Questions about SSL Setup

[Swynol 375]

if it took the details successfully. give it 15-30 mins to update and fingers crossed it will work.

 

It will now depend on your other settings

 

On your router what ports have you forwarded? if you have forwarded 8920 or 8096 then you will need to enter the url https://emby.mydomain.com:8920 

 

if you have forwarded port 80 and 443 external to 8096 and 8920 internal then you can just use the url without the port appended. https://emby.mydomain.com

[mattykellyuk 17]

if it took the details successfully. give it 15-30 mins to update and fingers crossed it will work.

 

It will now depend on your other settings

 

On your router what ports have you forwarded? if you have forwarded 8920 or 8096 then you will need to enter the url https://emby.mydomain.com:8920 

 

if you have forwarded port 80 and 443 external to 8096 and 8920 internal then you can just use the url without the port appended. https://emby.mydomain.com

 

OK I will give it a bit longer. I have forwarded 8096 and 8920 and that url isn't working at the moment

[mattykellyuk 17]

if it took the details successfully. give it 15-30 mins to update and fingers crossed it will work.

 

It will now depend on your other settings

 

On your router what ports have you forwarded? if you have forwarded 8920 or 8096 then you will need to enter the url https://emby.mydomain.com:8920 

 

if you have forwarded port 80 and 443 external to 8096 and 8920 internal then you can just use the url without the port appended. https://emby.mydomain.com

 

Oh my god it worked! So can I not use emby connect now?

[mattykellyuk 17]

Also chrome says its not secure?

[Swynol 375]

ye emby connect will still work aslong as the url that it reported on the emby dashboard it correct.

 

when you created the SSL cert what subdomain did you use? 

 

the SSL cert will need to cover both the a record name i.e. ddns.mydomain.com and your emby subdomain. i.e. emby.mydomain.com

[mattykellyuk 17]

ye emby connect will still work aslong as the url that it reported on the emby dashboard it correct.

 

when you created the SSL cert what subdomain did you use? 

 

the SSL cert will need to cover both the a record name i.e. ddns.mydomain.com and your emby subdomain. i.e. emby.mydomain.com

 

Sorry bit lost with that question. I went to https://www.sslforfree.com/ and entered the domain i created. Do i need two certificates? so enter ' ddns.mydomain.com' and download certificate and then 'emby.mydomain.com' and download the certificate 

 

Really appreciate your time with this

[mattykellyuk 17]

On the dashboard the WAN is 'mydomain.com:8920'. Should it ready 'emby.mydomain.com:8920'?

[mattykellyuk 17]

YES! changed 'External domain:' emby.mydomain.com and it works!

 

Amazing thanks so much

[mattykellyuk 17]

Will it now always connect to ssl when not on LAN as I just went through emby connect and it says http not https?

[rbjtech 4283]

Will it now always connect to ssl when not on LAN as I just went through emby connect and it says http not https?

 

Force it it use https for remote (non-LAN) connections - using :-

 

 Advanced > Secure Connection Mode > Required for all remote connections 

 

then save. 

 

Two things to add - 1) May i suggest you also TEST once you have set it to ensure you cannot use http. and 2) then remove the http forwards on your router (leaving the https one only) to Emby - so you then have blocked it on the firewall and emby itself.  Repeat the TEST.

 

Edited September 5, 2018 by rbjtech

[Swynol 375]

Awesome [emoji1303].

 

Ye remove http access then test everything works.

 

Also make sure you have a username/password setup on emby.

 

 

Now just remember to renew your cert before it expires every 90 days. I used to renew mine around 60-70 days, it then gives you some time if you run into problems

 

 

Sent from my iPhone using Tapatalk

[rbjtech 4283]

.. and for extra remote security, may I also suggest the following :-

 

• Hide all users from the login screens.
• Create an administrator account with a name that only you know - and disable/delete the default 'Administrator' account.
• If you are happy to only administer Emby on the local LAN (sensible), then simply untick the 'Allow remote connections' on the newly created Admin only account.  That way, even if you were compromised remotely, they cannot do much with a read only / non-admin account.

From within Emby itself, that is probably as far as you can go with security without adding external IP filters, which limits flexibility but could be useful if you had a fixed IP remote connection that you wanted to secure for example.

[mattykellyuk 17]

Thanks. I have closed the non secure port on the router but http://www.canyouseeme.org says it open. Plus http does work even though the server setting is 'require all remote...'

[rbjtech 4283]

Thanks. I have closed the non secure port on the router but http://www.canyouseeme.org says it open. Plus http does work even though the server setting is 'require all remote...'

 

Are you testing via the internet only ? Try using your mobile - disable wireless and then just use 4G - if that still connects via http then something is definitely wrong .. 

[mattykellyuk 17]

Are you testing via the internet only ? Try using your mobile - disable wireless and then just use 4G - if that still connects via http then something is definitely wrong ..

 

Yeah I was testing on 4g and still connects when I go to http://app.emby.media.

[mattykellyuk 17]

So to recap, I am able to connect with https but when I go through emby connect it looks to be http even though emby settings saying 'require for all remote connection'. I have also removed the ports for http from the 'services' section of the router, leaving only the ssl port. I do have uPnp enabled though, is this relevant?

See screenshots attached

[Angelblue05 4130]

I believe you need to restart your server to update the server address emby connect returns.

 

You can def disable automatic port mapping.

[mattykellyuk 17]

I believe you need to restart your server to update the server address emby connect returns.

 

You can def disable automatic port mapping.

Thanks, removed automatic port mapping and restarted the server, no better. Also just restarted the router to try that and no better either.

 

When i go to my domain its automatically secure and if you edit the address to http it fails, but through emby connect it isn't secure even though at the top of the dashboard the Remote (WAN) access is https://xxx

[Angelblue05 4130]

Is emby connect connecting locally? Did you try with your phone without wifi?

[mattykellyuk 17]

Is emby connect connecting locally? Did you try with your phone without wifi?

Yeah I'm trying on works wifi

[Happy2Play 8296]

I don't believe Connect forces https.  You have to manually ensure you are using https://app.emby.media.

[Angelblue05 4130]

I'm not sure why the address is not updating in emby connect. I don't have this issue, emby connect uses both my local address and my remote one https.

Edited September 6, 2018 by Angelblue05

[mattykellyuk 17]

Is there any setting I should double check? Just to confirm the emby connect thing see attached screenshot done on works wifi

Edited September 6, 2018 by mattykellyuk

[Happy2Play 8296]

Connect is a alternative to your DDNS/WAN address there is nothing you need to enable.  Either use https://app.emby.media or use your WAN address.

 

Connect plays by its own rules.

 

I just logged in with http://app.emby.media and when adding my server I was forced to add my https://WAN address and port, http would not connect.  But the browser will always show unsecure unless you sign into Connect on https address.

[mattykellyuk 17]

Connect is a alternative to your DDNS/WAN address there is nothing you need to enable.  Either use https://app.emby.media or use your WAN address.

 

Connect plays by its own rules.

 

I just logged in with http://app.emby.media and when adding my server I was forced to add my https://WAN address and port, http would not connect.  But the browser will always show unsecure unless you sign into Connect on https address.

 

Right thats a bit annoying. I just tried to login via https://app.emby.media and it won't connect to my server, although my domain works fine. 

So i just need to login using my domain? What about devices like fire sticks?