boggle247 2 Posted May 30, 2019 Share Posted May 30, 2019 I have a server running Debian. I also have an instance of Nextcloud running alongside Emby on it. Nextcloud doesn't use port 8096 and 8920, so I'm not worried about conflictions there. Which port(s) do I use for remote access? This wiki shows both of these ports, but I would only need one of them correct? Shouldn't I use the HTTPS port? Any security precautions that I should take? How do I prevent random people from accessing my emby server through that port? Do I need an emby connect account to make this secure? 1 Link to comment Share on other sites More sharing options...
sector327 3 Posted May 30, 2019 Share Posted May 30, 2019 (edited) I have a server running Debian. I also have an instance of Nextcloud running alongside Emby on it. Nextcloud doesn't use port 8096 and 8920, so I'm not worried about conflictions there. Which port(s) do I use for remote access? This wiki shows both of these ports, but I would only need one of them correct? Shouldn't I use the HTTPS port? Any security precautions that I should take? How do I prevent random people from accessing my emby server through that port? Do I need an emby connect account to make this secure? I'm no expert but I'll try to help. (I'm on Fedora fwiw.) Yes I use the http port but you could have them both enabled. As for random people accessing, you'll set up users and anyone who hits that page/port will get a login screen (where btw, they'l see the names of everyone you set up to have a login. so if anyone is nervous about having their name there, just set them up as "Bob" or whatever fake name.) edit - how weird. I just tried to login from outside and it actually ASKED my username and pwd. That's the manual login. It usually shows users (shown as blocks you can choose). hmph...interesting... And no, I don't believe you need an emby account to make it secure. Edited May 30, 2019 by sector327 Link to comment Share on other sites More sharing options...
boggle247 2 Posted May 30, 2019 Author Share Posted May 30, 2019 I'm no expert but I'll try to help. (I'm on Fedora fwiw.) Yes I use the http port but you could have them both enabled. As for random people accessing, you'll set up users and anyone who hits that page/port will get a login screen (where btw, they'l see the names of everyone you set up to have a login. so if anyone is nervous about having their name there, just set them up as "Bob" or whatever fake name.) edit - how weird. I just tried to login from outside and it actually ASKED my username and pwd. That's the manual login. It usually shows users (shown as blocks you can choose). hmph...interesting... And no, I don't believe you need an emby account to make it secure. I'll just try to use the HTTPS port and leave the HTTP port closed if possible. It's good practice to not have open ports if you aren't going to use them. How do you setup new users for external access? is that done in the same screen for setting up remote access? regarding your edit, are you using some other device to login than you've used in the past? For example, maybe you normally login on a roku from outside your home, but are now trying to do it via Android? Or maybe your server version has updated? Link to comment Share on other sites More sharing options...
sector327 3 Posted May 30, 2019 Share Posted May 30, 2019 I'll just try to use the HTTPS port and leave the HTTP port closed if possible. It's good practice to not have open ports if you aren't going to use them. How do you setup new users for external access? is that done in the same screen for setting up remote access? regarding your edit, are you using some other device to login than you've used in the past? For example, maybe you normally login on a roku from outside your home, but are now trying to do it via Android? Or maybe your server version has updated? goto the Emby dashboard and select Users. set up a new user. If you use DDNS, they can set up a roku with the domain, their login info and they're in. I use it for my son who is away at college. and yeah, I just updated the OS last night, tried hitting it from my phone outside the home. Its not a problem. we have the app on our phones logged in already and then the rokus. on the https, how do you set it so there's a certificate? I need to just look that whole process up I suppose. I just didnt bother and went w/ just plain http. Worst case I guess is someone grabs the pwd for that emby account and can see stuff. they cant write/delete stuff and if I see an increase in activity from an odd location then I'd kill the acct Link to comment Share on other sites More sharing options...
boggle247 2 Posted May 30, 2019 Author Share Posted May 30, 2019 goto the Emby dashboard and select Users. set up a new user. If you use DDNS, they can set up a roku with the domain, their login info and they're in. I use it for my son who is away at college. and yeah, I just updated the OS last night, tried hitting it from my phone outside the home. Its not a problem. we have the app on our phones logged in already and then the rokus. on the https, how do you set it so there's a certificate? I need to just look that whole process up I suppose. I just didnt bother and went w/ just plain http. Worst case I guess is someone grabs the pwd for that emby account and can see stuff. they cant write/delete stuff and if I see an increase in activity from an odd location then I'd kill the acct I see. Yeah I'll setup another DDNS for this service (I have one for nextcloud). I'm not sure about the certificate, I forgot about that. I just assumed that emby would have Let's encrypt integrated into it for that reason. On my nextcloud server, Let's Encrypt is bundled (in NextcloudPi) so I just turn it on and point it at my ddns address. Maybe someone can explain how to do this on emby. Link to comment Share on other sites More sharing options...
