Security 101: Secure Connections

Secure Connect Security Remote Access Encrypted

298 replies to this topic

#1 regid OFFLINE  

regid

    Member

  • Members
  • 17 posts
  • Local time: 08:44 AM

Posted 06 January 2018 - 02:00 PM

Hello, all

Coming from the Plex world Secure Connections was easy to turn on (actually on by default). I am trying to determine if Emby has that on by default or what steps I might have to perform or if it's a non-issue. I am really hoping whatever is involved is pretty straightforward. When I (or a friend) is accessing my Emby server remotely I'd like to be reasonably secure. I liked that "no-brainer" aspect to Plex. When I looked in the "Hosting" area of Emby server I saw a check box for requiring HTTPS (the equivalent of secure connects... maybe?) but it then asked me about Certs and stuff and I got lost. I'd rather not go to Plex for external access. I really think Emby is a superior product in many ways.

Also, if there is a particular section of Emby (Guide/Site or etc) that really breaks down most of the security related data I'd appreciate it. I'd like to be more knowledgeable. What I've found in the forums is not really clear to me and seems to be spread all over the place.

 

Thank You



#2 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131576 posts
  • Local time: 09:44 AM

Posted 06 January 2018 - 02:02 PM

Hi, the only reason it's not on by default is because you need to supply an ssl cert in the advanced section.

You can easily create one with something like Let's Encrypt.

Please let us know if this helps. Thanks!

#3 regid OFFLINE  

regid

    Member

  • Members
  • 17 posts
  • Local time: 08:44 AM

Posted 06 January 2018 - 02:16 PM

Hey, Luke

I've already been struggling with how to set up Let's Encrypt.  It's probably me. I'll take a break and try to figure it out later.  I'll just disable external access until I can figure it out.  Let me put it to the Emby team that it might be a great idea to find a way to incorporate this functionality natively (or as a Plugin)  for those of us that are a little less technical.

 

I appreciate the quick response...

> Hi, the only reason it's not on by default is because you need to supply an ssl cert in the advanced section.
>
> You can easily create one with something like Let's Encrypt.
>
> Please let us know if this helps. Thanks!



#4 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131576 posts
  • Local time: 09:44 AM

Posted 06 January 2018 - 07:05 PM

Do you want to have a domain name owned by someone else that resolves/points to your IP address? Or do you not care as long as it works?

 

For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @Doofus may have participated in one.



#5 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 06 January 2018 - 07:31 PM

@Swynol has a great blog for that stuff

 

https://blog.awelswy...ypt-certificate


  • Tur0k likes this

#6 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 06 January 2018 - 07:34 PM

And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps. 


  • PrincessClevage, regid and Tur0k like this

#7 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131576 posts
  • Local time: 09:44 AM

Posted 06 January 2018 - 07:35 PM

> And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps.

 

It's already there. Click require https.


  • Abobader likes this

#8 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131576 posts
  • Local time: 09:44 AM

Posted 06 January 2018 - 07:36 PM

However @Doofus, now we have a new problem to consider. What has prevented you from discovering it on your own?



#9 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 06 January 2018 - 07:51 PM

> However @Doofus, now we have a new problem to consider. What has prevented you from discovering it on your own?

 

You mean, this?

 

[Attached image: 5a515fba9425c_Snapshot_388.jpg]

 

I'm not going through the hassle of creating, converting, importing and maintaining a certificate. It's a PITA. I just want to click it and forget it. It's actually easier for me to build a second gateway and configure a VPN service that will just continually run. Which is what I'm planning to do. 



#10 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 131576 posts
  • Local time: 09:44 AM

Posted 06 January 2018 - 07:52 PM

Ok so in post #4, you are in the "don't care" camp. Is that correct?



#11 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 06 January 2018 - 07:58 PM

> Ok so in post #4, you are in the "don't care" camp. Is that correct?

 

Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted.


  • PrincessClevage likes this

#12 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 510 posts
  • Local time: 07:44 AM

Posted 06 January 2018 - 10:25 PM

Outline to get a public domain and a publicly trusted SSL certificate is:

1. Open and forward port 8920 on your router to your Emby server.
   A. Ensure that your Emby server always gets the same IP address on your internal network. This is done by either:
      I. Statically IP addressing the server or
      II. Set up a DHCP reserved IP address in the router's DHCP configuration.
   B. I would also recommend not listing users on the login screen.
   C. I would also recommend not using the name "Admin" or "administrator" as the username of the administrative user account.
   D. I would not recommend linking the administrative user account to your Emby connect account.
   E. I would also recommend limiting the ability to delete media to non-administrative accounts.

2. Purchase a public domain. I pay Google 12 dollars annually for mine.
   NOTE: There are probably cheaper solutions, just make sure that they will allow you to have a public DNS that you can manage, and allow you to have SSL certificates issued for them.

3. Configure a public DNS on the above host with a DNS record that points to your house's DHCP assigned public IP address (this is sometimes called a DDNS, A+, or synthetic record).
   A. Set up a DDNS client on a device in your network that will update the record if your public IP address changes. NOTE: most domain hosts will offer a software application that can do this. Also, most home routers have DDNS client capabilities built in.

4. Purchase an SSL certificate from a trusted public CA. I hear RapidSSL is really cheap. I have seen Comodo work. Here, I use Let's Encrypt. For Let's Encrypt you would need to set up an ACME client to keep your cert issued every 90 days.
   A. Create a CSR on the Emby server.
   B. Upload the CSR to the CA.
   C. Download the certificate once it is issued.
   D. Possibly convert it to a PFX file.
   E. Link the SSL certificate's location and password in your Emby Server.

NOTE:
1. You will likely need to pay annually for steps 2 and 4.
2. You will likely need to perform step 4D-4E annually.
3. If you change operating systems or upgrade the OS you would need to create a new CSR and re-issue the SSL certificate.

I will add in the references that I have on how to do this once I get back home.


Edited by Tur0k, 06 January 2018 - 11:02 PM.
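
A sketch of steps 4A and 4D from the outline above, plus a check for the 90-day renewal it mentions, using the `openssl` CLI. This is an added example, not part of the original post or of Emby; `emby.example.com`, the file names and the `PFX_PASS` variable are assumptions, and the self-signing function only stands in for the CA issuing the certificate (4B/4C).

```shell
#!/bin/sh
# Added example (not from the thread): steps 4A and 4D plus a renewal check.
# emby.example.com, the file names and PFX_PASS are constructed placeholders.
DOMAIN="emby.example.com"

# 4A: create the private key and CSR. Only the CSR is uploaded to the CA (4B).
make_csr() {            # usage: make_csr <dir>
    ( umask 077         # key file readable by the owner only
      openssl req -new -newkey rsa:2048 -nodes \
          -keyout "$1/emby.key" -out "$1/emby.csr" \
          -subj "/CN=$DOMAIN" -addext "subjectAltName=DNS:$DOMAIN" 2>/dev/null )
}

# Stand-in for 4B/4C so the script runs offline: self-sign for 90 days.
# A real CA returns emby.crt instead; do not use this self-signed file in Emby.
fake_issue() {          # usage: fake_issue <dir>
    openssl x509 -req -in "$1/emby.csr" -signkey "$1/emby.key" \
        -days 90 -out "$1/emby.crt" 2>/dev/null
}

# Before 4D: confirm the downloaded certificate belongs to this private key.
key_matches_cert() {    # usage: key_matches_cert <dir>
    cert_pub=$(openssl x509 -in "$1/emby.crt" -noout -pubkey | openssl sha256)
    key_pub=$(openssl pkey -in "$1/emby.key" -pubout | openssl sha256)
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# 4D: bundle key and certificate into a password-protected PFX (PKCS#12).
# The password is read from the exported PFX_PASS variable, not the command line.
make_pfx() {            # usage: make_pfx <dir>
    ( umask 077
      openssl pkcs12 -export -inkey "$1/emby.key" -in "$1/emby.crt" \
          -out "$1/emby.pfx" -passout env:PFX_PASS )
}

# Renewal check: succeeds when the certificate expires within <days> days.
needs_renewal() {       # usage: needs_renewal <dir> <days>
    ! openssl x509 -in "$1/emby.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

The resulting `emby.pfx` path and the `PFX_PASS` value are what step 4E links in the server settings; running `needs_renewal` from a scheduled job gives warning before the certificate lapses.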


#13 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 45409 posts
  • Local time: 09:44 AM

Posted 07 January 2018 - 11:18 AM

> Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted.

 

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?


  • Abobader and Tur0k like this

#14 adrianwi OFFLINE  

adrianwi

    Advanced Member

  • Members
  • 338 posts
  • Local time: 02:44 PM
  • LocationScotland

Posted 07 January 2018 - 12:54 PM

To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.  It marked the beginning of the end for my Plex journey  :(


Edited by adrianwi, 07 January 2018 - 12:55 PM.

  • Tur0k, heciruam and VaporTrail like this

#15 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 45409 posts
  • Local time: 09:44 AM

Posted 07 January 2018 - 12:57 PM

> To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.

 

Yes, because they are doing this:

 

 

> You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?



#16 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 07 January 2018 - 01:16 PM

> You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and apply a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.
  • aspdend, regid and bpbenich like this

#17 Jdiesel OFFLINE  

Jdiesel

    Advanced Member

  • Members
  • 2646 posts
  • Local time: 07:44 AM
  • LocationRegina, SK

Posted 07 January 2018 - 01:35 PM

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

While Plex solution isn't ideal it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.
  • Spaceboy, Doofus, Dibbes and 5 others like this

#18 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 11486 posts
  • Local time: 06:44 AM

Posted 07 January 2018 - 02:02 PM

Maybe even offer it as some sort of service plan? I'd be happy to pay an annual fee to emby for a 'one click' security option.
  • Tremas and afullmark like this

#19 Spaceboy ONLINE  

Spaceboy

    Advanced Member

  • Members
  • 3820 posts
  • Local time: 02:44 PM

Posted 07 January 2018 - 02:08 PM

> I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.
>
> While Plex solution isn't ideal it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.
>
> My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

While I wouldn't use it, this is a great idea.
  • regid and afullmark like this

#20 regid OFFLINE  

regid

    Member

  • Members
  • 17 posts
  • Local time: 08:44 AM

Posted 07 January 2018 - 02:46 PM

Hey, Luke. I think Doofus and Jdiesel really nailed it. A simple, secure, "one click" implementation for those who are not very tech savvy or just don't have a need/desire for advanced features. It's something I imagine everyone should turn on.

Thanks for entertaining the discussion, Luke. And thank you fellow Emby members for clarifying what I was trying to say.

 

> Do you want to have a domain name owned by someone else that resolves/points to your IP address? Or do you not care as long as it works?
>
> For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @Doofus may have participated in one.


  • Doofus and afullmark like this




