TheITJedi (Author), Posted May 27, 2021

@travisgreen37, a couple of questions.
1. Are the reverse proxy and Emby collocated on the same machine?
2. What ports is Emby running on?
3. Did you ensure to set the public host name in Emby?

travisgreen37, Posted May 27, 2021

No, they are on two different servers. The reverse proxy is IIS installed on Windows Server 2016. The Emby server is on a Windows 10 computer. I did set the public DNS in Emby server.

travisgreen37, Posted May 27, 2021

I figured out the problem. The settings in the web.config file needed to be changed since I'm not using them on the same server.

TheITJedi (Author), Posted May 27, 2021

@travisgreen37, the configurations in the guide are for when everything lives on the same box; you will need to update where it’s looking for Emby if they aren’t on the same box.

TheITJedi (Author), Posted July 2, 2021 (edited)

ADD-ON: Rename Emby Server Browser Title

Hey, for those users who wish to change their page title in the browser (as discussed here), here is additional Web.Config information that will let you do just that! By using IIS Re-Write rules to change the page title, you don't have to edit files every time you upgrade your Emby Server!

Add these 3 rules at the bottom of the rules list, and replace the whole <preConditions> block too:

NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar.

    <!-- &lt; &gt; and &quot; are XML-escaped so the attribute values stay well-formed -->
    <rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
        <match filterByTags="None" pattern="&lt;title&gt;(.*)&lt;/title&gt;" />
        <action type="Rewrite" value="&lt;title&gt;NAME_OF_YOUR_SERVER&lt;/title&gt;" />
    </rule>
    <rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
        <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
        <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
    </rule>
    <rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
        <match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
        <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
    </rule>
    <preConditions>
        <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
        </preCondition>
        <preCondition name="ResponseIsJS">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
        </preCondition>
        <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
        </preCondition>
    </preConditions>

Edited July 2, 2021 by TheITJedi

pepinacosplus, Posted August 17, 2021 (edited)

Hi! First of all, thank you TheITJedi for this amazing tutorial. Second, I followed the steps (correctly, I think) until I needed to get the certificate. It looks like my machine can't reach the dyndns server. I'm using a dual WAN setup, so I have two public IPs, and the ISP ONTs are in bridge mode to my main router; ports are open too. I think that's the problem, but I don't know. Any hint on how to resolve this? I'm using a fresh install of Windows 10. Thank you!

EDIT: I can reach the server from outside of my network using "xxxxxx.xxxxx.xxxx:8096". I can log in with my Emby account and play material, so my host is accessible. I don't know why it fails when creating the certificate: "Timeout during connect (likely firewall problem)"

Well, I did some routing rules and now the Emby server is using WAN1 and the rest of my house is using WAN2, with static IP and dyndns working fine, so the public IP is not rotating every minute. The tests in Certify The Web give me an OK on everything, but when I try to generate the certificate it fails, giving me the same error: "Timeout during connect (likely firewall problem)".

Some screen caps...

Any help, guys? I'm getting a bit frustrated...

Well, after some research, something is blocking port 80 and port 443. My ISP told me that they don't block them... I don't know what I can do to resolve this.

SOLVED!

Edited August 26, 2021 by pepinacosplus

Krma, Posted October 28, 2021

Hi, what's the difference between a normal install? I do a normal install on a Windows server and it works great. Am I missing something?

Luke, Posted October 28, 2021

50 minutes ago, Krma said: "Hi, what's the difference between a normal install? I do a normal install on a Windows server and it works great. Am I missing something?"

Hi, a normal install is fine. I think the main point of this topic was automatic SSL renewal.

TheITJedi (Author), Posted November 24, 2021

On 10/28/2021 at 2:43 PM, Luke said: "Hi, a normal install is fine. I think the main point of this topic was automatic SSL renewal."

The point of this post was to have a full guide for how to set up Emby on Windows Server as an easily consumed service for the people who will use it. This build includes publicly recognized certificates, auto renewal of certificates, standard web ports, auto redirect from HTTP to HTTPS, running the server as a service, adding proper security headers, and rewriting the server name. This may or may not be what you are looking for, but when I set out to set up my instance, it’s how I wanted it built (as an IT/Infrastructure/Network/Security professional for 20 years), and since there was no guide for this, I made one.

Zerok, Posted November 26, 2021

@TheITJedi Will you be creating a step by step video for this? I was following your steps on this thread and hit a roadblock in the Server Manager section. I am trying to install this on W10, and I'm just banging my head trying to find ways of making my server secure by reverse proxy/SSL. I would very much appreciate assistance on this. Thanks!

TheITJedi (Author), Posted November 26, 2021

No, I don’t plan to make a video. I don’t have the needed bits for that. This guide is for Windows Server. There is no Server Manager on Windows 10. You can however still install IIS! To install IIS on Win 10, you need to go to control panel > programs and features > turn off windows features. In the list, check the boxes for IIS.

3 hours ago, Zerok said: "@TheITJedi Will you be creating a step by step video for this? I was following your steps on this thread and hit a roadblock in the Server Manager section. I am trying to install this on W10, and I'm just banging my head trying to find ways of making my server secure by reverse proxy/SSL. I would very much appreciate assistance on this. Thanks!"

Carlo, Posted November 26, 2021

On 11/24/2021 at 11:36 AM, TheITJedi said: "The point of this post was to have a full guide for how to set up Emby on Windows Server as an easily consumed service for the people who will use it. This build includes publicly recognized certificates, auto renewal of certificates, standard web ports, auto redirect from HTTP to HTTPS, running the server as a service, adding proper security headers, and rewriting the server name. This may or may not be what you are looking for, but when I set out to set up my instance, it’s how I wanted it built (as an IT/Infrastructure/Network/Security professional for 20 years), and since there was no guide for this, I made one."

I'm struggling to see the benefit of this myself. If you run behind Cloudflare you just open the proper port on your router or set up a tunnel instead for best security (no router ports open from the outside). Set your domain name in Emby, the port as well as reverse proxy mode. Done. No need to deal with certs or proxies as you leave that up to Cloudflare to handle for you. Alternately, you can get a cert directly from them as well if you really want. I prefer to use a wild card cert for my domain so any sub-domain I create is covered by default with me having to do anything.

I used to use IIS a lot for large corporate sites and really like it, but it would be among my last choices to use for a reverse proxy running on the same machine as Emby. There are far better choices IMHO to use, such as nginx or traefik. It's going to be a whole lot easier to find pre-done proxy settings for other apps as well, which is a huge benefit if running a reverse proxy with different apps.

If the only "web server" you run exposed to the Internet is Emby, a reverse proxy isn't needed. In that case a script to fetch certs is all that's needed if you don't already sit behind a reverse proxy such as Cloudflare. If you can't write scripts to do this, Certify for Windows (other platforms as well) can do this and more for you. It's all point and click, so you can get a cert and basically place it anywhere on a drive or network share, or use built-in APIs already configured for many different apps.

The problem in general with any type of auto renew scripting is the method they use to renew and what ports might be required to be open. If you want to run on non-standard ports it's a no go, since they want port 80 and 443 open. If using a wild card cert it's even more involved. You can have a nice locked down network that now requires ports be open just for this purpose. Let's Encrypt is still having issues on some platforms due to their root cert fiasco.

IMHO, it's just easier to let Cloudflare handle all this for you, including the renewals. You really don't need to know or understand anything about certs if running behind them for most software.

Besides my personal opinions, I will say nicely done on the guide.

cul8rmom1, Posted January 14, 2022

Instead of doing that run as a service stuff, I just set up a task in Task Scheduler to run it on boot. Seems like that would be easier and shorten the tutorial. (In a Windows 10 VM. I don't know if there are other implications doing it this way.)

Cheers,

Turbofiero, Posted January 19, 2022

Cannot thank you enough for this guide! A total meatball like myself was able to follow this guide, along with a couple of others, to create a webpage for my server where I can access a couple of other web UIs to manage downloads as well as watch on Emby.

I have one weird quirk however, perhaps just caused by an IIS misconfiguration: my website limits have no effect anymore... so if I download from one of the virtual directories on my site, it tries to gobble up all the bandwidth. Any idea what's happening here? Limits function on other sites on the server, just not this particular site.

Any input is appreciated!

TheITJedi (Author), Posted January 19, 2022

1 hour ago, Turbofiero said: "Cannot thank you enough for this guide! A total meatball like myself was able to follow this guide, along with a couple of others, to create a webpage for my server where I can access a couple of other web UIs to manage downloads as well as watch on Emby. I have one weird quirk however, perhaps just caused by an IIS misconfiguration: my website limits have no effect anymore... so if I download from one of the virtual directories on my site, it tries to gobble up all the bandwidth. Any idea what's happening here? Limits function on other sites on the server, just not this particular site. Any input is appreciated!"

Are you saying the reverse proxy isn’t following the limits?

Turbofiero, Posted January 19, 2022

It would seem IIS doesn't follow the set limits, at all... Completely uninstalled IIS, repeated the whole process, same result: IIS's set limits have zero effect.

Turbofiero, Posted February 3, 2022

For those that'd like to increase security, I've found a nice way of banning IPs for failed login attempts.

IPBan has a custom entry you can use for Emby! The 4th post here has a working configuration; only the path to the logfile needs to be changed to wherever you've placed the emby-server folder.

If you or one of your users ban themselves, all you have to do is drop an unban.txt file containing the IP address into IPBan's folder.

It can be installed from PowerShell with this command:

    iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))

A couple of notes for noobs like myself: it's now named ipban.config, not ipban.dll.config, and the custom entry is around line 215.

Hope this helps improve somebody's security!

Turbofiero, Posted February 3, 2022

Correction... my bad, I meant a post further down (11th), not the 4th; the regex is "sServer" not "sHttpServer"

Turbofiero, Posted April 21, 2022 (edited)

I think I've gotten the header rewrite to work, needed a couple of small changes.... It should look more like this: the content type should be application/x-javascript, so I added that to the preconditions, and the pipes need to be made literal with a \ in front of each.

    <!-- &lt; &gt; and &quot; are XML-escaped so the attribute values stay well-formed -->
    <rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
        <match filterByTags="None" pattern="&lt;title&gt;(.*)&lt;/title&gt;" />
        <action type="Rewrite" value="&lt;title&gt;NAME_OF_YOUR_SERVER&lt;/title&gt;" />
    </rule>
    <rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
        <match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
        <action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
    </rule>
    <rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
        <match filterByTags="None" pattern="title.Name\|\|&quot;Emby&quot;:&quot;Emby&quot;" />
        <action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
    </rule>
    <preConditions>
        <preCondition name="ResponseIsHtml1">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
        </preCondition>
        <preCondition name="ResponseIsJS">
            <add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript|application/x-javascript" />
        </preCondition>
        <preCondition name="NeedsRestoringAcceptEncoding">
            <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
        </preCondition>
    </preConditions>

Edit: also, here's a better IPBan config

    <LogFile>
        <Source>Emby</Source>
        <PathAndMask>C:/Emby Server/programdata/logs/embyserver.txt</PathAndMask>
        <Recursive>true</Recursive>
        <FailedLoginRegex>
            <![CDATA[
                (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+for\s(?<username>.+)\shas.+\n.+AUTH-ERROR:\s(?<ipaddress>.+)\s-\s|(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+AUTH-ERROR:\s(?<ipaddress>.+)\s-\sInvalid\susername\sor\spassword
            ]]>
        </FailedLoginRegex>
        <SuccessfulLoginRegex>
            <![CDATA[
                (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+IP=(?<ipaddress>.+),\sX-O.+\n.+Authentication\srequest\sfor\s(?<username>.+)\shas\ssucceeded
            ]]>
        </SuccessfulLoginRegex>
        <PlatformRegex>Windows</PlatformRegex>
        <PingInterval>10000</PingInterval>
        <MaxFileSize>16777216</MaxFileSize>
        <FailedLoginThreshold>7</FailedLoginThreshold>
    </LogFile>

aaaand the command I posted above is missing the first half, unsure why; this is the right command to install IPBan:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))

Edited April 21, 2022 by Turbofiero

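Added example (not part of Turbofiero's post, and not IPBan or Emby code): a PowerShell check that runs the FailedLoginRegex from the config above through the .NET regex engine over sample log lines and counts failures per address against the FailedLoginThreshold of 7. The log lines are constructed to fit the pattern rather than captured from Emby, default regex options are assumed, and the plain per-address count stands in for IPBan's own logic.

```powershell
# Added example: not IPBan or Emby code.
# Pattern copied unchanged from the <FailedLoginRegex> element in the post above.
$failedLoginRegex = @'
(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+for\s(?<username>.+)\shas.+\n.+AUTH-ERROR:\s(?<ipaddress>.+)\s-\s|(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+AUTH-ERROR:\s(?<ipaddress>.+)\s-\sInvalid\susername\sor\spassword
'@
$threshold = 7   # <FailedLoginThreshold> from the same <LogFile> entry

# CONSTRUCTED log lines shaped to fit the pattern; not captured Emby output.
# 203.0.113.7 and 198.51.100.23 are documentation addresses.
$lines = @(
    '2022-04-21 10:15:01.123 Info UserManager: Authentication request for alice has been denied'
    '2022-04-21 10:15:01.130 Error Server: AUTH-ERROR: 203.0.113.7 - Invalid username or password entered.'
    '2022-04-21 10:17:12.555 Info Server: http/1.1 GET /emby/System/Info/Public'
)
# Seven single-line failures from one address, enough to reach the threshold.
$lines += @(1..7 | ForEach-Object {
    '2022-04-21 10:20:{0:d2}.000 Error Server: AUTH-ERROR: 198.51.100.23 - Invalid username or password entered.' -f $_
})
$logText = $lines -join "`r`n"   # CRLF, as in a log file written on Windows

# Run the pattern with default regex options (an assumption about how it is applied).
$hits = foreach ($m in [regex]::Matches($logText, $failedLoginRegex)) {
    $ipText = $m.Groups['ipaddress'].Value
    $parsed = $null
    [pscustomobject]@{
        Timestamp = $m.Groups['timestamp'].Value
        Username  = $m.Groups['username'].Value   # empty when the single-line alternative matched
        IpAddress = $ipText
        # (?<ipaddress>.+) accepts any text, so check the capture parses as an address
        IsValidIp = [System.Net.IPAddress]::TryParse($ipText, [ref]$parsed)
    }
}

# Every failed-login match, one row per match.
$hits | Format-Table -AutoSize | Out-Host

# Addresses whose failure count reaches the threshold (a plain count, not IPBan's own logic).
$hits | Where-Object IsValidIp |
    Group-Object IpAddress |
    Where-Object Count -ge $threshold |
    Select-Object @{ Name = 'IpAddress'; Expression = { $_.Name } }, Count
```

Running the same check against a copy of the real embyserver.txt before enabling the entry shows whether the pattern still matches the log format of the installed Emby version.
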
drashna, Posted April 22, 2022

This is brilliant! Is it possible to get this working as a subdirectory, rather than a full site? Eg, "https://sitename.local/emby/" ?

Turbofiero, Posted April 22, 2022

54 minutes ago, drashna said: "This is brilliant! Is it possible to get this working as a subdirectory, rather than a full site? Eg, "https://sitename.local/emby/" ?"

I had it under a subdirectory and it worked fine; you may need to change the "Proxy to Emby" rule to include the subdirectory though.

drashna, Posted April 23, 2022

5 hours ago, Turbofiero said: "I had it under a subdirectory and it worked fine; you may need to change the "Proxy to Emby" rule to include the subdirectory though."

Just tested this out and yeah, can confirm that as well. Awesome!

drashna, Posted April 23, 2022

On 7/2/2021 at 12:05 AM, TheITJedi said: "ADD-ON: Rename Emby Server Browser Title [...]"

This doesn't look to be fully functional anymore. I have noticed it will flash the name you want and then switch back to "emby".

TheITJedi (Author), Posted April 23, 2022

On 4/21/2022 at 12:47 PM, Turbofiero said: "I think I've gotten the header rewrite to work, needed a couple of small changes.... [...]"

Thanks for updating that! Life has been super busy lately and I haven’t gotten around to posting updates for web.config and an auto-updater PowerShell script (works with stable & beta, also supports copying custom/edited files back). When time allows, I’ll get them posted!

drashna, Posted April 28, 2022

A couple of things I've noticed. I have IIS10 (Server 2022), and I've found a few settings that remove the need for IISCrypt, at least on this version.

The server farm isn't needed, and adds additional complexity/issues.

Under the binding for the site, you can disable "legacy TLS", e.g. v1.0 and 1.1.

The advanced settings have HSTS configuration, removing the need for both the "force SSL" and "HSTS" URL rewrite rules.

These may not be available depending on the version of IIS used. But less is more, IMO. And this only gets you an A rating, because some of the ciphers are still available, I think. However, I don't like using IISCrypt, as it can cause issues and has for me both in the past and currently (broke RD Gateway on my server).