
Security 101: Secure Connections


regid


MSattler

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.

 

One of the reasons I've stayed with Plex since my switch. I like the fact that I don't have to worry about someone brute-forcing their way into my Emby install. It's not a worry with Plex: unless their endpoint has been authenticated, they are trying to brute-force against the Plex login servers. And the only endpoints that are authenticated, unless someone has got my Plex login info.

 

Now I'm making the assumption that the Plex guys are doing something like banning IPs that repeatedly try to access various Plex servers over and over and fail auth. Regardless, I don't have to worry about it. I actually requested the same thing as a feature request for Emby a while back: just allow me to turn off Emby web or client access unless the client/browser has been authenticated.


Tur0k

Do any of you guys running reverse proxies whitelist certain IPs at your router level, so that only traffic from trusted IPs is forwarded to your reverse proxy?

 

I want to allow remote access but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield, it can play everything direct and you can run a VPN client on it.

I do the opposite actually. I have blacklists that systematically deny access to nodes or entire blocks of the public Internet. I block by publicly maintained lists. I block traffic to and from:

1. IP Nodes that deal in illicit content.

2. Known malicious sites.

3. World regions (that I know I will never connect from)

 

I do this using an add on to my PFsense firewall called PFBlockerNG.

 

 

Sent from my iPhone using Tapatalk


Tur0k

I think I have one of the simplest setups possible.

 

1. Purchased SSL cert for $5/year (Good for 3 years without renewal)

2. Purchased Google domain for $12/year

3. Generated CSR using openssl. Can use online tools if you trust them.

4. Verified domain by running a temporary webserver to host the validation file (domain.com/.well-known/pki-validation/). Once verified, the webserver is no longer needed.

5. Use openssl to generate pfx from csr and pem file. Can use online tools if you trust them.

6. Enter your external domain and path to your pfx into Emby.

 

Now I have a pfx good for 3 years that can be used directly in Emby. No need for a reverse proxy or cloudflare but both could be used if wanted.

 

Emby could integrate some of the functions of openssl and hosting the domain verification to make things very simple but that might be outside the scope of the software.

Seems pretty easy to me too, but I think that we as a user group may need to do a better job of creating a single place to find a guide.

 

 

Sent from my iPhone using Tapatalk


Guest asrequested

We have to remember that we are all nerds lol. We dig this stuff :) But there is a legion of people that just want to watch their movies, and they won't/can't do this stuff. We don't represent the general emby user.


Tur0k

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/most secure option.

 

Yes? No?

This is difficult to answer.

 

The most secure network is the network that isn't connected to the Internet, has no avenues to introduce new resources (ex: no USB inputs that people could add USB flash drives to), and is located in physically separate quarters.

 

Once that isn't an option you talk about risk appetite. Some people are ok with going about the normal process and getting their systems on the public Internet. They may even be ok with doing all that insecurely.

 

Reverse proxies are just that: a proxy. They are a tool in the Bat-belts of network guys. You can SSL-secure them, and you can client-authenticate using credentials and/or certificates so only people with the right authentication or client certificate are allowed access. That last part means you can support mutual authentication and multi-factor authentication.

 

VPNs are designed to create secure tunnels. They are designed to allow for mutual authentication, and can support multi-factor authentication.

 

The most secure places I have worked had completely separate networks for their prized data, others forced 100% SSL encryption over VPN.

 

 

Sent from my iPhone using Tapatalk


Tur0k

We have to remember that we are all nerds lol. We dig this stuff :) But there is a legion of people that just want to watch their movies, and they won't/can't do this stuff. We don't represent the general emby user.

Good point. I think we have mapped out what we would like to offer the spectrum of users as a user group:

 

1. Emby connect redesigned to function as more of a proxy.

 

I. Minimal user configuration.

II. Check a box, pay the monthly charge.

 

2. Use your own cloud hosted proxy provider like cloudflare. (Should we create a published configuration guide?)

 

I. Requires Port forwarding on home router

II. Requires purchase of a public domain with public DNS.

 

3. Use the built in secure web configuration in Emby.

 

I. Requires Port forwarding on home router

II. Requires purchase of a public domain with public DNS.

III. Use of either self-signed or publicly trusted cert (paid).

 

4. Set up your own service

 

A. VPN

 

I. Requires Port forwarding on home router

II. Requires purchase of a public domain with public DNS unless you plan on using public IP address.

III. Management of a local CA for server and client certificates and VPN user accounts.

 

B. Reverse proxy

 

I. Requires Port forwarding on home router

II. Requires purchase of a public domain with public DNS unless you plan on using public IP address.

III. Use of either self-signed or publicly trusted cert (paid).

IV. Management and configuration of the reverse proxy.

V. Possible management of a local CA for client certificates.

 

 

Sent from my iPhone using Tapatalk


I do the opposite actually. I have blacklists that systematically deny access to nodes or entire blocks of the public Internet. I block by publicly maintained lists. I block traffic to and from:

1. IP Nodes that deal in illicit content.

2. Known malicious sites.

3. World regions (that I know I will never connect from)

 

I do this using an add on to my PFsense firewall called PFBlockerNG.

 

 

Sent from my iPhone using Tapatalk

Ahh yeah, that's another way to do it. I just figured it was easier and more secure, but there is the hassle of dealing with IPs that update. Although you could set up each user with DyDns and whitelist their domains.

Tur0k

Ahh yeah, that's another way to do it. I just figured it was easier and more secure, but there is the hassle of dealing with IPs that update. Although you could set up each user with DyDns and whitelist their domains.

So that is a good way to do that. I am working on an offsite solution with a friend. We are going to set up a site-to-site VPN and map our NAS systems across the tunnel. Our plan is to use synthetic records (DDNS) to confirm the remote source, then use mutual authentication using certificates and usernames/passwords to authenticate the tunnel, and then use a secure protocol (possibly SFTP) to encrypt the data in transit across the tunnel.

 

Currently, one of my network projects as it relates to my reverse proxy is to stand up client authentication using X.509 certificates. This would mean that even though I am opening port 443 to secure connections, the connection is denied unless the source client can provide the required X.509 certificate, further limiting my vulnerable surface area.

 

I am planning on waiting until after I build my new home VM host and stand up a domain controller, and then move all authentication to that.

 

Last time I used a DynDNS provider they wanted $40 a year, the domain was a 3rd-level domain and I wasn't able to get Let's Encrypt SSL certificates for it. With my $12 Google 2nd-level domain, I can stand up an unlimited number of 3rd-level domain records.

 

 

Sent from my iPhone using Tapatalk

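The openssl steps Tur0k lists a few posts up (key and CSR, signed PEM back from the CA, bundled into a PFX for Emby) and the X.509 client-certificate check he describes for his reverse proxy, carried through as one added example. This is not code from the thread or from Emby: a throwaway local CA stands in for the commercial CA that signed his purchased certificate, the hostname emby.example.test, the PFX password and every file name are constructed for the demo, and the proxy's handshake check is reduced to `openssl verify` against the private client CA.

```shell
#!/bin/sh
# Added example, not from the thread. Needs the openssl CLI on PATH.
set -eu
command -v openssl >/dev/null || { echo "openssl not installed" >&2; exit 1; }

WORK="${WORK:-$(mktemp -d)}"
DOMAIN="emby.example.test"       # constructed placeholder, not a real host
PFX_PASS="demo-only-password"    # constructed; use your own in practice

# A self-signed CA. "public-ca" stands in for the commercial CA from the
# thread; "client-ca" is the private CA the reverse proxy will trust.
make_ca() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.crt" \
    -subj "/CN=$1 demo CA" 2>/dev/null
}

# Step 3 in the thread: server private key plus a CSR for the domain.
make_csr() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" \
    -subj "/CN=$DOMAIN" 2>/dev/null
}

# The CA signs the CSR and returns the PEM certificate. The SAN entry is
# what clients actually match against the hostname, so it is added here.
sign_csr() {
  printf 'subjectAltName=DNS:%s\n' "$DOMAIN" > "$WORK/san.ext"
  openssl x509 -req -in "$WORK/server.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 30 -extfile "$WORK/san.ext" -out "$WORK/server.pem" 2>/dev/null
}

# Step 5: key + signed cert bundled into the PFX that Emby takes directly.
make_pfx() {
  openssl pkcs12 -export -inkey "$WORK/server.key" -in "$WORK/server.pem" \
    -out "$WORK/emby.pfx" -passout "pass:$PFX_PASS"
}

# Sanity check of the bundle: open it with the password and read back the CN.
pfx_cn() {
  openssl pkcs12 -in "$WORK/emby.pfx" -passin "pass:$PFX_PASS" \
    -nokeys -clcerts 2>/dev/null \
    | openssl x509 -noout -subject | sed 's/.*CN *= *//'
}

# Client certificates for the proxy: issued by a CA of your choosing ($1)
# to a named user ($2). Only certs from client-ca should be accepted.
issue_client_cert() {
  openssl req -new -newkey rsa:2048 -nodes \
    -keyout "$WORK/$2.key" -out "$WORK/$2.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$2.csr" \
    -CA "$WORK/$1.crt" -CAkey "$WORK/$1.key" -CAcreateserial \
    -days 30 -out "$WORK/$2.crt" 2>/dev/null
}

# The proxy's decision on each handshake, reduced to a chain check: accept
# only if the presented certificate chains to the private client CA.
check_client() {
  if openssl verify -CAfile "$WORK/client-ca.crt" "$WORK/$1.crt" >/dev/null 2>&1
  then echo accept
  else echo reject
  fi
}

make_ca public-ca
make_ca client-ca
make_csr && sign_csr public-ca && make_pfx
issue_client_cert client-ca alice      # legitimate client
issue_client_cert public-ca mallory    # valid cert, wrong CA: must be rejected
echo "pfx subject CN: $(pfx_cn)"
echo "alice:   $(check_client alice)"
echo "mallory: $(check_client mallory)"
```

The mallory case is the point of the client-CA design: a certificate that is perfectly valid under some other CA (here the stand-in public one) still fails the chain check, so opening port 443 does not by itself open the proxy. A real proxy configuration would point its client-CA setting at client-ca.crt and require a certificate on every connection.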

So that is a good way to do that. I am working on an offsite solution with a friend. We are going to set up a site-to-site VPN and map our NAS systems across the tunnel. Our plan is to use synthetic records (DDNS) to confirm the remote source, then use mutual authentication using certificates and usernames/passwords to authenticate the tunnel, and then use a secure protocol (possibly SFTP) to encrypt the data in transit across the tunnel.

 

Currently, one of my network projects as it relates to my reverse proxy is to stand up client authentication using X.509 certificates. This would mean that even though I am opening port 443 to secure connections, the connection is denied unless the source client can provide the required X.509 certificate, further limiting my vulnerable surface area.

 

I am planning on waiting until after I build my new home VM host and stand up a domain controller, and then move all authentication to that.

 

Last time I used a DynDNS provider they wanted $40 a year, the domain was a 3rd-level domain and I wasn't able to get Let's Encrypt SSL certificates for it. With my $12 Google 2nd-level domain, I can stand up an unlimited number of 3rd-level domain records.

 

 

Sent from my iPhone using Tapatalk

I like the site to site plan, sounds like your friend is on the same page as you in regards to security.

 

I had no idea about the X509 certificates which sounds like a great option for further locking down the access.

 

Yeah, DyDNS comes with many domain providers now, so it's definitely an option.

 

I think I am at the point where the setup/upkeep outweighs the benefits.


Swynol

Another issue is that the only auth check Emby has is basic user/pass. No 2FA, or IP whitelisting (for those who don't know how / can't do it at the router level).

 

Edit: I removed my unsolicited peanut gallery commentary

 

Yeah, 2FA would be a nice step, maybe a one-off type code you have to use that authenticates you from whatever device you are using. If you had to use 2FA every time when logging in remotely it would soon get annoying; also, authenticating your IP wouldn't be an option as most people would probably be accessing it from a WAN address that is DHCP.

 

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

 

To me it sounds like our less techy users are asking for a Cloudflare (https://www.cloudflare.com) like service.

 

In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare.

 

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

 

It looks like Cloudflare's free service gives you a publicly trusted SSL cert. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

 

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

 

Sent from my iPhone using Tapatalk

 

 

Cloudflare is good, however there was a change to its packages recently. I can't remember what it was exactly, I think it's to do with websockets, but the free option won't work now.

 

EDIT - I was talking shit here. I've just set up a test domain running through Cloudflare; from registering a new domain to getting an SSL cert through Cloudflare and accessing my media, it took 30 mins. The SSL cert is managed by Cloudflare, which auto-renews. The cert required for the Emby server to the Cloudflare server has a 15-year expiry, so no need to renew any time soon. This was all done for free (including the domain name) and needs no intervention after configuring.

 

This is what I did for a while and it was simple to set up and worked quite well. Emby has since removed the ability to generate self-signed certificates, at least on the .NET Core version, so you now need to generate your own self-signed certificate for the connection between your server and Cloudflare.

 

 

Emby removing self-signed certs wasn't really Emby's fault, as a lot of OSes and some web browsers no longer accept self-signed certs.


Swynol

So, just caught up on this.

 

I have 2 opinions on it.

 

1. Yes, it would be nice to have an option to just turn on HTTPS to all clients, but it's not that easy and I can't see an easy way to do it. With Plex, plex.tv own the domain and the cert; they then know your IP and access your server. As long as the Plex servers don't get hacked your IP will remain secure. But you're putting your trust into them: they know your IP and your login details. Also, is the data from plex.tv to your server encrypted? Example: if you set up Cloudflare to access Emby, you go to your domain name, which forwards to Cloudflare (this is HTTPS), then Cloudflare accesses your server over regular HTTP. So still a semi-insecure connection?

 

With Emby you can't get a cert without a domain name (not talking about self-signed). So either Emby has to own the domain and you have a similar setup to Plex, or you own your own domain name and get a certificate.

 

2. The hardest part with setting up HTTPS is getting the cert for your own domain name. You can either pay for one which has a long expiry, or get a free one which you have to renew every 3 months (can be done automatically). The reason I use NGINX is because I have a load of services behind my reverse proxy which I can access remotely. So it makes sense for me to use this method.

 

 

The basics of this are: if you want to force HTTPS you need a domain name and a certificate. If you have a domain name, I can try and come up with the most basic and straightforward way to get a PFX cert for Emby. This should take about 30 mins to do.


Guest asrequested

I'm going to make things simpler for myself. I'm just going to run the VPN client on the server and open a port through them. It gets double encrypted, and it's really easy to manage.


CBers

I'm going to make things simpler for myself. I'm just going to run the VPN client on the server and open a port through them. It gets double encrypted, and it's really easy to manage.

How do you then access your server locally?

 

Which VPN do you use?


dcrdev

For me this solution is pretty robust:

 

  • Emby as is, without SSL
  • Apache reverse proxy on top of Emby
  • A certificate signed with a self-created certificate authority in Apache. That CA cert is installed on all my devices (iOS, Android, Kodi, computers).
  • An internal DNS server linking my domain to my server.
  • Externally, CloudFlare over my server with Universal SSL enabled - this means that anyone connecting externally doesn't need to install a certificate; it's already trusted. Plus the IP address becomes obscured, plus added DDoS protection and dynamic caching.

This setup means that I can seamlessly transition between the internal network and external - I can start playing something on my phone over wifi, walk out of the house with it still playing, and it will continue to work on data without so much as a stutter.


Guest asrequested

How do you then access your server locally?

 

Which VPN do you use?

It doesn't affect local access. Only when you're outside of your network. That's why I have to open a port on their service. And I use Torguard.


CBers

It doesn't affect local access. Only when you're outside of your network. That's why I have to open a port on their service. And I use Torguard.

 

I use TorGuard as well, but whenever I connect, the device I start the VPN on gets a different local IP address.

 

I'll have to double-check my settings.


For me this solution is pretty robust:

 

  • Emby as is, without SSL
  • Apache reverse proxy on top of Emby
  • A certificate signed with a self-created certificate authority in Apache. That CA cert is installed on all my devices (iOS, Android, Kodi, computers).
  • An internal DNS server linking my domain to my server.
  • Externally, CloudFlare over my server with Universal SSL enabled - this means that anyone connecting externally doesn't need to install a certificate; it's already trusted. Plus the IP address becomes obscured, plus added DDoS protection and dynamic caching.

This setup means that I can seamlessly transition between the internal network and external - I can start playing something on my phone over wifi, walk out of the house with it still playing, and it will continue to work on data without so much as a stutter.

If you posted your domain here and I visited it, I would get to your Emby login, correct?


Guest asrequested

I use TorGuard as well, but whenever I connect, the device I start the VPN on gets a different local IP address.

 

I'll have to double-check my settings.

Does it stop you from connecting locally? I'm able to connect. The address in the client is different, but your local IP shouldn't change.


CBers

Does it stop you from connecting locally? I'm able to connect. The address in the client is different, but your local IP shouldn't change.

Just tried and I can't find a problem, so ignore me for now.

 

I'll leave it running for a while and see if I do get any problems.


Guest asrequested

Just tried and I can't find a problem, so ignore me for now.

 

I'll leave it running for a while and see if I do get any problems.

It will block external connections, because there are no open ports. So if you have remote users, they'll have no access.


CBers

It will block external connections, because there are no open ports. So if you have remote users, they'll have no access.

No remote users, but I can still access Emby remotely as I have nginx in place.


Guest asrequested

No remote users, but I can still access Emby remotely as I have nginx in place.

I'm not sure how it interacts with nginx, but some of TG's servers have slow internet connections. But that may not be an issue for you.


CBers

I'm not sure how it interacts with nginx, but some of TG's servers have slow internet connections. But that may not be an issue for you.

 

Without TorGuard I get ~25Mb/s download, but with it on, it's still ~22Mb/s.