boggle247 2 Posted May 30, 2019 Author Share Posted May 30, 2019 goto the Emby dashboard and select Users. set up a new user. If you use DDNS, they can set up a roku with the domain, their login info and they're in. I use it for my son who is away at college. and yeah, I just updated the OS last night, tried hitting it from my phone outside the home. Its not a problem. we have the app on our phones logged in already and then the rokus. on the https, how do you set it so there's a certificate? I need to just look that whole process up I suppose. I just didnt bother and went w/ just plain http. Worst case I guess is someone grabs the pwd for that emby account and can see stuff. they cant write/delete stuff and if I see an increase in activity from an odd location then I'd kill the acct I found this for HTTPS certificates: https://github.com/MediaBrowser/Wiki/wiki/Secure-Your-Server but it looks a bit deep and involved. Sounds like I will have to renew this and redo this whole process every so often, I'm not doing that..... Link to comment Share on other sites More sharing options...
Luke 37251 Posted May 30, 2019 Share Posted May 30, 2019 Well renewing is just that, it's not re-doing the entire process each time. Link to comment Share on other sites More sharing options...
BAlGaInTl 279 Posted May 30, 2019 Share Posted May 30, 2019 I recently set up my domain with Cloudflare's free service and certificate. I definitely prefer it over Let's Encrypt. It gets rid of the need to renew the certificate. Other good practices Make sure that all remote users have a strong password Hide the user ID on the remote login to force them to use a traditional username to login If possible, don't allow any remote users to be an admin. Keep that account separate, and disable remote access. Sent from my Pixel 2 XL using Tapatalk 1 Link to comment Share on other sites More sharing options...
boggle247 2 Posted May 30, 2019 Author Share Posted May 30, 2019 I recently set up my domain with Cloudflare's free service and certificate. I definitely prefer it over Let's Encrypt. It gets rid of the need to renew the certificate. Other good practices Make sure that all remote users have a strong password Hide the user ID on the remote login to force them to use a traditional username to login If possible, don't allow any remote users to be an admin. Keep that account separate, and disable remote access. Sent from my Pixel 2 XL using Tapatalk So is that an alternative to using a DNS provider like no-ip as well? would it provide me a free domain name to tie to my IP and ports, and also have a certificate system built into it that updates itself? Link to comment Share on other sites More sharing options...
BAlGaInTl 279 Posted May 31, 2019 Share Posted May 31, 2019 So is that an alternative to using a DNS provider like no-ip as well? would it provide me a free domain name to tie to my IP and ports, and also have a certificate system built into it that updates itself? You still need a domain through another provider. Then you have to set up something to update your dynamic IP with Cloudflare. In a nutshell I use My own domain.net (through Google Domains) Cloudflare DNS-o-Matic ddclient You will also have to take the certs from Cloudflare to make a certificate file for Emby. I essentially followed this guide: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby There's a link to the DNS-o-Matic guide by the same author at the end of that. so now, my users just go to something like https://emby.mydomain.com to access the server. 1 Link to comment Share on other sites More sharing options...
mastrmind11 717 Posted May 31, 2019 Share Posted May 31, 2019 So is that an alternative to using a DNS provider like no-ip as well? would it provide me a free domain name to tie to my IP and ports, and also have a certificate system built into it that updates itself? No, you still have to handle the ddns thing. It's well documented on their website how to set it up. but yeah, for free, cloudflare is the way to go. (you can do a reverse proxy and fail2ban oin your http port if its a must), plenty of tutorials out there to get it set up. Link to comment Share on other sites More sharing options...
BAlGaInTl 279 Posted May 31, 2019 Share Posted May 31, 2019 I also use cloudflare rules to only allow traffic from the U.S. Link to comment Share on other sites More sharing options...
boggle247 2 Posted July 5, 2019 Author Share Posted July 5, 2019 @@Luke BTW the Emby wiki for setting up https connection suggests using dynu.com however, they only permit you to redirect http ports not https. With them, you must use port 443 for https. Which I can't if I wanted to since nextcloud is using that port on my machine. Anyway, maybe you want to consider removing them from the wiki, or state that it will only work with http. just a thought. Link to comment Share on other sites More sharing options...
chef 3749 Posted July 5, 2019 Share Posted July 5, 2019 (edited) Edited July 5, 2019 by chef Link to comment Share on other sites More sharing options...
Recommended Posts
Create an account or sign in to comment
You need to be a member in order to leave a comment
Create an account
Sign up for a new account in our community. It's easy!
Register a new accountSign in
Already have an account? Sign in here.
Sign In Now