ChrisJ60, posted May 12, 2020 (edited May 12, 2020):

I have an Emby server (4.4.2.0) running on macOS Catalina. I have several users defined in the server. The server is accessible within my home network (via HTTP) and over the Internet (via HTTPS).

Most of my users have passwords defined but I have one, which is the 'family' user which is intended only for use within our home and so has no password defined. For this user I have unticked the box that says 'Allow remote connection to this server' but when I access the server remotely:

a) The user still shows on the login screen
b) Clicking the user logs it in.

This seems like quite a big security hole? Am I misunderstanding what the 'Allow remote connections to this server' option is supposed to do? How can I have a user that shows up on the login screen when accessed locally but does not show up and cannot log in when accessed remotely?

Thanks, Chris

Happy2Play, posted May 12, 2020:

Do you have the option "Hide this user from login screens when connected remotely" enabled? How are you connecting to your server? But testing this on my Windows system, I cannot reproduce.

Luke, posted May 12, 2020:

Have you customized any of the server network settings?

ChrisJ60, posted May 13, 2020 (edited May 13, 2020):

@Happy2Play Yes, I have the option 'Hide user from login screens when connected remotely'.

@Luke Yes, I have made some tweaks to the network settings. I'm happy to share my settings, and a description of my setup, with you privately but I do not want to post them here (for obvious reasons). Please let me know how I can send this info to you.

It seems clear that Emby is not correctly detecting the connection as being 'remote'.

Luke, posted May 13, 2020:

Quote: "It seems clear that Emby is not correctly detecting the connection as being 'remote'."

Right, and that's likely being caused by the custom network settings.

ChrisJ60, posted May 13, 2020:

Maybe. That's why I'd like to share them with you. I don't see anything in my settings that should cause this but since some of the settings are not well documented it is hard to know what the exact effect of them is or whether they need to be set (and if so to what value)...

In essence I am using both HTTP on port 8096 for 'local' connections and HTTPS (with a self-signed cert) on 8920 for 'remote'. Regardless of which one I connect to from my browser I see the offending user and it can log in. Likely Emby is not recognising that the request URL is different in both cases.

Are the subnets defined in 'LAN networks:' used by Emby to make this local/remote distinction? The help text suggests this is only used for bandwidth limiting but maybe...?

Anyway, if you can provide me a private means to communicate with you I will happily share all the gory details of my setup. I need to get this resolved as at the moment I am horribly exposed.

ChrisJ60, posted May 13, 2020:

Also, as a side note, does Emby support IPv6? It seems from what I see that it does not, which would be disappointing.

ChrisJ60, posted May 13, 2020 (edited May 13, 2020):

Okay, mystery solved.

I had imagined/expected that the way that Emby determines if a connection is 'remote' as far as user access goes is to use the value provided in 'External domain' and compare this to the hostname in HTTP(S) requests. If they match the request is 'remote' and if not then it is 'local'. Seems this is not the case. In fact I can't find a situation where the value specified for External domain matters at all (???), even when I am using my own SSL certificate.

What *does* matter is the list of subnets specified under 'LAN networks' even though the help text there only talks about bandwidth restrictions. I had specified my local IPv4 subnets and my internal and external IPv6 subnets. The public hostname that I use to access Emby remotely resolves to both an IPv4 and an IPv6 address. Browsers will always use IPv6 before IPv4 if both are available. In my testing I was connecting from within my home network to the public hostname. If I had ended up connecting via IPv4 (very unlikely) then Emby would have considered me 'remote' but as the connection always ended up being made over IPv6 and my public IPv6 /64 was listed in the 'LAN networks' field Emby always thought I was 'local'. If I make a genuinely 'remote' connection then the user in question behaves as it should.

If only the help text for the LAN networks field had been more definitive I wouldn't have wasted several hours on this :-) Can you please improve it and also, while you are at it, add some detailed documentation of exactly how the 'External domain' field is intended to be used. As I said, the value I specify in there doesn't seem to affect anything at all...

Q-Droid, posted May 13, 2020:

Most people think it's pretty self-explanatory: L(ocal) A(rea) N(etwork). A remote connection would be: W(ide) A(rea) N(etwork), also described as Remote or Public.

External Domain is what Emby uses to translate the HTTP responses to include the [host/domain] portion of the URLs. Same for the public Port values.

ChrisJ60, posted May 13, 2020:

I'm very well aware of the terminology; the fact is that software often does not use terminology in as precise a way as it should and/or does not always describe things adequately/correctly (in nearly 40 years in the industry I have seen this so many times...). I'm simply asking for the help text to be clearer and to describe exactly how these values are used. That doesn't seem like an unreasonable request.

With regard to external domain, can you elaborate a bit please? I have a specific value set in there, 'xxx.mydomain.org' (not the actual value of course), but I do not see this value appear anywhere in the Emby server log; all the URLs in there (with request and response) have a different value. Remote access is working just fine. Hence my question as to what this value is *really* used for and when it is actually necessary.

Q-Droid, posted May 13, 2020:

I see what you're saying about the domain. The external domain value you define in the settings becomes part of the "Remote (WAN) access" URL on the dashboard. However, it appears that it does not get used for HTTP responses when accessing the server. So if you have a different domain that resolves to the same IP address the logs will show the one you used to access Emby, at least from browser sessions.

That domain in the Dashboard is the one provided to the Emby apps when they query the server. For example phone apps can transition between LAN and WAN access with this info. It may also be used by Emby Connect but I don't use this feature so I don't know for sure. Yes, you should use it if you want reliable access from Emby apps.

ChrisJ60, posted May 13, 2020:

Okay, that is very useful to know. I actually have a reverse proxy in front of my Emby server and all remote access goes via that. So this information is critical to ensure I can set that up correctly (even though things seem to be working just fine anyway).

a1pilot, posted May 18, 2020:

I'd like to flag this also: https://emby.media/community/index.php?/topic/86411-password-protected-user-can-log-in-without-password/

It looks like you can log in without a password even remotely if the option is selected. Possible issue with Docker handling of IP addresses so it looks like all logins are local.

Luke, posted May 18, 2020:

@ChrisJ60 were you able to configure your reverse proxy?

ChrisJ60, posted May 18, 2020:

@Luke yes, I have it set up and working fine now. And access via it is correctly identified as 'remote' so that's all good too.

mshaik, posted October 25, 2021:

@ChrisJ60 Looks like I am facing the same issue. I have a user and wanted to set him for local use only. I removed the check for allow remote connections for this user; for a few it works and for a few it doesn't. For example, for my wifi I can't log in remotely but if I use my Android mobile phone data, it logs in. I checked, and both my Android IP address and Docker start with the same initial IP, and it looks like that's causing the issue. Also I have Nginx Proxy Manager running in front of Emby and fail2ban is tracking it.

Can you please help me with how to make Emby recognize it as a remote request? My Emby runs in Docker. I changed only the following in Emby network: pointed remote http to 80 and https to 443, my local http and https ports 8096 and 8920. I have Nginx Proxy Manager which runs on port 80 and 443 which redirects to Emby; that's the reason I have Emby network configured for Public connection. My Allow remote connections is checked and also I am using a secure connection using a reverse proxy. My NPM has Let's Encrypt configured.

@Luke Can you please chime in too?

Luke, posted October 25, 2021 (quoting mshaik's post above in full):

Hi, I would suggest comparing your nginx configuration to that of @pir8radio: Please let us know if this helps. Thanks.

pir8radio, posted October 25, 2021 (quoting mshaik's post above in full):

Make sure your real "LOCAL" network addresses are specified in the Emby server network settings. Oftentimes when running in a Docker, Emby just grabs the Docker address and assumes that's the actual local network, when sometimes Dockers are set up for NAT and other crap..

Luke, posted October 25, 2021:

2 hours ago, pir8radio said: "Make sure your real "LOCAL" network addresses are specified in the Emby server network settings. Oftentimes when running in a Docker, Emby just grabs the Docker address and assumes that's the actual local network, when sometimes Dockers are set up for NAT and other crap.."

Using Docker in host networking mode may help avoid that.

mshaik, posted October 26, 2021:

@Luke I am running my Emby in host network mode only, but with no luck.

@pir8radio Your solution worked like a gem, thanks a lot.
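
Added example (not part of the thread and not Emby's code): a small Python model of the local/remote decision the thread describes, covering both the public IPv6 /64 listed under 'LAN networks' and the Docker/reverse-proxy case. The function names, the X-Forwarded-For handling and all addresses are assumptions made for illustration; the addresses are constructed from documentation ranges.

```python
import ipaddress

# Ranges that are internal by definition (RFC 1918, IPv6 ULA, IPv6 link-local).
INTERNAL = [ipaddress.ip_network(r) for r in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "fc00::/7", "fe80::/10")]

def in_any(addr, cidrs):
    """True if addr lies inside any of the CIDR strings (v4 never matches v6)."""
    ip = ipaddress.ip_address(addr)
    return any(ip in ipaddress.ip_network(c) for c in cidrs)

def effective_client(peer, forwarded_for=None, trusted_proxies=()):
    """Address to classify: the socket peer, or, when the peer is a trusted
    proxy, the right-most X-Forwarded-For hop that is not itself a proxy."""
    if forwarded_for and in_any(peer, trusted_proxies):
        for hop in reversed([h.strip() for h in forwarded_for.split(",")]):
            try:
                if not in_any(hop, trusted_proxies):
                    return hop
            except ValueError:
                break  # malformed header: fall back to the socket peer
    return peer

def classify(peer, lan_networks, forwarded_for=None, trusted_proxies=()):
    """Hypothetical model of the check: 'local' iff the client is in a LAN network."""
    client = effective_client(peer, forwarded_for, trusted_proxies)
    return "local" if in_any(client, lan_networks) else "remote"

def audit_lan_networks(lan_networks):
    """Return 'LAN networks' entries that are not wholly inside an internal range."""
    flagged = []
    for cidr in lan_networks:
        net = ipaddress.ip_network(cidr)
        if not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL):
            flagged.append(cidr)
    return flagged

# Constructed sample values; 2001:db8::/32 stands in for an ISP-delegated public /64.
LAN = ["192.168.1.0/24", "fd00:1::/64", "2001:db8:1234:5678::/64"]
DOCKER = ["172.17.0.0/16"]  # assumed bridge subnet the reverse proxy connects from

if __name__ == "__main__":
    print(audit_lan_networks(LAN))                  # public /64 listed as LAN
    print(classify("2001:db8:1234:5678::42", LAN))  # home client, public hostname, IPv6
    print(classify("203.0.113.7", LAN))             # same client arriving over IPv4
    print(classify("172.17.0.1", DOCKER))           # proxied request, Docker subnet as LAN
    print(classify("172.17.0.1", LAN[:2], "198.51.100.9", DOCKER))
```

The last call models the corrected setup: only the real internal ranges are listed as LAN, and the forwarded address is honoured only because the socket peer is the known proxy.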