
SSL made easy


MikeB111


  • 2 weeks later...
  • 2 weeks later...
sross44

Wondering if someone can help me out via TeamViewer or something else. I had everything set up and working perfectly via Cloudflare. And now all of a sudden I can't connect to my secure domain for Emby. I think something somehow got messed up with the port forwarding rules. Anyone want to give this a shot and see what's going on? I'm lost.... And I've tried everything I can think of. It was working perfectly and loved it and now BAM... nothing.


Hi, I can take a look for you via TeamViewer.  Send me over via PM the userid and one-time password with a time if you have a preference or I can log right in and open a chat with you.

Edited by cayars

sross44
2 hours ago, cayars said:

Hi, I can take a look for you via TeamViewer.  Send me over via PM the userid and one-time password with a time if you have a preference or I can log right in and open a chat with you.

Shot you a PM... let me know whenever you're free. Thanks for helping! 


I have SSL + Caddy V2 successfully working as my Reverse Proxy for Emby Server running on Windows 10 for about a year now thanks to all the info sharing on this post.

I now am in the process of moving my Emby Server from Windows 10 to Synology NAS 1520+. Can anyone tell me how I can install Caddy V2 on my NAS? Are there any other learnings I should take into consideration?

Any assistance would be greatly appreciated.


  • 5 months later...
BillOatman

Great info in this thread and a big thanks to the OP. I have an asus router with a DDNS feature that allows you to have asus host a domain name for you, and forward requests to your router.  So for example I can have asus create EmbyServer.asuscomm.com and putting that into a browser ends up going to my router, where I would forward browser ports to my emby server.  Should work in theory :) But I was wondering if anyone managed to get this working with emby?  I did not need to register a domain name so I don't have everything I think I need to execute the original post in this thread.

Thanks! 


Q-Droid
39 minutes ago, BillOatman said:

Great info in this thread and a big thanks to the OP. I have an asus router with a DDNS feature that allows you to have asus host a domain name for you, and forward requests to your router.  So for example I can have asus create EmbyServer.asuscomm.com and putting that into a browser ends up going to my router, where I would forward browser ports to my emby server.  Should work in theory :) But I was wondering if anyone managed to get this working with emby?  I did not need to register a domain name so I don't have everything I think I need to execute the original post in this thread.

Thanks! 

 

Does this thread get you any closer?

 

 


BillOatman
39 minutes ago, Q-Droid said:

 

Does this thread get you any closer?

 

 

Woo hoo I would think so!


  • 4 weeks later...

Using duckdns with home assistant, so it creates the cert with letsencrypt. Any way to use that setup and the cert it creates automatically?


  • 1 month later...

I finally got SSL setup.  Thank you original poster.

I do have a question though,  is there a way to check that all remote streams are actually coming over 8920?

Thank you


Check this option on your Network menu
[screenshot]

That will require all connections to be through SSL.


  • 4 weeks later...
  • 3 months later...

Hi there,

 

I am trying to setup my SSL Stuff with my emby server, I have followed every step I can think of but as soon as I switch my mobile data on my phone on and I try and remote connect on my phone I get a connection error. Can anybody maybe assist me with where I am going wrong?

 

Router Setup for Port Forwarding

[screenshot]

 

Emby network Configuration

[screenshots]

P.S: With the enable automatic port mapping I have tried it with it off and the same issue still happens.

 

Also I have my own Domain for my company I have issued a SSL Certificate from there but no success. I should also mention for some reason if I do an Ipconfig via CMD the system shows my ip as something completely different to the one in emby if you remove the external domain name, I have rebooted the router but still the same thing

Any Advice to where I might be going wrong?

Regards,


Q-Droid

Disable automatic port mapping. For most it just fills logs and it's a bad feature to have enabled on routers so it shouldn't be trying.

Your cert has a .txt extension so if you created a PEM file for your keystore it won't work. Emby requires a PKCS12 store (usually PFX) for the certificates. And when you do create the correct format make sure it contains the server cert, intermediate certs (chain) if any and the private key.

 

 

 

Edited by Q-Droid
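
The PEM-to-PKCS12 conversion described in the post above, as an added example that is not part of the original thread: it bundles a key, server certificate and chain into a PFX with the `openssl` CLI, then counts what the store actually contains. The file names, the hostname `emby.example.test` and the password `demo-pass` are constructed for the demo.

```bash
#!/usr/bin/env bash
# Added example, not from the thread. File names, the hostname and the
# password below are constructed for the demo.

# Bundle a PEM key, server cert and chain into one PKCS12 (PFX) file.
make_pfx() {  # make_pfx KEY CERT CHAIN OUT PASSWORD
  openssl pkcs12 -export -inkey "$1" -in "$2" -certfile "$3" \
    -out "$4" -passout "pass:$5"
}

# Print "certs=N keys=M" for a PKCS12 file, or "unreadable" when the file
# does not parse as PKCS12 with that password (e.g. a PEM file saved as .txt).
inspect_pfx() {  # inspect_pfx FILE PASSWORD
  local dump certs keys
  if ! dump=$(openssl pkcs12 -in "$1" -passin "pass:$2" -nodes 2>/dev/null); then
    echo "unreadable"
    return 1
  fi
  certs=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN CERTIFICATE-----' || true)
  keys=$(printf '%s\n' "$dump" | grep -c -- '-----BEGIN .*PRIVATE KEY-----' || true)
  echo "certs=$certs keys=$keys"
}

# Constructed sample input: a throwaway CA and a server cert signed by it.
make_demo_certs() {  # make_demo_certs DIR
  ( cd "$1" &&
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out chain.pem \
      -subj "/CN=Constructed Demo CA" -days 1 &&
    openssl req -newkey rsa:2048 -nodes -keyout server.key -out server.csr \
      -subj "/CN=emby.example.test" &&
    openssl x509 -req -in server.csr -CA chain.pem -CAkey ca.key \
      -CAcreateserial -out server.pem -days 1 ) >/dev/null 2>&1
}

run_demo() {
  local d
  d=$(mktemp -d) && make_demo_certs "$d" || return 1
  make_pfx "$d/server.key" "$d/server.pem" "$d/chain.pem" "$d/emby.pfx" demo-pass
  inspect_pfx "$d/emby.pfx" demo-pass            # complete store
  inspect_pfx "$d/server.pem" demo-pass || true  # plain PEM is rejected
  rm -rf "$d"
}
run_demo
```

On a real store, `keys` should be 1 and `certs` should be 1 plus the number of intermediate certificates in the chain.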

9 minutes ago, Q-Droid said:

Disable automatic port mapping. For most it just fills logs and it's a bad feature to have enabled on routers so it shouldn't be trying.

Your cert has a .txt extension so if you created a PEM file for your keystore it won't work. Emby requires a PKCS12 store (usually PFX) for the certificates. And when you do create the correct format make sure it contains the server cert, intermediate certs (chain) if any and the private key.

 

 

 

Ahh okay cool will give it a try thanks man! :)


  • 1 month later...
thejr007

PLEASE NOTE THIS GUIDE IS FOR SYNOLOGY NAS WITH EMBY SERVER RUNNING ON IT. 

I would like to thank the original poster, as several of his ideas/steps are straightforward.  Though I must admit with a mix of his steps and as several others have pointed out you can go multiple different ways to get to the same end result, a secure connection.

Follow guide for google domain purchase, and setup the google dynamic dns record for emby.  

 

Google domains / dns option left bar / advanced settings at the bottom /  manage dynamic dns / create record

example = emby

To clarify the dynamic dns entry you only need to type in emby 
A visual indicator will fill out the rest of the domain.

Once you save that record you can go right back and click view credentials as they are needed in the next step.

 

Updating the google domains dynamic dns, for some reason the standard google option listed didn't work for me, here's my setup.

In synology control panel / external access / ddns - click the Customize Provider button

"Service provider:"
Whatever you want. example = customgoogledns

"Query URL:"
https://domains.google.com/nic/update?hostname=__HOSTNAME__&user=__USERNAME__&pass=__PASSWORD__&myip=__MYIP__

After saving that customized provider - click add button

Service provider = customgoogledns

Hostname = emby.yourdomain.com

Username = provided from google credentials

Password = provided from google credentials

External address = auto

Hopefully you test successful / normal

 

 

Next step certificates
Forget doing the manual ACME client certificate... use the nas.


In synology control panel / security / certificate

For the domain point it to your dynamic dns record. example = emby.yourdomain.com

 


As others have pointed out you can use synology's reverse proxy instead of the headache of telling emby what certificate to use.

 

In synology control panel / login portal / advanced - click reverse proxy button

name it whatever. example = embylink

source 

protocol = https
hostname = emby.yourdomain.com
port = 443
check hsts * lol no idea what it does but figured meh...

destination

protocol = http
hostname = localhost
port = 8096

 

Then you need to point the correct certificate to the reverse proxy

In synology control panel / security / certificate - click settings

from the dropdown list match your reverse proxy to the certificate for the dynamic domain


Inside Emby server network settings

checked allow remote connections

public port = 8096 
public https port = 8920

leave everything else blank
external domain = 
custom ssl cert path = 
cert pass = 

Secure connection mode = handled by reverse proxy

Save and restart emby server from dashboard.

 

As the original poster stated it isn't in the scope of my guide to teach you how to port forward, but as 443 is what we used for reverse proxy source... logic would suggest to open that pointed to the nas.

Good Luck! Hope this helps someone... I sure spent way too long inside emby garnishing no secure result and in the end it wasn't worth the trouble once I learned the reverse proxy trick.

Edited by thejr007

Teknician

@MikeB111 I followed your instructions exactly and I am very impressed. Worked like a charm. Purchased my domain name, copied all the TXT string info that was given to me by le64 (which worked perfect in Windows 10), opened 8920 in my router and done.

I've had most all my users delete the http account and log in with the new domain name and port 8920 and I'm ecstatic. I can use the https url in browser and it is locked and secure. 

Thank You for all the work you put into that tutorial. It was actually very easy and I only spent $24 on a 2 year domain name. 

Thank You Again... 


MikeB111
12 hours ago, Teknician said:

@MikeB111 I followed your instructions exactly and I am very impressed. Worked like a charm. Purchased my domain name, copied all the TXT string info that was given to me by le64 (which worked perfect in Windows 10), opened 8920 in my router and done.

I've had most all my users delete the http account and log in with the new domain name and port 8920 and I'm ecstatic. I can use the https url in browser and it is locked and secure. 

Thank You for all the work you put into that tutorial. It was actually very easy and I only spent $24 on a 2 year domain name. 

Thank You Again... 

Thanks for the positive comments, and I'm glad it worked so well for you and that my post was easy enough to follow.  I've learned a lot from these forums and am glad that I was able to add a little to the body of knowledge available here.

Thanks!


  • 2 weeks later...
GoodOleHarold

For reverse proxy on a windows platform...

 

The way I do it is Nginx & Let's Encrypt

If your windows server is a relatively good spec create a VM with 2GB memory and 1 core (really needs nothing to run) and install ubuntu server. You can even do it with Docker if you want 

Benefits of it:

  • Renewal is automatic 
  • different 'attack' surfaces. If someone gets into the web server VM..... not much to do really. If you are a bit nervous about security you don't even need the reverse proxy on the same device. If they are different you are providing another point of failure/bottleneck so connectivity between things is important
  • 1 VM can control this for any service you are running such as Radarr, Sonarr, Emby and anything really. 
  • With exception to Emby as it requires a specific port to connect. You do not need to expose all the service ports to the web such as Radarr's port. You just need 443 & 80. Nginx handles the rest for you
  • Adding new sub domains is fairly simple 

In terms of streaming. I find the reverse proxy really doesn't have any impact at all. Been doing it since day 1 and everything is 👌

If it gains any interest I'll happily post a how to


  • 2 weeks later...
sross44
On 10/12/2020 at 11:42 AM, Spaceboy said:

https://blog.awelswynol.co.uk/2018-01-setting-up-cloudflare-with-emby/

 

it is very straightforward. required zero admin in the 3 years or so i've been running this setup

Seems that this blog/article is down and not working. Does anyone have a copy of these instructions? I had my Emby server set up this way and had to do a clean install of Windows (and with it Emby) so need to reset everything up. Right now nothing is secured with Emby and I've got a lot of remote family members using my server. I'm kind of an idiot when it comes to networking so it was nice to have a breakdown and have everything make sense. 


sross44
On 3/6/2022 at 8:24 AM, GoodOleHarold said:

For reverse proxy on a windows platform...

 

The way I do it is Nginx & Let's Encrypt

If your windows server is a relatively good spec create a VM with 2GB memory and 1 core (really needs nothing to run) and install ubuntu server. You can even do it with Docker if you want 

Benefits of it:

  • Renewal is automatic 
  • different 'attack' surfaces. If someone gets into the web server VM..... not much to do really. If you are a bit nervous about security you don't even need the reverse proxy on the same device. If they are different you are providing another point of failure/bottleneck so connectivity between things is important
  • 1 VM can control this for any service you are running such as Radarr, Sonarr, Emby and anything really. 
  • With exception to Emby as it requires a specific port to connect. You do not need to expose all the service ports to the web such as Radarr's port. You just need 443 & 80. Nginx handles the rest for you
  • Adding new sub domains is fairly simple 

In terms of streaming. I find the reverse proxy really doesn't have any impact at all. Been doing it since day 1 and everything is 👌

If it gains any interest I'll happily post a how to

I would love a how to or even just help on setting mine up!! 
