regid 6 Posted January 6, 2018 Hello, all. Coming from the Plex world, Secure Connections was easy to turn on (actually on by default). I am trying to determine if Emby has that on by default or what steps I might have to perform or if it's a non-issue. I am really hoping whatever is involved is pretty straightforward. When I (or a friend) am accessing my Emby server remotely I'd like to be reasonably secure. I liked that "no-brainer" aspect to Plex. When I looked in the "Hosting" area of Emby server I saw a check box for requiring HTTPS (the equivalent of secure connections... maybe?) but it then asked me about Certs and stuff and I got lost. I'd rather not go to Plex for external access. I really think Emby is a superior product in many ways. Also, if there is a particular section of Emby (Guide/Site or etc.) that really breaks down most of the security related data I'd appreciate it. I'd like to be more knowledgeable. What I've found in the forums is not really clear to me and seems to be spread all over the place. Thank You
Luke 38955 Posted January 6, 2018 Posted January 6, 2018 Hi, the only reason it's not on by default is because you need to supply an ssl cert in the advanced section. You can easily create one with something like let's encrypt. Please let us know if this helps. Thanks !
regid 6 Posted January 6, 2018 Author Hey, Luke. I've already been struggling with how to set up Let's Encrypt. It's probably me. I'll take a break and try to figure it out later. I'll just disable external access until I can figure it out. Let me put it to the Emby team that it might be a great idea to find a way to incorporate this functionality natively (or as a Plugin) for those of us that are a little less technical. I appreciate the quick response... Hi, the only reason it's not on by default is because you need to supply an ssl cert in the advanced section. You can easily create one with something like let's encrypt. Please let us know if this helps. Thanks !
Luke 38955 Posted January 6, 2018 Posted January 6, 2018 Do you want to have a domain name owned by someone else that resolves/points to your ip address? Or do you not care as long as it works? For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @ may have participated in one.
Guest asrequested Posted January 6, 2018 @Swynol has a great blog for that stuff https://blog.awelswynol.co.uk/2017/06/easy-lets-encrypt-certificate
Guest asrequested Posted January 6, 2018 Posted January 6, 2018 And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps. 3
Luke 38955 Posted January 6, 2018 Posted January 6, 2018 And just to chime in. I would like a simple option in the server that would encrypt all traffic between the server and the emby apps. It's already there. Click require https. 1
Luke 38955 Posted January 6, 2018 Posted January 6, 2018 However @, now we have a new problem to consider. What has prevented you from discovering it on your own?
Guest asrequested Posted January 6, 2018 Posted January 6, 2018 However @, now we have a new problem to consider. What has prevented you from discovering it on your own? You mean, this? I'm not going through the hassle of creating, converting, importing and maintaining a certificate. It's a PITA. I just want to click it and forget it. It's actually easier for me to build a second gateway and configure a VPN service that will just continually run. Which is what I'm planning to do.
Luke 38955 Posted January 6, 2018 Posted January 6, 2018 Ok so in post #4, you are in the "don't care" camp. Is that correct?
Guest asrequested Posted January 6, 2018 Posted January 6, 2018 Ok so in post #4, you are in the "don't care" camp. Is that correct? Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted. 1
Tur0k 144 Posted January 7, 2018 (edited)

Outline to get a public domain and a publicly trusted SSL certificate is:

1. Open and forward port 8920 on your router to your Emby server.
   A. Ensure that your Emby server always gets the same IP address on your internal network. This is done by either:
      I. Statically IP addressing the server or
      II. Set up a DHCP reserved IP address in the router's DHCP configuration.
   B. I would also recommend not listing users on the login screen.
   C. I would also recommend not using the name "Admin" or "administrator" as the username of the administrative user account.
   D. I would not recommend linking the administrative user account to your Emby connect account.
   E. I would also recommend limiting the ability to delete media to non-administrative accounts.
2. Purchase a public domain. I pay google 12 dollars annually for mine.
   NOTE: There are probably cheaper solutions, just make sure that they will allow you to have a public DNS that you can manage, and allow you to have SSL certificates issued for them.
3. Configure a public DNS on the above host with a DNS record that points to your house's DHCP assigned public IP address (this is sometimes called a DDNS, A+, or synthetic record).
   A. Setup a DDNS client on a device in your network that will update the record if your public IP address changes.
   NOTE: most domain hosts will offer a software application that can do this. Also, most home routers have DDNS client capabilities built in.
4. Purchase an SSL certificate from a trusted public CA. I hear RapidSSL is really cheap. I have seen comodo work. Here, I use Let's Encrypt. For let's encrypt you would need to setup an Acme client to keep your cert issued every 90 days.
   A. Create a CSR on the Emby server.
   B. Upload the CSR to the CA
   C. Download the certificate once it is issued.
   D. Possibly convert it to a PFX file.
   E. Link the SSL certificate's location and password in your Emby Server.

NOTE:
1. You will likely need to pay annually for steps 2 and 4.
2. You will likely need to perform step 4D- 4E annually.
3. If you change operating systems or upgrade the OS you would need to create a new CSR and re-issue the SSL certificate.

I will add in the references that I have on how to do this once I get back home.

Sent from my iPhone using Tapatalk
Edited January 7, 2018 by Tur0k
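Steps 4D and 4E of the outline above, plus the renewal caveat in its notes, as an added example that is not part of Tur0k's post or Emby's own tooling: it bundles a PEM certificate and key into a password-protected PFX and checks how long the result stays valid. The file names, the `emby` alias and the `PFX_PASS` variable are assumptions, and the demo certificate is a constructed self-signed stand-in for a CA-issued one.

```shell
#!/bin/sh
# Added example. File names, the "emby" alias and PFX_PASS are assumptions;
# only standard openssl subcommands are used.

# make_pfx CERT_PEM KEY_PEM OUT_PFX
# Bundle a PEM certificate (or full chain) and its private key into a
# password-protected PFX. The password is read from $PFX_PASS via "env:" so it
# does not appear in the process list or in shell history.
make_pfx() {
  [ -n "${PFX_PASS:-}" ] || { echo "set PFX_PASS first" >&2; return 2; }
  # Refuse to bundle a key that does not belong to the certificate.
  cert_pub=$(openssl x509 -in "$1" -noout -pubkey) || return 1
  key_pub=$(openssl pkey -in "$2" -pubout) || return 1
  [ "$cert_pub" = "$key_pub" ] || { echo "key does not match certificate" >&2; return 1; }
  # The PFX contains the private key, so create it owner-readable only.
  ( umask 077
    PFX_PASS=$PFX_PASS openssl pkcs12 -export -in "$1" -inkey "$2" \
      -name emby -out "$3" -passout env:PFX_PASS )
}

# pfx_valid_for PFX DAYS
# Succeeds only if the PFX opens with $PFX_PASS and its leaf certificate stays
# valid for at least DAYS more days (a renewal check for 90-day certificates).
pfx_valid_for() {
  PFX_PASS=$PFX_PASS openssl pkcs12 -in "$1" -passin env:PFX_PASS -nokeys -clcerts 2>/dev/null |
    openssl x509 -noout -checkend "$(( $2 * 86400 ))" >/dev/null 2>&1
}

# demo: constructed 90-day self-signed certificate standing in for a real one.
demo() {
  d=$(mktemp -d) || return 1
  openssl req -x509 -newkey rsa:2048 -nodes -days 90 -subj "/CN=emby.example.test" \
    -keyout "$d/key.pem" -out "$d/cert.pem" 2>/dev/null || return 1
  PFX_PASS='constructed-demo-password'
  make_pfx "$d/cert.pem" "$d/key.pem" "$d/emby.pfx" || return 1
  if pfx_valid_for "$d/emby.pfx" 30; then echo "valid for 30+ days"; else echo "renew now"; fi
  rm -rf "$d"
}

if [ "${1:-}" = demo ]; then demo; fi
```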
ebr 15474 Posted January 7, 2018 Posted January 7, 2018 Yeah. I don't want to configure proxies, and domains etc. I just want the traffic encrypted. You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...? 3
adrianwi 251 Posted January 7, 2018 Posted January 7, 2018 (edited) To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service. It marked the beginning of the end for my Plex journey Edited January 7, 2018 by adrianwi 4
ebr 15474 Posted January 7, 2018 Posted January 7, 2018 To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service. Yes, because they are doing this: You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?
Guest asrequested Posted January 7, 2018 Posted January 7, 2018 You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...? Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and applying a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption, is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot. 3
Jdiesel 1253 Posted January 7, 2018 I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice. While Plex's solution isn't ideal it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates. My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.
Guest asrequested Posted January 7, 2018 Maybe even offer it as some sort of service plan? I'd be happy to pay an annual fee to emby for a 'one click' security option.
Spaceboy 2563 Posted January 7, 2018 I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice. While Plex's solution isn't ideal it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates. My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard. While I wouldn't use it, this is a great idea.
regid 6 Posted January 7, 2018 Author Posted January 7, 2018 Hey, Luke. I think Doofus and Jdiesel really nailed it. A simple. secure, "one click" implementation for those who are not very tech savvy or just don't have a need/desire for advanced features. It's something I imagine everyone should turn on. Thanks for entertaining the discussion, Luke. And Thank you fellow Emby members for clarifying what I was trying to say. Do you want to have a domain name owned by someone else that resolves/points to your ip address? Or do you not care as long as it works? For us that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that if you search our community there are numerous guides here about it. I think @ may have participated in one. 1
Tur0k 144 Posted January 7, 2018 (edited) I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDOS attack mitigation. To me it sounds like our less techy users are asking for a Cloudflare (https://www.cloudflare.com) like service. In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare. Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system). It looks like Cloudflare's free service gives you a publicly trusted SSL. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients. I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare. Sent from my iPhone using Tapatalk Edited January 7, 2018 by Tur0k
Jdiesel 1253 Posted January 7, 2018 I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDOS attack mitigation. To me it sounds like our less techy users are asking for a Cloudflare (https://www.cloudflare.com) like service. In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare. Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system). It looks like Cloudflare's free service gives you a publicly trusted SSL. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients. I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare. Sent from my iPhone using Tapatalk This is what I did for a while and it was simple to set up and worked quite well. Emby has since removed the ability to generate self-signed certificates, at least on the .Net Core version, so you now need to generate your own self-signed certificate for the connection between your server and Cloudflare.
Guest asrequested Posted January 7, 2018 Posted January 7, 2018 It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance. 1
CBers 6969 Posted January 7, 2018 Posted January 7, 2018 This is why I haven't set up a reverse proxy. I could, but it's just a nuisance. I tend to agree, but I have a reverse proxy (nginx) in place now and it all works without hardly any intervention. Although saying that, I did have someone access my Emby server somehow, but a quick re-jig seems to have stopped that. I'm not saying a reverse proxy is more secure, but I never had any intrusions before I set it up.
ebr 15474 Posted January 8, 2018 Posted January 8, 2018 Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and applying a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption, is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot. Yes, we understand. I just wanted to be sure you understood the implications of that simplicity meant that your "secure" setup was under someone else's control. If you're okay with that, then that's fine.