Security 101: Secure Connections

[Luke 37062]

6 minutes ago, nahtay said:

Well Plex has it. 

Hi, but don't you want a personal media server and not one that puts your information into the cloud?

[KMBanana 84]

Some kind of certbot/letsencrypt/acme integration to get and pull a free SSL cert could conceivably be implemented, I do think it would be nice for less tech savvy users.  It still would require owning a domain, or having the user register with a 3rd party service like duckdns.  

 

Something well outside the scope of Emby's team that conceptually could be done is integrate a ddns type service into Emby.

Some setting or plugin on Emby is set up, it basically phones into Emby and tells it "I want to use <bazinga43> and am remotely connectable at <WAN IP ADDRESS> and here is my Emby premiere license."

Emby on their end makes an A record entry for something like bazinga43>.emby.media to the server WAN IP address, and the server then uses that to pull a free letsencrypt cert.  

[nahtay 2]

I dont want me media in the cloud, just be able to securely remotely access it not via http. 

[Happy2Play 8281]

Just now, nahtay said:

I dont want me media in the cloud, just be able to securely remotely access it not via http. 

But per your comment using Plex you are allowing them access to your media or at least them seeing absolutely everything you do through their servers.

[nahtay 2]

Well that shows my lack of understanding I guess. I thought it was encrypted. 

[Q-Droid 642]

34 minutes ago, nahtay said:

Well that shows my lack of understanding I guess. I thought it was encrypted. 

Plex can do what they do because they own the domains used to "give" you HTTPS. They also make you give them a login name and the login name for all of your users. This is what @Luke means when he asks if you'd rather have a personal media server that you control fully as well as your access details.

 

[nahtay 2]

I would but am struggling to know how to get https working on emby. 

[vaise 304]

6 minutes ago, nahtay said:

I would but am struggling to know how to get https working on emby. 

If you are every planning on hosting more than just emby in your home, maybe you should instead look at running a reverse proxy on your home system (nginx, caddy) and that goes between the internet and your services - and that does the SSL for you and automates updates of it.  Then in emby, you just tick the box that says 'handled by reverse proxy'.  Its no longer an 'emby' thing then.  There are threads on that I believe.

[nahtay 2]

step by step instructions?

[jaycedk 379]

Guess you should start with some lessons.

What is a reverse proxy? | Proxy servers explained | Cloudflare

[firefox1970 7]

I was using this Guide, works fine for me:

Synology: How to Allow Emby to Work Over an HTTPS Connection – Marius Hosting

[nahtay 2]

I don't have a synology but I have a couple domains. How would I create a reverse proxy for that?

[vaise 304]

Google nginx, caddy, have a read.  Learn it.  In the meantime you can also research wireguard or tailscale to safe access via a vpn.

[PrincessClevage 173]

Do yourself a favour and get yourself one of these:

https://firewalla.com
 

easy to setup and control with free WireGuard vpn for most devices to connect back to home from where ever you travel or share vpn with family, friends for access to emby 

[nahtay 2]

I have an API key from a domain, docker installed but I am struggling understanding docker commands for ngnix to get it working.

[Blam84 11]

Just hopping in to say that this thread has been active since 2018. From a basic customer service standpoint, offering a solution to those who don't want to get a college degree in networking just to use Emby securely is something the Devs should consider. I don't know the impact of offering this (cost, maintenance etc) so I concede if the demand is too much. But offering this as an OPTION and not a REQUIREMENT seems reasonable.

I'm just curious why this hasn't been developed and offered yet?

[Happy2Play 8281]

1 minute ago, Blam84 said:

I'm just curious why this hasn't been developed and offered yet?

And how would they do that?  Make you login to their servers like Plex does?  Then you lose your Personal media server and are tracked and monitor per the third party server.

 

 

[Blam84 11]

6 minutes ago, Happy2Play said:

And how would they do that?  Make you login to their servers like Plex does?  Then you lose your Personal media server and are tracked and monitor per the third party server.

 

 

That is correct, yes. And for those who don't care about being tracked, they would choose this option.

[Happy2Play 8281]

Just now, Blam84 said:

That is correct, yes. And for those who don't care about being tracked, they would choose this option.

I would assume the overhead running these servers would add a major additional cost.

[jaycedk 379]

Guess an ADMIN should educate them self.

They are administrating an infrastructure they won't.

If they don't know how to secure it them self and there infrastructure, they should not be admins.

Edited April 4 by jaycedk

[Blam84 11]

2 minutes ago, jaycedk said:

Guess an ADMIN should educate them self.

They are administrating an infrastructure they won't.

If they don't know how to secure it them self and there infrastructure, they should not be admins.

Interesting. I'm curious what you mean by Admin? Because I'm pretty certain all Emby users are not Admins sharing their content with others. I'm sure there are many who are regular people looking to stream their own content locally, and from the office or on vacation every so often. 

Are you suggesting these folks need to be just as educated? 

[jaycedk 379]

Well you do have an admin account, right.

Then you are the admin of set server, right.

If you do not know, what you are doing, should you do it.

Sure why not, but educate your self to handle it.

With the role as admin, comes the responsibility to of being set admin.

[Blam84 11]

5 minutes ago, jaycedk said:

Well you do have an admin account, right.

Then you are the admin of set server, right.

If you do not know, what you are doing, should you do it.

Sure why not, but educate your self to handle it.

With the role as admin, comes the responsibility to of being set admin.

If that's the business model being followed here, so be it. But if so, it dramatically limits the amount of users Emby will ever have

[jaycedk 379]

That's just my opinion.

I'm just a emby user/admin, and I had no problems with archiving my gools.

I educated my self !!

[nahtay 2]

I'm close I think. I just have never done a reverse proxy. I have a domain. I installed docker. I just don't know how to get it working to enable SSL.