saajan4u 79 Posted May 8, 2017
Hi, I have a slightly different server setup than before. I live in the UK and my server is in a datacenter in Germany. All my clients are currently connecting via port 8096, which I know is unsecured. I'm completely new to this, so step-by-step help will be appreciated. I have a domain address for my Emby server, and my domain provider gives me a free SSL certificate, but it's not a pfx file, it's a private key. I don't know what to do with it. How can I make it secure? Also, is it a big deal streaming from my server without it being secure? Obviously copyright content!
aptalca 70 Posted May 8, 2017
You can generate a pfx file from the private key and the public cert via openssl. Just Google it.
saajan4u 79 Posted May 8, 2017 (Author)
@aptalca I googled and got even more confused!
zigzagtshirt 55 Posted May 8, 2017
@saajan4u There are several guides here on the forum. Here is one: https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/ However, this guide uses a free SSL certificate, which works just fine in most cases. You can substitute the one from your provider if you like. Like someone else mentioned, you'll need to create a pfx file. If you are having trouble doing it, then specify what exactly you're not understanding so others can help.
aptalca 70 Posted May 8, 2017
Quoting saajan4u: "@aptalca I googled and got even more confused!"
What is the issue? Here's the first Google result: https://www.ssl.com/how-to/create-a-pfx-p12-certificate-file-using-openssl/ Do you have access to a Linux machine? Do you have the original cert and key? Then follow the guide above. If you only have a Windows machine, try this: https://elgwhoppo.com/2013/04/18/combine-crt-and-key-files-into-a-pfx-with-openssl/
saajan4u 79 Posted May 8, 2017 (Author, edited)
Meh, I don't know what I'm doing. I created a pfx file using my private key, installed it on my server, still no luck. I'm just not going to bother. Looked at Plex and it looks like they have all of this built in, so users like me don't have to deal with all of this. https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections I'll just wait until Emby catches on. Thanks for all your help, much appreciated.
Edited May 8, 2017 by saajan4u
saajan4u 79 Posted May 9, 2017 (Author)
Just had a look at the Emby wiki, https://github.com/MediaBrowser/Wiki/wiki/Connectivity and nowhere does it mention how to secure the connections. I guess it's not a top priority; otherwise, it would have had better support or some sort of built-in features by default. Complete shame. Yes, I appreciate there are guides on how to do it, but nothing official. Not a great user experience. That's how I feel.
aptalca 70 Posted May 9, 2017
Quoting saajan4u: "Meh, I don't know what I'm doing. I created a pfx file using my private key, installed it on my server, still no luck. I'm just not going to bother. Looked at Plex and it looks like they have all of this built in, so users like me don't have to deal with all of this. https://support.plex.tv/hc/en-us/articles/206225077-How-to-Use-Secure-Server-Connections I'll just wait until Emby catches on. Thanks for all your help, much appreciated."
I'm sorry, but you're not telling us what you're doing and what's going wrong, so we can't really help you. Setting up https in Emby is as easy as pointing it to your cert and it works. And even if you don't have your own cert, it creates a self-signed one for you. State how you tried to create the pfx file, perhaps post the command you used, your operating system, which company you got your cert from and whether you checked the option to use https as the external address. And then you can tell us what happens when you go to the https address. Maybe your cert is set up correctly but your router blocks NAT loopback, which prevents connections from going out to the WAN and then coming back in. In that case you'd have to test the https from a cell phone on a data connection (outside of your network).
zigzagtshirt 55 Posted May 10, 2017 (edited)
Also specify which OS you are running your server on. When I set up SSL for my server running on Windows, it had a little quirk to it, but overall was still very easy.
Edited May 10, 2017 by zigzagtshirt
Jdiesel 1143 Posted May 10, 2017
Is there a specific reason you want to use your own certificate versus Emby's self-signed generated certificate? If you are using your own certificate, you need to also provide the domain that the certificate was signed for in the "External Domain" field under the advanced settings.
CBers 6882 Posted May 10, 2017
@saajan4u - have you seen this? https://emby.media/community/index.php?/topic/47447-ssl-and-security-quality/
lorac 101 Posted May 10, 2017
I set this up using the Emby self-signed cert and it works with the Android app, but Roku 4 complains:
-60: SSL certificate problem: self signed certificate
Swynol 375 Posted May 11, 2017
OK, so you have your own domain name and you have a cert in either .crt or .cer format. You also have a private key in .key format and a CA root cert, usually called ca_bundle.crt. You need to combine your cert and key into one file called a .pfx. Normally a pfx file has a password to keep the key part of it private; however, Emby requires you to have no password on the .pfx file for it to work. Ideally you use openSSL to convert the file, however that is easier said than done on Windows machines. Use this command to convert:

openssl pkcs12 -export -out certificate.pfx -inkey privateKey.key -in certificate.crt -certfile CA_bundle.crt

You can also use this site to create pfx files: https://www.sslshopper.com/ssl-converter.html
Type of current cert - PEM
Type to convert to - PFX/PKCS#12
Cert to convert - your .crt
Private key - your .key
Chain cert - your ca_bundle.crt
Leave the password blank and convert. You should end up with a .pfx. Point your Emby server to your pfx file and enable "report HTTPS as external address". Your public and private HTTPS port by default is 8920. You will need to get whoever is hosting your server to forward these ports, or you could change the port to 443, which is open by default. This is much easier and more secure if you use a reverse proxy such as NGINX.
lorac 101 Posted May 11, 2017
I have the self-signed certificate that Emby generated, cert_e2d9b400cc60caed31c86c738dc58578.pfx. I'm hosting my own server and the ports are forwarded. On Android it prompts me to accept the cert and once I do it works. The problem is the Roku doesn't seem to like the self-signed cert.
Swynol 375 Posted May 11, 2017
I don't tend to use self-signed certs. You can get a free cert from ZeroSSL, which uses Let's Encrypt. The issue with self-signed is that, like you say, you have to accept the cert as it isn't signed by a root authority. Not sure why Roku isn't accepting it; it could be Roku blocking it.
Tur0k 143 Posted May 11, 2017 (edited)
Yea, many device manufacturers are starting to lock down their certificate trust stores. I suspect the problem with your Roku is that you cannot add the self-signed certificate to the certificate trust store. I had a similar problem with smart devices and my wifi. I ended up standing up an ACME service that connects with Let's Encrypt and gets me publicly verifiable certs with complete chains. This circumvented the self-signed certificate trouble I was seeing with my in-home WPA2-Enterprise encrypted wifi. Currently, I am still working on getting everything online with my reverse proxy.
Sent from my iPhone using Tapatalk
Edited May 11, 2017 by Tur0k
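Putting Swynol's openssl command and the Roku self-signed problem from the last few posts together, here is an added shell example that is not from any post in this thread: it builds a password-less PFX from a key, cert and chain file the way Emby expects, then checks whether the leaf certificate inside it is self-signed, which is the property a locked-down trust store rejects. The file names and the throwaway self-signed key/cert it generates are constructed test material, and it needs the openssl CLI.

```shell
#!/bin/sh
# Added example, not from the thread. Requires the openssl command-line tool.
# File names (server.key, server.crt, ca_bundle.crt, emby.pfx) are assumptions.
set -eu

WORK="${WORK:-$(mktemp -d)}"

# Constructed test material: a throwaway self-signed key/cert pair standing in
# for the key and certificate a domain provider would hand out.
make_test_material() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
    -subj "/CN=emby.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.crt" >/dev/null 2>&1
  # A self-signed cert has no separate chain; reuse it as the chain file so the
  # command below has the same shape as the one for a CA-issued cert.
  cp "$WORK/server.crt" "$WORK/ca_bundle.crt"
}

# Combine key + cert + chain into one PKCS#12 file with an EMPTY password
# (-passout pass:), which is what the Emby releases discussed here require.
build_pfx() {
  openssl pkcs12 -export -out "$WORK/emby.pfx" \
    -inkey "$WORK/server.key" -in "$WORK/server.crt" \
    -certfile "$WORK/ca_bundle.crt" -passout pass:
}

# Extract the leaf (client) certificate from the PFX as PEM.
pfx_leaf_pem() {
  openssl pkcs12 -in "$WORK/emby.pfx" -passin pass: -nokeys -clcerts 2>/dev/null
}

# Print the subject of the leaf certificate stored in the PFX.
pfx_subject() {
  pfx_leaf_pem | openssl x509 -noout -subject
}

# Succeed (exit 0) when the leaf cert is self-signed, i.e. issuer == subject.
# A client with a strict trust store (the Roku in the thread) will not accept it.
pfx_is_self_signed() {
  pem=$(pfx_leaf_pem)
  subj=$(printf '%s\n' "$pem" | openssl x509 -noout -subject)
  iss=$(printf '%s\n' "$pem" | openssl x509 -noout -issuer)
  [ "${subj#subject=}" = "${iss#issuer=}" ]
}

make_test_material
build_pfx
pfx_subject
if pfx_is_self_signed; then
  echo "leaf cert is self-signed: devices that only trust public CAs will reject it"
fi
```

Run it against a real key, cert and ca_bundle.crt by pointing WORK at their directory and skipping make_test_material; a CA-issued cert makes pfx_is_self_signed fail, which is the outcome you want.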
Swynol 375 Posted May 11, 2017
Thanks Tur0k. It's easy enough to get a full cert with Let's Encrypt and I recommend it over a self-signed one any day. And as Tur0k says, a reverse proxy may seem like a complicated setup, but it works so well and it is a lot easier to nail down the security.
Sent from my iPhone using Tapatalk
Luke 37994 Posted May 12, 2017
The next release of Emby Server will allow you to configure a password for your SSL cert, for those of you who might need that.
Tur0k 143 Posted May 13, 2017 (edited)
So, reporting back now. I know nginx is nicer for the designed purpose of a reverse proxy, but I ended up using Squid. I did this because I don't want to add more servers into my network rack if at all possible, and I don't want to punch ports through my firewall and set up port forwarding on my router. I built my own firewall on pfSense and a mini PC (the system has resources to spare: Intel i5 5500, 8GB RAM, 120GB SSD, and 2x NICs). I also have an enterprise wireless access point and built a Linux-based controller for it on a Raspberry Pi. I am hosting a slew of services on my firewall that assist with:
- Network Management (routing, DHCP IPv4/6, DNS IPv4/6, SNTP, VLANs, guest network isolation from my internal subnet, isolated IoT device access, DDNS synchronization)
- Network Security (firewall services, public IP region blocking, IDS, automated SSL management (using Let's Encrypt), reverse proxy, WPA2-Enterprise Wi-Fi encryption, etc.)
- Authentication Management (RADIUS)
- Remote Access (VPN)
My external resources are:
1. The domain I purchased from Google for $12, which also allows me to set up a 3rd-level DDNS sub-domain and manage my domain's external DNS entries (this allowed me to automate my Let's Encrypt SSL re-registration).
2. Let's Encrypt SSL management (free).
3. Emby Premiere (I pay annually, I think).
I don't really need much to be accessible to the Internet through my firewall, as all of my internal resources are accessible once I start my VPN. Emby is really the only service I would want to be accessible outside of the VPN. I have Squid working properly now. My troubles ended up being self-inflicted with my Squid setup. I was tired when I set this up and didn't ensure that I was using my new FQDN in my reverse peer mappings URI settings.
Edited May 13, 2017 by Tur0k
Ol_Hag 0 Posted December 23, 2019

```nginx
worker_processes 2;

events {
    worker_connections 8192;
}

http {
    include mime.types;
    default_type application/octet-stream;
    server_tokens off;

    gzip on;
    gzip_disable "msie6";
    gzip_comp_level 6;
    gzip_min_length 1100;
    gzip_buffers 16 8k;
    gzip_proxied any;
    gzip_types text/plain text/css text/js text/xml text/javascript application/javascript application/x-javascript application/json application/xml application/rss+xml image/svg+xml;

    tcp_nodelay on;
    sendfile off;
    server_names_hash_bucket_size 128;
    map_hash_bucket_size 64;

    ## Start: Timeouts ##
    client_body_timeout 10;
    client_header_timeout 10;
    keepalive_timeout 30;
    send_timeout 10;
    keepalive_requests 10;
    ## End: Timeouts ##

    ## Default Listening ##
    # Catch-all vhost: anything arriving on plain HTTP is redirected to HTTPS.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        server_name _;
        return 301 https://$host$request_uri;
    }

    ## EMBY Server ##
    server {
        # Note: because this vhost also listens on port 80 for the Emby host name,
        # plain-HTTP requests for it are proxied rather than redirected by the
        # catch-all above; drop the two port-80 listens to force HTTPS.
        listen [::]:80;
        listen 80;
        listen [::]:443 ssl;
        listen 443 ssl;
        # server_name takes a bare host name; the scheme ("https://") that was in
        # front of it in the original would never match a request.
        server_name emby.mydomain.media;  # your subdomain.domainname.com here

        ssl_session_timeout 30m;
        # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 (and TLSv1.3) is what current
        # clients need, so the older two can be removed.
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate SSL/cert.pem;
        ssl_certificate_key SSL/private.key;
        ssl_session_cache shared:SSL:10m;
        ssl_prefer_server_ciphers on;
        ssl_ciphers ECDH+AESGCM:ECDH+AES256:ECDH+AES128:DH+3DES:!ADH:!AECDH:!MD5;

        proxy_hide_header X-Powered-By;
        add_header X-Xss-Protection "1; mode=block" always;
        add_header X-Content-Type-Options "nosniff" always;
        add_header Strict-Transport-Security "max-age=2592000; includeSubdomains" always;
        add_header X-Frame-Options "SAMEORIGIN" always;
        add_header 'Referrer-Policy' 'no-referrer';
        # Add your domain name and all subdomains listed on your cert.
        add_header Content-Security-Policy "frame-ancestors mydomain.com emby.mydomain.com;";

        location / {
            proxy_pass http://127.0.0.1:8096;  # local Emby IP and non-SSL port
            proxy_hide_header X-Powered-By;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header Host $host;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            # Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }
}
```

Sent from my iPhone using Tapatalk
Luke 37994 Posted December 23, 2019
Hi, do you have a question?