
Security 101: Secure Connections


regid


Good point. I think we have mapped out what we would like to offer the spectrum of users as a user group:

1. Emby Connect redesigned to function as more of a proxy.
   I. Minimal user configuration.
   II. Check a box, pay the monthly charge.

2. Use your own cloud-hosted proxy provider like Cloudflare. (Should we create a published configuration guide?)
   I. Requires port forwarding on home router.
   II. Requires purchase of a public domain with public DNS.

3. Use the built-in secure web configuration in Emby.
   I. Requires port forwarding on home router.
   II. Requires purchase of a public domain with public DNS.
   III. Use of either a self-signed or publicly trusted cert (paid).

4. Set up your own service.
   A. VPN
      I. Requires port forwarding on home router.
      II. Requires purchase of a public domain with public DNS unless you plan on using the public IP address.
      III. Management of a local CA for server and client certificates and VPN user accounts.
   B. Reverse proxy
      I. Requires port forwarding on home router.
      II. Requires purchase of a public domain with public DNS unless you plan on using the public IP address.
      III. Use of either a self-signed or publicly trusted cert (paid).
      IV. Management and configuration of the reverse proxy.
      V. Possible management of a local CA for client certificates.

Sent from my iPhone using Tapatalk

 

yes to no. 1. 


Whilst securing a service you are exposing to the internet isn't generally a simple click and go, it is not exactly rocket science either.  

 

If you can't commit a little time to learning and understanding how to set it up and what it's doing, you probably shouldn't be exposing the service(s) to begin with?



Whilst securing a service you are exposing to the internet isn't generally a simple click and go, it is not exactly rocket science either.  

 

If you can't commit a little time to learning and understanding how to set it up and what it's doing, you probably shouldn't be exposing the service(s) to begin with?

 

Then I do think that there should be an addition to the wiki section: "How to setup an SSL certificate with emby for Windows, Mac and Linux". Any guides are a bit all over the place and rather disconcerting to new members or those considering switching from plex. Plus, it would make any solution slightly more official and give peace of mind, as opposed to finding a solution via the forums. 


I managed to piggyback off the Asus router's SSL certs that it sets up by default as part of the DDNS setup (on later firmwares, also from Let's Encrypt).

I do have to download and convert them to 'emby' format (PKCS#12 with password) every time they get updated, but that is not that often.
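Added example, not the poster's own script: the conversion step described above as a shell function that turns certbot's PEM files into the password-protected PKCS#12 bundle Emby reads, refusing first if the key does not belong to the certificate, plus a helper that reads the bundle's expiry so a renewal job can log it. The file names fullchain.pem and privkey.pem are certbot's defaults; every path and password shown is an assumption.

```shell
#!/usr/bin/env bash
# Build the password-protected PKCS#12 (.pfx) bundle Emby expects from a Let's Encrypt
# certificate and key. fullchain.pem / privkey.pem are certbot's default file names;
# every path and password used here is an assumption for the example.
set -eu

make_emby_pfx() {
  local chain="$1" key="$2" out="$3" pass="$4"   # PEM chain, PEM key, output .pfx, export password
  local cert_pub key_pub
  # Refuse a key that does not belong to the certificate: a silent mismatch would only
  # show up later as a TLS handshake failure in the client.
  cert_pub=$(openssl x509 -in "$chain" -noout -pubkey)
  key_pub=$(openssl pkey -in "$key" -pubout)
  [ "$cert_pub" = "$key_pub" ] || { echo "private key does not match $chain" >&2; return 1; }
  openssl pkcs12 -export -in "$chain" -inkey "$key" -out "$out" -passout "pass:$pass"
  chmod 600 "$out"   # the bundle holds the private key; keep it readable by the Emby user only
}

# Print the leaf certificate's notAfter date from a bundle, so a renewal job can log it.
pfx_expiry() {
  openssl pkcs12 -in "$1" -passin "pass:$2" -nokeys -clcerts 2>/dev/null | openssl x509 -noout -enddate
}

# Typical call after each renewal (placeholder paths and password):
# make_emby_pfx /etc/letsencrypt/live/emby.example.test/fullchain.pem \
#               /etc/letsencrypt/live/emby.example.test/privkey.pem \
#               /var/lib/emby/emby.pfx 'change-me' && pfx_expiry /var/lib/emby/emby.pfx 'change-me'
```

With OpenSSL 3 the default PKCS#12 encryption changed; if the server rejects the bundle, add `-legacy` to the `openssl pkcs12 -export` line to produce the older encoding.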


I managed to piggyback off the Asus router's SSL certs that it sets up by default as part of the DDNS setup (on later firmwares, also from Let's Encrypt).

I do have to download and convert them to 'emby' format (PKCS#12 with password) every time they get updated, but that is not that often.

 

A great example of why a "how to guide" in the wiki wouldn't work, as there are so many different ways of doing this. Some routers have this stuff built in, you could generate a self-signed cert (although this will have issues with some clients), use a free cert through Let's Encrypt or even buy one from any number of providers. Once you have a cert, how you use it with emby (or any other service for that matter) can be different depending on how your network infrastructure is set up. You might just need to save it on the same machine and point the service to the file location, you might need to edit some web server configuration files, you might be running on a different machine and deploying a reverse proxy, etc. There are so many different ways to do this, I can't see how a few guides would help; they would probably just confuse.

 

People need to think about their individual situation, what other services they might be running and how they should be reached externally. Once you understand this, there are already plenty of guides on the internet that will talk you through how to set this up. I have a number of services which I want to use with HTTPS, so my solution is a reverse proxy, which means all my external services can come in at the same point. I can also manage all the certs there and simply redirect to the appropriate service internally.


A great example of why a "how to guide" in the wiki wouldn't work, as there are so many different ways of doing this. Some routers have this stuff built in, you could generate a self-signed cert (although this will have issues with some clients), use a free cert through Let's Encrypt or even buy one from any number of providers. Once you have a cert, how you use it with emby (or any other service for that matter) can be different depending on how your network infrastructure is set up. You might just need to save it on the same machine and point the service to the file location, you might need to edit some web server configuration files, you might be running on a different machine and deploying a reverse proxy, etc. There are so many different ways to do this, I can't see how a few guides would help; they would probably just confuse.

 

People need to think about their individual situation, what other services they might be running and how they should be reached externally. Once you understand this, there are already plenty of guides on the internet that will talk you through how to set this up. I have a number of services which I want to use with HTTPS, so my solution is a reverse proxy, which means all my external services can come in at the same point. I can also manage all the certs there and simply redirect to the appropriate service internally.

 

 

pfft, and why SSL might – should, in my opinion – be a consideration for emby to integrate into Emby Connect. In my feature request – in that part of the forum – I specify the option of least resistance, or whatever emby thinks is the best solution for someone, say, coming from plex, who just wants to organise and enjoy their movies and tv shows and wants online security when outside their home to work, with no fussing with domains, renewing, command lines, extra logins etc. It's all too technical; you, and others, talk of sitting down to learn all this, but why should converts to emby, or those looking at emby, not seek to be delighted – and emby should aim to delight in the set-up experience. This SSL complexity did not delight me in the least and I have not moved from plex for that reason; when areas of resistance are removed then people like me will have less reason to use plex and more reasons to use emby.

 

You talk from a technical perspective and I from a marketing one (that's my thing). The two should work together, with emby taking care of technical matters and users not.   


Yeah Facebook was taking care of technical matters for users, look how that turned out. A bit of personal responsibility for understanding the situation you are getting yourself into goes a long way


And if you don't use Emby Connect, what happens then?

 

Obviously you don't mind Plex knowing more about you and your viewing habits than necessary.

 

Security is something we all have to take seriously these days; leaving it to somebody else is not a good idea.


My opinion is: if you're opening up your home network to the big bad web, you should take responsibility for your own security.

 

It’s like leaving your house doors and windows wide open when you go away. Yes you pay the police for security, but it’s not always the best option.

 

I’m not sure how feasible or even possible it is for emby to encrypt traffic from your server to your clients. They would have to be a middle man of sorts which brings with it a world of other issues.

 

Everyone always says plex just works; I'm getting tired of saying it doesn't. It only encrypts the login (same as Emby Connect). Your traffic after the initial login is all over http and ws.

 

Just as an example from my setup: I block on average 10,000 connection attempts every 24 hours. 3-5 unique IPs attempt to run hacking tool kits every 24 hours. I have a list of 35k blacklisted and blocked IPs.

 

 

Sent from my iPhone using Tapatalk


You talk from a technical perspective and I from a marketing one (that's my thing). The two should work together, with emby taking care of technical matters and users not.   

 

 

If marketing people took more interest in how things work, they'd be better marketing people ;)


If marketing people took more interest in how things work, they'd be better marketing people ;)

 

That's not certain; being more concerned with customers, people, is certain to being a better person. My point centres on representativeness of the customer base, and is this base mostly technical or not; and, further, is this the direction emby wants to take – be portrayed as – or do they wish to expand their market and remove barriers to entry etc. 

 

But this is all rather off-centre, and I wanted only to represent an opinion.


My scenario is this:

 

1. I don't have a static IP (whether that matters, I don't know).

2. I'm happy to buy a domain from Google (let's assume that)

3. I'm on a Mac

4. I'm only interested in an SSL certificate for emby – and I assume this would make all connections to the server secure (inc. those invited to share library etc?)

5. Assume using http://letsencrypt.org (as this is what I have noted talked of in forums).

 

Based on that, how would I get a certificate and cert. password to use with emby, step by step, and how would that be renewed, step by step?


That's not certain; being more concerned with customers, people, is certain to being a better person. My point centres on representativeness of the customer base, and is this base mostly technical or not; and, further, is this the direction emby wants to take – be portrayed as – or do they wish to expand their market and remove barriers to entry etc. 

 

But this is all rather off-centre, and I wanted only to represent an opinion.

definitely a marketing person. :)


My opinion is: if you're opening up your home network to the big bad web, you should take responsibility for your own security.

 

It’s like leaving your house doors and windows wide open when you go away. Yes you pay the police for security, but it’s not always the best option.

 

I’m not sure how feasible or even possible it is for emby to encrypt traffic from your server to your clients. They would have to be a middle man of sorts which brings with it a world of other issues.

 

Everyone always says plex just works; I'm getting tired of saying it doesn't. It only encrypts the login (same as Emby Connect). Your traffic after the initial login is all over http and ws.

 

Just as an example from my setup: I block on average 10,000 connection attempts every 24 hours. 3-5 unique IPs attempt to run hacking tool kits every 24 hours. I have a list of 35k blacklisted and blocked IPs.

 

 

Sent from my iPhone using Tapatalk

Security is important, but I don't see it as being like leaving your doors and windows open. Perhaps if you had a whole bunch of users listed on the login screen with no passwords that would be more apt. For most home users I don't think there are that many attacks of people trying to get into emby.

 

I think eventually emby will feature some type of SSL built in, but it seems like there's a never-ending list of features / fixes the devs need to get done.

 

Sent from my STV100-3 using Tapatalk


Security is important, but I don't see it as being like leaving your doors and windows open. Perhaps if you had a whole bunch of users listed on the login screen with no passwords that would be more apt. For most home users I don't think there are that many attacks of people trying to get into emby.

 

I think eventually emby will feature some type of SSL built in, but it seems like there's a never-ending list of features / fixes the devs need to get done.

 

Sent from my STV100-3 using Tapatalk

 

Opening ports on your router is like opening a door. Using plain text (http) to send usernames and passwords is like leaving your keys in the door.

 

I work for a large organisation, probably the biggest in the UK, and I work a lot with data security etc.

 

The figures I gave above are what I consider a normal user. I have very little open to the internet; actually I only have 2 ports open. Only one other person other than me has access to my emby server.

 

You would be surprised how many attempted connections you get on your home router. Most of the 10k attempts are on ssh, ftp, vnc type ports, people probing for weaknesses. It's very easy to get hold of a probing tool and run it on a large subnet of IPs.


mastrmind11

Yes ^^. I get thousands of attempts per day on port 22 alone, 99% of which are standard otc scanners looking for well-known exploits hoping to find someone stupid enough to be running exploitable hardware/software. It's pretty eye-opening once you actually take a look at what's going on at the edge of your network. imo, fail2ban is a priceless piece of software that everyone should be running as soon as you decide to open yourself up to the outside world.
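As an added example (not from any poster in this thread), a small shell script that summarises firewall DROP log lines the way the two posts above describe their edge traffic: total blocked attempts, distinct source hosts, the most-probed ports, and which sources cross a ban threshold, which is the decision fail2ban automates. The log lines, hosts and addresses in SAMPLE_LOG are constructed samples in the iptables/netfilter LOG format, not anyone's real router log.

```shell
#!/usr/bin/env bash
# Summarise firewall DROP lines (iptables/netfilter LOG format) from a home gateway.
# SAMPLE_LOG is a constructed sample; the addresses are documentation ranges, not real scanners.
SAMPLE_LOG='Jun  1 00:01:02 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51234 DPT=22
Jun  1 00:01:03 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51235 DPT=22
Jun  1 00:01:04 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51236 DPT=22
Jun  1 00:01:05 gw kernel: DROP IN=eth0 SRC=198.51.100.7 DST=203.0.113.5 PROTO=TCP SPT=51237 DPT=22
Jun  1 00:03:10 gw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40001 DPT=21
Jun  1 00:03:11 gw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40002 DPT=5900
Jun  1 00:03:12 gw kernel: DROP IN=eth0 SRC=192.0.2.44 DST=203.0.113.5 PROTO=TCP SPT=40003 DPT=22
Jun  1 00:07:30 gw kernel: DROP IN=eth0 SRC=203.0.113.99 DST=203.0.113.5 PROTO=TCP SPT=33333 DPT=8096
Jun  1 00:09:00 gw kernel: DROP IN=eth0 SRC=198.51.100.200 DST=203.0.113.5 PROTO=TCP SPT=12345 DPT=23
Jun  1 00:09:30 gw kernel: ACCEPT IN=eth0 SRC=192.0.2.10 DST=203.0.113.5 PROTO=TCP SPT=50000 DPT=443'

# Print the value of KEY=value tokens (e.g. SRC, DPT) from each DROP line on stdin.
field() {
  grep 'DROP' | awk -v k="$1" '{ for (i = 1; i <= NF; i++) if (index($i, k "=") == 1) print substr($i, length(k) + 2) }'
}

total_drops()    { grep -c 'DROP'; }                                   # blocked attempts in the window
unique_sources() { field SRC | sort -u | wc -l | tr -d ' '; }          # distinct probing hosts
top_ports()      { field DPT | sort | uniq -c | sort -rn | head -n "${1:-3}" | awk '{ print $2 ":" $1 }'; }  # port:count
noisy_sources()  { field SRC | sort | uniq -c | awk -v t="$1" '$1 >= t { print $2 }'; }  # hosts at/over the ban threshold

# Human-readable report for a log fed on stdin.
summarize() {
  local log; log=$(cat)
  echo "blocked attempts : $(printf '%s\n' "$log" | total_drops)"
  echo "unique sources   : $(printf '%s\n' "$log" | unique_sources)"
  echo "most probed ports: $(printf '%s\n' "$log" | top_ports 3 | tr '\n' ' ')"
  echo "ban candidates   : $(printf '%s\n' "$log" | noisy_sources 3 | tr '\n' ' ')"
}

printf '%s\n' "$SAMPLE_LOG" | summarize
```

On a real gateway, feed the functions with the kernel log filtered to the LOG target's prefix instead of SAMPLE_LOG; the ACCEPT line in the sample is there to show that only DROP entries are counted.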


My scenario is this:

 

1. I don't have a static IP (whether that matters, I don't know).

2. I'm happy to buy a domain from Google (let's assume that)

3. I'm on a Mac

4. I'm only interested in an SSL certificate for emby – and I assume this would make all connections to the server secure (inc. those invited to share library etc?)

5. Assume using http://letsencrypt.org (as this is what I have noted talked of in forums).

 

Based on that, how would I get a certificate and cert. password to use with emby, step by step, and how would that be renewed, step by step?

Not too familiar with Mac-compliant ways to use Let's Encrypt; this guide for Cloudflare seems platform independent, though I haven't used it myself: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

Cloudflare supports dynamic dns updating from a cursory googling, you'd want to set that up so your server continues to work when your IP changes.  

You could also look into setting up docker on your mac and using the linuxserver/letsencrypt reverse proxy, though that is a bit more involved.  


Not too familiar with Mac-compliant ways to use Let's Encrypt; this guide for Cloudflare seems platform independent, though I haven't used it myself: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

Cloudflare supports dynamic dns updating from a cursory googling, you'd want to set that up so your server continues to work when your IP changes.  

You could also look into setting up docker on your mac and using the linuxserver/letsencrypt reverse proxy, though that is a bit more involved.  

 

Thank you. But, crikey. 


Opening ports on your router is like opening a door. Using plain text (http) to send usernames and passwords is like leaving your keys in the door.

 

I work for a large organisation, probably the biggest in the UK, and I work a lot with data security etc.

 

The figures I gave above are what I consider a normal user. I have very little open to the internet; actually I only have 2 ports open. Only one other person other than me has access to my emby server.

 

You would be surprised how many attempted connections you get on your home router. Most of the 10k attempts are on ssh, ftp, vnc type ports, people probing for weaknesses. It's very easy to get hold of a probing tool and run it on a large subnet of IPs.

Just found your guide – recommended by @KMBanana

https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby

 

This looks to be the easiest. 


afullmark

I followed the guide from @Swynol and I am now waiting for my domain from Google to propagate in order to see if all I did worked, SSL-wise. I'm guessing the domain will take some 24 hours to be visible. I'll pop back tomorrow-ish with the results. It's the little things; all this domain registration and Cloudflare was interesting. I think I'll need to do one more step as my WAN IP is not static.



I am also starting to look at getting my Emby server exposed to the big bad world so I can watch stuff out of the house and share my library with family.

 

So far I have been using Plex for this, a library shared with the brother-in-law and watching stuff on the train to and from work, and the one-click process is easy.

 

I have no issue going through the guides and getting a domain name etc... but I would think a very small % of the user base would know how to do this.

 

Having a one-click option (even if paid) would be nice.


For now I decided to just set up a quick VPN on my gateway. Turn on the VPN on my phone and I can view all my media out of the house, and Emby isn't 'technically' open to the internet.

 

Not ideal if I wanted to share with family, but for now it's a good start.


For now I decided to just set up a quick VPN on my gateway. Turn on the VPN on my phone and I can view all my media out of the house, and Emby isn't 'technically' open to the internet.

 

Not ideal if I wanted to share with family, but for now it's a good start.

 

 

This is the standard way of remotely allowing services; most companies follow this approach. When a server is exposed directly it is typically in its own isolated network, and the data that machine has access to has a known level of exposure. Opening up a server that sits on your home network without any real configuration of the network is a bad idea; just because the data being sent and received remotely is encrypted doesn't really secure your network once that port has been opened.

 

With that said, one option is to have those that you want to share with use playback clients that support VPN connections, such as the Nvidia Shield; the client can directly connect to your network and access emby. You would need to configure the VPN so that only the emby traffic is routed through the VPN.



I'm looking at opening up my emby server, so wondering what's the best SSL method: Let's Encrypt or Cloudflare's free service (or any better alternatives) that you may know??


I'm looking at opening up my emby server, so wondering what's the best SSL method: Let's Encrypt or Cloudflare's free service (or any better alternatives) that you may know??

Cloudflare and a reverse proxy.
