[Docker] Can't locally access Emby server via HTTPS


blei

Recommended Posts

I'm not sure if I'm missing anything, but I basically want to be able to access my site via https://192.168.1.128:8920...but it doesn't seem to work.

From within my server:

[root@Server ~]# lsof -i :8920
COMMAND     PID  USER   FD   TYPE   DEVICE SIZE/OFF NODE NAME
EmbyServe 19278 media  154u  IPv6 41696108      0t0  TCP *:8920 (LISTEN)
[root@Server ~]# telnet localhost 8920
Trying ::1...
Connected to localhost.
Escape character is '^]'.
Connection closed by foreign host.
curl: (35) Encountered end of file

From my own computer:

blei@Fractal:~$ telnet 192.168.1.128 8920
Trying 192.168.1.128...
Connected to 192.168.1.128.
Escape character is '^]'.
Connection closed by foreign host.
blei@Fractal:~$ curl https://192.168.1.128:8920
curl: (35) gnutls_handshake() failed: The TLS connection was non-properly terminated.

I can access the HTTP port just fine, but can't seem to do it with HTTPS.

Here's an image of me trying to navigate to the site via my browser (note: there's no SSL related error as far as I can tell):

[image: 5b15e535d33b6_cantreach.jpg]

It also doesn't look like there are certs:

[image: 5b15e5bc8f927_nocerts.jpg]

I can't seem to find the documentation for where to generate certs for local network access. Most information seems to point to using SSL only for remote access.

At this point I'm considering using nginx as the SSL frontend and proxy requests to the Emby HTTP port, but I don't think that's the 'proper' way of dealing with the issue.

Edit: Well, I tried the nginx idea as well but that didn't go over so well (for Emby Theater). Here's my config:

server {
    listen 8920 http2 ssl;
    listen [::]:8920 http2 ssl;

    server_name 192.168.1.128;

    ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
    ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
    ssl_dhparam /etc/ssl/certs/dhparam.pem;
    ssl_session_timeout 1d;
    ssl_session_cache shared:SSL:50m;
    ssl_session_tickets off;

    # modern configuration. tweak to your needs.
    ssl_protocols TLSv1.2;
    ssl_ciphers 'ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256';
    ssl_prefer_server_ciphers on;

    # HSTS (ngx_http_headers_module is required) (15768000 seconds = 6 months)
    # Note: browsers only honour HSTS for hostnames; with an IP-address host like this one it is ignored.
    add_header Strict-Transport-Security max-age=15768000;

    location / {
        proxy_pass http://localhost:8096;

        # Pass the original host, client address and scheme through to Emby,
        # so it sees the request as HTTPS from the real client, not from nginx.
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Emby's web client and apps open a WebSocket to the server; nginx only
        # forwards the Upgrade with HTTP/1.1 and these two headers set.
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

I was able to access https://192.168.1.128:8920 just fine, but when I tried to use Emby Theater with the same hostname it said it couldn't connect. The Emby server did get the request, but Theater just couldn't load anything. I'm going to guess that it might be trying to load http resources at 8096, but since I closed that port it can't even be redirected to https (redirection isn't particularly ideal...).

Edited by blei

Right yea, I've hidden it. Do you really need it over the local network?


I'd really like it enabled, as it does give me some extra closure in terms of safety (within my own network).


I suppose you could check the box to allow remote connections, setup the ssl cert, and then uncheck the box.


Wait, so I can connect to it via my browser, but I can't do it with Emby Theater (note: I disabled the public port as I only want SSL):

[image: 5b16183bec01a_connectdata.jpg]

[image: 5b161819669b1_connectfailed.jpg]

Nothing is logged when I attempt to connect.


The problem that you're going to run into is that if this is some kind of self signed cert, we haven't done the work in every single app to force them to accept the cert. In fact in some apps it's not even possible.


mastrmind11

out of curiosity, why do you want SSL on a local network?


out of curiosity, why do you want SSL on a local network?

I'd really like it enabled, as it does give me some extra closure in terms of safety (within my own network).

Basically an extra layer of false sense of security. Besides that Plex seems to allow HTTPS-only connections. Theoretically speaking if someone did 'break into' my local network, I'd have bigger things to worry about than encrypted traffic between internal machines from Emby... but again. Better false sense of security.


It's not that we don't allow it, we do. It's just that you will have to make sure the devices will trust your certificate.


mastrmind11

I'm not really sure how this would be possible w/o a self signed cert.  Normal certs have to resolve to a valid externally facing hostname so that the cert can be validated/verified.  Internally I don't know how you could do that w/o jumping through hoops generating certs, messing w/ internal DNS servers, etc.  To my knowledge, it's not possible w/o a self signed cert.  I could be wrong.

edit, for reference:  https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network

Edited by mastrmind11

It's not that we don't allow it, we do. It's just that you will have to make sure the devices will trust your certificate.

I've trusted my cert on my own machine... but Emby Theater doesn't seem to be OK with that (accessing website is fine). I'm not sure how many people care about having this type of feature, but perhaps if it requires a large rewrite on the client then it's probably not worth it.

I'm not really sure how this would be possible w/o a self signed cert.  Normal certs have to resolve to a valid externally facing hostname so that the cert can be validated/verified.  Internally I don't know how you could do that w/o jumping through hoops generating certs, messing w/ internal DNS servers, etc.  To my knowledge, it's not possible w/o a self signed cert.  I could be wrong.

edit, for reference:  https://security.stackexchange.com/questions/121163/how-do-i-run-proper-https-on-an-internal-network

Yes it is a self signed cert, and I did follow some guide online to generate private keys/certs (pk12).


Right you've trusted it on your server machine, but the devices running your Emby apps will not trust it. Even if it's a different app on the same machine.

The reason why you can get it to work in the browser is because you can override it in the browser, but this type of thing isn't available in all apps.


To clear what I think may be a misunderstanding.... let's call my server "Server" and my computer "PC" (two separate entities). PC can use Chrome Browser to visit Server via HTTPS. PC has also imported the cert generated from Server as a trusted authority. But PC can't use the app Emby Theater to connect to Server (because Emby Theater doesn't follow the same cert management as Chrome).

It (self-signed SSL) doesn't have to be available to all apps, but if I have enabled HTTPS it would be nice if my (emphasis on myself) existing apps (in particular, Emby Theater) used that protocol instead of HTTP. But it's sounding more to me that if you were to enable such a thing, you would have to standardize it across all the other supported Emby clients... which would be a high-level effort with minor benefits.

Edited by blei

If you have ever seen the mobile android app, we have implemented this according to android guidelines where if the device rejects the cert, we can then prompt you to manually allow it. And once you manually allow it, we can then configure the app's connection routines to allow that certificate.

Our initial plan was to do this sort of thing on all platforms, however we've since realized that on some platforms this isn't even possible. So rather than create a situation where something only half works, we chose to abandon it and just advise that everyone have a trusted certificate.


  • 3 months later...

Just edit your hosts file on the (each) client machine to point the server's IP to whatever domain you registered for the cert. Easy peasy lemon squeezy. It removes the cert warnings via browser as well.

Example if i add to my client hosts file :

192.168.1.50 google.com

Then when I put google.com in the browser it will access my Emby server, and if I had a self-signed cert for google.com, then it would be secure.

DON'T USE GOOGLE.COM lol, just an example. Since hosts files override DNS lookup, any and all attempts to reach google.com will redirect to your Emby server :P

Only problem is this is a solution that may be cumbersome when trying to quickly deploy on a friend's or family's device, for example. It is doable on phone devices though with apps like DNS66 or AdAway on Android, AdGuard for iPhone... all these apps are made for adblocking via hosts file by downloading lists and merging them, redirecting thousands of ad domains to 127.0.0.1 local, so they just loop. Great for blocking ads, but also for making a local cert authorized ;)

doing this also lets you use the hostname, google.com (example) in other devices like shares \\google.com\ 

Also if you wanted local and internet HTTPS on the same cert, you'd just put in your hosts file: yourdomain.com 192.168.1.50 or whatever the Emby server is and your certs will work for both local and internet.

Edited by lucid88

  • 3 months later...
k3rnel-pan1c

Right you've trusted it on your server machine, but the devices running your Emby apps will not trust it. Even if it's a different app on the same machine.

The reason why you can get it to work in the browser is because you can override it in the browser, but this type of thing isn't available in all apps.

Okay, first of all sorry for reviving an "old" post!

Second, there is a way to get all your Local machines to trust a cert, IF you get a self-signed "root"-cert and build a proper cert chain on that.

That root-cert then only needs to be installed on all machines and you should be good.

FreeNAS kind-of offers this functionality, as you can create a "local"-CA that you then use to create certs for all your local services. (but for more of that pls use google)

Anyway, following this approach brings some security issues with it though as a "custom" root-cert can be abused in other ways, but I digress.

Thanks for the post though, helped me setup my local https :P

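As an added example (not code from this thread, from Emby, or from FreeNAS), here is the local-CA approach described above done with the openssl CLI, ending in the PKCS#12 bundle (the "pk12") that blei mentions handing to Emby. The server IP 192.168.1.128 comes from the thread; the hostname emby.lan, the CA name "Home Lab Root CA", the bundle password "changeit" and the output directory ./lan-ca are placeholders you should change. It assumes OpenSSL 1.1.1 or newer is installed.

```shell
#!/bin/sh
# Added example, not from the thread or the Emby project: a throwaway local CA
# that issues a LAN server certificate and bundles it as PKCS#12 for Emby.
# Assumed placeholders: LAN IP 192.168.1.128 (from the thread), hostname
# emby.lan, PKCS#12 password "changeit". Needs the openssl CLI (1.1.1+).
set -eu

SERVER_IP="${SERVER_IP:-192.168.1.128}"
SERVER_NAME="${SERVER_NAME:-emby.lan}"
PFX_PASS="${PFX_PASS:-changeit}"

# make_local_ca DIR: writes DIR/ca.key and DIR/ca.crt, a self-signed root.
# ca.crt is the only thing clients need to import; ca.key stays off the server.
make_local_ca() {
  dir="$1"
  mkdir -p "$dir"
  cat > "$dir/ca.cnf" <<'EOF'
[req]
distinguished_name = dn
x509_extensions = v3_ca
prompt = no
[dn]
CN = Home Lab Root CA
[v3_ca]
basicConstraints = critical, CA:TRUE, pathlen:0
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl genrsa -out "$dir/ca.key" 2048 2>/dev/null
  openssl req -x509 -new -sha256 -days 3650 -key "$dir/ca.key" \
    -config "$dir/ca.cnf" -out "$dir/ca.crt"
}

# issue_server_cert DIR: leaf cert for the Emby host. The SAN carries both the
# hostname and the raw IP, so https://192.168.1.128:8920 and
# https://emby.lan:8920 both validate (modern clients ignore the CN entirely).
issue_server_cert() {
  dir="$1"
  cat > "$dir/server.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = $SERVER_NAME
EOF
  cat > "$dir/server.ext" <<EOF
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid, issuer
subjectAltName = DNS:$SERVER_NAME, IP:$SERVER_IP
EOF
  openssl genrsa -out "$dir/server.key" 2048 2>/dev/null
  openssl req -new -key "$dir/server.key" -config "$dir/server.cnf" \
    -out "$dir/server.csr"
  openssl x509 -req -sha256 -days 825 -in "$dir/server.csr" \
    -CA "$dir/ca.crt" -CAkey "$dir/ca.key" -CAcreateserial \
    -extfile "$dir/server.ext" -out "$dir/server.crt" 2>/dev/null
  # Emby takes the key and certificate as one PKCS#12 (.pfx/.p12) bundle.
  openssl pkcs12 -export -inkey "$dir/server.key" -in "$dir/server.crt" \
    -certfile "$dir/ca.crt" -passout "pass:$PFX_PASS" -out "$dir/server.pfx"
}

# verify_chain DIR: exit 0 only if server.crt chains to ca.crt.
verify_chain() {
  openssl verify -CAfile "$1/ca.crt" "$1/server.crt" >/dev/null
}

# san_of DIR: prints the SAN line, e.g. "DNS:emby.lan, IP Address:192.168.1.128".
san_of() {
  openssl x509 -in "$1/server.crt" -noout -text \
    | grep -A1 'Subject Alternative Name' | tail -n 1 | sed 's/^ *//'
}

OUT="${1:-./lan-ca}"
make_local_ca "$OUT"
issue_server_cert "$OUT"
verify_chain "$OUT"
echo "issued: $(san_of "$OUT")"
echo "import $OUT/ca.crt on each client; give Emby $OUT/server.pfx and the password"
```

Import ca.crt (never ca.key) into each client's trust store, then `curl --cacert lan-ca/ca.crt https://192.168.1.128:8920/` should complete the handshake instead of failing with error 35 as in the first post. Because the IP is in the SAN, the hosts-file trick is not needed for browsers; it is still needed if you want to type a name. Two caveats from the replies above apply here: a root your devices trust can sign for any name, so keep ca.key offline (pathlen:0 stops sub-CAs but does not limit names); and Emby apps on platforms with no user-managed trust store (smart TVs, Roku) will still reject it even though the browser is happy.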

That is something that will vary per platform. For something like a desktop PC, usually that kind of configuration will be available. For a smart tv or set top box like Roku though, it generally will not.


  • 11 months later...
Kornflex

Hi,

HTTPS on lan is needed if you want to cast the emby webpage to a google nest hub. only https is shown :/

I want it, with a self-signed certificate I think, and I will be able to listen to my music in all the house without using the app.

