
Security 101: Secure Connections

Secure Connect Security Remote Access Encrypted

319 replies to this topic

#21 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 511 posts
  • Local time: 09:45 AM

Posted 07 January 2018 - 04:53 PM

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

To me it sounds like our less techy users are asking for a Cloudflare-like (https://www.cloudflare.com) service.

In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare.

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

It looks like Cloudflare's free service gives you a publicly trusted SSL certificate. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.

Sent from my iPhone using Tapatalk

Edited by Tur0k, 07 January 2018 - 06:34 PM.


#22 Jdiesel ONLINE  

Jdiesel

    Advanced Member

  • Members
  • 2676 posts
  • Local time: 09:45 AM
  • LocationRegina, SK

Posted 07 January 2018 - 04:57 PM

I am a geek from the old guard. I started on a Mac in the 80s when I was a little kid, then moved to Linux, then Windows. I built my own systems and would have done so even if I didn't need it for Emby, as I use the domain, SSL certificates, and reverse proxy to operate remote access to my home automation server, my network monitor, my VPN, and eventually my NVR. The only part that Cloudflare could offer me that I cannot do already is some DDoS attack mitigation.

To me it sounds like our less techy users are asking for a Cloudflare-like (https://www.cloudflare.com) service.

In this case the Cloudflare service is stood up as a reverse proxy for a user's home Emby service. A user would still need to pick up a domain and redirect it to Cloudflare.

Cloudflare should give you an SSL certificate to place on your local Emby install (this encrypts the data between your Emby server and the Cloudflare system).

It looks like Cloudflare's free service gives you a publicly trusted SSL certificate. This is the piece that is set up on the front end of the Cloudflare service. This encrypts the traffic between Cloudflare and your public Emby clients.

I suspect you could use the free service from Cloudflare to get all of this done. I also suspect that others on the forum have put up instructions on how to set up Emby with Cloudflare.


Sent from my iPhone using Tapatalk

This is what I did for a while and it was simple to set up and worked quite well. Emby has since removed the ability to generate self-signed certificates, at least on the .NET Core version, so you now need to generate your own self-signed certificate for the connection between your server and Cloudflare.



#23 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 12255 posts
  • Local time: 08:45 AM

Posted 07 January 2018 - 05:28 PM

It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or to acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the Pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.


  • afullmark likes this

#24 CBers OFFLINE  

CBers

    Advanced Member

  • Moderators
  • 15003 posts
  • Local time: 04:45 PM
  • LocationKent, England.

Posted 07 January 2018 - 06:12 PM

This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.


I tend to agree, but I have a reverse proxy (nginx) in place now and it all works with hardly any intervention.

Although saying that, I did have someone access my Emby server somehow, but a quick re-jig seems to have stopped that.

I'm not saying a reverse proxy is more secure, but I never had any intrusions before I set it up.

#25 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 46949 posts
  • Local time: 11:45 AM

Posted 07 January 2018 - 09:33 PM

Right now, I have nothing. And a lot of people won't have anything, either. And a lot of people will be overwhelmed with how to configure a domain and applying a cert, then having to manage it. Remember that a lot of people just want to watch their movies and are not that tech savvy. Just look at all the posts of people having difficulty just opening a port and the basic config. There's no way they'll be able to do the encryption config. So having some encryption, is better than nothing. As I mentioned, in my case I'm eventually going to put my entire network behind a VPN service, and this will be moot.

 

Yes, we understand. I just wanted to be sure you understood the implications: that simplicity meant that your "secure" setup was under someone else's control.

 

If you're okay with that, then that's fine.



#26 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 12255 posts
  • Local time: 08:45 AM

Posted 07 January 2018 - 09:40 PM

Yes, we understand. I just wanted to be sure you understood the implications: that simplicity meant that your "secure" setup was under someone else's control.

 

If you're okay with that, then that's fine.

 

It would still be a choice for us to use it or not. And I'm sure you could add a disclaimer. 


  • afullmark likes this

#27 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 511 posts
  • Local time: 09:45 AM

Posted 08 January 2018 - 10:23 AM

From what I understand users don't want to:
1. Manually configure their home router to port forward.
2. Own their own domain.
3. Manage their own public DNS.
4. Manage their SSL certificates for secure remote access.
5. Manage their SSL certificates between an intermediate service (like a reverse proxy or Cloudflare-like service) and their Emby server.

The Emby install has the ability to set up port forwarding on routers that are UPnP enabled. As long as this remains functional, this should sufficiently address gripe 1.

From what I can see the Emby Connect service is the offering for novice users to access their systems remotely from a secure web server. This service mitigates gripes 2, 3, and 4.

Emby Connect requires an Emby server's edge router to be set up with port forwarding, and an SSL certificate to be configured in Emby server (if forcing encrypted external connections).

It might be worth looking into furthering the development of the Emby Connect service to mimic the steps that Cloudflare uses to encrypt data between Cloudflare and the source web service.
Meaning provide an SSL certificate between an end user's Emby server instance and the Emby Connect service.

Sent from my iPhone using Tapatalk

Edited by Tur0k, 08 January 2018 - 10:25 AM.


#28 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 46949 posts
  • Local time: 11:45 AM

Posted 08 January 2018 - 10:27 AM

It might be worth looking into furthering the development of the Emby Connect service to mimic the steps that Cloudflare uses to encrypt data between Cloudflare and the source web service.
Meaning provide an SSL certificate between an end user's Emby server instance and the Emby Connect service.

 

Yes, some flavor of that is what we are discussing.

 

However, it is important to understand that, right now, Emby Connect is a dynamic DNS service rather than a go-between for your traffic.  It is simply used to obtain the proper address.  None of the actual traffic goes through it.


  • Tur0k and afullmark like this

#29 Tur0k OFFLINE  

Tur0k

    Advanced Member

  • Members
  • 511 posts
  • Local time: 09:45 AM

Posted 08 January 2018 - 10:59 AM

Yeah, I assumed it was more of a DDNS and didn't act as a proxy. That kind of cloud-hosted backend infrastructure and HA design is likely costly.

I would like to chime in and say that it would be nice to maintain configuration options that allow users who want it to host their own secure remote access at their own home.


Sent from my iPhone using Tapatalk

Edited by Tur0k, 08 January 2018 - 11:10 AM.


#30 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 12255 posts
  • Local time: 08:45 AM

Posted 08 January 2018 - 02:54 PM

The cost of being a proxy is why I suggested it could be a paid service. An annual fee. Pay your money, click a box in the server, and some measure of security is applied. The one thing I hadn't considered is the legal ramifications. I guess that would put Emby in the hot seat if any of our servers got hacked.

#31 Spaceboy OFFLINE  

Spaceboy

    Advanced Member

  • Members
  • 3883 posts
  • Local time: 04:45 PM

Posted 08 January 2018 - 03:32 PM

It's still more than I want to do. I don't want to waste my time on external security. I don't want a domain, or to acquire certificates. I want to set it and forget it. I've got enough services and passwords and accounts. I don't want any more. It's too much information to keep track of. This is an entertainment system, not the Pentagon. For those who enjoy and are fluent in security protocols, it's great. But for the rest of us it's a PITA. This is why I haven't set up a reverse proxy. I could, but it's just a nuisance.

A reverse proxy is pretty set and forget.
  • Tur0k likes this

#32 Doofus OFFLINE  

Doofus

    Advanced Member

  • Members
  • 12255 posts
  • Local time: 08:45 AM

Posted 08 January 2018 - 03:44 PM

A reverse proxy is pretty set and forget.


But you have to sign up for and manage the certificates etc. I've got enough subscriptions and accounts, I don't want any more. It's management that I just don't want.

#33 Night OFFLINE  

Night

    Advanced Member

  • Alpha Testers
  • 128 posts
  • Local time: 05:45 PM

Posted 08 January 2018 - 03:49 PM

But you have to sign up for and manage the certificates etc. I've got enough subscriptions and accounts, I don't want any more. It's management that I just don't want.

You can automate it with scripts so that every 80 days or so the certificate is renewed, 100% unattended.


  • Tur0k likes this

#34 Spaceboy OFFLINE  

Spaceboy

    Advanced Member

  • Members
  • 3883 posts
  • Local time: 04:45 PM

Posted 08 January 2018 - 03:51 PM

But you have to sign up for and manage the certificates etc. I've got enough subscriptions and accounts, I don't want any more. It's management that I just don't want.

No, nginx does this all for you. It is set once and forget. You literally register your domain and email address on the first run and you are done with that for good.



#35 cryzis OFFLINE  

cryzis

    Member

  • Members
  • 26 posts
  • Local time: 10:45 AM

Posted 08 January 2018 - 04:00 PM

Do any of you guys running reverse proxies whitelist certain IPs at your router level? This way only traffic from trusted IPs is forwarded to your reverse proxy.

I want to allow remote access, but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield; it can play everything direct and you can run a VPN client on it.
  • Tur0k likes this
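Night's point that renewal can run unattended, Spaceboy's point that nginx handles the certificate for you, and cryzis's question about allowlisting trusted IPs can all be seen in one reverse-proxy configuration. The following is an added example, not a configuration from anyone in this thread; it assumes Emby listens on 127.0.0.1:8096, that emby.example.com is a placeholder hostname, that certbot (Let's Encrypt) issued the certificate into its default path, and that the two IP ranges are constructed placeholders.

```nginx
# Added example (not from the thread): nginx in front of Emby.
# Assumptions: Emby on 127.0.0.1:8096; emby.example.com is a placeholder;
# certbot issued the certificate and its own systemd timer / cron job renews the
# 90-day certificate before expiry, so nothing here needs a human after first run.

server {
    listen 80;
    server_name emby.example.com;
    # Let certbot's HTTP-01 challenge through; send everything else to HTTPS.
    location /.well-known/acme-challenge/ { root /var/www/letsencrypt; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name emby.example.com;

    ssl_certificate     /etc/letsencrypt/live/emby.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/emby.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    add_header Strict-Transport-Security "max-age=31536000" always;

    # Allowlist at the proxy, the nginx-level equivalent of filtering at the router:
    # only these ranges (constructed placeholders) reach Emby; everyone else gets 403.
    allow 203.0.113.0/24;   # placeholder: a trusted remote network
    allow 192.168.1.0/24;   # placeholder: the home LAN
    deny  all;

    location / {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        # Emby clients keep a websocket open; these two headers let it upgrade.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

The allow/deny block is optional; drop it if remote users come from changing addresses, and rely on TLS plus Emby's own login instead.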

#36 CBers OFFLINE  

CBers

    Advanced Member

  • Moderators
  • 15003 posts
  • Local time: 04:45 PM
  • LocationKent, England.

Posted 08 January 2018 - 04:01 PM

No, nginx does this all for you. It is set once and forget. You literally register your domain and email address on the first run and you are done with that for good.


Even I have an nginx reverse proxy :)

Mind you, I had a lot of help from @Swynol.
  • Tur0k likes this

#37 Jdiesel ONLINE  

Jdiesel

    Advanced Member

  • Members
  • 2676 posts
  • Local time: 09:45 AM
  • LocationRegina, SK

Posted 08 January 2018 - 04:03 PM

Do any of you guys running reverse proxies whitelist certain IPs at your router level? This way only traffic from trusted IPs is forwarded to your reverse proxy.

I want to allow remote access, but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield; it can play everything direct and you can run a VPN client on it.

 

The problem with this is if they run other services on their client. Unless you are able to do an advanced setup with routes, you end up passing all their traffic (Netflix, Amazon, Hulu, etc.) through your VPN and not just Emby.


Edited by Jdiesel, 08 January 2018 - 04:03 PM.


#38 Abobader OFFLINE  

Abobader

    Super-Tester

  • Administrators
  • 9401 posts
  • Local time: 06:45 PM

Posted 08 January 2018 - 04:08 PM

Good day,

 

Strange how media servers have turned into more than web services nowadays, yes, with these remote and "other things".

 

I agree with Doofus at most levels on a media server.

 

I run web services on my NAS, but only with access for some friends and family members, and most of it is not related to Emby.

 

My best


  • Doofus likes this

#39 cryzis OFFLINE  

cryzis

    Member

  • Members
  • 26 posts
  • Local time: 10:45 AM

Posted 08 January 2018 - 04:10 PM

The problem with this is if they run other services on their client. Unless you are able to do an advanced setup with routes, you end up passing all their traffic (Netflix, Amazon, Hulu, etc.) through your VPN and not just Emby.


Right, you have to set the OpenVPN client config to only use the VPN for Emby traffic. Which shouldn't be hard; not easy, but not terrible either.

Edited by cryzis, 08 January 2018 - 04:12 PM.


#40 cryzis OFFLINE  

cryzis

    Member

  • Members
  • 26 posts
  • Local time: 10:45 AM

Posted 08 January 2018 - 04:16 PM

Another issue is that the only auth check Emby has is basic user/pass. No 2FA, or IP whitelisting (for those who don't know how / can't do it at the router level).

Edit: I removed my unsolicited peanut gallery commentary

Edited by cryzis, 08 January 2018 - 07:02 PM.





