
Security 101: Secure Connections


regid


Tur0k

Don't get me wrong, I don't think that picking up a domain and getting an SSL cert is terribly difficult, but if that is the major barrier to adoption then it is worth looking into. Setting Emby connect up to run as more of a proxy and encrypting data end to end is a TALL order. Just spit-balling here: theoretically there would be two separate points of encryption with an Emby connect proxy.

1. Emby server through home router to Emby connect proxy.

2. Emby connect proxy to public Internet clients.

 

This mirrors the configuration of cloudflare.

 

In the above point 2, Emby connect proxy then handles the domain and encryption at the front end. Client devices see port 443 activity, and publicly trusted certificates.

 

In point 1, a new classification of Emby service can be stood up "Emby connect proxy service". This could be tied into Emby premiere or as a separate line item.

 

Emby Connect already knows the public IP for a Premiere-licensed Emby server. We should maintain this awareness.

 

Emby then stands up a private CA that would be tied to a paid Emby account.

 

In the Emby server interface there would be a section for Emby Connect proxy, with a login or some type of key (like Premiere) and a checkbox. Once the checkbox is checked and the key is authenticated and confirmed as active, a cert is downloaded from the Emby private CA and loaded into the Emby server install.

 

The Emby Connect proxy should then be set up to proxy the connection to the Emby server's public IP using port 8920 and only allow the use of the certificate pair that is listed in the Emby private CA.

 

 

Sent from my iPhone using Tapatalk

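Sketched as an nginx configuration, the two encryption points described above look like this. This is an added example, not part of the post and not Emby code; the hostnames, certificate paths and the 203.0.113.10 address are placeholders. Point 2 is the `server` block (a publicly trusted certificate on 443); point 1 is the `proxy_pass` to the user's public IP on 8920, where only a certificate issued by the private CA for this specific account is accepted.

```nginx
# Added example, not from the post or from Emby: nginx playing the role of
# the proposed Emby Connect proxy. Names, paths and 203.0.113.10 are placeholders.

# Point 2: the public side. Clients see port 443 and a publicly trusted cert.
server {
    listen 443 ssl http2;
    server_name user1234.connect.emby.example;

    ssl_certificate     /etc/ssl/connect/fullchain.pem;   # publicly trusted
    ssl_certificate_key /etc/ssl/connect/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Point 1: re-encrypt to the user's Emby server on its known public IP
        # and Emby's HTTPS port 8920, so nothing crosses the Internet in clear.
        proxy_pass https://203.0.113.10:8920;

        # Accept only a certificate that chains to the Emby private CA ...
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/connect/emby-private-ca.pem;
        proxy_ssl_protocols           TLSv1.2 TLSv1.3;

        # ... and only the one issued to this account: nginx checks the
        # certificate's name against proxy_ssl_name and sends it as SNI.
        proxy_ssl_name        user1234.origin.emby.example;
        proxy_ssl_server_name on;

        # Mutual TLS: the proxy presents its own certificate to the origin, so
        # the origin side can refuse anything that did not come via the proxy.
        proxy_ssl_certificate     /etc/ssl/connect/proxy-client.pem;
        proxy_ssl_certificate_key /etc/ssl/connect/proxy-client.key;

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;   # Emby's websocket
        proxy_set_header Connection        "upgrade";
        proxy_buffering    off;                             # media streaming
        proxy_read_timeout 3600;                            # long playback sessions
    }
}
```

`proxy_ssl_name` is what makes the check per-account rather than per-CA: with only `proxy_ssl_trusted_certificate`, any certificate the private CA ever issued would be accepted for any user's origin. The client-certificate part only buys something if the origin side is configured to require it.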

Guest asrequested

Without TorGuard I get ~25Mb/s download, but with it on, it's still ~22Mb/s.

Oh, OK. I have 270Mb bandwidth, TG cuts that in half. But on some servers I get much less.


Tur0k

Note: there would need to be serious discussion of designing scalable HA infrastructure to support an Emby connect proxy.

 

 

Sent from my iPhone using Tapatalk


Jdiesel

In addition to security benefits there can also be performance benefits. Back when I hosted my Emby/Plex server in a German data center I had poor peering back to North America. By switching to an HTTPS connection over port 443 I noticed significant improvements. Someplace along the way traffic shaping was taking place. Cloudflare can also improve peering.

  • Like 2

Spaceboy

Oh, OK. I have 270Mb bandwidth, TG cuts that in half. But on some servers I get much less.

I believe there is a megabits / megabytes mix-up here.

CBers

Without TorGuard I get ~25Mb/s download, but with it on, it's still ~22Mb/s.

Maybe, but we both used a lower-case b, implying bits.

Without TorGuard I get ~25MB/s download, but with it on, it's still ~22MB/s.

 

Better :)


adrianwi

I'm all for providing people with options, but please please please don't force anyone down the same path as Plex where you can only connect to your own server through their services.  

 

ps: setting up a reverse proxy with SSL is pretty straightforward (especially for one service) and with something like certbot renewing the certificate is easily automated ;)

  • Like 3

Guest asrequested

Nobody is suggesting that, just have an option for security through Emby.

 

Applying an SSL is a PITA. Any more than 2 clicks is a waste of my time.

  • Like 1

Applying an SSL is a PITA. Any more than 2 clicks is a waste of my time.

 

And yet you run a custom mpv.conf :)

  • Like 1

Jdiesel

Does Cloudflare support dynamic DNS from the typical free providers? If so, I think something like this might be a good compromise for many, and it would be free too:

 

 

Emby Server (dyndns) ---self--signed---cert---->Cloudflare (Strict) ----signed--cert--->Emby Client

 

 

You would need a domain, hopefully a free dynamic dns, and a free Cloudflare account.

  • Like 1

Guest asrequested

And yet you run a custom mpv.conf :)

Lol...yeah, I know. It isn't that I can't, it's just something I don't want to spend any significant time, doing.


Guest asrequested

Heh, Luke, leave Doofus alone :)

 

He's doing great testing Theater mpv.

Thanks, Abo :) Edited by Doofus
  • Like 1

Swynol

Does Cloudflare support dynamic DNS from the typical free providers? If so, I think something like this might be a good compromise for many, and it would be free too:

 

 

Emby Server (dyndns) ---self--signed---cert---->Cloudflare (Strict) ----signed--cert--->Emby Client

 

 

You would need a domain, hopefully a free dynamic dns, and a free Cloudflare account.

 

Yes, I use Cloudflare with DNS-O-Matic. Completely free.

 

 

I'm testing Cloudflare at the moment.

 

Free Cloudflare account

Free DNS-O-Matic account

Free domain name from Freenom

 

Remote user --- SSL cert provided by CF ---> Cloudflare server <----- an Origin cert, self-signed cert or Let's Encrypt cert ---> my Emby server

or

Remote user --- SSL cert provided by CF ---> Cloudflare server <----- an Origin cert, self-signed cert or Let's Encrypt cert ---> my NGINX server ---> my Emby server

 

DNS-O-Matic updates Cloudflare with my WAN IP address.

 

EDIT: with some help I've managed to get Cloudflare to cache my images on their server. The end result is that images load a lot faster remotely, along with the added security of not being able to see my WAN IP, DDoS protection and other stuff.

Edited by Swynol
  • Like 2
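What the origin side of the Cloudflare diagrams above (Jdiesel's and Swynol's) looks like as an nginx configuration, added here as an example rather than taken from either post or from Cloudflare's documentation. Two practitioner points it covers: Cloudflare's Full (Strict) mode needs an origin certificate the edge can validate, which a Cloudflare Origin CA certificate or a publicly trusted one provides and a self-signed one does not (that only passes in plain Full mode); and proxying through Cloudflare removes the WAN IP from DNS but not from the Internet, so the origin has to refuse connections that did not arrive via Cloudflare's edge. The domain, certificate paths and the 127.0.0.1:8096 upstream are assumptions.

```nginx
# Added example (not from the original posts): nginx as the origin behind
# Cloudflare. Proxying hides the WAN IP from DNS only; the origin itself must
# refuse connections that did not arrive through Cloudflare's edge.

# Flag the TCP peer as a Cloudflare edge (1) or anything else (0).
# IPv4 ranges as published at https://www.cloudflare.com/ips/ when this was
# written; regenerate from that page rather than trusting this copy, and add
# the IPv6 ranges if the host has an AAAA record.
geo $from_cloudflare {
    default          0;
    173.245.48.0/20  1;
    103.21.244.0/22  1;
    103.22.200.0/22  1;
    103.31.4.0/22    1;
    141.101.64.0/18  1;
    108.162.192.0/18 1;
    190.93.240.0/20  1;
    188.114.96.0/20  1;
    197.234.240.0/22 1;
    198.41.128.0/17  1;
    162.158.0.0/15   1;
    104.16.0.0/13    1;
    104.24.0.0/14    1;
    172.64.0.0/13    1;
    131.0.72.0/22    1;
}

# Log the visitor address Cloudflare forwards, next to the edge address,
# so fail2ban-style tooling bans visitors rather than Cloudflare.
log_format cloudflare '$http_cf_connecting_ip via $remote_addr '
                      '"$request" $status $body_bytes_sent';

server {
    listen 443 ssl http2;
    server_name emby.example.tk;            # hypothetical Freenom domain

    access_log /var/log/nginx/emby.log cloudflare;

    # Cloudflare Origin CA certificate: satisfies Full (Strict) at the edge.
    # Browsers do not trust it, which is fine, they never connect here directly.
    ssl_certificate     /etc/ssl/cloudflare/origin.pem;
    ssl_certificate_key /etc/ssl/cloudflare/origin.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    # Authenticated Origin Pulls: require the client certificate Cloudflare's
    # edge presents (CA file downloaded from Cloudflare, path assumed), so a
    # scanner that finds the IP cannot get past the TLS handshake.
    ssl_client_certificate /etc/ssl/cloudflare/origin-pull-ca.pem;
    ssl_verify_client      on;

    # Belt and braces: close the connection with no response for other peers.
    if ($from_cloudflare = 0) {
        return 444;
    }

    location / {
        proxy_pass http://127.0.0.1:8096;   # Emby's plain-HTTP listener

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $http_cf_connecting_ip;
        proxy_set_header X-Forwarded-Proto https;
        proxy_set_header Upgrade           $http_upgrade;   # Emby's websocket
        proxy_set_header Connection        "upgrade";
        proxy_buffering  off;                               # media streaming
    }
}
```

One limit worth knowing: both checks run after the server has sent its certificate, and that certificate's subject names the domain, so a scanner sweeping port 443 can still link the WAN IP to the hostname even though it gets no content. If that linkage matters, filter non-Cloudflare sources at the router or host firewall instead of, or as well as, in nginx.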

moviefan

Emby removing self-signed certs wasn't really Emby's fault, as a lot of OSes and some web browsers no longer accept self-signed certs.

 

This doesn't sound very accurate to me.

 

Which OSes and web browsers no longer accept self-signed certs?

 

There's so many things that use self-signed certs I can't imagine an operating system completely disabling this.

 

Certainly on Windows (XP-10), Mac, Android, iOS this isn't true.  For Chrome, Safari, Firefox, IE, Edge, and Opera.

 

So which OS and/or browser are you referring to?


moviefan

I'm all for providing people with options, but please please please don't force anyone down the same path as Plex where you can only connect to your own server through their services.  

 

This.

  • Like 1

We would never force you to log in using any particular method, but if we are going to provide an SSL cert that becomes attached to an Emby sub-domain then it's possible we may decide to only use that with Emby Connect, and that if you want to connect manually then you'd need your own cert. But we will see when the time comes.

  • Like 3

I tried the guide to setting up Emby using Cloudflare but it isn't working. I just get bad gateway. I have my domain, active on CF, configured an A record for 'emby' to point to my WAN IP (which is correct). Ports are forwarded on the router and I restarted both the router and Emby for good measure. Everything looks correct in the Emby dashboard.

 

Nevermind. Firewall issue. All good.

Edited by lorac
  • Like 1

TheFreeMan

Hi all. New Emby user, and I'm loving it so far.
 
I've got the Emby server running in a Docker container on my server. I also have a Let's Encrypt/nginx container running. I had no problem getting my nginx config set up to be able to reverse-proxy access to my server from the outside world (forcing everything over HTTPS).
 
What I haven't figured out is how to get the Emby apps (Android, Xbox, smart TV, etc.) to access the Emby server now that it's behind the reverse proxy. Sitting here in front of my computer, with Wi-Fi turned off on my phone, the Android app just spins and spins until it finally times out. If I turn Wi-Fi back on, it connects pretty quickly.
 
I'm also running OpenVPN, so I can establish a VPN tunnel to the server and then access Emby via the app with no problem, but I don't think my son in the Army can do that from his Xbox, and it does seem (without any absolute testing whatsoever) to be a bit slower that way.
 
I read the post by @Swynol on reverse proxying but that doesn't seem to be what I'm after (I've already got that working), and I looked through his blog post linked earlier in this thread.

 

I saw this post from @ earlier in this thread, as well. I've looked at that configuration page and I'm not sure exactly what those settings will do, so before enabling anything there, I want to make sure I'm not going to lock myself out of my setup by misconfiguring things.

 

If I go to the Advanced page in settings and put "mydomain.com" in the External Domain field, point the Custom SSL certificate path to the location where nginx stores all its certs (I've got .pem files and .pfx files), then tick the HTTPS checkbox, can I then put "mydomain.com" in my app's server Host entry? Would I use 8096 or 443 for the port?

 

As a note, I "own" the domain: it's a free DDNS from changeip.com. I don't have anything set up through Emby's DNS service.

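One way to wire up the setup asked about above, as an added example rather than anything from the post or from the Emby project: nginx terminates TLS with the Let's Encrypt certificate and forwards to Emby's plain-HTTP listener on 8096, so the apps are given `mydomain.com` with port 443 (the port nginx listens on, not 8096), and the Emby server itself needs no certificate or HTTPS setting for this path. The container name `emby`, the certificate paths and the certbot webroot are assumptions.

```nginx
# Added example (not from the original post): nginx terminates TLS and
# forwards to Emby's plain-HTTP listener, so the apps use https://mydomain.com
# on 443 and Emby's own HTTPS settings can stay off for this path.

server {
    listen 80;
    server_name mydomain.com;

    # certbot's HTTP-01 challenge path stays on 80; everything else is forced
    # to HTTPS.
    location /.well-known/acme-challenge/ { root /var/www/certbot; }
    location / { return 301 https://$host$request_uri; }
}

server {
    listen 443 ssl http2;
    server_name mydomain.com;

    ssl_certificate     /etc/letsencrypt/live/mydomain.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/mydomain.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;
    ssl_session_cache   shared:SSL:10m;

    # Tell browsers to never come back over plain HTTP.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://emby:8096;    # Docker service name of the Emby container

        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # The Emby apps keep a websocket open to the server for events;
        # forward the upgrade headers or it is dropped at the proxy.
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        proxy_buffering    off;     # streaming: do not spool media to disk
        proxy_read_timeout 3600;    # long-lived playback sessions
    }
}
```

With this in place the app's Host entry is `mydomain.com` and the port is 443 (or simply `https://mydomain.com`). On the LAN the apps typically find the server by local discovery, which is one reason a setup can work on Wi-Fi and stall on mobile data while the remote path is still misconfigured; testing from mobile data against the nginx address is the check that matters.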

So, to confirm: clients can access your server from the public Internet but not on your LAN?

 

 

Sent from my iPhone using Tapatalk


I can connect to my server via the Web and android app but can't get a remote roku to connect.

 

Sent from my STV100-3 using Tapatalk


Guest asrequested

I just opened a port through the VPN service, enabled the stealth encryption, configured the client, ran the client on the server, and I'm all set. So now it's running through a proxy and their server handles the encryption. And it's anonymized. 

 

[attached screenshot]

