blei (posted June 5, 2018, edited):

I'm not sure if I'm missing anything, but I basically want to be able to access my site via https://192.168.1.128:8920... but it doesn't seem to work.

From within my server:

[root@Server ~]# lsof -i :8920
COMMAND   PID   USER  FD   TYPE DEVICE   SIZE/OFF NODE NAME
EmbyServe 19278 media 154u IPv6 41696108 0t0      TCP  *:8920 (LISTEN)
[root@Server ~]# telnet localhost 8920
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
[root@Server ~]# curl https://localhost:8920
curl: (35) Encountered end of file

From my own computer:

blei@Fractal:~$ telnet 192.168.1.128 8920
Trying 192.168.1.128...
Connected to 192.168.1.128.
Escape character is '^]'.
Connection closed by foreign host.
blei@Fractal:~$ curl https://192.168.1.128:8920
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

I can access the HTTP port just fine, but can't seem to do it with HTTPS. Here's an image of me trying to navigate to the site via my browser (note: there's no SSL related error as far as I can tell):

It also doesn't look like there are certs:

I can't seem to find the documentation for where to generate certs for local network access. Most information seems to point to using SSL only for remote access. At this point I'm considering using nginx as the SSL frontend and proxying requests to the Emby HTTP port, but I don't think that's the 'proper' way of dealing with the issue.

Edit: Well, I tried the nginx idea as well but that didn't go over so well (for Emby Theater). Here's my config:

server {
    listen 8920 http2 ssl;
    listen [::]:8920 http2 ssl;
    server_name 192.168.1.128;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;

    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        proxy_pass http://localhost:8096;
    }
}

I was able to access https://192.168.1.128:8920 just fine, but when I tried to use Emby Theater with the same hostname it said it couldn't connect. The Emby server did get the request, but Theater just couldn't load anything. I'm going to guess that it might be trying to load http resources at 8096, but since I closed that port it can't even be redirected to https (redirection isn't particularly ideal...).

Edited June 5, 2018 by blei
Luke (posted June 5, 2018):

Have you set up an ssl cert?
blei (posted June 5, 2018):

I have an ssl cert, but I'm not entirely sure where I would put it for Emby.
Luke (posted June 5, 2018):

You can configure it in the Advanced section.
blei (posted June 5, 2018):

There's no option for it, though, unless I enable remote connections.
Luke (posted June 5, 2018):

Right yea, I've hidden it. Do you really need it over the local network?
blei (posted June 5, 2018):

I'd really like it enabled, as it does give me some extra closure in terms of safety (within my own network).
Luke (posted June 5, 2018):

I suppose you could check the box to allow remote connections, set up the ssl cert, and then uncheck the box.
blei (posted June 5, 2018):

That seems to have done the trick. Thanks!
blei (posted June 5, 2018):

Wait, so I can connect to it via my browser, but I can't do it with Emby Theater (note: I disabled the public port as I only want SSL):

Nothing is logged when I attempt to connect.
Luke (posted June 5, 2018):

The problem that you're going to run into is that if this is some kind of self signed cert, we haven't done the work in every single app to force them to accept the cert. In fact in some apps it's not even possible.
blei (posted June 5, 2018):

It is a self signed cert :/
mastrmind11 (posted June 5, 2018):

out of curiosity, why do you want SSL on a local network?
blei (posted June 5, 2018):

> out of curiosity, why do you want SSL on a local network?

I'd really like it enabled, as it does give me some extra closure in terms of safety (within my own network). Basically an extra layer of false sense of security. Besides that Plex seems to allow HTTPS-only connections. Theoretically speaking if someone did 'break into' my local network, I'd have bigger things to worry about than encrypted traffic between internal machines from Emby... but again. Better false sense of security.
Luke (posted June 5, 2018):

It's not that we don't allow it, we do. It's just that you will have to make sure the devices will trust your certificate.
mastrmind11 (posted June 5, 2018, edited):

I'm not really sure how this would be possible w/o a self signed cert. Normal certs have to resolve to a valid externally facing hostname so that the cert can be validated/verified. Internally I don't know how you could do that w/o jumping through hoops generating certs, messing w/ internal DNS servers, etc. To my knowledge, it's not possible w/o a self signed cert. I could be wrong.

edit, for reference: https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network

Edited June 5, 2018 by mastrmind11
blei (posted June 5, 2018):

> It's not that we don't allow it, we do. It's just that you will have to make sure the devices will trust your certificate.

I've trusted my cert on my own machine... but Emby Theater doesn't seem to be OK with that (accessing website is fine). I'm not sure how many people care about having this type of feature, but perhaps if it requires a large rewrite on the client then it's probably not worth it.

> I'm not really sure how this would be possible w/o a self signed cert. Normal certs have to resolve to a valid externally facing hostname so that the cert can be validated/verified. Internally I don't know how you could do that w/o jumping through hoops generating certs, messing w/ internal DNS servers, etc. To my knowledge, it's not possible w/o a self signed cert. I could be wrong.
>
> edit, for reference: https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network

Yes it is a self signed cert, and I did follow some guide online to generate private keys/certs (pk12).
Luke (posted June 5, 2018):

Right you've trusted it on your server machine, but the devices running your Emby apps will not trust it. Even if it's a different app on the same machine. The reason why you can get it to work in the browser is because you can override it in the browser, but this type of thing isn't available in all apps.
blei (posted June 5, 2018, edited):

To clear up what I think may be a misunderstanding.... let's call my server "Server" and my computer "PC" (two separate entities). PC can use Chrome Browser to visit Server via HTTPS. PC has also imported the cert generated from Server as a trusted authority. But PC can't use the app Emby Theater to connect to Server (because Emby Theater doesn't follow the same cert management as Chrome).

It (self signed SSL) doesn't have to be available to all apps, but if I have enabled HTTPS it would be nice if my (emphasis on myself) existing apps (in particular, Emby Theater) used that protocol instead of HTTP. But it's sounding more to me that if you were to enable such a thing, you would have to standardize it across all the other supported Emby clients... which would be a high level effort with minor benefits.

Edited June 5, 2018 by blei
Luke (posted June 5, 2018):

If you have ever seen the mobile android app, we have implemented this according to android guidelines where if the device rejects the cert, we can then prompt you to manually allow it. And once you manually allow it, we can then configure the app's connection routines to allow that certificate. Our initial plan was to do this sort of thing on all platforms, however we've since realized that on some platforms this isn't even possible. So rather than create a situation where something only half works, we chose to abandon it and just advise that everyone have a trusted certificate.
lucid88 (posted September 18, 2018, edited):

Just edit your hosts file on the (each) client machine to point the server's IP to whatever domain you registered for the cert. Easy peasy lemon squeezy. It removes the cert warnings via browser as well.

Example: if I add to my client hosts file:

192.168.1.50 google.com

then when I put google.com in the browser it will access my Emby server, and if I had a self signed cert for google.com, then it would be secure. DON'T USE GOOGLE.COM lol, just an example. Since hosts files override DNS lookup, any and all attempts to reach google.com will redirect to your Emby server.

Only problem is this is a solution that may be cumbersome when trying to quickly deploy on a friend's or family's device, for example. It is doable on phone devices though with apps like dns66 or adaway on android, Adguard for iphone... all these apps are made for adblocking via hosts file by downloading lists and merging them, redirecting thousands of ad domains to 127.0.0.1 local, so they just loop. Great for blocking ads, but also for making a local cert authorized.

Doing this also lets you use the hostname, google.com (example), in other devices like shares \\google.com\

Also if you wanted local and internet https on the same cert, you'd just put in your hosts file:

yourdomain.com 192.168.1.50

or whatever the Emby server is, and your certs will work for both local and internet.

Edited September 18, 2018 by lucid88
k3rnel-pan1c (posted January 6, 2019):

> Right you've trusted it on your server machine, but the devices running your Emby apps will not trust it. Even if it's a different app on the same machine. The reason why you can get it to work in the browser is because you can override it in the browser, but this type of thing isn't available in all apps.

Okay, first of all sorry for reviving an "old" post!

Second, there is a way to get all your local machines to trust a cert, IF you get a self-signed "root" cert and build a proper cert chain on that. That root cert then only needs to be installed on all machines and you should be good. FreeNAS kind of offers this functionality, as you can create a "local" CA that you then use to create certs for all your local services. (but for more of that pls use google)

Anyway, following this approach brings some security issues with it though, as a "custom" root cert can be abused in other ways, but I digress.

Thanks for the post though, helped me set up my local https
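The private-CA approach k3rnel-pan1c describes, and the "how do you bind a cert to an internal name without public DNS" question mastrmind11 raises, can both be demonstrated with plain OpenSSL. The script below is an added example written for this thread; it is not code from the thread, from Emby, or from FreeNAS. It assumes an `openssl` binary on PATH. The address 192.168.1.128 is the one used in the thread; the hostname emby.lan, the CA name, the output directory and the PKCS#12 password "changeit" are constructed placeholders. It addresses k3rnel-pan1c's caveat about a custom root being "abused in other ways" by giving the root a name constraint, so certificates it signs are only valid inside the LAN:

```shell
#!/bin/sh
# Added example (not from the thread, Emby or FreeNAS): build a name-constrained
# private root CA, issue a LAN leaf certificate with DNS and IP SANs, bundle it
# as PKCS#12 (the "pk12"/pfx form the thread mentions), and verify the chain the
# way a client that trusts only the root would.
# Assumes openssl on PATH. 192.168.1.128 comes from the thread; emby.lan, the CA
# name, the directory and the password "changeit" are constructed placeholders.
set -eu

LAN_SUBNET="192.168.1.0/255.255.255.0"   # constructed: only this /24 is ever trusted

# make_lan_ca DIR : self-signed root whose signed certs are only valid for names
# under .lan and addresses in LAN_SUBNET. If ca.key ever leaks, a cert it signs
# for a public site is rejected by clients that enforce name constraints.
make_lan_ca() {
    dir=$1
    mkdir -p "$dir"
    cat > "$dir/ca.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
nameConstraints = critical, permitted;IP:${LAN_SUBNET}, permitted;DNS:.lan
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/ca.key" 2>/dev/null
    openssl req -x509 -new -key "$dir/ca.key" -config "$dir/ca.cnf" \
        -extensions v3_ca -days 3650 -out "$dir/ca.crt"
}

# issue_leaf DIR NAME DNS IP : key, CSR and CA-signed end-entity certificate.
# The SAN carries both the hostname and the raw IP, so https://192.168.1.128:8920
# validates as well as https://emby.lan:8920 (no internal DNS needed for the IP).
issue_leaf() {
    dir=$1; name=$2; dns=$3; ip=$4
    cat > "$dir/$name.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = ${dns}
EOF
    cat > "$dir/$name.ext" <<EOF
[server]
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:${dns}, IP:${ip}
EOF
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$dir/$name.key" 2>/dev/null
    openssl req -new -key "$dir/$name.key" -config "$dir/$name.cnf" -out "$dir/$name.csr"
    openssl x509 -req -in "$dir/$name.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 825 -extfile "$dir/$name.ext" -extensions server \
        -out "$dir/$name.crt" 2>/dev/null
}

# bundle_pkcs12 DIR NAME : key + leaf + root in one .pfx for the server side.
bundle_pkcs12() {
    dir=$1; name=$2
    openssl pkcs12 -export -inkey "$dir/$name.key" -in "$dir/$name.crt" \
        -certfile "$dir/ca.crt" -passout pass:changeit -out "$dir/$name.pfx"
}

# verify_leaf DIR NAME HOST : exit 0 if a client trusting only ca.crt would
# accept NAME.crt when connecting to HOST (dotted IPv4 or DNS name), else 1.
verify_leaf() {
    dir=$1; name=$2; host=$3
    case $host in
        *[!0-9.]*) opt="-verify_hostname" ;;
        *)         opt="-verify_ip" ;;
    esac
    openssl verify -CAfile "$dir/ca.crt" "$opt" "$host" "$dir/$name.crt" >/dev/null 2>&1
}

# build_demo DIR : the full flow plus a rogue cert that the constrained root
# signs but clients must still reject.
build_demo() {
    dir=$1
    make_lan_ca "$dir"
    issue_leaf "$dir" emby emby.lan 192.168.1.128
    bundle_pkcs12 "$dir" emby
    if verify_leaf "$dir" emby 192.168.1.128; then echo "emby.crt accepted for 192.168.1.128"; fi
    issue_leaf "$dir" rogue www.example.com 8.8.8.8
    if verify_leaf "$dir" rogue 8.8.8.8; then echo "rogue.crt accepted (constraints not enforced?)"
    else echo "rogue.crt rejected: outside the CA's permitted subtree"; fi
}

# Usage: sh lan-pki.sh ./lan-pki
if [ $# -ge 1 ]; then build_demo "$1"; fi
```

Only ca.crt is distributed to the clients' trust stores; ca.key stays off the Emby box once the leaf is issued, and emby.pfx (key plus chain) is what the server gets. Browsers and most modern TLS stacks honour the name constraint, so a stolen ca.key cannot be turned into a trusted certificate for a public site on those clients; older or embedded stacks may ignore the extension, which is the residual risk Luke's "varies per platform" reply points at.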
Luke (posted January 6, 2019):

That is something that will vary per platform. For something like a desktop PC, usually that kind of configuration will be available. For a smart tv or set top box like Roku though, it generally will not.
Kornflex (posted December 30, 2019):

Hi, HTTPS on lan is needed if you want to cast the emby webpage to a google nest hub. Only https is shown :/

I want it, with a self signed certificate I think, and I will be able to listen to my music in all the house without using the app.
Luke (posted December 30, 2019):

Did you try a self signed certificate?