
Security 101: Secure Connections


regid


Guest asrequested

Yes, we understand. I just wanted to be sure you understood the implications of that simplicity: it meant that your "secure" setup was under someone else's control.

 

If you're okay with that, then that's fine.

 

It would still be a choice for us to use it or not. And I'm sure you could add a disclaimer. 


Tur0k

From what I understand users don't want to:

1. Manually configure their home router to port forward.

2. Own their own domain.

3. Manage their own public DNS.

4. Manage their SSL certificates for secure remote access.

5. Manage their SSL certificates between an intermediate service like a reverse proxy or Cloudflare-like service and their Emby server.

 

The Emby install has the ability to set up port forwarding on routers that are UPnP enabled. As long as this remains functional, this should sufficiently address gripe 1.

 

From what I can see the Emby Connect service is the offering for novice users to access their systems from a secure web server remotely. This service mitigates gripes 2, 3, and 4.

 

Emby Connect requires an Emby server's edge router to be set up with port forwarding, and an SSL certificate to be configured in Emby server (if forcing encrypted external connections).

 

It might be worth looking into furthering the development of the Emby Connect service to mimic the steps that Cloudflare uses to encrypt data between Cloudflare and the source web service.

Meaning, provide an SSL certificate between an end user's Emby server instance and the Emby Connect service.

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

It might be worth looking into furthering the development of the Emby Connect service to mimic the steps that Cloudflare uses to encrypt data between Cloudflare and the source web service.

Meaning, provide an SSL certificate between an end user's Emby server instance and the Emby Connect service.

 

Yes, some flavor of that is what we are discussing.

 

However, it is important to understand that, right now, Emby Connect is a dynamic DNS service rather than a go-between for your traffic. It is simply used to obtain the proper address. None of the actual traffic goes through it.


Tur0k

Yeah, I assumed it was more of a DDNS and didn't act as a proxy. That kind of cloud-hosted backend infrastructure and HA design is likely costly.

 

I would like to chime in and say that it would be nice to maintain configuration options that allow users who want it to host their own secure remote access at their own home.

 

 

Sent from my iPhone using Tapatalk

Edited by Tur0k

Guest asrequested

The cost of being a proxy is why I suggested it could be a paid service. An annual fee. Pay your money, click a box in the server, and some measure of security is applied. The one thing I hadn't considered is the legal ramifications. I guess that would put Emby in the hot seat if any of our servers got hacked.


Spaceboy

It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or to acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the Pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.

a reverse proxy is pretty set and forget

Guest asrequested

a reverse proxy is pretty set and forget

But you have to sign up for and manage the certificates etc. I've got enough subscriptions and accounts, I don't want any more. It's management that I just don't want.


Spaceboy

But you have to sign up for and manage the certificates etc. I've got enough subscriptions and accounts, I don't want any more. It's management that I just don't want.

No, nginx does this all for you. It is a set once and forget. You literally register your domain and email address on the first run and you are done with that for good.


Do any of you guys running reverse proxies whitelist certain IPs at your router level? This way only traffic from trusted IPs is forwarded to your reverse proxy?

 

I want to allow remote access but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield, it can play everything direct and you can run a VPN client on it.


CBers

No, nginx does this all for you. It is a set once and forget. You literally register your domain and email address on the first run and you are done with that for good.

Even I have an nginx reverse proxy :)

 

Mind you, I had a lot of help from @Swynol.


Jdiesel

Do any of you guys running reverse proxies whitelist certain IPs at your router level? This way only traffic from trusted IPs is forwarded to your reverse proxy?

 

I want to allow remote access but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield, it can play everything direct and you can run a VPN client on it.

 

Problem with this is if they run other services on their client. Unless you are able to do an advanced setup with routes you end up passing all their traffic (Netflix, Amazon, Hulu, etc) through your VPN and not just Emby.

Edited by Jdiesel

Good day,

 

Strange how media servers turn out to be more than web services nowadays, yes, with these remote and "other things".

 

I at most levels agree with Doofus on a media server.

 

I run web services on my NAS, but only with access for some friends and family members, and most of it not related to Emby.

 

My best


Problem with this is if they run other services on their client. Unless you are able to do an advanced setup with routes you end up passing all their traffic (Netflix, Amazon, Hulu, etc) through your VPN and not just Emby.

Right, you have to set the OpenVPN client config to only use the VPN for Emby traffic. Which shouldn't be hard; not easy, but not terrible either.

Edited by cryzis

Another issue is that the only auth check Emby has is basic user/pass. No 2FA, or IP whitelisting (for those who don't know how / can't at the router level).

 

Edit: I removed my unsolicited peanut gallery commentary

Edited by cryzis

Guest asrequested

Lol... you guys are really trying to sell me on the reverse proxy. So here's my deal. I have only opened a port for Emby. If there were a way that wasn't necessary, or could be secured by Emby, this issue would be moot, for me. I don't need my system to be the national reserve, with layers of security. That's why the simple option for me is to use a VPN. The intention was to use my USG for that, but it can't handle the encryption. I could run the VPN client on my server and just forward the port through their proxy, but I figure I'll put everything through the VPN and just stop thinking about it. Added bonus of adding pfSense and having more security.


Jdiesel

I think I have one of the simplest setups possible.

 

1. Purchased SSL cert for $5/year (Good for 3 years without renewal)

2. Purchased Google domain for $12/year

3. Generated CSR using openssl. Can use online tools if you trust them.

4. Verified domain by running a temporary webserver to host the validation file (domain.com/.well-known/pki-validation/). Once verified, the webserver is no longer needed.

5. Use openssl to generate pfx from csr and pem file. Can use online tools if you trust them.

6. Enter your external domain and path to your pfx into Emby.

 

Now I have a pfx good for 3 years that can be used directly in Emby. No need for a reverse proxy or Cloudflare, but both could be used if wanted.

 

Emby could integrate some of the functions of openssl and hosting the domain verification to make things very simple but that might be outside the scope of the software.

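Steps 3 and 5 of the setup above (CSR generation and building the pfx) done with openssl, as an added example that is not from the thread or from Emby. It assumes a placeholder hostname `emby.example.invalid`, that the CA returns the signed certificate as `emby.crt` (with an optional chain in `emby-chain.pem`), and it includes a self-signed stand-in for the CA so the whole flow can be exercised offline; the step 4 domain validation is not reproduced.

```shell
#!/bin/sh
# Added example, not from the thread: steps 3 and 5 of the setup above with
# openssl. Assumes the CA returns the signed certificate as "$name.crt" with an
# optional chain in "$name-chain.pem"; the hostname used is a placeholder.
set -eu
# Step 3: private key plus CSR. The SAN is written via a small config file
# because clients ignore the CN on its own; the CA signs what the CSR asks for.
make_csr() {
  name="$1" fqdn="$2"
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out "$name.key" 2>/dev/null
  chmod 600 "$name.key"     # the private key never leaves this host
  printf '%s\n' '[req]' 'prompt = no' 'distinguished_name = dn' \
    'req_extensions = ext' '[dn]' "CN = $fqdn" '[ext]' \
    "subjectAltName = DNS:$fqdn" > "$name.cnf"
  openssl req -new -key "$name.key" -config "$name.cnf" -out "$name.csr"
}
# Check before submitting to the CA: does the CSR carry the intended SAN?
csr_has_san() {
  openssl req -in "$1.csr" -noout -text | grep -q "DNS:$2"
}
# Offline stand-in for the CA (the step 4 domain check is skipped here):
# self-sign the CSR so the rest of the flow can be run without buying a cert.
self_sign_for_testing() {
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 \
    -out "$1.crt" 2>/dev/null
}
# Step 5: bundle key + signed cert (+ chain, if present) into the PKCS#12
# file whose path is then entered into Emby in step 6.
make_pfx() {
  name="$1" password="$2" chain=""
  if [ -f "$name-chain.pem" ]; then chain="-certfile $name-chain.pem"; fi
  # $chain is intentionally unquoted so it splits into flag + filename
  openssl pkcs12 -export -inkey "$name.key" -in "$name.crt" $chain \
    -passout "pass:$password" -out "$name.pfx"
}
# Read the certificate subject back out of the pfx to confirm it opens.
pfx_subject() {
  openssl pkcs12 -in "$1.pfx" -passin "pass:$2" -nokeys 2>/dev/null |
    openssl x509 -noout -subject
}
demo() {   # full flow in a scratch directory; run with: sh this.sh run
  cd "$1" && make_csr emby emby.example.invalid && csr_has_san emby emby.example.invalid \
    && self_sign_for_testing emby && make_pfx emby changeit && pfx_subject emby changeit
}
if [ "${1:-}" = "run" ]; then demo "$(mktemp -d)"; fi
```

For a real deployment, submit `emby.csr` to the CA instead of calling `self_sign_for_testing`, save what comes back as `emby.crt` and `emby-chain.pem`, and keep `emby.key` and the pfx password out of any shared location.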

Guest asrequested

Yeah, see that's just too much jiggery pokery, for me. Can I do it? Yes. Do I want to create 3 more accounts? No.

Edited by Doofus

CBers

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

 

Yes? No?


Jdiesel

Yeah, see that's just too much jiggery pokery, for me. Can I do it? Yes. Do I want to create 3 more accounts? No.

 

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.


Jdiesel

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

 

Yes? No?

 

Was this question directed at anyone specific? I would argue that an OpenVPN connection would be the safest/most secure option.


CBers

Was this question directed at anyone specific? I would argue that an OpenVPN connection would be the safest/most secure option.

Only at someone who knows the answer :)


Guest asrequested

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

 

Yes? No?

See, that's the point. If you have multiple systems (security cams etc.) then it makes sense, but we are only talking about protecting your Emby server. The average Emby customer is just watching their own movies, and wants to be able to watch them when they're away from home. So they have to open a port. It would be nice to be able to have some kind of easy security for those people. For people who want more, they have other options.

Edited by Doofus

Guest asrequested

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.

I think it would be a good option for the basic Emby customer.

 

For me, I'm just going to build a second gateway and use a VPN.

Edited by Doofus

Spaceboy

Lol... you guys are really trying to sell me on the reverse proxy. So here's my deal. I have only opened a port for Emby. If there were a way that wasn't necessary, or could be secured by Emby, this issue would be moot, for me. I don't need my system to be the national reserve, with layers of security. That's why the simple option for me is to use a VPN. The intention was to use my USG for that, but it can't handle the encryption. I could run the VPN client on my server and just forward the port through their proxy, but I figure I'll put everything through the VPN and just stop thinking about it. Added bonus of adding pfSense and having more security.

Just ensuring that other readers get accurate information :)
