Tur0k, posted January 9, 2018:

Don't get me wrong, I don't think that picking up a domain and getting an SSL cert is terribly difficult, but if that is the major barrier to adoption then it is worth looking into. Setting Emby connect up to run as more of a proxy and encrypting data end to end is a TALL order.

Just spit-balling here: theoretically there would be two separate points of encryption with an Emby connect proxy.

1. Emby server through home router to Emby connect proxy.
2. Emby connect proxy to public Internet clients.

This mirrors the configuration of Cloudflare.

In the above point 2, Emby connect proxy then handles the domain and encryption at the front end. Client devices see port 443 activity, and publicly trusted certificates.

In point 1, a new classification of Emby service can be stood up: "Emby connect proxy service". This could be tied into Emby premiere or as a separate line item. The Emby connect already knows the public IP for a premiere copy Emby server. We should maintain this awareness. Emby then stands up a private CA that would then be tied to a paid Emby account. In the Emby server interface there would be a section for Emby connect proxy, with a login or some type of key (like premiere) and a checkbox. Once the check box is checked and the key is authenticated and confirmed as active, a cert is downloaded from the Emby private CA and loaded to the Emby server install. The Emby connect proxy should then be set up to proxy the connection to the Emby server's public IP using port 8920 and only allow the use of the certificate pair that is listed in the Emby private CA.

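The two encryption legs described in the post above, sketched as an added example with nginx standing in for the proposed proxy (this is not from the thread and not Emby's own configuration). Every hostname, address and file path is a placeholder; 203.0.113.10 is a documentation address.

```nginx
# Added sketch: nginx as a stand-in for the proposed "Emby connect proxy".
# All names, addresses and paths below are placeholders.
server {
    # Leg 2: public clients reach the proxy on 443 and see a
    # publicly trusted certificate.
    listen 443 ssl;
    server_name user1.proxy.example.com;
    ssl_certificate     /etc/ssl/public/fullchain.pem;
    ssl_certificate_key /etc/ssl/public/privkey.pem;

    location / {
        # Leg 1: proxy to the Emby server's public IP on its HTTPS port.
        proxy_pass https://203.0.113.10:8920;

        # Accept the upstream only if its certificate chains to the
        # private CA; any other certificate fails the handshake.
        proxy_ssl_verify              on;
        proxy_ssl_verify_depth        2;
        proxy_ssl_trusted_certificate /etc/ssl/private-ca/ca.pem;

        # The upstream is addressed by IP, so state the name that must
        # appear in the certificate issued to this server.
        proxy_ssl_name        server-1234.emby.example;
        proxy_ssl_server_name on;
        proxy_ssl_protocols   TLSv1.2 TLSv1.3;

        proxy_set_header Host              $host;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Without `proxy_ssl_verify on`, nginx encrypts the upstream leg but accepts any certificate the server presents, so the private CA would add nothing.
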
Guest asrequested, posted January 9, 2018:

> Without TorGuard I get ~25Mb/s download, but with it on, it's still ~22Mb/s.

Oh ok. I have 270Mb bandwidth, TG cuts that in half. But on some servers I get much less.

Tur0k, posted January 9, 2018:

Note: there would need to be serious discussion of designing scalable HA infrastructure to support an Emby connect proxy.

Jdiesel, posted January 9, 2018:

In addition to security benefits there can also be performance benefits as well. Back when I hosted my Emby/Plex server in a German data center I had poor peering back to North America. By switching to an https connection over port 443 I noticed significant improvements. Someplace along the way traffic shaping was taking place. Cloudflare can also improve peering as well.

Spaceboy, posted January 9, 2018:

> Oh ok. I have 270Mb bandwidth, TG cuts that in half. But on some servers I get much less.

I believe there is a megabits / megabytes mix up here.

Guest asrequested, posted January 9, 2018:

> I believe there is a megabits / megabytes mix up here.

Maybe, but we both used a lower case b, implying bits.

CBers, posted January 9, 2018:

> Without TorGuard I get ~25Mb/s download, but with it on, it's still ~22Mb/s.

> Maybe, but we both used a lower case b, implying bits.

Without TorGuard I get ~25MB/s download, but with it on, it's still ~22MB/s.

Better.

Guest asrequested, posted January 9, 2018:

Oh so it is bytes lol. Not that it makes any difference. Your bandwidth isn't affected, much.

adrianwi, posted January 9, 2018:

I'm all for providing people with options, but please please please don't force anyone down the same path as Plex where you can only connect to your own server through their services.

PS: setting up a reverse proxy with SSL is pretty straightforward (especially for one service) and with something like certbot renewing the certificate is easily automated.

Guest asrequested, posted January 9, 2018:

Nobody is suggesting that, just have an option for security through Emby. Applying an SSL is a PITA. Any more than 2 clicks is a waste of my time.

Luke, posted January 9, 2018:

> Applying an SSL is a PITA. Any more than 2 clicks is a waste of my time.

And yet you run a custom mpv.conf

Abobader, posted January 9, 2018:

Heh, Luke, leave Doofus alone. He's doing great testing theater mpv.

Jdiesel, posted January 9, 2018:

Does Cloudflare support dynamic DNS from the typical free providers? If so I think something like this might be a good compromise for many and it would be free too:

Emby Server (dyndns) ---self-signed cert---> Cloudflare (Strict) ---signed cert---> Emby Client

You would need a domain, hopefully a free dynamic DNS, and a free Cloudflare account.

Guest asrequested, posted January 9, 2018:

> And yet you run a custom mpv.conf

Lol...yeah, I know. It isn't that I can't, it's just something I don't want to spend any significant time doing.

Guest asrequested, posted January 9, 2018 (edited January 9, 2018 by Doofus):

> Heh, Luke, leave Doofus alone. He's doing great testing theater mpv.

Thanks Abo

Swynol, posted January 10, 2018 (edited January 10, 2018 by Swynol):

> Does Cloudflare support dynamic DNS from the typical free providers? If so I think something like this might be a good compromise for many and it would be free too:
>
> Emby Server (dyndns) ---self-signed cert---> Cloudflare (Strict) ---signed cert---> Emby Client
>
> You would need a domain, hopefully a free dynamic DNS, and a free Cloudflare account.

Yes, I use Cloudflare with DNS-O-Matic. Completely free.

I'm testing Cloudflare at the moment.

Free Cloudflare account
Free DNS-O-Matic account
Free domain name from FreeNom

Remote user --- SSL Cert Provided by CF ---> Cloudflare Server <----- An Origin Cert or Self Signed or Let's Encrypt Cert ---> My Emby Server

or

Remote user --- SSL Cert Provided by CF ---> Cloudflare Server <----- An Origin Cert or Self Signed or Let's Encrypt Cert ---> My NGINX Server ---> My Emby Server

DNS-O-Matic updates Cloudflare with my WAN IP address.

EDIT - with some help I've managed to get Cloudflare to cache my images on their server. The end result is images load a lot faster remotely, along with the added security of not being able to see my WAN IP, DDoS protection and other stuff.

moviefan, posted January 10, 2018:

> Emby removing self signed certs wasn't really Emby's fault as a lot of OS's and some web browsers no longer accept self signed certs.

This doesn't sound very accurate to me. Which OS's and web browsers no longer accept self-signed certs? There's so many things that use self-signed certs I can't imagine an operating system completely disabling this. Certainly on Windows (XP-10), Mac, Android, iOS this isn't true. For Chrome, Safari, Firefox, IE, Edge, and Opera. So which OS and/or browser are you referring to?

moviefan, posted January 10, 2018:

> I'm all for providing people with options, but please please please don't force anyone down the same path as Plex where you can only connect to your own server through their services.

This.

Luke, posted January 10, 2018:

We would never force you to login using any particular method, but if we are going to provide an SSL cert that becomes attached to an Emby sub-domain then it's possible we may only decide to use that with Emby connect, and that if you want to connect manually then you'd need your own cert. But we will see when the time comes.

lorac, posted January 10, 2018 (edited January 10, 2018 by lorac):

I tried the guide to setting up Emby using Cloudflare but it isn't working. I just get bad gateway. I have my domain, active on CF, configured A record for 'emby' to point to my WAN IP (which is correct). Ports are forwarded on the router and I restarted both the router and Emby for good measure. Everything looks correct in the Emby dashboard.

Nevermind. Firewall issue. All good.

TheFreeMan, posted January 11, 2018:

Hi all-

New Emby user, and I'm loving it so far.

I've got the Emby server running in a docker container on my server. I also have a LetsEncrypt/Nginx docker running. I had no problem getting my nginx config set up to be able to reverse proxy access my server from the outside world (forcing everything over HTTPS).

What I haven't figured out is how do I get the Emby apps (Android, XBOX, smart TV, etc) to access the Emby server now that it's behind the reverse proxy. Sitting here in front of my computer, with WiFi turned off on my phone, the Android app just spins and spins until it finally times out. If I turn WiFi back on, it connects pretty quickly.

I'm also running OpenVPN, so I can establish a VPN tunnel to the server then access Emby via the app with no problem, but I don't think my son in the Army can do that from his Xbox, and it does seem (without any absolute testing whatsoever) to be a bit slower that way.

I read the post by @Swynol on reverse proxying but that doesn't seem to be what I'm after (I've already got that working), and I looked through his blog post linked earlier in this thread.

I saw this post from @ earlier in this thread, as well. I've looked at that configuration page and I'm not sure exactly what those settings will do, so before enabling anything there, I want to make sure I'm not going to lock myself out of my setup by misconfiguring things.

If I go to the Advanced page in settings and put "mydomain.com" in the External Domain field, point the Custom ssl certificate path to the location where nginx stores all its certs (I've got .pem files and .pfx files), then hit the https check box, can I then put "mydomain.com" in my app's server Host entry? Would I use 8096 or 443 for the port?

As a note - I "own" the domain - it's a free ddns from changeip.com, I don't have anything set up through Emby's DNS service.

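The reverse-proxy layout discussed in this thread (Let's Encrypt certificate on nginx, Emby on port 8096 behind it, everything forced over HTTPS), as an added example that is not from any poster's actual configuration. The hostname, certificate paths and upstream address are placeholders.

```nginx
# Added example; emby.example.com, the certificate paths and the
# upstream address 127.0.0.1:8096 are placeholders.

# Plain HTTP is only used to redirect to HTTPS.
server {
    listen 80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}

server {
    # TLS terminates here; clients only ever talk to port 443.
    listen 443 ssl;
    server_name emby.example.com;

    # Certificate and key as issued and renewed by certbot.
    ssl_certificate     /etc/letsencrypt/live/emby.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/emby.example.com/privkey.pem;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        # Emby listens on its plain-HTTP port on the local side only.
        proxy_pass http://127.0.0.1:8096;

        # Pass WebSocket upgrades through to the server.
        proxy_http_version 1.1;
        proxy_set_header Upgrade    $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Tell the backend the original host, client address and scheme.
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

In this layout only ports 80 and 443 need to be forwarded on the router; 8096 is reached by nginx alone and stays off the public side.
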
Tur0k, posted January 11, 2018:

So confirm, clients can access your server from the public Internet but not on your LAN?

lorac, posted January 11, 2018:

I can connect to my server via the Web and Android app but can't get a remote Roku to connect.

Guest asrequested, posted January 11, 2018:

I just opened a port through the VPN service, enabled the stealth encryption, configured the client, ran the client on the server, and I'm all set. So now it's running through a proxy and their server handles the encryption. And it's anonymized.

Guest asrequested, posted January 11, 2018:

I think stealth means it wears a ninja mask, or something.