SSL made easy


MikeB111

Recommended Posts

Teknician
10 hours ago, sross44 said:

Seems that this blog/article is down and not working. Does anyone have a copy of these instructions? I had my Emby server set up this way and had to do a clean install of Windows (and with it Emby) so need to reset everything up. Right now nothing is secured with Emby and I've got a lot of remote family members using my server. I'm kind of an idiot when it comes to networking so it was nice to have a breakdown and have everything make sense. 

Showing up on my end. Try it again. Might have just been down, for a bit. 


sross44

You're correct it was down! Thanks for pointing it out 

2 hours ago, Teknician said:

Showing up on my end. Try it again. Might have just been down, for a bit.



  • 2 weeks later...

I hate to ask, but is anyone able to assist with helping me set this up again? I followed @MikeB111's instructions, which were great the first time I set this up, but did have trouble with the DDNS. My cert expired last month. I believe I set up DDNS correctly this time around and have generated a new cert a few times now, but I can't seem to connect to my server from outside my network. I do see that 2 other users have, but I am not sure how that is possible.

Willing to buy you a 12pk if I can just have some guidance :).  I am going nuts trying to figure out what the issue is.

Thanks!


@Zerok Send me a PM (hover over my avatar and click on the message link) and we can set up a remote session; that will be quicker than trading messages to figure out what needs adjusting. :)


  • 4 weeks later...
Fretawekakoep

I'm also experiencing issues with remote connections after following @MikeB111's and @pwhodges' instructions. I think I've successfully generated the SSL certificate and set up Dynamic DNS, including the Caddy setup for the reverse proxy. However, I'm able to connect directly via the IP:8096 port but not via the 8920 port. The domain I've set up via Google is not working either; when I did it with noip.com this worked via port 80 records. Not seeing the same result in Google Domains. Anyone know where to start looking?

Really keen on getting this to work, as I'm seeing a lot of unwanted traffic and some login attempts via my Microsoft account. I really enjoy Emby and so does my family, but I'd rather be safe than sorry.


Many thanks in advance


pwhodges

As you followed my setup, you do not ever use port 8920, because Emby doesn't have https enabled. You should just use port 443 (standard https) on the machine which is running Caddy.

Recap: the router has ports 80 and 443 open, and both are directed to the machine running Caddy (both are required for Let's Encrypt, but you will not use 80), so you can access Caddy externally using your domain (with default port 443) and internally using the local name or IP of the machine running Caddy, also with port 443. Only Caddy talks directly to Emby, and it does it on port 8096, because using https internally is (a) tricky, and (b) unnecessary (Emby's ports are not open in the router/firewall, so there's no danger there).

Paul


Fretawekakoep
1 hour ago, pwhodges said:

As you followed my setup, you do not ever use port 8920, because Emby doesn't have https enabled. You should just use port 443 (standard https) on the machine which is running Caddy.

Recap: the router has ports 80 and 443 open, and both are directed to the machine running Caddy (both are required for Let's Encrypt, but you will not use 80), so you can access Caddy externally using your domain (with default port 443) and internally using the local name or IP of the machine running Caddy, also with port 443. Only Caddy talks directly to Emby, and it does it on port 8096, because using https internally is (a) tricky, and (b) unnecessary (Emby's ports are not open in the router/firewall, so there's no danger there).

Paul

Thanks for the reply again Paul :)

I've included my settings from Emby and my router to verify. Do I need a custom DNS record or do I need a D-DNS record? I'm not sure if the IPv4 address is getting accepted in the Google Domains records, since I can't include the :8086 port for Emby.

Edited by Fretawekakoep

pwhodges

Mistake: Do not set Emby to listen on 443. That's Caddy's job, and if they're on the same machine you have a conflict.

Mistake: Do not set the router to forward port 443 to 8096. It goes to port 443 in Caddy; it is Caddy that then contacts 8096 in Emby, which the router doesn't know about in any way. Your clients all talk to Caddy, not Emby.

It's right to set Emby to accept remote connections, because Caddy passes the remote client's address through for it to assess.

You haven't shown the setting in Emby for "Secure connection mode", which should be set to "Handled by reverse proxy".

Paul

Edited by pwhodges
posted unfinished by mistake
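A Caddyfile (Caddy v2) matching the layout Paul describes in the two posts above, added here as an illustration and not taken from the original posts or from the guide; the hostname emby.example.com is a placeholder for your own domain, and 127.0.0.1 assumes Caddy runs on the same machine as Emby.

```caddyfile
# Added example, not from the original guide. Replace emby.example.com with
# the domain your DNS (or Dynamic DNS) record points at, and change 127.0.0.1
# if Emby runs on a different LAN host than Caddy.
#
# Router: forward TCP 80 and 443 to the machine running Caddy.
#   - Do NOT forward 443 to 8096; 443 must reach Caddy, which then talks to Emby.
#   - Do NOT set Emby itself to listen on 443; Caddy owns 80 and 443 here.
# Caddy obtains and renews the Let's Encrypt certificate automatically
# (port 80 serves the ACME challenge and redirects http:// to https://),
# so no certificate is installed in Emby and port 8920 is never used.

emby.example.com {
    # Everything reaching Caddy over https is passed to Emby's plain-http
    # port on the LAN. Caddy adds X-Forwarded-For / X-Forwarded-Proto by
    # default, which is what lets Emby see the real remote client address.
    reverse_proxy 127.0.0.1:8096
}

# In Emby: Settings > Network, "Secure connection mode" = "Handled by reverse
# proxy", "Allow remote connections" enabled, local HTTP port left at 8096.
```

Run `caddy validate --config Caddyfile --adapter caddyfile` before starting Caddy to catch syntax mistakes, then browse to https://emby.example.com (no port suffix) and confirm the lock icon.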

It's going to depend on other settings as well.

If you don't need a local proxy or aren't presently using one, it's probably not needed. You can port forward your router's 80 to 8096 and 443 to 8920 so that you use the original ports. Without the proxy inline you will need to set up a local cert on Emby Server to use secured sockets, but that gives you 100% encrypted transmissions.

IMHO using a proxy as a secured to non-secured (open) connection is a decision that should be given a lot of thought. Even though it's taking place in your network, you have to keep in mind that many exploits happen from inside the network, as a person brought in something with a download, email or some other method that didn't trip a virus/malware check. It can lie around for months or years doing nothing or doing a slow probe looking to see what activity is present on the network. It might be looking for usernames/passwords only, which are easy pickings when you use non-encrypted streams anywhere.

Unless it's not possible, you should have every part encrypted from start to finish, which means doing the encryption/decryption on the Emby Server.


pwhodges

If your system is compromised, worrying about encryption on a local connection to something as inconsequential as a media server should be the least of your worries. Preventing compromise in the first place is far, far more important.

Paul


Yes, but a lot of people use the same passwords for multiple services, so if you can easily grab that info from a media server, it's information gained that can be tried against other services inside or outside your network. It's just good security.


  • 4 weeks later...
Teknician

@MikeB111 Just had to update after my 90 days were up; copied the string to my domain record and waited..... BOOM. FLAWLESS. You are a genius, thank you!!

Didn't use the renew_bat, and maybe I'll try that later down the road.


  • 4 weeks later...
pepinacosplus

Hi! Can anyone help me to set this up? I created the cert, registered a domain, added a DNS entry to my router and Google Domains, and opened port 8920 to my Emby server, but I'm not able to connect from outside my house. Any hint?


Teknician

Did you use Google Domains? I created a custom record in the DNS section, and I see the host name as _acme-challenge, being a TXT type, and there is a DATA string that you'll need to copy from your SSL cert script into the DATA field of the record that you created at Domains.

When I ran the script on my PC (do not close it yet), it created that string and waited. I copied that string into my domain record at Google Domains and saved it. Then I watched the script, and it connected and said successful. The only other thing I'd done was forward 8920 in my router. Nothing more. Open your redirect address in your browser (https://somethingemby.com:8920) and you should see your secure lock in the URL bar.

Don't know if this will help, but worked great on my side.


pepinacosplus

Yes, the certificate at Google Domains connected successfully and the script ended without a problem. Then I forwarded the port in my router, also created a Dynamic DNS entry in Google Domains, and then logged in to my ASUS router to help Google Domains obtain my public IP.

But I still can't connect from outside, and Emby says that my remote connection is on port 8096.

I feel stupid, because this seems so easy to do and I'm messing up something that I can't figure out.

Edited by pepinacosplus

Step back from the domain/cert for a minute.

If you set up forwarding of port 8096 on your router to your Emby server, does that work?
Let's make sure there's nothing blocking you before diving into the certs and domains.
Once we know that's working, it shouldn't be hard.


pepinacosplus

Yes cayars, if I forward port 8096 I can remotely access my server.


Teknician

Did you add your certificate info in Emby? I did change my secure connection mode to "Required To Connect" after I looked at it. That would be a good idea.

Screenshot_20220622-211238_Emby.jpg

Edited by Teknician

VirulentPip

I followed the steps for renewal as I have 2 weeks left (received the 16-day reminder from Let's Encrypt) and completed the TXT thingy with my Google Domain, but I am unsure how to check if it actually renewed.

- Edit - Found out how :) All good and renewed.

Edited by VirulentPip
Found out

So are you squared away now and have remote access working over secured connections?
