Security 101: Secure Connections


regid

Swynol

Hi all- New emby user, and I'm loving it so far.

 

I've got the emby server running in a docker container on my server. I also have a LetsEncrypt/Nginx docker running. I had no problem getting my nginx config set up to be able to reverse proxy access my server from the outside world (forcing everything over HTTPS).

 

What I haven't figured out is how do I get the emby apps (Android, XBOX, smart TV, etc) to access the emby server now that it's behind the reverse proxy. Sitting here in front of my computer, with WiFi turned off on my phone, the Android app just spins and spins until it finally times out. If I turn WiFi back on, it connects pretty quickly.

 

I'm also running OpenVPN, so I can establish a VPN tunnel to the server then access emby via the app with no problem, but I don't think my son in the Army can do that from his Xbox, and it does seem (without any absolute testing whatsoever) to be a bit slower that way.

 

I read the post by @Swynol on reverse proxying but that doesn't seem to be what I'm after (I've already got that working), and I looked through his blog post linked earlier in this thread.

 

I saw this post from @ earlier in this thread, as well. I've looked at that configuration page and I'm not sure exactly what those settings will do, so before enabling anything there, I want to make sure I'm not going to lock myself out of my setup by misconfiguring things.

 

If I go to the Advanced page in settings and put "mydomain.com" in the External Domain field, point the Custom ssl certificate path to the location where nginx stores all its certs (I've got .pem files and .pfx files), then hit the https check box, can I then put "mydomain.com" in my app's server Host entry? Would I use 8096 or 443 for the port?

 

As a note - I "own" the domain - it's a free ddns from changeip.com, I don't have anything setup through emby's dns service.

 

Hi @TheFreeMan

 

When you say "how do I get the emby apps to access the server", do you mean internally or externally? If internally, use the LAN IP; externally they can connect using your domain name https://..... and port 443 (I'm guessing you have port forwarded 443 on your router to your docker running NGINX). If you just turn the wifi off and it doesn't connect, it's probably still pointing to your LAN IP.

 

With NGINX, does it point to emby on port 8096 or 8920? If you tick the box to force everything HTTPS then you need a valid PFX cert and password in emby server. Unless you use Alexa with emby, I recommend NOT ticking "force HTTPS", and instead use the NGINX config to redirect anything on port 80 (http) to port 443 (https).

 

When using a VPN tunnel remotely it connects to your internal network so your app is probably still using the LAN IP which is why it works over VPN. 

 

If you fill in the Advanced page in emby server with your domain name, PFX and password, and then port forward 8920 on your router to emby server, then you can connect to your emby server using your domain name (HTTPS with port 8920).


pir8radio

I just opened a port through the VPN service, enabled the stealth encryption, configured the client, ran the client on the server, and I'm all set. So now it's running through a proxy and their server handles the encryption. And it's anonymized. 

 


 

Go on, go on........   This ninja encryption, what's the throughput capability?


Guest asrequested

Go on, go on........ This ninja encryption, what's the throughput capability?

Comcast only gives me 12Mb/s up, so that is unchanged. The download came out at around 70Mb/s. So my usage is unaffected, but it is reducing the down bandwidth to a quarter of what's available.


Can Someone please tell me how SSL through a reverse proxy secures your server?

 

The encryption hides the data being sent back and forth, but it doesn't stop any person in the world from connecting to your server.

 

A VPN the connection client needs an encryption key to even make the connection. The reverse proxy sends anyone straight to your server. Then it's up to your server to verify.

 

Which leads us to Emby's credential verification. It only supports basic auth. Also if you have friendly user names like 'Admin', even if they are hidden, they will still let remote users in if they crack the password.

 

The password auth isn't even the big concern although it sucks that I have to make sure the users use good passwords (also not enforceable in emby). Once a known exploit for emby is released you're toast, the attacker can grab hold of your server, and in most user configurations will have direct access to the home network.

 

Am I missing something here?


I read this thread and it seems @Luke and @ebr are stuck on the fact that they think you need your own domain to have an SSL certificate, this is simply not true.

 

Emby Server could very easily generate a self signed certificate and be SSL enabled by default out of the box. Lots of applications and services/servers do this, it's not hard.

 

Getting your own domain and public cert should be an option not a requirement, basic encryption using a self signed certificate should be on by default.

Edited by dcook

Except that most devices will reject the self signed cert and it's not possible for us to override that.


The big distinction here is that emby works with a host of third party devices, not just the web browser. Even your web browser throws a warning which you have to manually bypass to get a self signed cert site to load.

Edited by cryzis

pir8radio

1.) Can Someone please tell me how SSL through a reverse proxy secures your server?

      The encryption hides the data being sent back and forth, but it doesn't stop any person in the world from connecting to your server.

 

2.) A VPN the connection client needs an encryption key to even make the connection. The reverse proxy sends anyone straight to your server. Then it's up to your server to verify.

Which leads us to Emby's credential verification. It only supports basic auth. Also if you have friendly user names like 'Admin', even if they are hidden, they will still let remote users in if they crack the password.

 

The password auth isn't even the big concern although it sucks that I have to make sure the users use good passwords (also not enforceable in emby).

 

3.) Once a known exploit for emby is released you're toast, the attacker can grab hold of your server, and in most user configurations will have direct access to the home network.

 

Am I missing something here?

 

Just some notes. So VPN means either 1.) a VPN service that your server connects to, to tunnel to the internet using someone else's connection (the VPN service provider's internet), or 2.) VPN could also mean you have a VPN server set up and all of the clients have VPN clients that connect to your VPN server; they then tunnel through the internet to your network, where they can then connect to your server privately. I assume you mean the second example, which is pretty difficult for most users. I couldn't tell my mom with a Roku stick to set up a VPN in her router and restrict just the Roku stick traffic to my VPN connection so she could watch a movie and not have the rest of her traffic hitting my VPN. I guess my view is that this is a media server that I back up to the cloud; if that server just gets thrashed it will suck, but I don't lose anything. I will enforce good passwords until emby has the feature.

 

1.) It protects people from just grabbing your users login info from thin air.  Would you log into your bank website without encryption? You would probably love it if your bank made you VPN into them before connecting to the web based bank gui, but the rest of civilization would hate it. There are compromises, security vs ease. It all comes down to what is at risk, who are your customers, and finding a happy medium of protection. 

 

That said a reverse proxy is much more like a firewall/router for your application servers..   Sure you can hit the firewall all day long, but if it's setup correctly you can narrow your attack surface and block any known exploits or common attack methods.  Much like Cloudflare.com does (which is just an nginx reverse proxy that they tuned/setup).   

 

2.) Most of the VPNs I've used have a user name and password to connect up; more advanced VPNs give you a cert for your client, but often use the same basic login to the VPN site to receive that cert, unless this is a privately owned VPN. The same issues exist as with emby: you need a good login/password to protect that. True, emby should have the ability to set password requirements. Again, if the RP is set up correctly it doesn't send you straight to the emby server; the client talks to the RP and the RP talks to emby, sort of like a router would.

 

3.) Yes if there is an exploit the bad guy could gain access to your server, doubtful that they would have access to the network, but yes network drives that are mapped to the emby server.

 

You have valid points, but everyone pretty much knows nothing is impossible to break with time and money. Sure, a private VPN server set up correctly with all clients using certs to connect to your VPN server and then to your emby server over that tunnel is more secure than just SSL. Even more secure: all of your clients are on an MPLS, then use a VPN over the MPLS to your server. OR......... It comes down to how secure each admin wants to be with their server vs how easily they want their users to connect. Your way works for you, my way works for me... My server domain is public, has been for 18 or so years. It's possible that some of the potential attack groups are aware of me, which may or may not inherently protect me from being attacked in the first place, but aside from that (knock on wood) I have been OK. This is all good info for "GUY C", that is reading this, to pick a good method to protect his family media server. It's good talk and good to see how everyone does their thing. :)

Edited by pir8radio

A proxy is a server (a computer system or an application) that acts as an intermediary for requests from clients seeking resources from other servers. In order to filter requests by source you would need to add functionality.

 

1. Client system authentication using X509 certificate. I have a project to get this implemented.

2. Possibly requiring another layer of authentication inside the reverse proxy.

 

3. Obscure your services based on URI.

One thing I do is to obscure services based on URI request in the HTTPS request. I have a single synthetic a+ record that points to my house, I then use CNAME records to divide multiple services. I use ACLs on the front end of the reverse proxy that associate the URI to the back end service. Outside of those ACLs the default ACL action for the front end is to point to a dummy IP and port backend. This default action would appear to be a service down to a potential attacker.

 

Requests to the main synthetic a+ record and requests to the public IP address instead of one of the CNAMEs are sent to the dummy IP backend.

 

Then I use that dummy back end as a honey pot of sorts. I have log monitoring integrated with my firewall. I systematically block those source IP addresses that were proxied to the dummy backend if they are forwarded there more than 2 times in a week.

 

I also choose not to use domains like Emby.mydomain.com, as this would give a potential attacker more information than is publicly needed.

 

 

Edited by Tur0k
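Tur0k's scheme above (route by hostname, send everything else to a dead backend, block sources that hit it repeatedly) in working form, as an added example that is not part of the original post and not a real HAProxy or nginx configuration. The hostnames, the log line format, the dummy address and the 7-day / 2-hit threshold are assumptions; a real deployment would read the proxy's access log and hand the result to the firewall.

```python
"""Host-based routing with a dead default backend, plus a block list built
from hits on that backend.  Added example in the spirit of Tur0k's post;
not Emby code and not a real HAProxy/nginx configuration.  Hostnames,
log format, dummy address and the 7-day / 2-hit rule are assumptions."""
from collections import defaultdict
from datetime import datetime, timedelta

# Public CNAMEs -> real backends (made-up names and RFC 1918 addresses).
# Anything not listed here, including the apex name and the bare public IP,
# falls through to DUMMY, which looks like a dead service to a scanner.
BACKENDS = {
    "cname-a.example.net": ("10.0.0.10", 8096),   # media server
    "cname-b.example.net": ("10.0.0.11", 8080),   # some other service
}
DUMMY = ("10.255.255.254", 9)  # nothing listens here


def route(host_header: str) -> tuple:
    """Backend for a request's Host header; default DUMMY.
    Host is compared case-insensitively and without an explicit :port."""
    host = host_header.split(":", 1)[0].strip().lower()
    return BACKENDS.get(host, DUMMY)


# Constructed access-log lines: "<ISO timestamp> <source ip> <Host header>".
SAMPLE_LOG = """\
2018-01-10T09:00:00 203.0.113.5 cname-a.example.net
2018-01-10T09:01:00 198.51.100.7 apex.example.net
2018-01-11T10:00:00 198.51.100.7 203.0.113.200
2018-01-12T11:00:00 198.51.100.7 apex.example.net
2018-01-02T11:00:00 198.51.100.9 apex.example.net
2018-01-03T11:00:00 198.51.100.9 apex.example.net
2018-01-04T11:00:00 198.51.100.9 apex.example.net
2018-01-13T12:00:00 192.0.2.44 cname-b.example.net
"""


def dummy_hits_to_block(log_text: str, now: datetime, window_days: int = 7,
                        max_hits: int = 2) -> set:
    """Source IPs routed to DUMMY more than max_hits times in the
    window_days before `now` (the "more than 2 times in a week" rule).
    Entries outside the window, including timestamps after `now`, are ignored."""
    cutoff = now - timedelta(days=window_days)
    hits = defaultdict(int)
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, src, host = line.split()
        when = datetime.fromisoformat(ts)
        if when < cutoff or when > now:
            continue
        if route(host) == DUMMY:
            hits[src] += 1
    return {ip for ip, n in hits.items() if n > max_hits}


def block_list(log_text: str, now_iso: str) -> set:
    """Convenience wrapper taking the reference time as an ISO 8601 string."""
    return dummy_hits_to_block(log_text, datetime.fromisoformat(now_iso))


if __name__ == "__main__":
    # Hand the result to the firewall (e.g. an nftables set); here just print.
    print(sorted(block_list(SAMPLE_LOG, "2018-01-14T00:00:00")))
```

The route function is what the proxy's front-end ACL does; the block list is what the log monitor would feed to the firewall. A request carrying a bare IP address (or the apex name) as its Host header lands on the dummy backend, so the same rule catches scanners that hit the public address without knowing a CNAME.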

Using a domain through CloudFlare I can't connect directly using a Roku even if I disable SSL. The connection times out when trying to connect directly, whereas if I try my dyndns hostname with SSL enabled it refuses the connection right away. I can still connect via my old dyndns hostname on port 8096. If users go through emby connect they are able to connect even if SSL is enabled. There are no issues connecting using the CF hostname via a web browser or android app.


Thank you, this was all great info. I think my concern for any publicly available server is how secure is your network assuming the server was breached.

 

Many people use their home network without ever thinking about how each device on the network is insulated from any other device on the network.

 

That is hardest part for me to give up. I don't want to have to think about all those things, if my router blocks all incoming requests by default it isn't nearly as big of a concern.

 

With that being said, if I were to implement the reverse proxy method, I think I would need the server to live on a different network interface than the rest of my home network. Opening the front door but severely limiting the potential damage.


I would love an x509 setup.

 

Right now I am looking for a small but powerful VPN client/ WiFi router.

 

I can load it VPN credentials and routing rules, then give those out. The user hooks it up to their Ethernet, then connects whatever client they want access to my server.

 

I just haven't found a small/cheap one that doesn't sacrifice the speed. It needs to support 25Mbps with the VPN on :/

 

The only thing right now that I think would work is by using Nvidia Shield, they play everything direct and can run a VPN client. Problem is they are expensive and I would be forcing the client player on anyone who wants access.


Guest asrequested

What I like about the way I've just implemented my VPN service, is that yes, if someone got the proxy address, they can access my server. But...they don't get my WAN IP, and I can easily change the proxy. I'm not looking to make it impregnable, just make it harder.

 

I'm eventually going to use pfsense and then openvpn will also be used on top of the VPN service. But for now, this will work.

Edited by Doofus

Swynol

I think VPN works for some and an SSL connection for others: either reverse proxy, Cloudflare or straight to emby server with https.

 

I use a mix of reverse proxy and Cloudflare. The reason I don't use VPN is that my workplace blocks all VPNs, so I wouldn't be able to connect to my server from work. Because I work on call it's handy to have access to my services from work.

 

Also with VPN it would mean I would need to set up my family with VPN on all their devices and explain to them how to use it. With SSL through Cloudflare I can just send them a link and it's done.

 

 


Are you using a real public domain and a publicly trusted SSL certificate? Did you check the certificate chain that links to a trusted root CA?

 

Otherwise it could be a config issue.

 

 


Build a firewall and pick up a stand-alone AP. You can then test hosting both a VPN and a reverse proxy to see which you prefer. That is what I did, and I prefer the reverse proxy for non-administrative tasks and the VPN when I need to get my hands dirty.

 

 


I have a real public domain. Haven't checked the cert. I took the files from cloudflare and had them combined into the cert file. I assume it is just Roku being picky.


TheFreeMan

Thanks for your input @Swynol. Unfortunately, you've lost me a bit. Instead of continuing this thread jack, I've opened a new post here and would appreciate some clarification on my questions there.

Edited by TheFreeMan

pir8radio

I use CSF firewall to filter incoming based on location.

 

I don't recall seeing that question that you responded to from @cryzis. But to add to his question lol, you can whitelist IPs in nginx... Think of nginx as a firewall for your application servers behind it. You can limit to certain IPs, browsers, client types, location, whatever http headers exist.

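An admission policy of the kind pir8radio describes (source IP, location, client type, anything in the headers), written here as an added Python example rather than an nginx or CSF configuration; it is not part of the original post. The networks, the country table and the User-Agent markers are constructed. One caveat worth stating: the header checks only filter noise, since User-Agent is chosen by the client, so the source-address rules are the ones doing real work.

```python
"""Admission policy in front of an application server: source-network
allowlist, country allowlist and a client-type check on HTTP headers, the
kinds of filter pir8radio mentions for CSF and nginx.  Added example, not
Emby code and not an nginx/CSF config; networks, country table and
User-Agent markers are constructed."""
import ipaddress

# Networks allowed straight through, no further checks (documentation ranges).
ALLOWED_NETS = [ipaddress.ip_network("203.0.113.0/24"),
                ipaddress.ip_network("2001:db8::/32")]

# Constructed stand-in for a GeoIP database: prefix -> ISO country code.
GEO_TABLE = {ipaddress.ip_network("198.51.100.0/24"): "US",
             ipaddress.ip_network("192.0.2.0/24"): "RU"}
ALLOWED_COUNTRIES = {"US", "CA"}

# Substrings that mark a User-Agent as a known client type (assumed values).
# This is attacker-chosen input: it filters scanners, it does not authenticate.
ALLOWED_CLIENT_MARKERS = ("Emby", "Mozilla/5.0")


def lookup_country(ip):
    """Toy lookup: first matching prefix wins, None if nothing matches."""
    for net, cc in GEO_TABLE.items():
        if ip in net:
            return cc
    return None


def decide(src_ip: str, headers: dict) -> tuple:
    """Return (allowed, reason) for one request.

    src_ip must be the peer address seen by the proxy, not X-Forwarded-For,
    unless an upstream proxy you control sets that header.  Header names are
    matched case-insensitively, as HTTP requires."""
    ip = ipaddress.ip_address(src_ip)
    if any(ip in net for net in ALLOWED_NETS):
        return True, "source network allowlisted"
    cc = lookup_country(ip)
    if cc not in ALLOWED_COUNTRIES:
        return False, f"country {cc or 'unknown'} not allowed"
    hdrs = {k.lower(): v for k, v in headers.items()}
    ua = hdrs.get("user-agent", "")
    if not any(marker in ua for marker in ALLOWED_CLIENT_MARKERS):
        return False, "unrecognised client type"
    return True, "geo and client checks passed"


if __name__ == "__main__":
    # Constructed requests: (source ip, headers)
    for src, hdrs in [("203.0.113.9", {}),
                      ("192.0.2.10", {"User-Agent": "Emby/3.0"}),
                      ("198.51.100.5", {"User-Agent": "curl/7.58"}),
                      ("198.51.100.5", {"user-agent": "Emby/3.0 Android"})]:
        print(src, decide(src, hdrs))
```

The order matters: a hard allowlist short-circuits everything, geo runs before header inspection so that bulk scanner traffic is dropped cheaply, and the client-type check comes last because it is the weakest of the three.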

 

I use CSF firewall to filter incoming based on location.

 

Ok so your firewall filters the incoming connections on your 443 port, then the allowed connections are passed through to your reverse proxy.

 

If that is the case this seems like the correct layer to handle this. Yes you can use your reverse proxy to deny connections, but doing it in the firewall seems a bit more intuitive.

 

When you filter by location, how specific can you get? I assume the lowest you can go is the central office the connection originated from?

 

Also malicious users from overseas are likely to use a VPN to some other endpoint to avoid these types of basic restrictions.

 

Blocking connections based on the IP seems like the best you can do when it comes to this kind of setup. Most users have dynamic IPs, which is why I would set up a DynDNS service for connections, then only allow connections from those domains.

 

Far from bulletproof but easier than going the VPN route.


That doesn't sound too bad. You will likely need to script the domain lookups to get a public IP, and then determine how to dynamically add/remove the IPs from your firewall rules.

 

 


The DynDNS on the users' routers would keep the IPs up to date. Then just whitelist the domain names; I think it would work.


I have not seen the NGINX whitelist, but most firewall traffic rules require IP addresses.

 

 


Edited by Tur0k
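The DynDNS-to-firewall sync that Tur0k says would need scripting, as an added Python example that is not Emby, CSF or nginx code and not part of the thread. The hostnames, the nftables table and set names and the resolver are assumptions; the resolver is injected so the run here uses a constructed DNS table instead of the network, and in production resolve_dns would be passed instead.

```python
"""Keep a firewall allowlist in step with users' dynamic-DNS hostnames,
the script Tur0k says you would need.  Added example, not Emby, CSF or
nginx code.  Hostnames, nftables table/set names and the constructed
resolver are assumptions; the resolver is injected so the run here stays
offline.  In production pass resolve_dns."""
import ipaddress
import socket

# Made-up DynDNS names of the people who should reach the server.
ALLOWED_HOSTNAMES = ["son-home.dyndns.example", "mom-home.dyndns.example"]


def resolve_dns(hostname: str) -> set:
    """Real resolver: every A/AAAA answer for hostname, empty set on failure."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return set()
    return {ipaddress.ip_address(info[4][0]) for info in infos}


def desired_allowlist(hostnames, resolver) -> set:
    """Union of the current addresses of all hostnames.  A name that fails to
    resolve contributes nothing, so a dead record never leaves an old
    address allowlisted."""
    wanted = set()
    for name in hostnames:
        wanted |= resolver(name)
    return wanted


def _set_name(ip) -> str:
    # nftables sets are typed per address family, hence one set per version.
    return "emby_allow_v4" if ip.version == 4 else "emby_allow_v6"


def plan_changes(current: set, desired: set) -> list:
    """nft commands turning `current` into `desired` (table/set names assumed)."""
    cmds = []
    for ip in sorted(desired - current, key=str):
        cmds.append(f"nft add element inet filter {_set_name(ip)} {{ {ip} }}")
    for ip in sorted(current - desired, key=str):
        cmds.append(f"nft delete element inet filter {_set_name(ip)} {{ {ip} }}")
    return cmds


# Constructed DNS: the son's address changed since the last run, mom's did not.
FAKE_DNS = {
    "son-home.dyndns.example": {ipaddress.ip_address("198.51.100.23")},
    "mom-home.dyndns.example": {ipaddress.ip_address("203.0.113.77")},
}


def fake_resolver(hostname: str) -> set:
    return FAKE_DNS.get(hostname, set())


def sync_example() -> list:
    """One sync run against the constructed resolver and a stale allowlist."""
    current = {ipaddress.ip_address("198.51.100.9"),    # son's old address
               ipaddress.ip_address("203.0.113.77")}
    desired = desired_allowlist(ALLOWED_HOSTNAMES, fake_resolver)
    return plan_changes(current, desired)


if __name__ == "__main__":
    for cmd in sync_example():
        print(cmd)   # in a cron job: subprocess.run(cmd.split(), check=True)
```

Run from cron with resolve_dns and the set's real current contents (read back with nft list set), the diff is applied rather than printed. The allowlist is only as trustworthy as the users' DynDNS accounts: whoever can update one of those records gets through the firewall, and a record that stops resolving removes that user's access on the next run rather than leaving a stale address open.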

moviefan

Once a known exploit for emby is released you're toast, the attacker can grab hold of your server, and in most user configurations will have direct access to the home network.

 

This is true for ANY public service you host.

 

This is how (what will be known as) the most significant attack in history - Equifax - happened.

 

Struts vulnerability allowed for complete ownership of the network hosting their servers.

 

This is why I have Emby running with an underprivileged account and eventually would love to have placed into an isolated DMZ.


Like I said, the most secure network is disconnected from the public Internet, and hosted in a physically secure location with limited entry points for foreign code.

 

The first question should always be, "do you really need to access this on the public Internet?"

 

Once a private network is no longer an option, the best practice methodology is to implement multi-factor authentication. Then protect the network with multiple concentric walls as data and permissions become more and more valuable.

 

Even a conventional DMZ firewall sandwich is designed to have multiple firewalls from different vendors securing the DMZ from the public Internet and the internal network from the DMZ and the Public Internet.

 

Added to it, setting up IPS and honey-pot systems throughout the concentric walled-off systems aids in detection of attack.

 

 


Edited by Tur0k