Jump to content

How to secure Emby


oRBIT

Recommended Posts

I just tried out Emby and it looks nice, my problem is that is seems to be wide open. I don't even need to login anywhere, if I know the URL, it just gives me my moviecollection..

I can't disable external access, when i try and disable it it just says "to enable https for external connections, you'll need to supply a trusted certificate...." and the setting is never saved. Neither is the uPnP-setting, it gives the same error-message.

Is there a guide how to secure Emby properly?

 

Thanks

Link to comment
Share on other sites

I just tried out Emby and it looks nice, my problem is that is seems to be wide open. I don't even need to login anywhere, if I know the URL, it just gives me my moviecollection..

I can't disable external access, when i try and disable it it just says "to enable https for external connections, you'll need to supply a trusted certificate...." and the setting is never saved. Neither is the uPnP-setting, it gives the same error-message.

Is there a guide how to secure Emby properly?

 

Thanks

 

It looks like you set the option to require secure connections, but you can't do that without an SSL cert. So first, change that setting back to default and then you'll be able to save the options on that page. Thanks.

Link to comment
Share on other sites

Ok, thanks, that did the trick. One down, one to go.. :)

How do I secure the accounts so I need to login when accessing my collection?

Link to comment
Share on other sites

majorsl

Since you're in the Synology forum, I assume you're using one.  If you have a cert for your Synology, or even using the self-signed one, and want https for Emby, you can use the reverse proxy under Application Portal in DSM.

 

Once setup, the Synology handles the https and cert so you don't have to muck around with certs in Emby. Mine looks like this (screenshot):

5afeb5755e6eb_ScreenShot20180518at70744A

  • Like 1
Link to comment
Share on other sites

majorsl thanks for the post.

I'm trying to set this up on my synology (very new to this), can you show us what settings you've changed on the emby side to get this working please?

 

Regards

Link to comment
Share on other sites

majorsl

No settings on the Emby side, actually - which is the nice part. Only the Synology.

 

The source is what you're going to actually connect via https to whatever IP or dns name your synology is.  I pickup port 8921 because it was available and it was "one up" from Emby's preferred https port.  I'm not using Emby's secure port, but if I wanted to play with that in the future, I didn't want to use the same one and have a conflict.

 

Destination 8096 is Emby's default http unsecured port.

 

Lets say my Synology's IP is 10.0.1.100

 

When you connect, you'll use https://10.0.1.100:8921 - the Synology will automatically reverse proxy that to Emby.  Hopefully your Synology is behind a firewall, so you'll need to allow port 8921 connections from the outside world if you're using Emby from outside.  Don't open port 8096 as that would defeat the purpose of this.

 

I've tested this using the androidtv & roku clients in house (not really needed), and externally on my phone with the android app as well as various browsers.  I don't have an Emby Connect account, so don't know if it works that way.

  • Like 1
Link to comment
Share on other sites

Thanks for that majorsI 

 

Got it all set up that way but not connecting so far, but i've got a feeling it that could be my virgin  modem/router (seems to have a mind of it's own)

 

Thanks very much for the pointers, i'll keep giving it a try.

Link to comment
Share on other sites

  • 4 weeks later...
  • 8 months later...

@@majorsl thanks for the info...

Couple of things though, why ain't you passing the proxy onto Embys SECURE port?

Also, in Emby, does remote connections need to be checked and if so do you need to select, handled by reverse proxy?

Thanks

Link to comment
Share on other sites

Hi!  Well, there is no need to pass it onto the secure port and you'd probably have to get a cert working with Emby, and if you're going to do that why bother with this?

 

With that said, my main goal was to have secure access from outside my home LAN.  When we travel, our iPads, phones, computers, etc can have that secure connection.  Inside the LAN, at home, you can use either connection, although I just setup everything for https.

 

Yes, leave remote connections checked.

 

But, just open what you chose for the secure connection in your firewall/router 8921 in the example above.  Do NOT open the non-secure port 8096, you won't need it open externally.

 

Hope that helps.

Link to comment
Share on other sites

Thanks, I'm slowly learning.

What about the Handled by reverse proxy option?

Thanks

Link to comment
Share on other sites

Thanks, I'm slowly learning.

