Question about reverse proxy configuration for remote visibility


ChrisJ60
Posted (edited)

I have an Emby server (4.4.2.0) running on macOS Catalina. I have several users defined in the server. The server is accessible within my home network (via HTTP) and over the Internet (via HTTPS). Most of my users have passwords defined but I have one, which is the 'family' user which is intended only for use within our home and so has no password defined. For this user I have unticked the box that says 'Allow remote connection to this server' but when I access the server remotely:

 

a) The user still shows on the login screen

b) Clicking the user logs it in.

 

This seems like quite a big security hole? Am I misunderstanding what the 'Allow remote connections to this server' option is supposed to do? How can I have a user that shows up on the login screen when accessed locally but does not show up and cannot log in when accessed remotely?

 

Thanks,

 

Chris

Edited by ChrisJ60
Happy2Play
Posted

Do you have the option "Hide this user from login screens when connected remotely" enabled?  How are you connecting to your server?

 

But testing this on my Windows system, I cannot reproduce.

Posted

Have you customized any of the server network settings?

ChrisJ60
Posted (edited)

@Happy2Play Yes, I have the option 'Hide user from login screens when connected remotely'

 

@Luke Yes, I have made some tweaks to the network settings. I'm happy to share my settings, and a description of my setup, with you privately but I do not want to post them here (for obvious reasons). Please let me know how I can send this info to you.

 

It seems clear that Emby is not correctly detecting the connection as being 'remote'.

Edited by ChrisJ60
Posted

It seems clear that Emby is not correctly detecting the connection as being 'remote'.

 

Right, and that's likely being caused by the custom network settings.

ChrisJ60
Posted

Maybe. That's why I'd like to share them with you. I don't see anything in my settings that should cause this but since some of the settings are not well documented it is hard to know what the exact effect of them is or whether they need to be set (and if so to what value)...

 

In essence I am using both HTTP on port 8096 for 'local' connections and HTTPS (with a self-signed cert) on 8920 for 'remote'. Regardless of which one I connect to from my browser I see the offending user and it can log in. Likely Emby is not recognising that the request URL is different in both cases. Are the subnets defined in 'LAN networks:' used by Emby to make this local/remote distinction? The help text suggests this is only used for bandwidth limiting but maybe...?

 

Anyway, if you can provide me a private means to communicate with you I will happily share all the gory details of my setup. I need to get this resolved as at the moment I am horribly exposed.

ChrisJ60
Posted

Also, as a side note does Emby support IPv6? It seems from what I see that it does not, which would be disappointing.

ChrisJ60
Posted (edited)

Okay, mystery solved. I had imagined/expected that the way that Emby determines if a connection is 'remote' as far as user access goes is to use the value provided in 'External domain' and compare this to the hostname in HTTP(S) requests. If they match the request is 'remote' and if not then it is 'local'. Seems this is not the case. In fact I can't find a situation where the value specified for External domain matters at all (???), even when I am using my own SSL certificate.

 

What *does* matter is the list of subnets specified under 'LAN networks' even though the help text there only talks about bandwidth restrictions. I had specified my local IPv4 subnets and my internal and external IPv6 subnets. The public hostname that I use to access Emby remotely resolves to both an IPv4 and an IPv6 address. Browsers will always use IPv6 before IPv4 if both are available. In my testing I was connecting from within my home network to the public hostname. If I had ended up connecting via IPv4 (very unlikely) then Emby would have considered me 'remote' but as the connection always ended up being made over IPv6 and my public IPv6 /64 was listed in the 'LAN networks' field Emby always thought I was 'local'. If I make a genuinely 'remote' connection then the user in question behaves as it should.

 

If only the help text for the LAN networks field had been more definitive I wouldn't have wasted several hours on this :-) Can you please improve it and also, while you are at it, add some detailed documentation of exactly how the 'External domain' field is intended to be used. As I said, the value I specify in there doesn't seem to affect anything at all...

Edited by ChrisJ60
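As an added illustration (not part of the original post and not Emby's code), this Python sketch models the subnet-based local/remote decision described above and flags 'LAN networks' entries that lie outside internal-only address space. The comma-separated input format, the function names and the sample addresses are assumptions; the documentation prefix 2001:db8::/32 stands in for a public IPv6 /64.

```python
import ipaddress

# Address space that is not routed on the public Internet
# (RFC 1918, loopback, IPv6 ULA and link-local).
INTERNAL_ONLY = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8",
    "fc00::/7", "fe80::/10", "::1/128",
)]

# Constructed sample: an IPv4 LAN, an IPv6 ULA and a "public" IPv6 /64.
SAMPLE_LAN = "192.168.1.0/24, fd00:1234::/64, 2001:db8:10:20::/64"

def parse_lan_networks(value):
    """Parse a comma-separated list of subnets (assumed format)."""
    return [ipaddress.ip_network(p.strip(), strict=False)
            for p in value.split(",") if p.strip()]

def classify(client_ip, lan_networks):
    """Return 'local' if client_ip is inside any listed subnet, else 'remote'."""
    addr = ipaddress.ip_address(client_ip)
    hit = any(addr.version == n.version and addr in n for n in lan_networks)
    return "local" if hit else "remote"

def risky_entries(lan_networks):
    """Return listed subnets that are not wholly inside internal-only space."""
    def internal(net):
        return any(net.version == r.version and net.subnet_of(r)
                   for r in INTERNAL_ONLY)
    return [str(n) for n in lan_networks if not internal(n)]

if __name__ == "__main__":
    nets = parse_lan_networks(SAMPLE_LAN)
    # Constructed client addresses: a LAN host over IPv4, the same host
    # reaching the public hostname over IPv6, and two outside clients.
    for ip in ("192.168.1.50", "2001:db8:10:20::abcd",
               "198.51.100.7", "2001:db8:ffff::1"):
        print(f"{ip:24} -> {classify(ip, nets)}")
    print("entries to review:", risky_entries(nets))
```

A connection from the home network to the public hostname over IPv6 is classified 'local' here because its source address sits in the listed public /64, which matches the behaviour reported in the post.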
Q-Droid
Posted

Most people think it's pretty self-explanatory: L(ocal) A(rea) N(etwork)

 

A remote connection would be: W(ide) A(rea) N(etwork) also described as Remote or Public.

 

External Domain is what Emby uses to translate the HTTP responses to include the [host/domain] portion of the URLs. Same for the public Port values.

ChrisJ60
Posted

I'm very well aware of the terminology; the fact is that software often does not use terminology in as precise a way as it should and/or does not always describe things adequately/correctly (in nearly 40 years in the industry I have seen this so many times...). I'm simply asking for the help text to be clearer and to describe exactly how these values are used. That doesn't seem like an unreasonable request.

 

With regard to external domain, can you elaborate a bit please? I have a specific value set in there, 'xxx.mydomain.org', (not the actual value of course) but I do not see this value appear anywhere in the Emby server log; all the URLs in there (with request and response) have a different value. Remote access is working just fine. Hence my question as to what this value is *really* used for and when it is actually necessary.

Q-Droid
Posted

I see what you're saying about the domain.

 

The external domain value you define in the settings becomes part of the "Remote (WAN) access" URL on the dashboard. However, it appears that it does not get used for HTTP responses when accessing the server. So if you have a different domain that resolves to the same IP address the logs will show the one you used to access Emby, at least from browser sessions.

 

That domain in the Dashboard is the one provided to the Emby apps when they query the server. For example phone apps can transition between LAN and WAN access with this info. It may also be used by Emby Connect but I don't use this feature so I don't know for sure.

 

Yes, you should use it if you want reliable access from Emby apps.

ChrisJ60
Posted

Okay, that is very useful to know. I actually have a reverse proxy in front of my Emby server and all remote access goes via that. So this information is critical to ensure I can set that up correctly (even though things seem to be working just fine anyway).

Posted

@ChrisJ60 were you able to configure your reverse proxy?

ChrisJ60
Posted

@Luke yes I have it set up and working fine now. And access via it is correctly identified as ‘remote’ so that’s all good too.

Posted

Thanks for the feedback.

  • 1 year later...
Posted

@ChrisJ60 Looks like I am facing the same issue. I have a user and wanted to set him for local use only. I removed the check for 'Allow remote connections' for this user; for few it works and for few it doesn't. For example, from my wifi I can't log in remotely, but if I use my Android mobile phone data, it logs in. I checked, and both my Android IP address and Docker start with the same initial IP, and it looks like that's causing the issue. Also, I have Nginx Proxy Manager running in front of Emby and fail2ban is tracking it.

 

Can you please help me make Emby recognize it as a remote request? My Emby runs in Docker. I changed only the following in the Emby network settings: pointed remote HTTP to 80 and HTTPS to 443; my local HTTP and HTTPS ports are 8096 and 8920. I have Nginx Proxy Manager, which runs on ports 80 and 443 and redirects to Emby; that's the reason I have the Emby network configured for public connection. My 'Allow remote connections' is checked and I am also using a secure connection via the reverse proxy. My NPM has Let's Encrypt configured.

@Luke Can you please chime in too?

Posted
Hi, I would suggest comparing your nginx configuration to that of @pir8radio:

Please let us know if this helps. Thanks.

pir8radio
Posted
Make sure your real "LOCAL" network addresses are specified in the Emby server network settings. Oftentimes when running in a Docker container, Emby just grabs the Docker address and assumes that's the actual local network, when sometimes Docker containers are set up for NAT and other crap...

  • Thanks 1
Posted
2 hours ago, pir8radio said:

Make sure your real "LOCAL" network addresses are specified in the Emby server network settings. Oftentimes when running in a Docker container, Emby just grabs the Docker address and assumes that's the actual local network, when sometimes Docker containers are set up for NAT and other crap...

Using docker in host networking mode may help avoid that.

  • Agree 1
Posted

@Luke I am running my Emby in host network mode only, but no luck.

 

@pir8radio Your solution worked like a gem, thanks a lot. 

  • Thanks 1
