Security 101: Secure Connections

Secure Connect Security Remote Access Encrypted

319 replies to this topic

#41 Doofus

Posted 08 January 2018 - 04:31 PM

Lol...you guys are really trying to sell me on the reverse proxy. So here's my deal. I have only opened a port for Emby. If there were a way that wasn't necessary or could be secured by Emby, this issue would be moot, for me. I don't need my system to be the national reserve, with layers of security. That's why the simple option for me is to use a VPN. The intention was to use my USG for that, but it can't handle the encryption. I could run the VPN client on my server and just forward the port through their proxy, but I figure I'll put everything through the VPN and just stop thinking about it. Added bonus of adding pfSense and having more security.
  • Tur0k likes this

#42 Jdiesel

Posted 08 January 2018 - 04:34 PM

I think I have one of the simplest setups possible.

1. Purchased SSL cert for $5/year (good for 3 years without renewal).
2. Purchased Google domain for $12/year.
3. Generated CSR using openssl. Can use online tools if you trust them.
4. Verified domain by running a temporary webserver to host the key (domain.com/.well-known/pki-validation/). Once verified, the webserver is no longer needed.
5. Use openssl to generate pfx from csr and pem file. Can use online tools if you trust them.
6. Enter your external domain and path to your pfx into Emby.

Now I have a pfx good for 3 years that can be used directly in Emby. No need for a reverse proxy or Cloudflare, but both could be used if wanted.

Emby could integrate some of the functions of openssl and hosting the domain verification to make things very simple, but that might be outside the scope of the software.


  • Tur0k likes this
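The openssl side of the steps above as an added, runnable example; these are not Jdiesel's own commands. It assumes the openssl CLI is installed, uses a constructed placeholder domain, password and validation file name, and self-signs the CSR as an offline stand-in for the PEM certificate the CA returns after domain validation.

```shell
#!/bin/sh
# Added example (not from the post): key, CSR, validation file, PEM -> pfx.
# DOMAIN, the password and the validation file name are constructed placeholders.
set -e
command -v openssl >/dev/null || { echo "openssl CLI required" >&2; exit 1; }

WORKDIR="${WORKDIR:-$(mktemp -d)}"
DOMAIN="emby.example.invalid"   # placeholder, not a real host

# Step 3: private key plus certificate signing request (CSR) for the domain.
make_csr() {
    openssl req -new -newkey rsa:2048 -nodes \
        -keyout "$WORKDIR/emby.key" -out "$WORKDIR/emby.csr" \
        -subj "/CN=$DOMAIN" 2>/dev/null
}

# Step 4: the CA gives you a file to serve from http://$DOMAIN/.well-known/pki-validation/
# on a temporary web server run inside $WEBROOT (e.g. `python3 -m http.server 80`).
# File name and contents here are placeholders for what the CA actually sends.
stage_validation_file() {
    WEBROOT="$WORKDIR/www"
    mkdir -p "$WEBROOT/.well-known/pki-validation"
    printf '%s\n' "CA-SUPPLIED-TOKEN" > "$WEBROOT/.well-known/pki-validation/ca-supplied-name.txt"
}

# Offline stand-in for the CA's signed PEM: self-sign the CSR so the script runs
# without a CA. In real use, emby.pem is the certificate the CA returns after step 4.
sign_csr_locally() {
    openssl x509 -req -in "$WORKDIR/emby.csr" -signkey "$WORKDIR/emby.key" \
        -days 1095 -out "$WORKDIR/emby.pem" 2>/dev/null
}

# Step 5: bundle key and PEM certificate into a PKCS#12 (.pfx) file for Emby (step 6).
make_pfx() {
    openssl pkcs12 -export -inkey "$WORKDIR/emby.key" -in "$WORKDIR/emby.pem" \
        -out "$WORKDIR/emby.pfx" -passout pass:"$1"
}

# Check before pointing Emby at it: the pfx opens with the password and names the domain.
pfx_subject() {
    openssl pkcs12 -in "$WORKDIR/emby.pfx" -passin pass:"$1" -nokeys 2>/dev/null |
        openssl x509 -noout -subject
}

make_csr
stage_validation_file
sign_csr_locally
make_pfx "changeme"
pfx_subject "changeme"
```

On OpenSSL 3, an importer that rejects the resulting pfx usually wants `-legacy` added to the `pkcs12 -export` call.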

#43 Doofus

Posted 08 January 2018 - 04:38 PM

Yeah, see that's just too much jiggery pokery, for me. Can I do it? Yes. Do I want to create 3 more accounts? No.

Edited by Doofus, 08 January 2018 - 04:39 PM.

  • regid likes this

#44 CBers

Posted 08 January 2018 - 04:41 PM

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

Yes? No?

#45 Jdiesel

Posted 08 January 2018 - 04:44 PM

Yeah, see that's just too much jiggery pokery, for me. Can I do it? Yes. Do I want to create 3 more accounts? No.

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.

#46 Jdiesel

Posted 08 January 2018 - 04:45 PM

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

Yes? No?

Was this question directed at anyone specific? I would argue that an OpenVPN connection would be the safest/most secure option.

#47 CBers

Posted 08 January 2018 - 04:46 PM

Was this question directed at anyone specific? I would argue that an OpenVPN connection would be the safest/most secure option.

Only at someone who knows the answer :)

#48 Jdiesel

Posted 08 January 2018 - 04:47 PM

Only at someone who knows the answer :)

Well then obviously not me :lol:

  • CBers likes this

#49 Doofus

Posted 08 January 2018 - 05:00 PM

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

Yes? No?

See, that's the point. If you have multiple systems (security cams etc.) then it makes sense, but we are only talking about protecting your Emby server. The average Emby customer is just watching their own movies, and wants to be able to watch them when they're away from home. So they have to open a port. It would be nice to have some kind of easy security for those people. For people who want more, they have other options.

Edited by Doofus, 08 January 2018 - 05:17 PM.

  • denz likes this

#50 Doofus

Posted 08 January 2018 - 05:03 PM

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.

I think it would be a good option for the basic Emby customer.

For me, I'm just going to build a second gateway and use a VPN.

Edited by Doofus, 08 January 2018 - 05:38 PM.


#51 Spaceboy

Posted 08 January 2018 - 06:24 PM

Lol...you guys are really trying to sell me on the reverse proxy. So here's my deal. I have only opened a port for Emby. If there were a way that wasn't necessary or could be secured by Emby, this issue would be moot, for me. I don't need my system to be the national reserve, with layers of security. That's why the simple option for me is to use a VPN. The intention was to use my USG for that, but it can't handle the encryption. I could run the VPN client on my server and just forward the port through their proxy, but I figure I'll put everything through the VPN and just stop thinking about it. Added bonus of adding pfSense and having more security.

Just ensuring that other readers get accurate information :)

  • Doofus likes this

#52 Doofus

Posted 08 January 2018 - 07:08 PM

Just ensuring that other readers get accurate information :)

Yup, but look at what it takes to establish it.

https://emby.media/c...xy/#entry492200

#53 MSattler

Posted 08 January 2018 - 07:57 PM

Your preference would be something like what Plex does? Sign in through Emby Connect and let Emby do all the behind-the-scenes stuff? Although there are many who are dead against this, I think it is a good solution. Besides, you always have the option to bypass Plex's account and use a reverse proxy anyway.

One of the reasons I've stayed with Plex since my switch. I like the fact that I don't have to worry about someone brute-forcing their way into my Emby install. It's not a worry with Plex: unless their endpoint has been authenticated, they are trying to brute-force against the Plex login servers. And the only endpoints that are authenticated, unless someone has got my Plex login info.

Now I'm making the assumption that the Plex guys are doing something like banning IPs that repeatedly try to access various Plex servers over and over and fail auth. Regardless, I don't have to worry about it. I actually requested the same thing as a feature request of Emby a while back. Just allow me to turn off Emby web or client access unless the client/browser has been authenticated.

#54 Tur0k

Posted 08 January 2018 - 07:57 PM

Do any of you guys running reverse proxies whitelist certain IPs at your router level? This way only traffic from trusted IPs is forwarded to your reverse proxy?

I want to allow remote access, but right now I feel like the only secure way of doing this is through a VPN. Just tell them to buy an Nvidia Shield; it can play everything direct and you can run a VPN client on it.

I do the opposite, actually. I have blacklists that systematically deny access to nodes or entire blocks of the public Internet. I block by publicly maintained lists. I block traffic to and from:
1. IP nodes that deal in illicit content.
2. Known malicious sites.
3. World regions (that I know I will never connect from).

I do this using an add-on to my pfSense firewall called pfBlockerNG.

Edited by Tur0k, 08 January 2018 - 07:59 PM.


#55 Tur0k

Posted 08 January 2018 - 08:01 PM

I think I have one of the simplest setups possible.

1. Purchased SSL cert for $5/year (good for 3 years without renewal).
2. Purchased Google domain for $12/year.
3. Generated CSR using openssl. Can use online tools if you trust them.
4. Verified domain by running a temporary webserver to host the key (domain.com/.well-known/pki-validation/). Once verified, the webserver is no longer needed.
5. Use openssl to generate pfx from csr and pem file. Can use online tools if you trust them.
6. Enter your external domain and path to your pfx into Emby.

Now I have a pfx good for 3 years that can be used directly in Emby. No need for a reverse proxy or Cloudflare, but both could be used if wanted.

Emby could integrate some of the functions of openssl and hosting the domain verification to make things very simple, but that might be outside the scope of the software.

Seems pretty easy to me too, but I think that we as a user group may need to do a better job of creating a single place to find a guide.

#56 Doofus

Posted 08 January 2018 - 08:08 PM

We have to remember that we are all nerds lol. We dig this stuff :) But there is a legion of people that just want to watch their movies, and they won't/can't do this stuff. We don't represent the general Emby user.
  • denz, Tur0k, afullmark and 2 others like this

#57 Tur0k

Posted 08 January 2018 - 08:11 PM

If you have services other than Emby that you want to access remotely, even if only you are accessing them, then a reverse proxy must be the safest/securest option.

Yes? No?

This is difficult to answer.

The most secure network is the network that isn't connected to the Internet, has no avenues to introduce new resources (ex: no USB inputs that people could add USB flash drives to), and is located in physically separate quarters.

Once that isn't an option, you talk about risk appetite. Some people are OK with going about the normal process and getting their systems on the public Internet. They may even be OK with doing all that insecurely.

Reverse proxies are just that: a proxy. They are a tool in the Bat-belts of network guys. You can SSL-secure them, and you can client-authenticate using credentials and/or certificates so only people with the right authentication or client certificate are allowed access. That last part means you can support mutual authentication and multi-factor authentication.

VPNs are designed to create secure tunnels. They are designed to allow for mutual authentication, and can support multi-factor authentication.

The most secure places I have worked had completely separate networks for their prized data; others forced 100% SSL encryption over VPN.
  • cayars likes this

#58 Tur0k

Posted 08 January 2018 - 10:02 PM

We have to remember that we are all nerds lol. We dig this stuff :) But there is a legion of people that just want to watch their movies, and they won't/can't do this stuff. We don't represent the general Emby user.

Good point. I think we have mapped out what we would like to offer the spectrum of users as a user group:

1. Emby Connect redesigned to function as more of a proxy.
I. Minimal user configuration.
II. Check a box, pay the monthly charge.

2. Use your own cloud-hosted proxy provider like Cloudflare. (Should we create a published configuration guide?)
I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS.

3. Use the built-in secure web configuration in Emby.
I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS.
III. Use of either a self-signed or publicly trusted cert (paid).

4. Set up your own service.

A. VPN
I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS unless you plan on using a public IP address.
III. Management of a local CA for server and client certificates and VPN user accounts.

B. Reverse proxy
I. Requires port forwarding on home router.
II. Requires purchase of a public domain with public DNS unless you plan on using a public IP address.
III. Use of either a self-signed or publicly trusted cert (paid).
IV. Management and configuration of the reverse proxy.
V. Possible management of a local CA for client certificates.

Edited by Tur0k, 08 January 2018 - 11:05 PM.


#59 cryzis

Posted 08 January 2018 - 10:38 PM

I do the opposite, actually. I have blacklists that systematically deny access to nodes or entire blocks of the public Internet. I block by publicly maintained lists. I block traffic to and from:
1. IP nodes that deal in illicit content.
2. Known malicious sites.
3. World regions (that I know I will never connect from).

I do this using an add-on to my pfSense firewall called pfBlockerNG.

Ahh yeah, that's another way to do it. I just figured it was easier and more secure, but there is the hassle of dealing with IPs that update. Although you could set up each user with DynDNS and whitelist their domains.
  • Tur0k likes this

#60 cryzis

Posted 08 January 2018 - 10:38 PM

Edit: Had a double post by mistake

Edited by cryzis, 08 January 2018 - 10:44 PM.
