
SSL made easy


MikeB111


vaise

My 2c worth - there are so many different options and ways to do this that it is just daunting for anyone who just wants a really easy solution - which is where some people like Plex.

Maybe plex=iphone and Emby=android is a good analogy.

I personally am in the cloudflare/nginx camp - I did use an nginx / letsencrypt docker container first, but now pure cloudflare.


  • 1 month later...
sross44
On 8/20/2020 at 6:47 PM, vaise said:

My 2c worth - there are so many different options and ways to do this that it is just daunting for anyone who just wants a really easy solution - which is where some people like Plex.

Maybe plex=iphone and Emby=android is a good analogy.

I personally am in the cloudflare/nginx camp - I did use an nginx / letsencrypt docker container first, but now pure cloudflare.

I agree 100% that there are so many options for this. I for one truly would like a really simple method to make this happen. Honestly I'm shocked that Emby doesn't do this natively like Plex does. I know there are some things that go into that, but truly in today's world, with security being at the forefront of everyone's mind, I'd think this is something that should happen. I'm curious if this is on the radar at Emby or not. If they could somehow do it so things don't pass through their end, I know that would make a lot of people happy.


sross44
1 hour ago, Spaceboy said:

https://blog.awelswynol.co.uk/2018-01-setting-up-cloudflare-with-emby/

It is very straightforward. It has required zero admin in the 3 years or so I've been running this setup.

I'm not saying it's straightforward and relatively simple, but it is time consuming to set up. Just stating that some people would like the option for it to be implemented automatically. 


The difference is that Emby allows you to set it up the way you want to suit your needs and requirements vs a canned setup.

Emby lets you access your server via IP, DDNS, domain name, Emby Connect, with or without SSL, or just used internally only on your LAN.
With that freedom of setup comes a bit of setup, which can be as simple as checking a checkbox to allow remote access and allowing Emby to open ports on your router, to a very advanced setup using CDNs and reverse proxy servers.  Your media, your way!

What a lot of Plex users don't know or understand is that Plex often TUNNELS your media, and the amount of tunnel space given for remote access can be as low as 1Mb for non Plex Pass users or 2MB for Plex Pass users.  Emby on the other hand NEVER does anything with tunnels and never limits your ability to use the pipe size you want.


sooty234

I'm looking for a little guidance. I finally broke down and switched from using a VPN to using SSL. I went the cloudflare route. The domain is set and all appears correct on that side. But I'm getting an SSL Handshake Failed 525 from cloudflare. Checking through my config, it all looks correct....?? I grabbed the certs and made a pfx, but the server dashboard is telling me the domain is still HTTP. I feel like I'm missing something. Bad pfx?


43 minutes ago, sooty234 said:

I'm looking for a little guidance. I finally broke down and switched from using a VPN to using SSL. I went the cloudflare route. The domain is set and all appears correct on that side. But I'm getting an SSL Handshake Failed 525 from cloudflare. Checking through my config, it all looks correct....?? I grabbed the certs and made a pfx, but the server dashboard is telling me the domain is still HTTP. I feel like I'm missing something. Bad pfx?

Search your server log for pfx and see if there is an error.  Have you forwarded the correct port on your firewall? If the server dashboard is saying only http then there's likely some error with the cert. It will say what in the logs.  I've had issues using passwordless certs so

Edited by t1m

Turn on DEBUG info for logging and restart your Emby server.  I don't think you'll get the status without DEBUG turned on.

Once you've verified whether you have a password error or a bad cert you can turn debug off again.

BTW if using CloudFlare you only have a few ports that can be used and can't use the default Emby ports.  Switch to using port 80 and port 443.  Set up port forwarding for:

WAN 80 to Emby 8096
WAN 443 to Emby 8920


sooty234
41 minutes ago, t1m said:

Search your server log for pfx and see if there is an error.  Have you forwarded the correct port on your firewall? If the server dashboard is saying only http then there's likely some error with the cert. It will say what in the logs.  I've had issues using passwordless certs so

Thanks for that. I think I had the password wrong. I recreated the certs and pfx, then the server was able to use it.

I had a second issue. I have two routers to port forward through. My initial thought was that I had reconfigured them incorrectly, so I had tried various combinations. Of course nothing would work because of the wrong password. With that resolved, I reconfigured both firewalls, and hey presto....encrypted :)

Groovy


On 13/10/2020 at 01:42, Spaceboy said:

https://blog.awelswynol.co.uk/2018-01-setting-up-cloudflare-with-emby/

It is very straightforward. It has required zero admin in the 3 years or so I've been running this setup.

Yep, I started with this walkthrough and enhanced it over time with nginx - never looked back.

I love the country firewall rules at the Cloudflare level also - no point opening up your Emby system (and house) to countries where there are no users.  I have one line that controls the countries, another that only allows UptimeRobot access so I am alerted when Emby goes down.  My router (pfSense) handles the DDNS updates for Cloudflare's A record, and my other endpoints refer to that.  If I am going on holiday, I just add that country while I am there. Set up Cloudflare 2FA also for additional security.


sross44

I'm going to try setting this up tomorrow as I have a few domains that I no longer use that are still active. Hopefully it's as straightforward as it seems! 


If you understand networking in general or at a high level and know what A & C records are in DNS then you'll be fine!


Yep, open a browser and go to your https domain name :)

If you scroll down through, say, 10 pages of movie listings, letting every pic fully load, they should get cached as well on Cloudflare.  Leave that library and come back.
If you see super fast graphic loading times you know you got that right as well!

Alternatively, set up a "cayars" account and PM me the password and I'll verify it every day.  LOL

But if your A or C record points to Cloudflare and you don't get any cert errors using https, you should be gold!


Honestly, I just use NGINX as a local reverse proxy, on a Raspberry Pi (it controls all inbound traffic to my network).
Here is the config to make it work, using default ports, then translating that to SSL.

End result is https://YOUR.DOMAIN.COM local proxy to 192.168.1.2:8096.

Config:
192.168.1.2 = my LAN IP of the Emby server.

server {
    listen 80;                       # nginx listens on port 80 by default; stated here for clarity
    server_name YOUR.DOMAIN.COM;

    location / {
        proxy_pass http://192.168.1.2:8096;
        proxy_set_header Host YOUR.DOMAIN.COM;
        # Pass byte-range headers through so seeking and resume in playback keep working
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        # Preserve the real client address for Emby's logs and device list
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Same proxy on Emby's default port, so clients pointed at YOUR.DOMAIN.COM:8096 also land on the Pi
server {
    listen 8096;
    server_name YOUR.DOMAIN.COM;

    location / {
        proxy_pass http://192.168.1.2:8096;
        proxy_set_header Host YOUR.DOMAIN.COM;
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

        # Next three lines allow websockets
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

From there you just install certbot and create the certificates for www. and the bare sub/domain. It will auto-renew every 3 months. You never have to touch it again.
Plus you have a buffer in front of Emby that allows you to record some data on the web front end that Emby doesn't record.
Just to note, I use this on my local network, and then I also use CloudFlare, just to hide the IP from a few people I don't fully trust knowing my home range.

Edited by Dazik
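The "translating that to SSL" step is not shown in the post above, so here is an added example of what the TLS-terminating version of that proxy looks like once certbot has issued a certificate. This is not Dazik's config and not anything shipped by Emby or certbot; the hostname emby.example.com, the Emby LAN address 192.168.1.2:8096 and the certificate paths under /etc/letsencrypt/live/ are assumptions (the paths follow certbot's default layout, so substitute your own hostname). It uses a dedicated hostname rather than a sub-path, which is the approach the later posts in this thread recommend. TLS ends at nginx; Emby itself keeps serving plain HTTP on 8096 to the LAN and needs no pfx in this arrangement.

```nginx
# Added example, not the original poster's config.
# Assumed names: emby.example.com, upstream 192.168.1.2:8096,
# certificate files in certbot's default /etc/letsencrypt/live/<host>/ layout.

# Port 80 exists only to send clients to HTTPS. Certbot's nginx plugin
# handles its own renewal challenges on this port, so nothing else is needed here.
server {
    listen 80;
    listen [::]:80;
    server_name emby.example.com;
    return 301 https://$host$request_uri;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name emby.example.com;

    ssl_certificate     /etc/letsencrypt/live/emby.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/emby.example.com/privkey.pem;

    # Only modern protocol versions; cipher choice is left to the TLS 1.3 defaults
    # and the client's preference order for TLS 1.2.
    ssl_protocols TLSv1.2 TLSv1.3;
    ssl_prefer_server_ciphers off;
    ssl_session_timeout 1d;
    ssl_session_cache shared:EmbySSL:10m;

    # Ask browsers to stay on HTTPS for this host. Add this only after the
    # HTTPS side is confirmed working, since browsers remember it for a year.
    add_header Strict-Transport-Security "max-age=31536000" always;

    location / {
        proxy_pass http://192.168.1.2:8096;
        proxy_set_header Host $host;

        # Real client address for Emby's logs and device list
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        # Tells Emby the client arrived over HTTPS even though the hop to 8096 is plain HTTP
        proxy_set_header X-Forwarded-Proto $scheme;

        # Byte-range headers so seeking and resume in playback keep working
        proxy_set_header Range $http_range;
        proxy_set_header If-Range $http_if_range;

        # Stream responses straight through instead of spooling them on the proxy
        proxy_buffering off;

        # Websocket support (needed for the web client's live updates)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Check the file with `nginx -t` before reloading. If Cloudflare is proxying the hostname in front of this, set its SSL mode to "Full (strict)" so Cloudflare validates the Let's Encrypt certificate on the origin; the 525 "SSL handshake failed" mentioned earlier in the thread is Cloudflare reporting that it could not complete a TLS handshake with the origin, which is the symptom to look for when the 443 block here is wrong or not reachable.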

  • 2 weeks later...
schnappi

There is a lot more to a port 443 Nginx reverse proxy for Emby (SSL certificates, port 80 forwarding); that being said, I just wanted to add the relevant Nginx section and note that it has never worked if the location says anything other than "/emby/" (the location line below). To be clear, if you use "/emby2/" or "/media/" the reverse proxy will not work. This is an Emby issue, not an Nginx issue.

Emby
        location /emby/ {
            proxy_pass http://127.0.0.1:8096;
            # Strip the /emby prefix before handing the request to Emby
            rewrite ^/emby(/.*)$ $1 break;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
            proxy_set_header Host $host;
            # X-Forwarded-Proto carries the scheme (http/https), not the client address
            proxy_set_header X-Forwarded-Proto $scheme;
            proxy_set_header X-Forwarded-Protocol $scheme;
            proxy_redirect off;
            # Websocket support
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }

It's not an Emby issue but an admin issue doing that.  You are far better off using a subdomain such as "emby.domain.ext" as this will easily work for web and apps.

schnappi

To clarify. If you choose to use yourdomain.com/emby/ instead of a subdomain like media.yourdomain.com, it is an Emby issue. It has nothing to do with Nginx, Apache, or any other webserver that the directory has to be named /emby/ (with the end slash required).

Edited by schnappi

Using /emby won't work reliably.  Using a subdomain on the other hand will work.

This isn't an Emby issue either way when you have a 3rd party product "rewriting" the URL.


schnappi

Using "/emby" does not work reliably...you MUST use "/emby/" (end dash included).

To anyone reading this, just be clear that these issues are not Nginx or Apache issues, in that no reverse proxy configuration will ever solve the issue.

Also, if using Emby with SSL natively (without a reverse proxy) the available ciphers are not all secure as of the last time that I checked. If a browser can force an insecure cipher (or if using an old browser) it could be an issue. I'm sure the developers just keep the insecure ciphers for things like Windows XP IE compatibility, which isn't any different from most products. Just things to be aware of and understand before making the best choice for yourself.

pwhodges
8 hours ago, schnappi said:

Using "/emby" does not work reliably...you MUST use "/emby/" (end dash included).

To anyone reading this, just be clear that these issues are not Nginx or Apache issues, in that no reverse proxy configuration will ever solve the issue.

I know nothing about nginx (it always seems unnecessarily complex to me), but with correct configuration this is simply not an issue with Apache or Caddy, so I presume the same is true for nginx.

Paul
