
Security 101: Secure Connections

regid

Hello, all

Coming from the Plex world, Secure Connections was easy to turn on (actually on by default).  I am trying to determine if Emby has that on by default, or what steps I might have to perform, or if it's a non-issue.  I am really hoping whatever is involved is pretty straightforward.  When I (or a friend) am accessing my Emby server remotely I'd like to be reasonably secure.  I liked that "no-brainer" aspect of Plex.  When I looked in the "Hosting" area of Emby Server I saw a check box for requiring HTTPS (the equivalent of secure connections... maybe?) but it then asked me about certs and stuff and I got lost.  I'd rather not go to Plex for external access.  I really think Emby is a superior product in many ways.

 

Also, if there is a particular section of Emby (guide/site, etc.) that really breaks down most of the security-related information, I'd appreciate it.  I'd like to be more knowledgeable.  What I've found in the forums is not really clear to me and seems to be spread all over the place.

 

Thank You

Luke

Hi, the only reason it's not on by default is because you need to supply an SSL cert in the advanced section.

You can easily create one with something like Let's Encrypt.

Please let us know if this helps. Thanks!

regid

Hey, Luke

I've already been struggling with how to set up Let's Encrypt.  It's probably me. I'll take a break and try to figure it out later.  I'll just disable external access until I can figure it out.  Let me put it to the Emby team that it might be a great idea to find a way to incorporate this functionality natively (or as a Plugin)  for those of us that are a little less technical.

 

I appreciate the quick response...

Hi, the only reason it's not on by default is because you need to supply an SSL cert in the advanced section.

You can easily create one with something like Let's Encrypt.

Please let us know if this helps. Thanks!

Luke

Do you want to have a domain name owned by someone else that resolves/points to your ip address? Or do you not care as long as it works?

 

For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @ may have participated in one.

Guest asrequested

And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps. 

Luke

And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps. 

 

It's already there. Click require https.

Luke

However @, now we have a new problem to consider. What has prevented you from discovering it on your own?

Guest asrequested

However @, now we have a new problem to consider. What has prevented you from discovering it on your own?

 

You mean, this?

 

[Screenshot: Snapshot_388.jpg]

 

I'm not going through the hassle of creating, converting, importing and maintaining a certificate. It's a PITA. I just want to click it and forget it. It's actually easier for me to build a second gateway and configure a VPN service that will just continually run. Which is what I'm planning to do. 

Luke

Ok so in post #4, you are in the "don't care" camp. Is that correct?

Guest asrequested

Ok so in post #4, you are in the "don't care" camp. Is that correct?

 

Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted.

Tur0k

Outline to get a public domain and a publicly trusted SSL certificate is:

 

1. Open and forward port 8920 on your router to your Emby server.

A. Ensure that your Emby server always gets the same IP address on your internal network. This is done by either:

I. Statically IP addressing the server or

II. Set up a DHCP reserved IP address in the router's DHCP configuration.

 

B. I would also recommend not listing users on the login screen.

C. I would also recommend not using the name "Admin" or "administrator" as the username of the administrative user account.

D. I would not recommend linking the administrative user account to your Emby connect account.

E. I would also recommend limiting the ability to delete media to non-administrative accounts.

 

2. Purchase a public domain. I pay Google 12 dollars annually for mine.

NOTE: There are probably cheaper solutions, just make sure that they will allow you to have a public DNS that you can manage, and allow you to have SSL certificates issued for them.

 

3. Configure a public DNS on the above host with a DNS record that points to your house's DHCP assigned public IP address (this is sometimes called a DDNS, A+, or synthetic record).

A. Set up a DDNS client on a device in your network that will update the record if your public IP address changes. NOTE: most domain hosts will offer a software application that can do this. Also, most home routers have DDNS client capabilities built in.

 

4. Purchase an SSL certificate from a trusted public CA. I hear RapidSSL is really cheap. I have seen Comodo work. Here, I use Let's Encrypt. For Let's Encrypt you would need to set up an ACME client to keep your cert issued every 90 days.

A. Create a CSR on the Emby server.

B. Upload the CSR to the CA

C. Download the certificate once it is issued.

D. Possibly convert it to a PFX file.

E. Link the SSL certificate's location and password in your Emby Server.

 

NOTE:

1. You will likely need to pay annually for steps 2 and 4.

2. You will likely need to perform steps 4D to 4E annually.

3. If you change operating systems or upgrade the OS you would need to create a new CSR and re-issue the SSL certificate.

 

I will add in the references that I have on how to do this once I get back home.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

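As an added example (not from Tur0k's post, nor Emby's own tooling), these are the openssl commands behind steps 4A, 4D and 4E of the outline above, with a pre-flight check before you point Emby at the PFX. The hostname and PFX password are placeholders you would replace, and the CA issuance of steps 4B/4C is stood in for by a self-signed step so the script runs offline.

```shell
#!/bin/sh
# Added example (not from the thread): openssl steps behind 4A, 4D and 4E.
set -eu

HOST="${EMBY_HOST:-emby.example.com}"   # assumption: the DDNS name from step 3
PFX_PASS="${PFX_PASS:-change-me}"       # assumption: password you will give Emby

# 4A: private key plus CSR. The SAN matters: public CAs validate the
# hostname from subjectAltName, not from the CN alone.
make_csr() {
  dir=$1
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$dir/emby.key" -out "$dir/emby.csr" \
    -subj "/CN=$HOST" -addext "subjectAltName=DNS:$HOST" 2>/dev/null
  chmod 600 "$dir/emby.key"   # only the Emby service account needs the key
}

# 4B/4C stand-in: a real CA signs the CSR and you download emby.crt. To keep
# this runnable offline we self-sign instead; same PEM format, but no browser
# will trust it, so never expose this particular cert to the internet.
self_sign_csr() {
  dir=$1
  openssl x509 -req -in "$dir/emby.csr" -signkey "$dir/emby.key" \
    -days 90 -out "$dir/emby.crt" 2>/dev/null
}

# 4D: bundle key + cert into the PKCS#12 (.pfx) file Emby's Hosting page wants.
make_pfx() {
  dir=$1
  openssl pkcs12 -export -inkey "$dir/emby.key" -in "$dir/emby.crt" \
    -out "$dir/emby.pfx" -passout "pass:$PFX_PASS"
  chmod 600 "$dir/emby.pfx"   # it contains the private key; keep it private
}

# Pre-flight for 4E: confirm the PFX opens with the password and the
# certificate inside is for the hostname you will type into the browser.
check_pfx() {
  dir=$1
  openssl pkcs12 -in "$dir/emby.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -clcerts 2>/dev/null | openssl x509 -noout -subject | grep -q "$HOST"
}

# Renewal check (Let's Encrypt certs last 90 days): succeeds only if the cert
# is still valid for at least $2 more days. Cron this to catch a stalled ACME
# client before the cert in Emby silently expires.
cert_valid_for_days() {
  openssl x509 -in "$1/emby.crt" -noout -checkend $(( $2 * 86400 )) >/dev/null
}
```

Usage: source the script, then run `make_csr`, submit the CSR to the CA in place of `self_sign_csr`, and finish with `make_pfx` and `check_pfx` before entering the path and password on the Hosting page.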
ebr

Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted.

 

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

adrianwi

To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.  It marked the beginning of the end for my Plex journey  :(

Edited by adrianwi
ebr

To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.  

 

Yes, because they are doing this:

 

 

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

Guest asrequested

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and applying a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption, is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.

Jdiesel

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

 

While Plex's solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

Guest asrequested

Maybe even offer it as some sort of service plan? I'd be happy to pay an annual fee to Emby for a 'one click' security option.

Spaceboy

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

 

While Plex's solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

While I wouldn't use it, this is a great idea.
regid

Hey, Luke. I think Doofus and Jdiesel really nailed it.  A simple, secure, "one click" implementation for those who are not very tech savvy or just don't have a need/desire for advanced features.  It's something I imagine everyone should turn on.

Thanks for entertaining the discussion, Luke.  And Thank you fellow Emby members for clarifying what I was trying to say.

 

Do you want to have a domain name owned by someone else that resolves/points to your ip address? Or do you not care as long as it works?

 

For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @ may have participated in one.

Tur0k

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only thing that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

 

To me it sounds like our less techy users are asking for a cloudflare (https://www.cloudflare.com) like service.

 

In this case the cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pickup a domain and redirect it to cloudflare.

 

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

 

It looks like Cloudflare's free service gives you a publicly trusted SSL certificate. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

 

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Jdiesel

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only thing that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

 

To me it sounds like our less techy users are asking for a cloudflare (https://www.cloudflare.com) like service.

 

In this case the cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pickup a domain and redirect it to cloudflare.

 

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

 

It looks like Cloudflare's free service gives you a publicly trusted SSL certificate. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

 

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

 

 

Sent from my iPhone using Tapatalk

This is what I did for a while, and it was simple to set up and worked quite well. Emby has since removed the ability to generate self-signed certificates, at least on the .NET Core version, so you now need to generate your own self-signed certificate for the connection between your server and Cloudflare.

Guest asrequested

It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance. 

CBers

This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.

I tend to agree, but I have a reverse proxy (nginx) in place now and it all works with hardly any intervention.

 

Although saying that, I did have someone access my Emby server somehow, but a quick re-jig seems to have stopped that.

 

I'm not saying a reverse proxy is more secure, but I never had any intrusions before I set it up.

ebr

Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and applying a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption, is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.

 

Yes, we understand.  I just wanted to be sure you understood that the implication of that simplicity is that your "secure" setup is under someone else's control.

 

If you're okay with that, then that's fine.
