How to secure Emby


68 replies to this topic

#1 oRBIT OFFLINE  

oRBIT

    Member

  • Members
  • 25 posts
  • Local time: 12:51 PM

Posted 14 May 2018 - 02:54 PM

I just tried out Emby and it looks nice, my problem is that it seems to be wide open. I don't even need to log in anywhere, if I know the URL, it just gives me my movie collection.

I can't disable external access, when I try to disable it, it just says "to enable https for external connections, you'll need to supply a trusted certificate...." and the setting is never saved. Neither is the UPnP setting, it gives the same error message.

Is there a guide on how to secure Emby properly?

 

Thanks



#2 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 146173 posts
  • Local time: 06:51 AM

Posted 14 May 2018 - 03:03 PM


It looks like you set the option to require secure connections, but you can't do that without an SSL cert. So first, change that setting back to default and then you'll be able to save the options on that page. Thanks.



#3 oRBIT OFFLINE  

oRBIT

    Member

  • Members
  • 25 posts
  • Local time: 12:51 PM

Posted 14 May 2018 - 03:05 PM

It's set to "preferred but not required"?



#4 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 146173 posts
  • Local time: 06:51 AM

Posted 14 May 2018 - 03:06 PM

That also requires an SSL cert, so you will need to set it to disabled.



#5 oRBIT OFFLINE  

oRBIT

    Member

  • Members
  • 25 posts
  • Local time: 12:51 PM

Posted 14 May 2018 - 03:08 PM

Ok, thanks, that did the trick. One down, one to go.. :)

How do I secure the accounts so I need to login when accessing my collection?



#6 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 146173 posts
  • Local time: 06:51 AM

Posted 14 May 2018 - 03:10 PM

Just give them passwords. You can learn more by checking out our user wiki:

https://github.com/M.../wiki/Passwords

 

Thanks.



#7 ebr OFFLINE  

ebr

    Chief Bottle Washer

  • Administrators
  • 48994 posts
  • Local time: 06:51 AM

Posted 14 May 2018 - 04:06 PM

...and don't check the "Remember Me" checkbox when you do log in.



#8 majorsl OFFLINE  

majorsl

    Advanced Member

  • Members
  • 118 posts
  • Local time: 06:51 AM

Posted 18 May 2018 - 07:14 AM

Since you're in the Synology forum, I assume you're using one.  If you have a cert for your Synology, or are even using the self-signed one, and want https for Emby, you can use the reverse proxy under Application Portal in DSM.

Once set up, the Synology handles the https and cert so you don't have to muck around with certs in Emby. Mine looks like this (screenshot):


  • d21mike likes this

#9 demotic OFFLINE  

demotic

    Newbie

  • Members
  • 9 posts
  • Local time: 11:51 AM

Posted 19 May 2018 - 01:18 AM

majorsl thanks for the post.

I'm trying to set this up on my synology (very new to this), can you show us what settings you've changed on the emby side to get this working please?

 

Regards



#10 majorsl OFFLINE  

majorsl

    Advanced Member

  • Members
  • 118 posts
  • Local time: 06:51 AM

Posted 19 May 2018 - 08:32 AM

No settings on the Emby side, actually - which is the nice part. Only the Synology.

 

The source is what you're going to actually connect to via https, at whatever IP or DNS name your Synology is.  I picked port 8921 because it was available and it was "one up" from Emby's preferred https port.  I'm not using Emby's secure port, but if I wanted to play with that in the future, I didn't want to use the same one and have a conflict.

 

Destination 8096 is Emby's default http unsecured port.

 

Let's say my Synology's IP is 10.0.1.100

 

When you connect, you'll use https://10.0.1.100:8921 - the Synology will automatically reverse proxy that to Emby.  Hopefully your Synology is behind a firewall, so you'll need to allow port 8921 connections from the outside world if you're using Emby from outside.  Don't open port 8096 as that would defeat the purpose of this.

 

I've tested this using the androidtv & roku clients in house (not really needed), and externally on my phone with the android app as well as various browsers.  I don't have an Emby Connect account, so don't know if it works that way.


  • demotic likes this

#11 demotic OFFLINE  

demotic

    Newbie

  • Members
  • 9 posts
  • Local time: 11:51 AM

Posted 19 May 2018 - 10:45 AM

Thanks for that majorsl

Got it all set up that way but not connecting so far, but I've got a feeling that it could be my Virgin modem/router (seems to have a mind of its own)

Thanks very much for the pointers, I'll keep giving it a try.



#12 DSBenny OFFLINE  

DSBenny

    Newbie

  • Members
  • 5 posts
  • Local time: 12:51 PM

Posted 12 June 2018 - 03:36 PM

Thanks a lot - that's a very useful "How-to"



#13 Ninko OFFLINE  

Ninko

    Advanced Member

  • Members
  • 148 posts
  • Local time: 11:51 AM
  • LocationGloucestershire, England

Posted 02 March 2019 - 04:52 PM

@majorsl thanks for the info...
Couple of things though, why ain't you passing the proxy onto Emby's SECURE port?
Also, in Emby, do remote connections need to be checked and if so do you need to select "handled by reverse proxy"?
Thanks

#14 majorsl OFFLINE  

majorsl

    Advanced Member

  • Members
  • 118 posts
  • Local time: 06:51 AM

Posted 02 March 2019 - 09:47 PM

Hi!  Well, there is no need to pass it onto the secure port and you'd probably have to get a cert working with Emby, and if you're going to do that why bother with this?

 

With that said, my main goal was to have secure access from outside my home LAN.  When we travel, our iPads, phones, computers, etc. can have that secure connection.  Inside the LAN, at home, you can use either connection, although I just set up everything for https.

 

Yes, leave remote connections checked.

 

But, just open what you chose for the secure connection in your firewall/router (8921 in the example above).  Do NOT open the non-secure port 8096, you won't need it open externally.

 

Hope that helps.



#15 Ninko OFFLINE  

Ninko

    Advanced Member

  • Members
  • 148 posts
  • Local time: 11:51 AM
  • LocationGloucestershire, England

Posted 02 March 2019 - 09:57 PM

Thanks, I'm slowly learning.
What about the Handled by reverse proxy option?
Thanks

#16 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 146173 posts
  • Local time: 06:51 AM

Posted 02 March 2019 - 10:51 PM


Do you have a reverse proxy?



#17 Ninko OFFLINE  

Ninko

    Advanced Member

  • Members
  • 148 posts
  • Local time: 11:51 AM
  • LocationGloucestershire, England

Posted 02 March 2019 - 11:03 PM

Isn't that what this topic has been about?

#18 CChris OFFLINE  

CChris

    Advanced Member

  • Members
  • 316 posts
  • Local time: 01:51 PM

Posted 03 March 2019 - 06:38 AM

Hi, I just want to show you how I did my setup.

Port forwarding for 443 and 80 on my router to the Synology DiskStation:
[screenshot]

On Synology, I have set up a reverse proxy and a virtual host.
Reverse proxy setting:
[screenshots]

Then, the virtual host settings:
[screenshot]

And the .htaccess file for the virtual host:
[screenshot]

This setup ensures that the connection will always use the secured https connection, even if I just try to connect on http.

I have several other URLs in my reverse proxy - for different applications.
[screenshot]
This setup allows me to use different subdomains and only need to forward port 80 and 443 on my router.
I don't need to care about different ports and things like this.
I only have my subdomain, my Let's Encrypt certificates and the reverse proxy will do everything.

My setup in Emby for this is just as simple:
[screenshot]
No settings for certificates, or other things needed in Emby.
I don't even need the settings for "allow remote connection".
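
A check for the exposure the two setups in this thread aim for (the reverse proxy's HTTPS port answers with TLS, Emby's plain port 8096 is not reachable from outside, and in the 80/443 variant plain HTTP redirects to https), added here as an example and not code from any poster, Emby or Synology. The function names and the host name `emby.example.com` are assumptions; ports 8921 and 8096 are the ones used in the posts above.

```python
import http.client
import socket
import ssl

def port_open(host, port, timeout=3.0):
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False

def speaks_tls(host, port, timeout=3.0):
    """True if the port completes a TLS handshake (certificate trust is not checked)."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = False  # a self-signed DSM certificate still counts as TLS
    ctx.verify_mode = ssl.CERT_NONE
    try:
        with socket.create_connection((host, port), timeout=timeout) as raw:
            with ctx.wrap_socket(raw, server_hostname=host):
                return True
    except OSError:  # includes ssl.SSLError and timeouts
        return False

def redirects_to_https(host, port=80, timeout=3.0):
    """True if plain HTTP on host:port answers with a redirect to https://."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        resp = conn.getresponse()
        target = (resp.getheader("Location") or "").lower()
        return resp.status in (301, 302, 307, 308) and target.startswith("https://")
    except (OSError, http.client.HTTPException):
        return False
    finally:
        conn.close()

def audit(host, https_port, backend_port=8096, http_port=None):
    """List deviations from the thread's advice; an empty list means none found."""
    findings = []
    if not speaks_tls(host, https_port):
        findings.append(f"{host}:{https_port} does not answer with TLS")
    if port_open(host, backend_port):
        findings.append(f"{host}:{backend_port} (Emby plain HTTP) is reachable")
    if http_port and port_open(host, http_port) and not redirects_to_https(host, http_port):
        findings.append(f"{host}:{http_port} serves HTTP without redirecting to https")
    return findings

if __name__ == "__main__":  # run from outside the LAN; the host name is a placeholder
    print(audit("emby.example.com", 8921) or "ok")
```

Run it from a network outside your own (for example a phone hotspot): from inside the LAN, port 8096 is expected to be reachable. For the 80/443 setup, call `audit(host, 443, http_port=80)`.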



#19 Ninko OFFLINE  

Ninko

    Advanced Member

  • Members
  • 148 posts
  • Local time: 11:51 AM
  • LocationGloucestershire, England

Posted 03 March 2019 - 06:48 AM

Thanks for that detailed info @CChris
I will bear all that in mind!
It's amazing even after having my Synology NAS for many years how much it can do that I still don't know.

#20 Luke OFFLINE  

Luke

    System Architect

  • Administrators
  • 146173 posts
  • Local time: 06:51 AM

Posted 03 March 2019 - 07:55 PM

Thanks @CChris !





