Posted (edited)

Hello Emby community!

 

So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years.

 

So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day :P ).

 

I have one question though, for which I couldn't seem to find precise info. I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface.

I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily.

 

The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan

 

So far, so good, as I only access these services from my home lan, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall).

 

But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do?

 

I can post the nginx configs (with purged personal info) if needed.

 

Many thanks in advance!

Edited by flof
BAlGaInTl
Posted

You might be able to do something with a Dynamic DNS provider and letsencrypt, but I recommend just getting your own FQDN.  With your own domain, you can use cloudflare for free DDNS, certs, and a first line of defense for your site.

 

Considering that most of it can be done for free, the cost of a domain name is pretty small.

Posted

These are good points.

 

However, I am not planning to have a site, it would be only for accessing emby from outside. Isn't that less secure if I have a domain name pointing to my home NAS ?

BAlGaInTl
Posted


If you want to access Emby from outside, it "is" a site.  It's really just a web application.

 

If you use strong passwords and hide your user accounts it helps.  

 

You can probably do something similar to what you have with plex using Emby Connect.

cmacfarlane93
Posted (edited)


Even without a domain you still have an "address" on the net. Also, if you use Cloudflare, you can "proxy" the connection to your home NAS so the IP isn't exposed. I used this guide: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby and it was very helpful. Edit: If you encounter an issue where you can access your domain and see Emby but can't see Emby when connecting through Emby Connect, add an A record in Cloudflare for emby.yourdomainhere.com pointed at your WAN IP. Make sure this record, like your others, is set to "proxied" mode so your IP isn't exposed.

 

Cloudflare's firewall can block all connections from outside the country you choose, under the firewall section and rules. And as mentioned above, you can hide users from your Emby login screen so that unwanted visitors would have to guess both the user and password for an account. Additionally, you can set up your admin account to be only accessible locally. Also set non-admin users to not be able to delete anything. This way, under the worst possible scenario where a user account is breached, the attacker can only really watch content until the password is changed.

 

TLDR: I would argue that with Cloudflare's added DDoS protection, firewall configurability and proxying your domain to WAN IP, you may actually be safer with this route than your current method. You would also get the benefit of having all your traffic encrypted to and from your server.

Edited by cmacfarlane93
  • Like 1
Posted


Wow okay now you totally convinced me. Thank you so much for the details!! :)

mastrmind11
Posted

yeah cloudflare really is the way to go.

Posted

Alright thank you all, I'll do that

 

Now that I think about it, if I want to keep the reverse proxy for all my apps local-only and use a reverse proxy for Emby facing the outside, I have to use two nginx containers, right?

BAlGaInTl
Posted


I'm pretty sure you can do it with one reverse proxy.
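
The single-proxy layout suggested in the last reply, as an added example that was not posted by anyone in the thread: one nginx container keeps the `.lan` services reachable only from the home network and exposes Emby alone on a second port. The LAN subnet, container names, backend port 8080, listen port 8443 and certificate paths are assumptions; the router is assumed to forward external 443 to port 8443 on the host and nothing else.

```nginx
# Added example; assumed values: LAN subnet 192.168.1.0/24, container names
# "servicename" and "emby", backend port 8080, cert paths. Place inside http {}.

# Catch-all: a Host header matching no block below gets the connection closed,
# so an unknown name never falls through to a LAN service.
server {
    listen 443 ssl default_server;
    listen 8443 ssl default_server;
    server_name _;
    ssl_certificate     /etc/nginx/certs/selfsigned.crt;
    ssl_certificate_key /etc/nginx/certs/selfsigned.key;
    return 444;
}

# LAN-only service: listens on 443 only (never forwarded by the router) and
# additionally refuses any client address outside the home subnet.
server {
    listen 443 ssl;
    server_name servicename.hostname.lan;
    ssl_certificate     /etc/nginx/certs/selfsigned.crt;
    ssl_certificate_key /etc/nginx/certs/selfsigned.key;
    allow 192.168.1.0/24;
    deny all;
    location / { proxy_pass http://servicename:8080; }
}

# Emby: the only named server block on 8443, the single forwarded port.
# 8096 is Emby's default HTTP port; the Upgrade headers keep WebSockets working.
server {
    listen 8443 ssl;
    server_name emby.yourdomainhere.com;
    ssl_certificate     /etc/nginx/certs/emby.crt;
    ssl_certificate_key /etc/nginx/certs/emby.key;
    location / {
        proxy_pass http://emby:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}
```

Before relying on the `allow`/`deny` rule, check the nginx access log from a LAN client: if `$remote_addr` shows the Docker bridge gateway rather than the client's own address, the rule is matching the wrong IP and the subnet needs adjusting.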