What about the Handled by reverse proxy option?

Thanks

 

Do you have a reverse proxy?

Link to comment
Share on other sites

Hi, I just want to show you how I did my setup.

Port forwarding for 443 and 80 on my router to the synology disk station
5c7bac4ad2386_2019030311_16_40FRITZBox64

On Synology, I have setup a reverse Proxy and a virtual host:
Reverse Proxy setting:
 

5c7bac7cf0f8c_2019030311_17_53DS218Synol
5c7bacae69e20_2019030311_29_30DS218Synol5c7bacbab300e_2019030311_29_41DS218Synol

Then, the Virtual Host settings:
5c7bacd93d814_2019030311_18_41DS218Synol

And the .htaccess file for the virtual host:
5c7bacf0a88f3_2019030311_19_37C__Users_C

This setup will allow me, that the connection will always use the secured https connection, even if I just try to connect on http.

I have several other urls in my reverse Proxy - for different applications.

5c7badc2b1105_2019030311_34_14DS218Synol
This setup allows me to use differend subdomains and only need to forward port 80 and 443 on my router.
I don't need to care about different ports and things like this.
I only have my Subdomain, my let's encrypt certificates and the reverse proxy will do everything.

My Setup in Emby for this is just as simple:
5c7bae6ae48ba_2019030311_37_01bersicht.p
No settings for certificates, or other things needed in emby.
I don't even need the settings for "allow remote connection".

  • Like 1
Link to comment
Share on other sites

Thanks for that detailed info @@CChris

I will bare all that in mind!

It's amazing even after having my Synology NAS for many years how much it can do that I still don't know.

Link to comment
Share on other sites

  • 2 weeks later...

Since you're in the Synology forum, I assume you're using one.  If you have a cert for your Synology, or even using the self-signed one, and want https for Emby, you can use the reverse proxy under Application Portal in DSM.

 

Once setup, the Synology handles the https and cert so you don't have to muck around with certs in Emby. Mine looks like this (screenshot):

5afeb5755e6eb_ScreenShot20180518at70744A

 

This seems very simple but I can not connect.  I checked and 8921 is open.  I checked security and the Synology Cert is showing *:8921 on the end of the list.  Any idea what could be wrong?  I also tested with 8096 just to see if I could connect with that and it works.  I am testing on cellular with my iPhone using Emby App.

Edited by d21mike
Link to comment
Share on other sites

This seems very simple but I can not connect.  I checked and 8921 is open.  I checked security and the Synology Cert is showing *:8921 on the end of the list.  Any idea what could be wrong?  I also tested with 8096 just to see if I could connect with that and it works.  I am testing on cellular with my iPhone using Emby App.

 

In addition to the Synology Setup I change this in Emby:

 

Public https port number = 8921

External domain               = my domain name used for outside connections

Secure connection mode = Handled by reverse proxy

 

Now under Dashboard it shows the correct Remote access url.

 

Maybe this is cosmetic.

 

1.  My iPhone iOS Emby App still will not connect.

2.  My Safari Browser (from remote) gets s security error but I allow it to continue which appears to make a SSL Connection.

 

If anybody can make a suggestion on what I am doing wrong I would appreciate it.  My goal is remote APP access and not the WEB BROWSER.

Link to comment
Share on other sites

You'll need to use a trusted certificate that apple devices will accept. If you see the security prompt in the browser, then you know it's not a trusted certificate. There is no such override in the app to force it to accept it.

Link to comment
Share on other sites

If you have done your Port Forwarding in the Router and everything setup correctly, you don't need to set emby to "allow remote access".
Can you show us some more information about your configuration and the certificates?

I use Certificates from Let's Encrypt...
 

Link to comment
Share on other sites

If you have done your Port Forwarding in the Router and everything setup correctly, you don't need to set emby to "allow remote access".

Can you show us some more information about your configuration and the certificates?

 

I use Certificates from Let's Encrypt...

 

 

On Synology there is a default certificate from Synology for the applications.  I assume I could use that because the instruction earlier in this thread did not mention I need to install another certificate.  Maybe that person is not using Apple Applications and I will need another certificate because of it.  I plan to use Let's Encrypt as well.  I believe it is built into Synology.

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...