jon_ (Posted January 5, 2019)

Hi. Would it be possible to add a field in the Expert -> Hosting page to specify the reverse proxy IP(s), and then treat them as external/untrusted?

Use case: If you are allowing remote connections to Emby direct, you can use a PIN for authenticating if you are on the same subnet as the server. If you are remote, you have to use a password. If you are using a reverse proxy, then remote connections appear to be local as they are rewritten to come from the proxy IP, which means it's not a good idea to use a PIN; using a password only is recommended. Security best practice says that this password should be long/complex, which is a pain to enter on most devices (especially those that don't have a touchscreen / keyboard).

If it was possible to specify the reverse proxy address, and treat all connections from this as remote/untrusted, then you could still use PIN codes on the local network, but any remote connections from the reverse proxy IP would have to authenticate via password. I know technically you could do this via subnetting, but it's probably beyond the scope of most home users.
Luke (Posted January 5, 2019)

Hi, we already do; you just need to configure the HTTP headers for the proxy. @pir8radio may have some tips. Thanks!
pir8radio (Posted January 5, 2019)

[quoting jon_'s post above]

You just need to make sure your proxy is set up in a transparent way, passing all of the client headers to Emby; Emby won't know there is a proxy in the middle. What proxy server are you using? There are a few configs on the forums here that cover nginx, Apache, and HAProxy; IIS ARR has some issues with Emby. I can help if nginx, and maybe get you in the right direction if you're using another proxy.
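The local-versus-remote decision jon_ asks about, and the header passing pir8radio describes, as an added example in Python that is not code from Emby or from anyone in this thread. It shows how a server behind a reverse proxy should derive the real client address: honour X-Forwarded-For only when the TCP peer is one of the configured proxy addresses (any client can send that header, so from an untrusted peer it is ignored), walk the header from the nearest hop backwards past known proxies (this goes beyond the single-proxy case and also covers the multi-hop CDN chain pir8radio mentions later in the thread), fail closed to a password on a malformed header, and only then apply the same-subnet PIN rule to the resulting address. The subnet 192.168.1.0/24, the proxy addresses, and the sample requests are constructed values, not anything taken from the page.

```python
import ipaddress
from typing import Iterable, List, Optional


def parse_networks(cidrs: Iterable[str]) -> List:
    """Turn a list of CIDR strings into ipaddress network objects."""
    return [ipaddress.ip_network(c) for c in cidrs]


# Constructed sample values for the demonstration (not taken from the thread):
# the LAN where a PIN is acceptable, and the addresses the reverse proxy connects from.
# With a ProxyPass to http://localhost:8096/ the proxy's peer address is 127.0.0.1.
LOCAL_SUBNETS = parse_networks(["192.168.1.0/24", "fd00::/8"])
TRUSTED_PROXIES = parse_networks(["127.0.0.1/32", "192.168.1.10/32"])


def _in_any(ip, networks: Iterable) -> bool:
    """True if ip falls inside any of the networks (an IPv4/IPv6 mismatch counts as no)."""
    return any(ip in net for net in networks)


def effective_client_ip(peer_addr: str, forwarded_for: Optional[str], trusted_proxies: List):
    """Return the address the application should treat as the client.

    X-Forwarded-For is only honoured when the TCP peer is a configured proxy.
    The chain is walked from the right (nearest hop) towards the left, skipping
    trusted proxies; the first address that is not a trusted proxy is the client.
    A malformed entry raises ValueError so the caller can fail closed.
    """
    peer = ipaddress.ip_address(peer_addr)
    if not forwarded_for or not _in_any(peer, trusted_proxies):
        return peer
    hops = [h.strip() for h in forwarded_for.split(",") if h.strip()]
    for hop in reversed(hops):
        candidate = ipaddress.ip_address(hop)  # raises ValueError on garbage
        if not _in_any(candidate, trusted_proxies):
            return candidate
    # Every hop was one of our own proxies: the request originated from the proxy itself.
    return peer


def is_local_network(ip, local_subnets: List) -> bool:
    """The same-subnet test that the PIN sign-in rule is based on."""
    return ip.is_loopback or _in_any(ip, local_subnets)


def auth_method(peer_addr: str, forwarded_for: Optional[str] = None, *,
                trusted_proxies: List = TRUSTED_PROXIES,
                local_subnets: List = LOCAL_SUBNETS) -> str:
    """'pin' when the effective client is on the LAN, otherwise 'password'.

    A header from a trusted proxy that cannot be parsed is treated as remote (fail closed).
    """
    try:
        client = effective_client_ip(peer_addr, forwarded_for, trusted_proxies)
    except ValueError:
        return "password"
    return "pin" if is_local_network(client, local_subnets) else "password"


if __name__ == "__main__":
    # Constructed requests: a direct LAN client, a remote client via the proxy,
    # an untrusted peer trying to look local, and a two-hop chain through a CDN edge.
    samples = [
        ("192.168.1.42", None),
        ("127.0.0.1", "203.0.113.7"),
        ("203.0.113.7", "192.168.1.42"),
        ("127.0.0.1", "203.0.113.7, 198.51.100.9"),
    ]
    for peer, xff in samples:
        print(f"peer={peer:<14} xff={xff!s:<28} -> {auth_method(peer, xff)}")
```

Two points worth noting against jon_'s Apache setup: because the ProxyPass target is localhost, the peer address Emby sees is 127.0.0.1, so that is the entry that must be in the trusted-proxy list; and Apache's mod_proxy_http adds X-Forwarded-For on its own (the ProxyAddHeaders directive defaults to On), which is why a transparent proxy "just works" once the application honours that header only from its known proxy.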
jon_ (Posted January 5, 2019, edited January 5, 2019)

Ahh, I didn't realise that it was already supported (hint: the docs don't make it clear). I'm using Apache; basic summary of config:

    SSLEngine on
    SSLProtocol all -SSLv2 -SSLv3
    SSLCipherSuite EDH+aRSA+AES256:EECDH+aRSA+AES256
    SSLHonorCipherOrder on
    SSLCompression off
    SSLProxyEngine On
    ProxyRequests Off
    ProxyPreserveHost On
    ProxyPass / http://localhost:8096/
    ProxyPassReverse / http://localhost:8096/
    RewriteEngine on
    RewriteCond %{REQUEST_URI} !^/mediabrowser
    RewriteRule ^/$ /mediabrowser/$1 [R,L]
    RewriteCond %{REQUEST_URI} !^/web
    RewriteRule ^/$ /web/$1 [R,L]
    RewriteCond %{REQUEST_URI} !^/emby
    RewriteRule ^/$ /emby/$1 [R,L]

To be honest I've not tried it externally to see if it asks me for a password or a PIN when I try and connect.
pir8radio (Posted January 6, 2019, edited January 6, 2019)

[quoting jon_'s post above]

That "documentation" hint should be for @Luke; I'm just a regular Emby user like you. Yeah, when users connect and disconnect you should see their "internet" IP. Here is a screenshot of mine. My setup is a little strange because I run through Cloudflare, so you not only see the client's internet IP but also the server that is handling their traffic, but you should see one internet IP for your users. I run nginx as my reverse proxy. I'll see if I can find one of the Apache posts. Here is a thread that might help: https://emby.media/community/index.php?/topic/64083-could-not-find-handler-for-embywebsocket/?p=648719 I can help troubleshoot and do some digging if you can't figure it out, but I don't claim to be an Apache guru.
jon_ (Posted January 6, 2019)

Thanks. I'll do some proper testing when I'm back at work and can easily access via a remote connection. With good reason I'm a bit paranoid about exposing the server to the internet without doing the due diligence checks (I was the same with Plex for a long time, and was proved right when it turned out they were exposing creds / tokens via cleartext and had some pretty bad security holes).

@Luke, in terms of the documentation, I was referring to this: https://github.com/MediaBrowser/Wiki/wiki/Passwords

"Note: The local network sign in option may not work correctly if you've configured the server with a reverse proxy. In such a scenario all incoming requests will appear to be local."

What would be really helpful is a 'Remote Access FAQ' sticky post showing best practice for securing your Emby server, what the pros and cons of direct access / reverse proxy / VPN access are, along with links to all of the config guides for nginx / Apache / etc. If I get a chance I'll try and put something together.
Luke (Posted January 6, 2019)

Hi, yes that certainly needs updating. Thanks for pointing that out!
jon_ (Posted January 8, 2019)

Thanks all. Tested it from a remote connection yesterday and it's showing the remote IP, not the reverse proxy IP, so all good. Also implemented fail2ban and put a redirect on the Emby root (i.e. / not /emby) to return access denied, which will hopefully confuse automated scanners.