There are easier ways to get a cert with NGINX and have auto renewing etc. I have a guide elsewhere which I need to tidy up and move here.

[Jdiesel 1333]

Can someone give me a some guidance of using subdomains in my nginx reverse proxy? Last time I had my reverse proxy setup it looked like https://mydomain.com/emby, https://mydomain.com/ombi, etc. Here is my current config:

## Default Listening ##

server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;

          return 301 https://$host$request_uri;
}

##EMBY Server##

        server {
   # listen 80;
   #listen [::] 80;
    listen [::]:443 ssl;
    listen 443 ssl;
    server_name emby.mydomain.com;

        ssl_session_timeout 30m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate      /etc/letsencrypt/live/mydomain.com/cert.pem;
        ssl_certificate_key  /etc/letsencrypt/live/mydomain.com/privkey.pem;
        ssl_session_cache shared:SSL:10m;

                #add_header Public-Key-Pins '
                #pin-sha256="8TzXdhbnv+l6EjDG2Vj9EmgGiSmZenrTZSNaUFEwyUE=";
                #pin-sha256="YLh1dUR9y6Kja30RrAn7JKnbQG/uEtLMkBgFF2Fuihg=";
                #pin-sha256="Vjs8r4z+80wjNcr1YKepWQboSIRi63WsWXhIMN+eWys=";
                #max-age=86400; includeSubDomains';

                add_header X-Xss-Protection "1; mode=block" always;
                add_header X-Content-Type-Options "nosniff" always;
                add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
                add_header X-Frame-Options "SAMEORIGIN" always;
                proxy_hide_header X-Powered-By;
                add_header 'Referrer-Policy' 'no-referrer';
                add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";


     location / {
        proxy_pass http://127.0.0.1:8096;

                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        #Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
                }


}

If I browse to https://mydomain.com it goes to Emby. If I try https://emby.mydomain.com I get an error saying the page can't be reached. Is it something with my setup or do I need to setup a CNAME for each service under my domain provider?

 

 

Edit: I tried adding a CNAME for an Emby subdomain and how I get this when trying to connect. Do I need to generate a new certificate with all my subdomains?

Edited May 9, 2018 by Jdiesel

[Jdiesel 1333]

Got it figured out. Needed to update both my CNAME's and Cert to reflect the new domain names.

[Swynol 375]

Got it figured out. Needed to update both my CNAME's and Cert to reflect the new domain names.

Sorry for the delayed reply. I noticed you got it sorted. Yes the cert will need to include all sub domains unless you use a wildcard cert (*.mydomain.com)

 

Also remove the pic as it still has your domain listed in it

 

 

Sent from my iPhone using Tapatalk

Edited March 20, 2018 by Swynol

[BestYohman 5]

When doing the sslfree I have waited over a hour and am still getting no txt record found when I click verify.

 

Sent from my SM-G955U using Tapatalk

[Tur0k 144]

So there is a TTL (time to live) on the DNS records. I set this intentionally very low (1 minute). That way during updates I can update as needed.

 

Also, check that your subdomain TXT record is formatted properly for your provider.

 

 

Sent from my iPhone using Tapatalk

[BestYohman 5]

I have followed everything (using the same sites as shown) and have set to 1 min. Still nothing

 

Sent from my SM-G955U using Tapatalk

[kingy444 114]

This is something i have been meaning to finish off - this guide might finally be the answer to that.

 

Couple of questions:

 

In emby server there was a check box that says 'require https connections', when this is ticked i assume it is the equivalent of turning http communication off.

 

Are there any apps that this would break by turning it on, and, if the certificate became invalid (because we always forget the little things) will apps continue to function?

 

edit1: Is there a requirement to change the default port to 443. I want to implement ssl, but i like using custom ports for added security (security through obscurity  )  using the le.exe method would lead me to think  that requirement is now removed?

 

edit2: Looking at the LE.exe github, an added benefit meaning you can skip part 4, emby now accepting passwords for certificates

Windows binaries include export functions into PFX/P12 format, which is normally required by IIS. The export (in addition to saving certificates in PEM format) can be activated by specifying a PFX password with --export-pfx option.

Edited May 9, 2018 by kingy444

[BestYohman 5]

Ok it seems that there may have been a issue with name cheap. I got the ssl to download. I am now having issue that the site is not forwarding to my server. All I get is server IP address could not be found.

 

Sent from my SM-G955U using Tapatalk

[thekingswolf 47]

 

firewall off, antivirus disabled.  been googling and checking things for hours and I still can't get past this.  thoughts please

[thekingswolf 47]

why use 443 for the port instead of keeping it 8920?

[Swynol 375]

Sorry for the late reply. We use 443 so that we don’t have to append the port number onto the end of the url.

