
Help me Secure my Server (SSL)


saajan4u

Recommended Posts

saajan4u

Hi

I have a slightly different server setup than before

 

I live in the UK and my server is in a datacenter in Germany.

All my clients are currently connecting via port 8096, which I know is unsecured.

 

I'm completely new to this so step by step help will be appreciated.

 

I have a domain address for my Emby server. My domain provider gives me a free SSL certificate, but it's not a pfx file; it's a private key.

 

I don't know what do with it.

 

how can I make it secure?

 

Also, is it a big deal streaming from my server without it being secure? Obviously copyrighted content!


aptalca

You can generate a pfx file from the private key and the public cert via openssl. Just Google it.


zigzagtshirt

@saajan4u

 

There are several guides here on the forum.

 

https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/

 

Here is one.  However, this guide uses a free ssl certificate, which works just fine in most cases.  You can substitute the one from your provider if you like.  Like someone else mentioned, you'll need to create a pfx file.  If you are having trouble doing it, then specify what exactly you're not understanding so others can help.  


aptalca

 

saajan4u wrote: @aptalca I googled and got even more confused!

 

 

What is the issue?

 

Here's the first google result: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/

 

Do you have access to a linux machine? Do you have the original cert and key? Then follow the guide above. 

 

If you only have a windows machine, try this: https://elgwhoppo.com/2013/04/18/combine-crt-and-key-files-into-a-pfx-with-openssl/


saajan4u

Meh, I don't know what I'm doing.

I created a pfx file using my private key, installed it on my server, still no luck.

I'm just not going to bother.

Looked at Plex and it looks like they have all of this built in, so users like me don't have to deal with all of this.

https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections

I'll just wait until Emby catches on.

Thanks for all your help, much appreciated.


saajan4u

Just had a look at the Emby wiki:

https://github.com/MediaBrowser/Wiki/wiki/Connectivity

Nowhere does it mention how to secure the connections. I guess it's not a top priority; otherwise it would have had better support or some sort of built-in feature by default. Complete shame.

Yes, I appreciate there are guides on how to do it, but nothing official. Not a great user experience. That's how I feel.


aptalca

saajan4u wrote:

Meh, I don't know what I'm doing.

I created a pfx file using my private key, installed it on my server, still no luck.

I'm just not going to bother.

Looked at Plex and it looks like they have all of this built in, so users like me don't have to deal with all of this.

https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections

I'll just wait until Emby catches on.

Thanks for all your help, much appreciated.

I'm sorry, but you're not telling us what you're doing and what's going wrong so we can't really help you.

 

Setting up https in emby is as easy as pointing it to your cert and it works.

 

And even if you don't have your own cert, it creates a self signed one for you.

 

State how you tried to create the pfx file: perhaps post the command you used, your operating system, which company you got your cert from, and whether you checked the option to use HTTPS as the external address.

 

And then you can tell us what happens when you go to the https address.

 

Maybe your cert is set up correctly but your router blocks NAT loopback which prevents connections from going out to wan and then coming back in. In that case you'd have to test the https from a cell phone on data connection (outside of your network).


zigzagtshirt

Also specify which OS you are running your server on.  When I set up SSL for my server running on Windows, it had a little quirk to it, but overall was still very easy.


Jdiesel

Is there a specific reason you want to use your own certificate versus Emby's self signed generated certificate? 

 

If you are using your own certificate, you also need to provide the domain the certificate was issued for in the "External Domain" field under the advanced settings.


lorac

I set this up using the emby self signed cert and it works with the Android app but Roku 4 complains

-60: SSL certificate problem: self signed certificate


Swynol

OK, so you have your own domain name and you have a cert in either .crt or .cer format. You also have a private key in .key format and a CA root cert, usually called ca_bundle.crt.

You need to combine your cert and key into one file called a .pfx. Normally a .pfx file has a password to keep the key part of it private; however, Emby requires the .pfx file to have no password in order to work.

Ideally you need to use OpenSSL to convert the file; however, that is easier said than done on Windows machines. Use this command to convert:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CA_bundle.crt

you can use this site to create pfx files. - https://www.sslshopper.com/ssl-converter.html

 

Type of current cert - PEM

Type to convert to - PFX/PKCS#12

Cert to convert - your .crt

private key - your .key

chain cert - your ca_bundle.crt.

 

Leave the password blank and convert. You should end up with a .pfx.

Point your Emby server to your .pfx file and tick "report HTTPS as external address".

Your public and private HTTPS port is 8920 by default. You will need to get whoever is hosting your server to forward these ports, or you could change the port to 443, which is open by default.

This is much easier and more secure if you use a reverse proxy such as NGINX.


lorac

I have the self signed certificate that emby generated cert_e2d9b400cc60caed31c86c738dc58578.pfx

 

I'm hosting my own server and the ports are forwarded. On Android it prompts me to accept the cert and once I do it works.

 

The problem is the Roku doesn't seem to like the self signed cert.


Swynol

I don't tend to use self-signed certs. You can get a free cert from ZeroSSL, which uses Let's Encrypt.

The issue with self-signed is that, like you say, you have to accept the cert as it isn't signed by a root authority. Not sure why Roku isn't accepting it; it could be Roku blocking it.


Tur0k

Yeah, many device manufacturers are starting to lock down their certificate trust stores. I suspect the problem with your Roku is that you cannot add the self-signed certificate to the certificate trust store.

I had a similar problem with smart devices and my Wi-Fi. I ended up standing up an ACME service that connects with Let's Encrypt and gets me publicly verifiable certs with complete chains. This circumvented the self-signed certificate trouble I was seeing with my in-home WPA2-Enterprise encrypted Wi-Fi.

 

Currently, I am still working on getting everything online with my reverse proxy.

 

 

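To tie Swynol's conversion steps and the Roku "self signed certificate" error together, here is an added example; it is not code from this thread or from Emby. It bundles a PEM private key, leaf certificate and CA chain into a password-less PKCS#12 (.pfx) with OpenSSL, refuses to do so when the key does not belong to the certificate (the usual reason an installed .pfx "still doesn't work"), and then checks the bundled chain against a trust store the way a client with a locked-down store does, which is where a self-signed cert fails. The host name emby.example.invalid, every file name and the throwaway CA it generates are assumptions; nothing in it is a real certificate.

```shell
#!/bin/sh
# emby_pfx.sh: added example, not code from this thread or from Emby.
# Bundles a PEM private key, leaf certificate and CA chain into a password-less
# PKCS#12 (.pfx), refusing when the key does not belong to the certificate, and
# checks the bundled chain against a trust store the way a client with a locked
# down store (the Roku case above) does. Host name emby.example.invalid, all
# file names and the throwaway CA are assumptions; no real certificate is used.
set -e

# Generate offline test material: a private CA, a leaf cert it issues for the
# assumed host, and a plain self-signed cert for the same host (the Roku case).
make_test_material() {
  dir="$1"
  mkdir -p "$dir"
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=Test CA" \
    -keyout "$dir/ca.key" -out "$dir/ca_bundle.crt" 2>/dev/null
  openssl req -newkey rsa:2048 -nodes -subj "/CN=emby.example.invalid" \
    -keyout "$dir/privateKey.key" -out "$dir/leaf.csr" 2>/dev/null
  openssl x509 -req -in "$dir/leaf.csr" -CA "$dir/ca_bundle.crt" -CAkey "$dir/ca.key" \
    -CAcreateserial -days 2 -out "$dir/certificate.crt" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 -subj "/CN=emby.example.invalid" \
    -keyout "$dir/self.key" -out "$dir/self.crt" 2>/dev/null
}

# SHA-256 of the DER-encoded public key held in a private key file.
pubkey_hash_of_key() {
  openssl pkey -in "$1" -pubout -outform DER 2>/dev/null | openssl sha256
}

# SHA-256 of the DER-encoded public key embedded in a certificate.
pubkey_hash_of_cert() {
  openssl x509 -in "$1" -pubkey -noout 2>/dev/null \
    | openssl pkey -pubin -outform DER 2>/dev/null | openssl sha256
}

# make_pfx KEY CERT CHAIN OUT: CHAIN may be "" for a cert without intermediates.
# -passout pass: gives the empty export password Emby wanted at the time.
make_pfx() {
  key="$1"; crt="$2"; chain="$3"; out="$4"
  if [ "$(pubkey_hash_of_key "$key")" != "$(pubkey_hash_of_cert "$crt")" ]; then
    echo "make_pfx: $key is not the private key for $crt" >&2
    return 1
  fi
  if [ -n "$chain" ]; then set -- -certfile "$chain"; else set --; fi
  openssl pkcs12 -export -out "$out" -inkey "$key" -in "$crt" "$@" -passout pass:
}

# Number of certificates inside the .pfx (leaf plus chain: expect 2 or more).
pfx_cert_count() {
  openssl pkcs12 -in "$1" -nokeys -passin pass: 2>/dev/null \
    | grep -c -- '-----BEGIN CERTIFICATE-----'
}

# Subject of the leaf certificate inside the .pfx; this must match the name
# clients connect to (and the "External Domain" field in Emby).
pfx_leaf_subject() {
  openssl pkcs12 -in "$1" -nokeys -clcerts -passin pass: 2>/dev/null \
    | openssl x509 -noout -subject
}

# pfx_chain_verifies PFX TRUSTFILE: succeed only if the leaf chains up to a CA in
# TRUSTFILE using the intermediates bundled in the .pfx. A self-signed cert fails
# here with the same "self-signed certificate" verdict the Roku reports.
pfx_chain_verifies() {
  pfx="$1"; trust="$2"; scratch=$(mktemp -d)
  openssl pkcs12 -in "$pfx" -nokeys -clcerts -passin pass: -out "$scratch/leaf.pem" 2>/dev/null
  openssl pkcs12 -in "$pfx" -nokeys -cacerts -passin pass: -out "$scratch/chain.pem" 2>/dev/null || :
  if [ -s "$scratch/chain.pem" ]; then set -- -untrusted "$scratch/chain.pem"; else set --; fi
  if openssl verify -CAfile "$trust" "$@" "$scratch/leaf.pem" >/dev/null 2>&1; then rc=0; else rc=1; fi
  rm -rf "$scratch"
  return "$rc"
}

# Usage: sh emby_pfx.sh privateKey.key certificate.crt ca_bundle.crt certificate.pfx
if [ "$#" -eq 4 ]; then
  make_pfx "$1" "$2" "$3" "$4"
  echo "$4 contains $(pfx_cert_count "$4") certificate(s); leaf $(pfx_leaf_subject "$4")"
fi
```

Run it locally as `sh emby_pfx.sh privateKey.key certificate.crt ca_bundle.crt certificate.pfx` with the files your provider gave you; keep the conversion on your own machine, since a web-based converter necessarily receives your private key. Once Emby is serving the .pfx, the matching check from outside your LAN (which also sidesteps the NAT loopback problem mentioned earlier) is `openssl s_client -connect emby.example.invalid:8920 -servername emby.example.invalid`, whose output should end with `Verify return code: 0 (ok)`; a self-signed cert shows a non-zero verify code there, exactly as the Roku does.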

Swynol

Thanks tur0k. It's easy enough to get a full cert with let's encrypt and I recommend it over a self signed any day.

 

And as Tur0k says, a reverse proxy may seem like a complicated setup, but it works so well and makes it a lot easier to nail down the security.

 

 


The next release of Emby Server will allow you to configure a password for your SSL cert, for those of you who might need that.


Tur0k

So, reporting back now.  I know nginx is nicer for the designed purpose of a reverse proxy, but I ended up using squid.  I did this because I don't want add more servers into my network rack if at all possible and I don't want to punch ports through my firewall and setup port forwarding on my router.  I built my own Firewall on PFSENSE and a mini PC (the system has resources to spare, Intel i5 5500, 8GB RAM, 120GB SSD, and 2x NICs).  I also have an enterprise wireless access point and built a linux based controller for it on a Raspberry Pi.  I am hosting a slew of services on my firewall that assist with:

  Network Management (Routing, DHCP IPv4/6, DNS IPv4/6, SNTP, VLANs, Guest network isolation from my internal subnet, isolated IoT device access, DDNS synchronization)

  Network Security (firewall services, public IP region blocking, IDS, automated SSL management (using let's encrypt), Reverse Proxy, WPA2 enterprise Wi-Fi encryption, etc.),

  Authentication Management (radius)

  Remote Access (VPN)  

 

my external resources are:

1.  The domain I purchased from Google for $12 that also allows me to setup a 3rd level DDNS sub-domain, and management of my domain's external DNS entries (this allowed me to automate my let's encrypt SSL re-registration).  

2. Let's Encrypt SSL management (free). 

3. Emby premiere (I pay annually I think)

 

I don't really need much to be accessible to the Internet through my firewall, as all of my internal resources are accessible once I start my VPN. Emby is really the only service I would want to be accessible outside of the VPN. I have Squid working properly now. My troubles ended up being self-inflicted with my Squid setup: I was tired when I set this up and didn't ensure that I was using my new FQDN in my reverse peer mapping URI settings.


2 years later...

worker_processes 2;

events {
    worker_connections 8192;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;

    tcp_nodelay on;
    sendfile off;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    ## Default Listening ##
    # Anything arriving on plain HTTP is redirected to HTTPS.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## EMBY Server ##
    # HTTPS only. The original block also listened on port 80, which would have
    # proxied Emby unencrypted for this host name and bypassed the redirect above.
    server {
        listen [::]:443 ssl;
        listen 443 ssl;
        server_name emby.mydomain.media;   # your subdomain.domainname.com here; no "https://" in server_name

        ssl_session_timeout 30m;
        ssl_session_cache shared:SSL:10m;
        # The original also allowed TLSv1 and TLSv1.1; both are deprecated, so only 1.2 and 1.3 remain.
        ssl_protocols TLSv1.2 TLSv1.3;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:!ADH:!AECDH:!MD5:!3DES;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;

        proxy_hide_header X-Powered-By;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header Referrer-Policy "no-referrer";
        # Add your domain name and all subdomains listed on your cert.
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

        location / {
            proxy_pass http://127.0.0.1:8096;   # local Emby IP and non-SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;
            # Next three lines allow websockets.
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}

 

 

