teddybear75 Posted December 25, 2019 (edited) So, I needed to enable remote connections for Emby Server, and I wanted to secure it with https. I have seen quite a few guides on how to enable https on Emby Server, but I find this to be an easier way if you own an ASUS router that supports Let's Encrypt. I'm not sure which models support this, but my AC-86U did. All I did to get hold of the SSL certificates was to enable this in the WAN-DDNS section of the router, then export the files like this: Then I converted the cert and key file to a pfx file with "Win64OpenSSL_Light-1_1_0L" https://slproweb.com/products/Win32OpenSSL.html and imported this into Emby: I used this command: "openssl pkcs12 -inkey key.pem -in cert.pem -export -out output.pfx" Of course you also have to port forward the needed ports to make this work. That's it, so if you own an ASUS router with this option you can save a lot of time, and as a bonus, the router also automatically renews the certificates. If this has already been posted I apologize, and feel free to leave comments if there are things I have missed or if this method seems like a bad idea. Edited April 25, 2020 by teddybear75
Luke Posted December 26, 2019 Hi, that's very interesting, thanks for the tip! @Happy2Play
Luke Posted December 26, 2019 I think alternatively you could have also not imported it into Emby and just selected the "handled by reverse proxy" option for secure connections.
teddybear75 (Author) Posted December 26, 2019 (edited)
Luke said: Hi, that's very interesting, thanks for the tip! @Happy2Play
Luke said: I think alternatively you could have also not imported it into Emby and just selected the "handled by reverse proxy" option for secure connections.
With "handled by reverse proxy", will it then also force a secure connection, or would one be able to connect with both http and https? I am now using "required for all remote connections". Edited December 26, 2019 by teddybear75
WilhelmStroker Posted December 26, 2019 This is a good tip as I have a similar router and didn't know that this feature existed.
teddybear75 (Author) Posted December 26, 2019 (edited)
WilhelmStroker said: This is a good tip as I have a similar router and didn't know that this feature existed.
Great! Now I'm trying to find a way to only allow specific IPs to connect via the open port in the router, but it seems I might need custom router firmware to make this happen, and that's not an option right now. For now I have only allowed connections to Emby Server from one device for this specific remote user, but it would be nice to be able to ban an IP after 3 or so failed password attempts, or block all other IPs than the one I want to allow in. I see there might be something like this in Linux (fail2ban or something) but I did not see anything like this in Windows. Yes, I know, tinfoil hat... Edited December 26, 2019 by teddybear75
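One way to get the "only these IPs through the open port" behaviour asked for above without custom router firmware is to scope the rule on the Emby host itself with Windows Defender Firewall. The script below is an added example, not code from the thread or from Emby. It assumes Emby listens on its default ports 8096 (http) and 8920 (https), that it is run from an elevated PowerShell prompt, and the remote addresses and LAN subnet are placeholders (the public ones are taken from the RFC 5737 documentation ranges).

```powershell
# Added example, not code from the thread: restrict the forwarded Emby ports to a fixed set of
# remote addresses on the Windows host itself, since the router discussed above cannot filter
# by source address. Run from an elevated PowerShell prompt.
# Assumptions: Emby listens on 8096 (http) and 8920 (https); the public addresses below are
# placeholders from the RFC 5737 documentation ranges and the LAN subnet is a placeholder too.
$EmbyPorts  = 8096, 8920
$AllowedIPs = '203.0.113.10', '198.51.100.0/24'    # the remote user's fixed address(es)
$LanSubnet  = '192.168.1.0/24'                     # keep local clients working
$RuleName   = 'Emby - trusted sources only'

$ErrorActionPreference = 'Stop'

# 1. Windows Firewall evaluates block rules before allow rules, so a "block everyone else" rule
#    would also block the trusted addresses. Instead rely on the profile default (drop inbound
#    traffic that matches no allow rule) and make sure nobody has changed that default.
Set-NetFirewallProfile -All -DefaultInboundAction Block

# 2. Any other enabled inbound allow rule that opens these ports (an installer rule, an earlier
#    manual rule) would still admit every source, so disable those first. Rules scoped by program
#    rather than port (LocalPort "Any") are not caught here; check them with
#    Get-NetFirewallApplicationFilter if the port still answers from an unlisted address.
$portStrings = $EmbyPorts | ForEach-Object { "$_" }
Get-NetFirewallPortFilter -Protocol TCP |
    Where-Object { ($_.LocalPort | Where-Object { $_ -in $portStrings }).Count -gt 0 } |
    Get-NetFirewallRule |
    Where-Object { $_.Direction -eq 'Inbound' -and $_.Action -eq 'Allow' -and $_.DisplayName -ne $RuleName } |
    Disable-NetFirewallRule

# 3. Create (or recreate) the single scoped allow rule: trusted remote addresses plus the LAN.
Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP -LocalPort $EmbyPorts `
    -RemoteAddress ($AllowedIPs + $LanSubnet) -Action Allow -Profile Any | Out-Null

# 4. Show the resulting address scope so it can be checked before testing the port forward.
Get-NetFirewallRule -DisplayName $RuleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

This drops packets from untrusted sources before they reach Emby at all, so it works alongside, not instead of, the IP whitelist inside Emby Server that is mentioned further down in the thread; the two together mean a failed rule change in either place still leaves one filter in effect.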
Guest asrequested Posted December 26, 2019 You can whitelist IPs in the Emby server.
cncb Posted December 26, 2019 Disappointing that not all ASUS routers support this.
KingMovies Posted December 26, 2019 If any of you have a T-Mobile ASUS router, you can do this as well by putting the RT-AC68U firmware on it.
teddybear75 (Author) Posted December 26, 2019 (edited)
asrequested said: You can whitelist IPs in the Emby server.
Thanks, did not know this! I'm all set then. Edited December 27, 2019 by teddybear75
teddybear75 (Author) Posted December 26, 2019
cncb said: Disappointing that not all ASUS routers support this.
From the ASUS website: "This article shows how to enable HTTPS connection on ASUSWRT without any warning message popping up in the browser by using Let's Encrypt function to automatically obtain a free SSL/TLS certificates. (Firmware currently supports GT-AC5300, RT-AC5300, RT-AC88U, RT-AC3100)" Obviously the RT-AC86U also supports this.
MikeB111 Posted January 3, 2020 Hi Everyone, This is my first post on the forum, but I've read a lot so far, thanks to everyone for all the great help. I've got an ASUS router that supports this as the original poster indicated. Two questions: 1. If you set this up as described in the original post so that the router is renewing the certificate, and then you export it, convert to .pfx, and import into Emby, do you have to re-export it every 3 months as it is renewed? Or is the exported certificate always the same and the renewal is only on the Let's Encrypt side? 2. Can anyone confirm Luke's comment that the certificate doesn't have to be installed in Emby as long as "handled by reverse proxy" is enabled? This would imply that the ASUS router is acting like a reverse proxy, which surprises me a little. So the SSL encryption would be between the router and the internet client, and traffic between the router and the Emby server on my local network would be unencrypted? Is that right? If so, what ports do I forward between the router and the Emby server? Thanks in advance. This could really simplify SSL setup for me if I can get it working!
pwhodges Posted January 3, 2020 (1) The certificate contains its expiry date, so if you use it outside the router, then yes, you'd have to copy it every now and then. (2) A NAT router is not unlike some aspects of a reverse proxy, so there's no need to be surprised. I don't know this router's exact capabilities, but I presume it can forward unencrypted (otherwise you'd need another certificate for the additional encrypted link!). You set the required port in Emby, but the default setting is 8096 for http. Paul
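A scripted version of the export-and-check step, as an added example that is not part of the thread or of Emby's own tooling. It assumes openssl.exe is on PATH (the Win64 OpenSSL build named in the first post works), that the router export produced cert.pem and key.pem, and the file paths, the output name emby.pfx and the environment-variable name are placeholders. It packages the files the same way the first post's command does, then loads the PFX back with the password to confirm the import will work and prints the expiry date, since, as pwhodges says, the exported file is a snapshot that does not change when the router renews.

```powershell
# Added example, not code from the thread: wraps the openssl pkcs12 step from the first post
# in a re-runnable script and then opens the resulting PFX the way a .NET application would,
# to prove the export password works and to report when the certificate expires.
# Assumptions: openssl.exe is on PATH, and the router export produced cert.pem and key.pem.
# The paths, the file name emby.pfx and the environment-variable name are placeholders.
param(
    [string]$CertPem = '.\cert.pem',
    [string]$KeyPem  = '.\key.pem',
    [string]$PfxOut  = '.\emby.pfx',
    [Parameter(Mandatory)][string]$PfxPassword,
    [switch]$Legacy   # OpenSSL 3.x only: use the pre-3.0 PKCS#12 ciphers if the importer rejects the default AES/PBKDF2 output
)

$ErrorActionPreference = 'Stop'

# 1. Same conversion as in the first post, made non-interactive. The password is handed to
#    openssl through an environment variable rather than on the command line, so it does not
#    show up in the process list.
$env:EMBY_PFX_PASS = $PfxPassword
$opensslArgs = @('pkcs12', '-export', '-inkey', $KeyPem, '-in', $CertPem,
                 '-out', $PfxOut, '-passout', 'env:EMBY_PFX_PASS')
if ($Legacy) { $opensslArgs += '-legacy' }
try {
    & openssl @opensslArgs
    if ($LASTEXITCODE -ne 0) { throw "openssl pkcs12 failed with exit code $LASTEXITCODE" }
}
finally {
    Remove-Item Env:\EMBY_PFX_PASS
}

# 2. Load the PFX back with the same password. A wrong password, or a key that does not belong
#    to the certificate, fails here instead of leaving the server on plain http later.
$cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($PfxOut, $PfxPassword)
if (-not $cert.HasPrivateKey) { throw 'PFX loaded but contains no private key; check that key.pem belongs to cert.pem' }

# 3. The exported file is a snapshot: the router renews its own copy, this one does not change.
#    Report the remaining validity so the re-export can be scheduled before it runs out.
$daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
Write-Host ('Subject : {0}' -f $cert.Subject)
Write-Host ('Names   : {0}' -f (($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '))
Write-Host ('Expires : {0:u}  ({1} days left)' -f $cert.NotAfter, $daysLeft)
if ($daysLeft -lt 14) { Write-Warning 'Re-export from the router and re-import into Emby soon.' }
```

Run it once after each renewal, or monthly from Task Scheduler, and point Emby at the new emby.pfx. The "Names" line should list the DDNS host name that Emby advertises for remote access; if it does not, the wrong certificate was exported. The password given to this script is the one that has to go into Emby's certificate password setting, otherwise Emby cannot open the file and falls back to http.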
AviatorBimmer Posted February 28, 2020 @teddybear75 @Luke What a find! So much simpler and easier to get a DDNS and SSL going. Of course in my world, nothing ever goes smooth LOL. I went ahead and created a new SSL certificate and DDNS (I already had a domain name which I had purchased from Google Domains). As you can see below, the SSL certificate has been verified and it's active. I then went to the network page of Emby Server, set the external domain name and selected Handled By Reverse Proxy as the Secure Connection Mode: I then went to my router and made sure the ports were forwarded to my PC where Emby Server is running, using the default ports as they were in the network page: Finally in the dashboard, it shows my domain name as the link for Remote (WAN) Access: I opened up my cell phone, disabled my WiFi so that I was not connected to my local network, opened up Chrome and when I tried to visit the HTTPS page as shown on the dashboard, I keep getting the "The site can't be reached, took too long to respond" error. What could I be doing wrong?
Luke Posted February 28, 2020 Don't know, but first I would try it without https just to reduce the number of variables.
AviatorBimmer Posted February 28, 2020
Luke said: Don't know, but first I would try it without https just to reduce the number of variables.
What do you mean? It has been working all along as HTTP. I am just trying to make it work in HTTPS.
Happy2Play Posted February 28, 2020 (edited)
AviatorBimmer said: What do you mean? It has been working all along as HTTP. I am just trying to make it work in HTTPS.
Since you know port 8096 is open, does port 8920 show open on a site like canyouseeme.org? Can you have multiple ports in one port forwarding rule? Would appear so looking at here. So the above question applies. I don't have this router but do my ports separately. "If you are forwarding a single port number, enter it into the External Port box. If you are forwarding a range of ports, enter the lowest number of that range into the External Port box followed by a colon followed by the largest number. For example a range of port numbers might look like this: 1000:2000. Or you can forward a list containing both single ports and port ranges, separated by commas. An example of a list would look something like this: 1000:2000,3000,4000:5000." Edited February 28, 2020 by Happy2Play
Q-Droid Posted February 28, 2020 Have you checked to make sure your router can work as a reverse proxy? It might only support SSL termination for services running on the router itself, and everything else is passthru.
AviatorBimmer Posted February 29, 2020 (edited)
Q-Droid said: Have you checked to make sure your router can work as a reverse proxy? It might only support SSL termination for services running on the router itself, and everything else is passthru.
I think this was the issue indeed. I did like the OP (@teddybear75) did, which was to convert the exported files from the router into a .pfx certificate, edited the Emby Server to read that .pfx file, entered the domain name, forwarded the SSL ports and finally selected "Required for all connections" as the Secure Connection mode, and now it works! I am now able to securely connect to Emby! Thanks @teddybear75 and @Q-Droid. PS. I also removed the port forward to the HTTP port, thus making everyone connect securely. Awesome! Edited February 29, 2020 by AviatorBimmer
eskimos20 Posted March 14, 2020 This was great news for all with ASUS routers. I have one and I wrote a script that uses expect to log in to the router, run openssl on the router and then send the .pfx file back to localhost. I use this script to always have an updated version of the certificate. I'll share it with you:

#!/usr/bin/expect -f
# Log in to the router, build a PKCS#12 file from the Let's Encrypt key and certificate that
# ASUSWRT keeps under /jffs/.le/<ddns entry>/, and copy it back to the machine running this script.
# myuser, myip, mypassword, mypass, mydnsentry and /certPath are placeholders.
set timeout 30
spawn ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null myuser@myip
expect "myuser@myip's password:"
send "mypassword\n"
expect "myuser@RT-AC88U-07E8:/tmp/home/root#"
send "cd /jffs/.le/mydnsentry\n"
expect "myuser@RT-AC88U-07E8:/jffs/.le/mydnsentry#"
# Export to .pfx; openssl asks twice for the export password, which is the password Emby must be given.
send "openssl pkcs12 -inkey /jffs/.le/mydnsentry/my.key -in /jffs/.le/mydnsentry/my.cer -export -out /jffs/.le/mydnsentry/my.pfx\n"
expect "Enter Export Password:"
send "mypass\n"
expect "Verifying - Enter Export Password:"
send "mypass\n"
expect "myuser@RT-AC88U-07E8:/jffs/.le/mydnsentry#"
# Push the .pfx back to the host running this script (it has to accept ssh logins from the router).
send "scp /jffs/.le/mydnsentry/my.pfx myuser@myip:/certPath\n"
expect "myuser@myip's password:"
send "mypassword\n"
expect "myuser@RT-AC88U-07E8:/jffs/.le/mydnsentry#"
send "exit\n"
expect eof

Hope that this helps someone.
MSI2017 Posted November 10, 2020 @teddybear75 Thanks for the tip, I did all your steps but when connecting externally it still uses http and not https. How can I fix this? When looking at the dashboard it shows the DDNS on external access but with the http port at the end, not the https port.
teddybear75 (Author) Posted November 19, 2020
On 10/11/2020 at 15:03, MSI2017 said: @teddybear75 Thanks for the tip, I did all your steps but when connecting externally it still uses http and not https. How can I fix this? When looking at the dashboard it shows the DDNS on external access but with the http port at the end, not the https port.
Not really sure, but have you set secure connection mode to be required for all remote connections?
MSI2017 Posted November 19, 2020
2 minutes ago, teddybear75 said: Not really sure, but have you set secure connection mode to be required for all remote connections?
Yes, I required it. But it still only shows http. Maybe @Luke can help? This feature can be super useful for all ASUS router users.
teddybear75 (Author) Posted November 19, 2020 (edited) I use 4 different ports in the settings; this is how my setup looks. Not sure if that would help, but maybe something to try, as I see your server is only running on one http port. Also, I don't use automatic port mapping. Manually in the router, I forward external port 4 to local port 2. (No UPnP enabled in the router.) Yeah, even better, ask Luke, he probably has a good answer. Edited November 19, 2020 by teddybear75
Carlo Posted November 19, 2020 (edited) I don't see a cert password listed in the settings, and most setups will need this. Go to Logs and turn on DEBUG, then restart Emby. Give it time to load up, then post the server log or PM it to me to take a look at. If Emby is not able to set up SSL properly then it will default back to http (non-SSL) mode. Edited November 20, 2020 by cayars