Security 101: Secure Connections


regid


Hello, all

Coming from the Plex world, Secure Connections was easy to turn on (actually on by default). I am trying to determine if Emby has that on by default, or what steps I might have to perform, or if it's a non-issue. I am really hoping whatever is involved is pretty straightforward. When I (or a friend) access my Emby server remotely I'd like to be reasonably secure. I liked that "no brainer" aspect of Plex. When I looked in the "Hosting" area of Emby server I saw a check box for requiring HTTPS (the equivalent of secure connections... maybe?) but it then asked me about certs and stuff and I got lost. I'd rather not go to Plex for external access. I really think Emby is a superior product in many ways.

 

Also, if there is a particular section of Emby (Guide/Site, etc.) that really breaks down most of the security-related information, I'd appreciate it. I'd like to be more knowledgeable. What I've found in the forums is not really clear to me and seems to be spread all over the place.

 

Thank You


Hi, the only reason it's not on by default is because you need to supply an SSL cert in the advanced section.

 

You can easily create one with something like Let's Encrypt.

 

Please let us know if this helps. Thanks !


Hey, Luke

I've already been struggling with how to set up Let's Encrypt. It's probably me. I'll take a break and try to figure it out later. I'll just disable external access until I can figure it out. Let me put it to the Emby team that it might be a great idea to find a way to incorporate this functionality natively (or as a plugin) for those of us who are a little less technical.

 

I appreciate the quick response...

Hi, the only reason it's not on by default is because you need to supply an SSL cert in the advanced section.

You can easily create one with something like Let's Encrypt.

Please let us know if this helps. Thanks !


Do you want to have a domain name owned by someone else that resolves/points to your IP address? Or do you not care as long as it works?

 

For us, that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that, if you search our community there are numerous guides here about it. I think @ may have participated in one.


Guest asrequested

And just to chime in, I would like a simple option in the server that would encrypt all traffic between the server and the Emby apps.

  • Like 3

And just to chime in, I would like a simple option in the server that would encrypt all traffic between the server and the Emby apps.

 

It's already there. Click require https.

  • Like 1

However @, now we have a new problem to consider. What has prevented you from discovering it on your own?


Guest asrequested

However @, now we have a new problem to consider. What has prevented you from discovering it on your own?

 

You mean, this?

 

[attached screenshot: Snapshot_388.jpg]

 

I'm not going through the hassle of creating, converting, importing and maintaining a certificate. It's a PITA. I just want to click it and forget it. It's actually easier for me to build a second gateway and configure a VPN service that will just continually run. Which is what I'm planning to do. 


Guest asrequested

Ok so in post #4, you are in the "don't care" camp. Is that correct?

 

Yeah. I don't want to configure proxies and domains, etc. I just want the traffic encrypted.

  • Like 1

Tur0k

The outline to get a public domain and a publicly trusted SSL certificate is:

 

1. Open and forward port 8920 on your router to your Emby server.

A. Ensure that your Emby server always gets the same IP address on your internal network. This is done by either:

I. Statically IP addressing the server, or

II. Setting up a DHCP reserved IP address in the router's DHCP configuration.

 

B. I would also recommend not listing users on the login screen.

C. I would also recommend not using the name "Admin" or "Administrator" as the username of the administrative user account.

D. I would not recommend linking the administrative user account to your Emby connect account.

E. I would also recommend limiting the ability to delete media to non-administrative accounts.

 

2. Purchase a public domain. I pay Google 12 dollars annually for mine.

NOTE: There are probably cheaper solutions, just make sure that they will allow you to have a public DNS that you can manage, and allow you to have SSL certificates issued for them.

 

3. Configure a public DNS on the above host with a DNS record that points to your house's DHCP assigned public IP address (this is sometimes called a DDNS, A+, or synthetic record).

A. Set up a DDNS client on a device in your network that will update the record if your public IP address changes. NOTE: most domain hosts will offer a software application that can do this. Also, most home routers have DDNS client capabilities built in.

 

4. Purchase an SSL certificate from a trusted public CA. I hear RapidSSL is really cheap. I have seen Comodo work. Here, I use Let's Encrypt. For Let's Encrypt you would need to set up an ACME client to keep your cert issued every 90 days.

A. Create a CSR on the Emby server.

B. Upload the CSR to the CA.

C. Download the certificate once it is issued.

D. Possibly convert it to a PFX file.

E. Link the SSL certificate's location and password in your Emby Server.

 

NOTE:

1. You will likely need to pay annually for steps 2 and 4.

2. You will likely need to perform steps 4D-4E annually.

3. If you change operating systems or upgrade the OS you would need to create a new CSR and re-issue the SSL certificate.

 

I will add in the references that I have on how to do this once I get back home.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k
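The certificate part of the outline above (steps 4A to 4E plus the 90-day renewal note), as an added shell example that is not part of Tur0k's post and not Emby's own tooling. It drives the openssl CLI; a throwaway local CA stands in for the public CA of steps 4B/4C so the script runs offline, and the hostname emby.example.com and the PFX password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not from the thread: steps 4A-4E of the outline with the
# openssl CLI, plus the expiry check that decides when a 90-day certificate
# needs renewing. Assumptions (none come from the thread): the hostname
# emby.example.com, a throwaway local CA standing in for the real public CA
# so the script runs offline, and a placeholder PFX password.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
HOST="${HOST:-emby.example.com}"
PFX_PASS="${PFX_PASS:-change-me}"   # placeholder; Emby asks for it in step 4E

# Request config: a SAN entry is mandatory, browsers ignore CN-only certs.
write_req_config() {
  cat > "$WORKDIR/req.cnf" <<EOF
[req]
prompt = no
distinguished_name = dn
req_extensions = ext
[dn]
CN = $HOST
[ext]
subjectAltName = DNS:$HOST
EOF
  echo "$WORKDIR/req.cnf"
}

# Step 4A: key and CSR are generated on the Emby server. The private key never
# leaves the box; only the CSR (public key + name) goes to the CA.
make_csr() {
  cfg=$(write_req_config)
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORKDIR/$HOST.key" -out "$WORKDIR/$HOST.csr" \
    -config "$cfg" >/dev/null 2>&1
  echo "$WORKDIR/$HOST.csr"
}

# Steps 4B/4C stand-in: a throwaway local CA signs the CSR for 90 days, the
# lifetime Let's Encrypt issues. A real CA does this only after validating
# that you control the domain; the PEM file it returns looks the same.
issue_with_local_ca() {
  csr="$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORKDIR/ca.key" -out "$WORKDIR/ca.crt" \
    -config "$WORKDIR/req.cnf" -subj "/CN=Local stand-in CA" >/dev/null 2>&1
  openssl x509 -req -in "$csr" -CA "$WORKDIR/ca.crt" -CAkey "$WORKDIR/ca.key" \
    -CAcreateserial -days 90 -extfile "$WORKDIR/req.cnf" -extensions ext \
    -out "$WORKDIR/$HOST.crt" >/dev/null 2>&1
  echo "$WORKDIR/$HOST.crt"
}

# Step 4D: bundle key + certificate + issuer chain into one password-protected
# PFX (PKCS#12) file, which is what step 4E points Emby at.
convert_to_pfx() {
  openssl pkcs12 -export -inkey "$WORKDIR/$HOST.key" -in "$1" \
    -certfile "$WORKDIR/ca.crt" -out "$WORKDIR/$HOST.pfx" \
    -passout "pass:$PFX_PASS"
  echo "$WORKDIR/$HOST.pfx"
}

# Sanity check before step 4E: the PFX opens with the password and carries the
# expected server name (prints the certificate subject).
pfx_subject() {
  openssl pkcs12 -in "$1" -passin "pass:$PFX_PASS" -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject
}

# Renewal decision: succeeds (exit 0) when the cert expires within $2 days.
# openssl -checkend exits non-zero once expiry falls inside the window; a
# nightly cron job polls this and triggers the ACME client.
cert_needs_renewal() {
  if openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null 2>&1; then
    return 1   # more than $2 days left
  fi
  return 0     # inside the window: renew now
}

# Run the whole flow:  sh cert-steps.sh run
if [ "${1:-}" = "run" ]; then
  csr=$(make_csr)
  crt=$(issue_with_local_ca "$csr")
  pfx=$(convert_to_pfx "$crt")
  pfx_subject "$pfx"
  if cert_needs_renewal "$crt" 30; then echo "renew now"; else echo "renewal not yet due"; fi
fi
```

With a real CA, `issue_with_local_ca` is replaced by steps 4B/4C: the CSR file goes to the CA (or, for Let's Encrypt, the ACME client performs the whole exchange) and the certificate you download is what `convert_to_pfx` bundles. `cert_needs_renewal` is the check to schedule; with Let's Encrypt's 90-day lifetime, renewing once fewer than 30 days remain is the usual trigger.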

Yeah. I don't want to configure proxies and domains, etc. I just want the traffic encrypted.

 

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

  • Like 3

adrianwi

To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.  It marked the beginning of the end for my Plex journey  :(

Edited by adrianwi
  • Like 4

To be fair, Plex did provide quite a clever solution for this, but the trade-off was it only worked where the clients and server were connected to the plex.tv service.  

 

Yes, because they are doing this:

 

 

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?


Guest asrequested

You want the traffic encrypted but you don't care that some other entity is maintaining a domain pointing directly to your public IP address and they are actually the ones in control of the certificate that encrypts that traffic...?

Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and apply a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.

  • Like 3

Jdiesel

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

 

While Plex's solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

 

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

  • Like 9

Guest asrequested

Maybe even offer it as some sort of service plan? I'd be happy to pay an annual fee to Emby for a 'one click' security option.

  • Like 2

Spaceboy

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

 

While Plex's solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

 

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

While I wouldn’t use it, this is a great idea.
  • Like 2

Hey, Luke. I think Doofus and Jdiesel really nailed it. A simple, secure, "one click" implementation for those who are not very tech savvy or just don't have a need/desire for advanced features. It's something I imagine everyone should turn on.

Thanks for entertaining the discussion, Luke. And thank you, fellow Emby members, for clarifying what I was trying to say.

 

Do you want to have a domain name owned by someone else that resolves/points to your IP address? Or do you not care as long as it works?

 

For us, that is essentially what we would need to decide upon if we were going to just include it out of the box. Having said that, if you search our community there are numerous guides here about it. I think @ may have participated in one.

  • Like 1

Tur0k

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

 

To me it sounds like our less techy users are asking for a Cloudflare (https://www.cloudflare.com) like service.

 

In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare.

 

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

 

It looks like Cloudflare's free service gives you a publicly trusted SSL. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

 

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Jdiesel

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

 

To me it sounds like our less techy users are asking for a Cloudflare (https://www.cloudflare.com) like service.

 

In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare.

 

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

 

It looks like Cloudflare's free service gives you a publicly trusted SSL. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

 

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

 

 

Sent from my iPhone using Tapatalk

This is what I did for a while, and it was simple to set up and worked quite well. Emby has since removed the ability to generate self-signed certificates, at least on the .NET Core version, so you now need to generate your own self-signed certificate for the connection between your server and Cloudflare.

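The self-signed certificate Jdiesel describes for the proxy-to-Emby hop, as an added shell example that is not from the post, from Emby or from Cloudflare. It generates the certificate with a matching SAN, exports it to the PFX form Emby loads, and then shows with openssl what a self-signed cert buys and does not buy: a public client rejects it, while a proxy pinned to that exact certificate accepts it for the right hostname only. Assumptions: the hostname emby.example.com and the PFX password are constructed placeholders, and openssl 1.1.1 or newer (for `-addext`).

```shell
#!/bin/sh
# Added example, not from the thread: a self-signed certificate for the
# proxy -> Emby origin hop, plus the trust checks that define where it is
# acceptable. Assumptions: emby.example.com (constructed), a placeholder
# PFX password, openssl >= 1.1.1.
set -eu

WORKDIR="${WORKDIR:-$(mktemp -d)}"
ORIGIN_HOST="${ORIGIN_HOST:-emby.example.com}"
PFX_PASS="${PFX_PASS:-change-me}"   # placeholder

# Key and certificate in one step: the cert is signed by its own key, so there
# is no CSR and no CA. The SAN must be the name the proxy dials, or a proxy
# that validates hostnames will refuse the connection.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 825 \
    -keyout "$WORKDIR/origin.key" -out "$WORKDIR/origin.crt" \
    -subj "/CN=$ORIGIN_HOST" -addext "subjectAltName=DNS:$ORIGIN_HOST" \
    >/dev/null 2>&1
  echo "$WORKDIR/origin.crt"
}

# Emby loads key + cert as a single password-protected PFX file.
export_pfx() {
  openssl pkcs12 -export -inkey "$WORKDIR/origin.key" -in "$1" \
    -out "$WORKDIR/origin.pfx" -passout "pass:$PFX_PASS"
  echo "$WORKDIR/origin.pfx"
}

# What a public client (browser, Emby app on the internet) sees: no chain to
# a trusted root, so verification fails. This cert must never be the one
# facing the public side.
trusted_by_public_store() {
  openssl verify "$1" >/dev/null 2>&1
}

# What a proxy sees once it is pinned to this exact certificate (the cert is
# its own trust anchor) and checks the hostname it connects to. This is the
# only hop where a self-signed cert is acceptable.
trusted_by_pinned_proxy() {
  openssl verify -CAfile "$1" -verify_hostname "$2" "$1" >/dev/null 2>&1
}

# Run the whole flow:  sh origin-cert.sh run
if [ "${1:-}" = "run" ]; then
  crt=$(make_self_signed)
  export_pfx "$crt"
  trusted_by_public_store "$crt" && echo "public store: trusted" || echo "public store: rejected"
  trusted_by_pinned_proxy "$crt" "$ORIGIN_HOST" && echo "pinned proxy: trusted" || echo "pinned proxy: rejected"
fi
```

The two verify functions are the point: the public-facing certificate (the one Cloudflare presents to your clients in Jdiesel's setup) still has to come from a publicly trusted CA, and the self-signed one only works because the proxy is explicitly told to trust it. A proxy mode that does not validate the origin certificate at all would accept anything on that hop, so prefer a mode that checks it.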

Guest asrequested

It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or to acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the Pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.

  • Like 1

CBers

This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.

I tend to agree, but I have a reverse proxy (nginx) in place now and it all works with hardly any intervention.

 

Although saying that, I did have someone access my Emby server somehow, but a quick re-jig seems to have stopped that.

 

I'm not saying a reverse proxy is more secure, but I never had any intrusions before I set it up.


Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and apply a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.

 

Yes, we understand. I just wanted to be sure you understood the implications: that simplicity means your "secure" setup is under someone else's control.

 

If you're okay with that, then that's fine.