 

If you kept 8920

 

Https://emby.mymedia.com:8920

 

With 443

 

Https://emby.mymedia.com

 

 

Sent from my iPhone using Tapatalk

[gnollo 17]

Part.2 - Getting a Domain Name.

 

Getting a personal domain name not only looks better but makes getting a SSL cert much easier. There are plenty of registrars out there, goDaddy, crazydomains, 123.reg, namecheap etc.

 

For the purpose of this write up i will use namecheap.

 

Create an account with namecheap.com and login.

Click Domains at the top and registration.

Now type in the search box what you want your personal domain to be called. i.e. embyssltest.com

 

 

 

once you have decided on your name and bought it you need to set it up so that your new domain name knows where your emby server is. We do that by setting up a record to tell embyssltest.com to point to embyssltest.ddns.net that we set up earlier.

 

On namecheap head to Advanced DNS

Under host records - click add new record

Select CNAME.

host = emby

value = embyssltest.ddns.net (change it to your DDNS)

TTL = Automatic

 

So now we should have emby.embyssltest.com which forwards to embyssltest.ddns.net

 

 

 

Hope your still with me. only a few more things to setup!

Built step by step what you suggested. The "...ddns.net:8096" works perfectly. I created the namecheap domain and added "...ddns.net" as CNAME and it does not redirect. With or without:8096 after the domain name. Contacted namecheap and they are useless

 

Sent from my SM-A520F using Tapatalk

[gnollo 17]

Built step by step what you suggested. The "...ddns.net:8096" works perfectly. I created the namecheap domain and added "...ddns.net" as CNAME and it does not redirect. With or without:8096 after the domain name. Contacted namecheap and they are useless

 

Sent from my SM-A520F using Tapatalk

Ok so if I type "emby." in front of my new domain name, that works as long as I also type :8096 after the domain name.

Is that how it should work?

 

Sent from my SM-A520F using Tapatalk

[Swynol 375]

@@gnollo

 

ye thats correct. so at the moment your browsing to http://emby.ddns.net:8096  - to get it to work with just http://emby.ddns.net  you need to change the ports in emby OR change the port forwarding on your router.

 

so for example. Change Public HTTP port in Emby to port 80 and port forward external port 80 on your router to internal port 80 on your emby server - then http://emby.ddns.net will work

 

OR

 

change your router port forwarding to forward external port 80 to internal port 8096 emby server. again http://emby.ddns.net will work.

 

Next step is maknig it secure over https. over not sure it will work with a ddns.net address unless you own a domain name.

Edited June 18, 2018 by Swynol

[gnollo 17]

@@gnollo

 

ye thats correct. so at the moment your browsing to http://emby.ddns.net:8096 - to get it to work with just http://emby.ddns.net you need to change the ports in emby OR change the port forwarding on your router.

 

so for example. Change Public HTTP port in Emby to port 80 and port forward external port 80 on your router to internal port 80 on your emby server - then http://emby.ddns.net will work

 

OR

 

change your router port forwarding to forward external port 80 to internal port 8096 emby server. again http://emby.ddns.net will work.

 

Next step is maknig it secure over https. over not sure it will work with a ddns.net address unless you own a domain name.

This has been so painful. Got it working as http, but if I force https on the domain I bought, no can do. I created the certificates. Loaded them.

When I try to connect it tells me it cannot find the site.

I would literally PAY to have this working. It has been very painful so far....

 

Sent from my SM-A520F using Tapatalk

[Swynol 375]

ok so you own a domain name. Who is your registrar? 

you got a certificate in pfx format with a password? 

In public HTTPS port in emby server have you kept the port default? or changed to 443?

[gnollo 17]

ok so you own a domain name. Who is your registrar? 

you got a certificate in pfx format with a password? 

In public HTTPS port in emby server have you kept the port default? or changed to 443?

 

ok so you own a domain name. Who is your registrar? 

https://www.fasthosts.co.uk/

 

 

you got a certificate in pfx format with a password? 

Yes to pfx format, but I have left the password field empty

 

In public HTTPS port in emby server have you kept the port default? or changed to 443?

Local https port number:8920

Public https port number:443

[gnollo 17]

 

ok so you own a domain name. Who is your registrar? 

https://www.fasthosts.co.uk/

 

 

you got a certificate in pfx format with a password? 

Yes to pfx format, but I have left the password field empty

 

In public HTTPS port in emby server have you kept the port default? or changed to 443?

Local https port number:8920

Public https port number:443

 

 

Changed local https port to match the public one and now I am able to login to the https://emby.MYDOMAIN via the public internet (device not connected to the Wifi). I think you need to update the server pic in the post below

 

https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/page-1&do=findComment&comment=419090

[gnollo 17]

Now I just need to workout how to use Certify SSL Manager and the Let’s Encrypt certificate request/auto renewal GUI for IIS on Windows to make the certificate roll ad infinitum.