flof 0 Posted June 7, 2020 (edited)

Hello Emby community!

So today I decided to give Emby a try in order to maybe replace Plex that I have been using for years. So far, I loved almost everything about Emby (maybe not the fact that we can't change the green accent in the AndroidTV app, but that's a story for another day).

I have one question though, for which I couldn't seem to find precise info. I run all my services from a machine in my house, which runs OpenMediaVault (i.e. Debian). I use Docker for most of the services, with bridge mode for their network interface. I also have, among those services, an Nginx container that serves as a reverse-proxy, so I can access my services more easily.

The OpenMediaVault web interface proposes the option to connect using a self-signed SSL certificate, which I decided to use when I set it all up. I then re-used this same SSL certificate for all my other reverse-proxies, by mounting the certificate files as read-only into the Nginx container, so that I only had one exception to add to my browsers in order to reach all my services like so: https://servicename.hostname.lan

So far, so good, as I only access these services from my home LAN, and since I used Plex until now, I never had to mess with secure remote access: since the connection is routed through their servers, it was an easy setup with no configuration on my side (only authorizing the default Plex port for outgoing connections in my machine's iptables as well as ESTABLISHED,RELATED incoming connections, then once it was connected I had nothing more to do for their servers to detect my machine, not even setting port redirection on my router or allowing anything through my router's firewall).

But now, I'd like to switch to Emby, and here's my question: am I not able to allow secure remote access if I don't have a domain name pointing to my home router's IP? What else could I do? I can post the nginx configs (with purged personal info) if needed.

Many thanks in advance!

Edited June 7, 2020 by flof

BAlGaInTl 279 Posted June 8, 2020

You might be able to do something with a Dynamic DNS provider and Let's Encrypt, but I recommend just getting your own FQDN. With your own domain, you can use Cloudflare for free DDNS, certs, and a first line of defense for your site. Considering that most of it can be done for free, the cost of a domain name is pretty small.

flof 0 Author Posted June 8, 2020

These are good points. However, I am not planning to have a site, it would be only for accessing Emby from outside. Isn't that less secure if I have a domain name pointing to my home NAS?

BAlGaInTl 279 Posted June 8, 2020

> These are good points. However, I am not planning to have a site, it would be only for accessing Emby from outside. Isn't that less secure if I have a domain name pointing to my home NAS?

If you want to access Emby from outside, it "is" a site. It's really just a web application. If you use strong passwords and hide your user accounts it helps. You can probably do something similar to what you have with Plex using Emby Connect.

cmacfarlane93 10 Posted June 10, 2020 (edited)

> These are good points. However, I am not planning to have a site, it would be only for accessing Emby from outside. Isn't that less secure if I have a domain name pointing to my home NAS?

Even without a domain you still have an "address" on the net. Also, if you use Cloudflare, you can "proxy" the connection to your home NAS so the IP isn't exposed. I used this guide: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby it was very helpful.

Edit: If you encounter an issue where you can access your domain and see Emby but can't see Emby when connecting through Emby Connect, add an A record in Cloudflare for emby.yourdomainhere.com pointed at your WAN IP. Make sure this record, like your others, is set to "proxied" mode so your IP isn't exposed.

Cloudflare's firewall can block all connections from outside the country you choose, under the firewall section and rules. And as mentioned above, you can hide users from your Emby login screen so that unwanted visitors would have to guess both the user and password for an account. Additionally, you can set up your admin account to be only accessible locally. Also set non-admin users to not be able to delete anything. This way, under the worst possible scenario a user account is breached, the attacker can only really watch content until the password is changed.

TLDR: I would argue that with Cloudflare's added DDoS protection, firewall configurability and proxying your domain to WAN IP, you may actually be safer with this route than your current method. You would also get the benefit of having all your traffic encrypted to and from your server.

Edited June 10, 2020 by cmacfarlane93

flof 0 Author Posted June 10, 2020

> Even without a domain you still have an "address" on the net. Also, if you use Cloudflare, you can "proxy" the connection to your home NAS so the IP isn't exposed. I used this guide: https://blog.awelswynol.co.uk/2018/01/setting-up-cloudflare-with-emby it was very helpful.
>
> Edit: If you encounter an issue where you can access your domain and see Emby but can't see Emby when connecting through Emby Connect, add an A record in Cloudflare for emby.yourdomainhere.com pointed at your WAN IP. Make sure this record, like your others, is set to "proxied" mode so your IP isn't exposed.
>
> Cloudflare's firewall can block all connections from outside the country you choose, under the firewall section and rules. And as mentioned above, you can hide users from your Emby login screen so that unwanted visitors would have to guess both the user and password for an account. Additionally, you can set up your admin account to be only accessible locally. Also set non-admin users to not be able to delete anything. This way, under the worst possible scenario a user account is breached, the attacker can only really watch content until the password is changed.
>
> TLDR: I would argue that with Cloudflare's added DDoS protection, firewall configurability and proxying your domain to WAN IP, you may actually be safer with this route than your current method. You would also get the benefit of having all your traffic encrypted to and from your server.

Wow okay now you totally convinced me. Thank you so much for the details!!

flof 0 Author Posted June 10, 2020

Alright, thank you all, I'll do that.

Now that I think about it, if I want to keep the reverse proxy for all my apps in local-only and use a reverse proxy for Emby facing the outside, I have to use two nginx containers, right?

BAlGaInTl 279 Posted June 10, 2020

> Alright, thank you all, I'll do that.
>
> Now that I think about it, if I want to keep the reverse proxy for all my apps in local-only and use a reverse proxy for Emby facing the outside, I have to use two nginx containers, right?

I'm pretty sure you can do it with one reverse proxy.

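The single-proxy setup suggested in the last reply could look like the sketch below, written as server blocks for the http context of one nginx container. This is an added example, not configuration posted by anyone in the thread; the LAN subnet, upstream names and ports, certificate paths, emby.example.com and the 203.0.113.0/24 placeholder standing in for Cloudflare's published ranges are all assumptions.

```nginx
# Added example, not configuration posted in the thread. Assumed values:
# LAN 192.168.1.0/24, upstreams "someservice:8080" and "emby:8096",
# certificate paths, emby.example.com, and the 203.0.113.0/24 placeholder.

# Catch-all: a request whose Host matches no name below (for example a
# scan of the bare WAN IP) is dropped without a response.
server {
    listen 443 ssl default_server;
    ssl_certificate     /etc/nginx/certs/selfsigned.crt;
    ssl_certificate_key /etc/nginx/certs/selfsigned.key;
    return 444;
}

# LAN-only service. The router forwards 443 to this same nginx, so the
# allow/deny pair is what keeps this name unreachable from outside.
server {
    listen 443 ssl;
    server_name servicename.hostname.lan;
    ssl_certificate     /etc/nginx/certs/selfsigned.crt;
    ssl_certificate_key /etc/nginx/certs/selfsigned.key;
    allow 192.168.1.0/24;
    deny  all;
    location / {
        proxy_pass http://someservice:8080;
        proxy_set_header Host $host;
    }
}

# Emby, reachable from the LAN and through the Cloudflare proxy only.
server {
    listen 443 ssl;
    server_name emby.example.com;
    ssl_certificate     /etc/nginx/certs/emby-origin.crt;
    ssl_certificate_key /etc/nginx/certs/emby-origin.key;
    allow 192.168.1.0/24;
    allow 203.0.113.0/24;   # PLACEHOLDER: use the ranges Cloudflare publishes
    deny  all;
    location / {
        proxy_pass http://emby:8096;
        proxy_http_version 1.1;                    # needed for WebSocket upgrade
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
    }
}
```

Before relying on allow/deny with Docker in bridge mode, confirm in the nginx access log that requests show the real client address rather than the Docker bridge gateway.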