Security 101: Secure Connections


regid


Fratopolis

It's in my home, but it's probably more of a small business setup :D

 

I was thinking about a new router to replace my Apple Airport Extreme, but need to do some wider research. I run various external services (VPN, WordPress, ownCloud, emby, calibre) from a FreeNAS box (using a variety of jails and VMs). These are all accessed through a Jail running an NGINX reverse proxy and certbot to handle the SSL certificates. It works OK and I have awstats set up to give me some idea of what traffic is coming in, although I'd like a little more visibility and control. Perhaps I need to investigate pfsense a little more.

 

Well, the Asus router has an internal syslogger as well as the option to point all logging to a standalone syslog server (this includes logging all incoming and outgoing connections, whether they are blocked or accepted connections). Still not sure why you need multiple domain names though. One will do what you have listed. Unless I am missing something.

Edited by Fratopolis

adrianwi

Thanks for the replies and info.  I created a pfsense VM in FreeNAS some time ago but didn't have much time to play around with it and it looked like it would take quite some time to understand!  

 

As a minimum, I'd need two domains - one for my company and one for my personal stuff. I like to use the subdomain for the service, and given Letsencrypt doesn't deal with wildcards at the minute, I end up with several certificates for each domain. I know Letsencrypt have this in their roadmap, so maybe that will simplify things a little for me.


Swynol

Thanks for the replies and info.  I created a pfsense VM in FreeNAS some time ago but didn't have much time to play around with it and it looked like it would take quite some time to understand!  

 

As a minimum, I'd need two domains - one for my company and one for my personal stuff. I like to use the subdomain for the service, and given Letsencrypt doesn't deal with wildcards at the minute, I end up with several certificates for each domain. I know Letsencrypt have this in their roadmap, so maybe that will simplify things a little for me.

 

You can use their v2 API and get wildcards now. It's in BETA, meant to be released in Feb.

 

You can list subdomains in one cert. Alternatively, use Cloudflare, which will give you a wildcard cert for free.

 

https://community.letsencrypt.org/t/i-want-to-set-wildcart-ssl-in-my-domain-help-me-how-to-set/50575/2

Edited by Swynol

Nobody is suggesting that, just have an option for security through emby.

 

Applying an SSL is a PITA. Any more than 2 clicks is a waste of my time.

 Doofus, thanks for keeping the desire for a simple (yet secure) "option" from getting lost in this interesting conversation thread.


I gave up trying to use SSL with the Roku. Once I imported the cert it worked sometimes, but not for everyone, including going through Emby Connect. I have no idea why it would be so hit and miss with nothing changing on my end. Personally I think the Rokus are just too damn picky.


I gave up trying to use SSL with the Roku. Once I imported the cert it worked sometimes, but not for everyone, including going through Emby Connect. I have no idea why it would be so hit and miss with nothing changing on my end. Personally I think the Rokus are just too damn picky.

So is this using Cloudflare, or connecting directly to your Emby server from the public Internet?

 

I don't have Rokus, as we mainly have iOS, Android, Linux and Windows here. I still suspect that there is something missing, either in the config or in the certificate chain.

 

 

Sent from my iPhone using Tapatalk


Both. Only issues are using Roku devices.

 

Sent from my STV100-3 using Tapatalk

Do you have the same problem when the Roku is on the same LAN as the Emby server?

 

 

Sent from my iPhone using Tapatalk


OK, for the sake of testing, would you confirm you have configured the following:

1. Have a public domain.

2. Loaded a publicly trusted SSL cert on your Emby server.

3. Opened port 8920 on your router.

4. Port forwarded it to your Emby server's IP address.

5. Turned off your Emby server's Windows firewall.

 

 

Sent from my iPhone using Tapatalk


1, 3, 4 & 5 are yes. There's no issue reaching the server through Cloudflare using a browser or via the Android app. 2: I generated the cert using the two files provided via CF on the website in the instructions. It works sometimes and other times people say they can't connect.

 

Sent from my STV100-3 using Tapatalk


horstepipe

Hey

I'm thinking about trying to set up nginx and a CA (certificate authority) to give my Kodi clients a client certificate.

But first I‘m having a basic question of understanding:

If one client gets one specific client certificate, can this file just be copied to another device, which then gets access to the server, too? I don't want this to be true, but I guess that's the way it works?

What happens if two clients try to establish a connection to the server with the same client cert?


1, 3, 4 & 5 are yes. There's no issue reaching the server through Cloudflare using a browser or via the Android app. 2: I generated the cert using the two files provided via CF on the website in the instructions. It works sometimes and other times people say they can't connect.

 

Sent from my STV100-3 using Tapatalk

So PKI (public key infrastructure) is a set of technologies, systems, and structure that is used to manage public key encryption. From an end user's perspective, the core function is that a certificate is trusted because there is a hierarchical chain of certificates that lead to a CA (certificate authority) that you and your client device trust. Your SSL needs to list those parent certs in the certificate hierarchy. Sometimes, people only list their SSL cert and no parent. This would break the ability for your device to confirm that your cert was issued by someone they trust.

 

I would recommend checking that your trusted certificate chain is complete. You should be able to use the below link to check it.

https://whatsmychaincert.com

 

 

 

 

Sent from my iPhone using Tapatalk

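The chain point made above (and the earlier remark that several subdomains can be listed in one cert) in a runnable form. This is an added example, not code from the thread or from Emby, Cloudflare or Let's Encrypt: it builds a constructed root -> intermediate -> leaf chain with the openssl CLI (all names are placeholders) and shows that a client holding only the root accepts the leaf only when the intermediate is presented alongside it.

```shell
#!/bin/sh
# Added example (not from the thread): constructed three-tier chain built with
# the openssl CLI. A client that trusts only the root can validate the leaf only
# when the intermediate is served with it ("fullchain"), and one leaf can cover
# several subdomains through its subjectAltName.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Root CA: self-signed, CA:TRUE. Subject names are constructed placeholders.
printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' > ca.ext
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=Demo Root CA" -keyout root.key -out root.csr 2>/dev/null
openssl x509 -req -in root.csr -signkey root.key -days 2 -extfile ca.ext -out root.crt 2>/dev/null

# Intermediate CA: signed by the root, also CA:TRUE.
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=Demo Intermediate CA" -keyout int.key -out int.csr 2>/dev/null
openssl x509 -req -in int.csr -CA root.crt -CAkey root.key -CAcreateserial \
  -days 2 -extfile ca.ext -out int.crt 2>/dev/null

# Server leaf: signed by the intermediate; its SAN lists two subdomains in one cert.
printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:emby.example.test,DNS:cloud.example.test\n' > leaf.ext
openssl req -new -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
  -subj "/CN=emby.example.test" -keyout leaf.key -out leaf.csr 2>/dev/null
openssl x509 -req -in leaf.csr -CA int.crt -CAkey int.key -CAcreateserial \
  -days 2 -extfile leaf.ext -out leaf.crt 2>/dev/null
cat leaf.crt int.crt > fullchain.crt   # what a correctly configured server presents

# The client trusts only the root. Leaf alone: no path to the root can be built.
verify_leaf_only() {
  if openssl verify -CAfile "$WORK/root.crt" "$WORK/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Leaf plus intermediate: the chain completes and verification succeeds.
verify_with_chain() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.crt" \
       "$WORK/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
# Hostname check against the SAN: a listed name passes, an unlisted one does not.
verify_host() {
  if openssl verify -CAfile "$WORK/root.crt" -untrusted "$WORK/fullchain.crt" \
       -verify_hostname "$1" "$WORK/leaf.crt" >/dev/null 2>&1; then echo ok; else echo fail; fi
}
echo "leaf only:           $(verify_leaf_only)"
echo "leaf + intermediate: $(verify_with_chain)"
echo "cloud.example.test:  $(verify_host cloud.example.test)"
echo "other.example.test:  $(verify_host other.example.test)"
```

A server that installs only its own certificate behaves like the first case, which is the "incomplete chain" failure the chain checker linked above reports.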

It has the correct chain. It's the CF shared SSL cert.

 

Now that I went back to my pre-SSL settings and changed it back to SSL, I only get a black screen in a browser.

 

Port 443 is forwarded to 8920 and Windows firewall is set to allow port 8920. WAN IP is correct.

 

OK it is working in browser now. Just doesn't want to work behind PIA VPN. I'll test a roku using my cell to see if it works. Time will tell if it will work for everyone.

Edited by lorac

Guest asrequested

Just so the thread topic doesn't get buried under all the advanced security configurations. Some of us are asking for a basic encryption option in the server settings. Not using letsencrypt or any kind of proxy. Just click this and encrypt the server data. 


  • 2 months later...
afullmark

Just so the thread topic doesn't get buried under all the advanced security configurations. Some of us are asking for a basic encryption option in the server settings. Not using letsencrypt or any kind of proxy. Just click this and encrypt the server data. 

 

I quite agree with you; I have stuck with plex because everything, in this regard (ssl), is easy. An option in settings to auto set-up everything, hand-held like, would be welcomed by me.


Swynol

I quite agree with you; I have stuck with plex because everything, in this regard (ssl), is easy. An option in settings to auto set-up everything, hand-held like, would be welcomed by me.

 

You can't really compare this to Plex. To me, Plex is insecure. How Plex works is it acts like a man in the middle attack. So you open a browser and connect to your Plex server. The data goes from you to the Plex servers (SSL connection). Plex then sees your username/password, IP details, headers etc. From here your data is sent from the Plex servers to your Plex server in sort of plain text and not over an SSL connection. The websocket is then opened from your Plex server directly to your web browser. From what I can gather this isn't over SSL.

 

Every bit of data you send over your SSL connection to Plex is actually decrypted by their servers before being sent on. So in theory they could snoop on it, i.e. a man in the middle attack.

 

There is an option in Plex to use your own certificates. If you use your own then the data is encrypted, as only you have the key/crt combo and Plex can't man in the middle it. Adding your own cert is exactly the same as Emby, knowledge/skill wise.

Edited by Swynol

Guest asrequested

The thing to remember here, is that by default there is no security at all. So even if emby is the middle man, there will at least be some security, for the people who have no skills to apply their own. Some is better than none. A disclaimer can be added to let people know the details of what is happening.


Doesn't Emby Connect offer some security? Probably the same amount as plex.tv offers.

 

The login process is over https, so yes.


Guest asrequested

That's just password security. I would think you could offer more security as an add-on, and charge a little money for it?


Swynol

Yeah, so it's basically a DDNS, sort of. Which is almost exactly what Plex offers as standard. Except all the snooping that Plex does as extra.

 

So comparing both, Emby is actually more secure as standard if you use Emby Connect.

 

 

Sent from my iPhone using Tapatalk


afullmark

You can't really compare this to Plex. To me, Plex is insecure. How Plex works is it acts like a man in the middle attack. So you open a browser and connect to your Plex server. The data goes from you to the Plex servers (SSL connection). Plex then sees your username/password, IP details, headers etc. From here your data is sent from the Plex servers to your Plex server in sort of plain text and not over an SSL connection. The websocket is then opened from your Plex server directly to your web browser. From what I can gather this isn't over SSL.

 

Every bit of data you send over your SSL connection to Plex is actually decrypted by their servers before being sent on. So in theory they could snoop on it, i.e. a man in the middle attack.

 

There is an option in Plex to use your own certificates. If you use your own then the data is encrypted, as only you have the key/crt combo and Plex can't man in the middle it. Adding your own cert is exactly the same as Emby, knowledge/skill wise.

 

Despite all this - and maybe Emby would do these things (those above) differently - I would appreciate an option in emby to set this up for me; paying a yearly fee to emby would be preferable. 


afullmark

That's just password security. I would think you could offer more security as an add-on, and charge a little money for it?

Yes, this is what I'd support, as an option, with a fee attached. 


afullmark

I personally would never open Emby up outside my home network without forced HTTPS connections. Maybe I am overly cautious but I think it is just good practice.

 

While Plex's solution isn't ideal, it does just work. No need to purchase a domain name, no need to create SSL certificates, no need to renew the certificates.

 

My suggestion would be for Emby to partner with an SSL cert provider and have an easy way of authenticating the cert from within the Emby dashboard.

 

Yes, to this. 

