How to secure Emby


oRBIT
yes, let's encrypt is built into synology.
The default certificate is not a trusted one & that's why you're getting the security warning.

But that's not an issue of emby.
You would also have this issue when trying to connect to your synology over https://

Link to comment
Share on other sites

Right with the https://.  That was my earlier post and @Luke said I need a new certificate because Apple Apps and not just accept the Synology Certificate is how I took it.

 

Now, while trying to create the Let's Encrypt Certificate in the Synology Security / Certificate ....  I get this:

 

Failed to connect to Let's Encrypt.  Please make sure your DiskStation and router have port 80 open to Let's Encrypt domain validation FROM the internet.  I guess I will have port 80 port forwarded to my Synology Router.

Link to comment
Share on other sites

Thanks to @Luke and @CChris.  I got it working.  Turns out it was not that hard with some help.  Really happy I went through this because I had been planning to work on this for a bit to secure my web site.  Nice to have a free certificate.

Link to comment
Share on other sites

Correct.
Let's encrypt is using http for the validation (can't use https, because therefore, you would need a signed certificate ;))

 

You should forward port 80 and 443 in your router to your synology.
Then, you can create the Let's Encrypt certificate and continue with other settings like reverse proxy or virtual hosts as needed.

I have documented my setup somewhere here... just need to search for the link ... :)

here it is:
https://emby.media/community/index.php?/topic/58980-how-to-secure-emby/&do=findComment&comment=711059

Edited by CChris
Link to comment
Share on other sites
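
Added example, not part of the original thread: a local simulation of the HTTP validation described above, showing why the certificate request fails when the challenge port does not reach the NAS. The token, account key and ephemeral loopback port are constructed stand-ins; the real check is made by the CA against port 80 of the public hostname.

```python
import base64, hashlib, http.client, json, threading
from http.server import BaseHTTPRequestHandler, HTTPServer

# Constructed sample values, not a real ACME account key or token.
ACCOUNT_JWK = {"e": "AQAB", "kty": "RSA", "n": "Y29uc3RydWN0ZWQtbW9kdWx1cw"}
TOKEN = "constructed-token-0001"
CHALLENGE_PATH = "/.well-known/acme-challenge/" + TOKEN

def key_authorization(token, jwk):
    # RFC 8555: token + "." + base64url(SHA-256 of the canonical JWK, RFC 7638)
    canonical = json.dumps(jwk, sort_keys=True, separators=(",", ":")).encode()
    digest = hashlib.sha256(canonical).digest()
    return token + "." + base64.urlsafe_b64encode(digest).rstrip(b"=").decode()

class ChallengeResponder(BaseHTTPRequestHandler):
    """Plays the NAS: answers the challenge over plain HTTP."""
    def do_GET(self):
        if self.path != CHALLENGE_PATH:
            self.send_error(404)
            return
        body = key_authorization(TOKEN, ACCOUNT_JWK).encode()
        self.send_response(200)
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)
    def log_message(self, *args):
        pass  # keep the demo quiet

def validate(host, port, timeout=2.0):
    """Plays the CA: fetch the challenge file and compare it."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", CHALLENGE_PATH)
        resp = conn.getresponse()
        got = resp.read().decode().strip()
        conn.close()
    except (OSError, http.client.HTTPException):
        return "unreachable"   # what a closed or unforwarded port looks like
    ok = resp.status == 200 and got == key_authorization(TOKEN, ACCOUNT_JWK)
    return "valid" if ok else "mismatch"

def demo():
    nas = HTTPServer(("127.0.0.1", 0), ChallengeResponder)  # port 0: any free port
    port = nas.server_address[1]
    threading.Thread(target=nas.serve_forever, daemon=True).start()
    forwarded = validate("127.0.0.1", port)     # port reaches the NAS
    nas.shutdown(); nas.server_close()
    blocked = validate("127.0.0.1", port)       # nothing answers on that port
    return forwarded, blocked

if __name__ == "__main__":
    print(demo())
```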

  • 3 weeks later...

@CChris I like the idea of using different subdomains controlled by reverse proxy, but one thing I'm wondering...

Does the reverse proxy just establish a connection, allowing data to flow directly after that or does the data have to be relayed through the reverse proxy, putting pressure on that NAS?

Link to comment
Share on other sites

Hi, since all subdomains are linked to a service on the NAS at the moment, I can't really tell you.
But also, I am not really sure, what you exactly want to know... :(

Link to comment
Share on other sites

Well, let's say you have 2 NAS's.

 

NAS 1 has the reverse proxy rules and NAS 2 has Emby.

 

When a video request comes through, would NAS 1 send the request to NAS 2 and the video then stream directly from NAS 2 to the client. NAS 1 has no further role during this session.

 

Or, does NAS 1 send the request to NAS 2 but this time, video streams via NAS 1 and then onto the client?

 

Hope that makes sense!

Link to comment
Share on other sites

Not sure this will help.  But after setting up Reverse Proxy for Emby SSL (on the same NAS) it was quite helpful to me for a work situation.  I have a windows server that did not have a ssl certificate and since Synology was so easy to setup for this I decided to use a reverse proxy from my NAS to a Windows Machine running as a VM under a separate computer.  For this to work the browser request hits the NAS and the reverse proxy sends the request to the Windows machine which I believe has to reply via the NAS for the ssl to happen end to end.  So, my guess in your situation it would do the same but I can not say for sure.

Link to comment
Share on other sites

That's correct the ssl is to your nas with the certificate and the reverse proxy is on there doing the grunt work of hiding behind the scenes going ons..

Edited by unisoft
Link to comment
Share on other sites
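
Added example, not part of the original thread: a loopback model of the two-NAS question above. An HTTP reverse proxy terminates the client's connection itself, so it reads the response body from the backend and sends it on to the client. The class names, the 200 000-byte payload and the request path are constructed for the demonstration; it also passes `X-Forwarded-For`, since the backend otherwise only sees the proxy's address.

```python
import http.client, threading
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

VIDEO = b"\x00" * 200_000      # constructed stand-in for a video segment
relayed = {"bytes": 0}         # body bytes that passed through the proxy
seen_by_backend = []           # X-Forwarded-For values the backend received

class Backend(BaseHTTPRequestHandler):      # "NAS 2": the media server
    def do_GET(self):
        seen_by_backend.append(self.headers.get("X-Forwarded-For"))
        self.send_response(200)
        self.send_header("Content-Length", str(len(VIDEO)))
        self.end_headers()
        self.wfile.write(VIDEO)
    def log_message(self, *args):
        pass

class Proxy(BaseHTTPRequestHandler):        # "NAS 1": the reverse proxy
    backend_port = None
    def do_GET(self):
        up = http.client.HTTPConnection("127.0.0.1", self.backend_port, timeout=5)
        up.request("GET", self.path,
                   headers={"X-Forwarded-For": self.client_address[0]})
        resp = up.getresponse()
        self.send_response(resp.status)
        self.send_header("Content-Length", resp.getheader("Content-Length"))
        self.end_headers()
        while chunk := resp.read(16384):    # every chunk is read, then re-sent
            relayed["bytes"] += len(chunk)
            self.wfile.write(chunk)
        up.close()
    def log_message(self, *args):
        pass

def start(handler):
    srv = ThreadingHTTPServer(("127.0.0.1", 0), handler)
    threading.Thread(target=srv.serve_forever, daemon=True).start()
    return srv

def demo():
    relayed["bytes"] = 0
    seen_by_backend.clear()
    backend = start(Backend)
    Proxy.backend_port = backend.server_address[1]
    proxy = start(Proxy)
    client = http.client.HTTPConnection("127.0.0.1", proxy.server_address[1], timeout=5)
    client.request("GET", "/videos/1/stream")   # hypothetical path
    body = client.getresponse().read()
    client.close(); proxy.shutdown(); backend.shutdown()
    return len(body), relayed["bytes"], list(seen_by_backend)
```

`demo()` returns the bytes the client received, the bytes counted inside the proxy, and what the backend was told about the client; the first two are equal because the whole body transits the proxy.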

Hi, can somebody please point out what I am doing wrong here. Attached pls find prtscr of all places I figure needs to be changed for a reverse proxy to work. I am new to all this and my trial and error method doesn't work:

1. I have my Emby server on Synology NAS (obviously)

2. I have my ports forwarded in my router (probably badly)

3. I use my own "mydomain.pl" for people to connect from outside my LAN and default port is unsecured 80 (so when somebody just types "mydomain.pl" in the browser it directs him to emby login page but on unsecured port with a red warning in chrome) - I would like to automatically connect via secured port (443 or 8921?)

4. If I add my "mydomain.pl" to Cloudflare will this do the trick without any reverse proxy or port forwarding?

Of course I could have mixed up all the settings and concepts since I don't know what I'm doing.

Any help appreciated.

5cade0cd1cfc6_emby1.jpg

5cade0e02ad39_emby2.jpg

5cade0f26cdec_nas.jpg

5cade1063ce78_portfwd.jpg

Edited by cochize1
Link to comment
Share on other sites

Hi @cochize1,

if you are using the reverse Proxy of your synology, you don't need to forward the ports 8096 and 8921.
I would change the setup of your router as the following:

Incoming Port 80 -> destination Port: 80
Incoming Port 443 -> destination Port: 443

In emby, you should change the following settings:
Disable the checkbox: "allow remote connections ..."
and remove the "local https port" configuration.

Additionally, you don't need to setup anything in the 'Advanced' section - remove the External Domain setting and the configuration for Port 80 and 443
 

We will do all required settings in your Reverse Proxy of the synology.

In the Reverse Proxy, I would configure it as follows:
5cadf0e92393f_2019041015_34_01DS218Synol

  • Like 1
Link to comment
Share on other sites

I followed the instructions in this thread and worked right away.  There may be more than one way to make this happen but I decided to follow it as close as possible.

 

1.  In the thread it uses localhost for destination where you are using 192.168.0.10.  But yours should also work since localhost should also point to 192.168.0.10.

 

2.  Look at your Emby Home Dashboard.  It should have your Remote Access URL:

     Not sure required but you are missing a "host".mydomain.pl.  I will create one for you now.

     Remote (WAN) access:  https://emby.mydomain.pl:8921

 

3.  Did you define a Certificate for "emby.mydomain.pl"?

     Synology / Control Panel / Security / Certificates / using "Let's Encrypt".  

 

4.  There should be under Services -   *:8921   -->  emby.mydomain.pl (certificate)

 

5.  Emby Advanced Port Mapping:

     Local and Remote http = 8096

     Local https = 8920

     Remote https = 8921

 

6.  Router mapping:  8921  ---> 192.168.0.10 (Synology).  Not sure what you are doing with 80 and 443.  But not related to Emby for this setup.

 

7.  Port 443 is not related to Emby in this situation.  You can use 443 for maybe "www.mydomain.pl".

     See Web Station for this but again not related to Emby.

 

Again, I believe I got most everything from this thread which was very helpful.

Link to comment
Share on other sites

Disable the checkbox: "allow remote connections ..."

 

​I left this checked so I could see the full URL I was setting up on the Dashboard.

I think I read it not necessary but I liked the information for reference and reminder.

 

2.  Look at your Emby Home Dashboard.  It should have your Remote Access URL:

     Not sure required but you are missing a "host".mydomain.pl.  I will create one for you now.

     Remote (WAN) access:  https://emby.mydomain.pl:8921

Link to comment
Share on other sites

Thanks for the tips, will try to work it now and give you feedback.

 

When creating your Let's Encrypt Certificate port 80 needs to point to your Synology NAS in your Router Port Forwarding.  Something about it needs to verify your NAS is there or something.

Link to comment
Share on other sites

That should be the default setting.  Did you check your Dashboard for the URL.   It shows correct URL for both LOCAL and REMOTE is setup properly.

 

Good luck.  I have to take off now but interested to know how you do.

Link to comment
Share on other sites

As for now I am disconnected from Emby I cannot see my Dashboard. Any help guys? Last thing I remember before reloading the page is the warning that changing the ports might cause stability problems.

Link to comment
Share on other sites

ok, after 5 min server went back up, not sure what was wrong.

 

So, I thought I followed all the steps and the only thing I am not sure about now is the "host" name and what do you mean, you have created one for me? Please look at the attached pictures. Since you made your domain visible to anyone I assume it is safe to put my real domain name here, it is heisenberg.pl

 

Strange thing is that when I put heisenberg.pl in the browser it does not connect but after some time it shows up as heisenberg.pl:5000 which is my Synology NAS port number, any thoughts?

5cae03d7d1481_dash.jpg

5cae03e682cbb_dash2.jpg

5cae03f6c794f_nas.jpg

5cae0402a1291_port.jpg

Link to comment
Share on other sites

Again, there are multiple ways to set this up.  What I am suggesting works for me.

 

1.  You are not seeing the Remote URL under the "In-Home access" because you did not select the Allow Remote Access which another person here said to disable.

 

2.  You put 8921 in the local https instead of remote https.  I assume you do not care about Local HTTPS?  Do not change Local Ports.  Only Remote Ports as described above.

 

3.  Did you create the certificate as needed?  You may want a host.domain.ext instead of just domain.ext.

 

4.  You did not port forward 8921 as needed unless you have UPnP setup and something else is doing the port forwarding for you.  In my case I disable UPnP and do my own port forwarding.

 

5.  Your Source and Destination are not setup properly based on my and other prior postings.

Edited by d21mike
Link to comment
Share on other sites

Regarding HOST name:

 

You pick it and set it up with your DNS Server.

Using your domain name:

heisenberg.pl

 

A host name might be www.your domain name

www.heisenberg.pl

 

I am not sure if it is required but your full name is what you use to create the certificate.

 

I.E. if you use https://heisenberg.pl:8921   -  then you do not have a host name.  But if you use https://www.heisenberg.pl:8921 then you do have a host name and it is www.  You need to create the certificate for either or both heisenberg.pl and/or www.heisenberg.pl.  AGAIN.  I have not tested without a host name so not sure about not using one.

Link to comment
Share on other sites

so, no I don't have Let's Encrypt certificate, I don't know why I figured from @CChris that there is no need for one. Now trying to set it up it says that my domain name is invalid.

 

I think I'm gonna give up at this point (since my iptv just stopped working on an Emby UI for no reason, but works normally on Theater and Android) and just stay on http for remote access.

 

EDIT: TV is back to normal after disabling subtitles on the fly, still no luck with Let's Encrypt certificate

Edited by cochize1
Link to comment
Share on other sites

I understand.  But it takes like 30 seconds to create a certificate.  After my Emby setup I have been doing this for my office for multiple host at multiple locations so very nice.  But based on your error you may need a unique fully qualified name with a "host" as part of your fully qualified name.

Link to comment
Share on other sites
