Jump to content

[How-To] Emby Server on Windows Server with IIS as Reverse Proxy with Automatic Certificate Renewal


TheITJedi

Recommended Posts

TheITJedi

@travisgreen37, couple questions.

 

1. Are reverse proxy and Emby collocated on the same machine?

2. What ports are Emby running on? 
3. Did you ensure to set public host name in Emby?

Link to comment
Share on other sites

travisgreen37

No, they are on two different servers. The reverse proxy is IIS installed on Windows Server 2016. The emby server is on a Windows 10 computer.

I did set the public DNS in emby server.

image.thumb.png.f0130f48d9520f2e0abd3ec03c548438.png

Link to comment
Share on other sites

travisgreen37

I figured out the problem. The settings in the web.config file needed to be changed since I'm not using them on the same server. 

Link to comment
Share on other sites

TheITJedi

@travisgreen37, configurations in guide are for everything loves on same box, you will need to update where it’s looking for Emby if they aren’t on the same box. 

Link to comment
Share on other sites

  • 1 month later...
TheITJedi

ADD-ON: Rename Emby Server Browser Title

Hey, for those users who wish to change their page title in browser (as discussed here), here is additional Web.Config information that will let you do just that! By using IIS Re-Write rules to change the page title, you don't have to edit files every time you upgrade your Emby Server!

Adding these 3 rules at the bottom of the rules list, replace whole <preConditions> block too.:
NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar. 

<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
	<match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
	<action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
	<action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
	<action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
    <preCondition name="ResponseIsHtml1">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition>
	<preCondition name="ResponseIsJS">
		<add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
	</preCondition>
	<preCondition name="NeedsRestoringAcceptEncoding">
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
    </preCondition>
</preConditions>

 

 

Edited by TheITJedi
Link to comment
Share on other sites

  • 1 month later...
pepinacosplus

Hi! First of all thank you TheITJedi for this amazing tutorial.

Second, i followed the steps (correctly, i think) until i need to get the certificate. Looks like my machine cant reach the dyndns server. Im using a dual wan setup so i have two public ips and ISP ONT's are in Bridge mode to my main router, ports are open too. I think thats the problem, but i dont know. Any hint on how to resolve this?

Im using a fresh install of Windows 10.

Thank you!

 

EDIT: I can reach the server from outside of my network using "xxxxxx.xxxxx.xxxx:8096"  i can login with my emby account and play material, so my host is accesible, i dont know why it fails when creating the certificate.

"Timeout during connect (likely firewall problem)"

 

Well, did some routing rules and now Emby server is using WAN1 and rest of my house is using WAN2, static IP and dyndns working fine so the public ip is not rotating every minute. Tests of Certify The Web gives me an OK to all but when i try to generate the certificate it fails giving me the same error "Timeout during connect (likely firewall problem)". Some screen caps...

Any help guys? im getting a bit frustrated...

 

Well, after some research, something is blocking port 80 and port 443. My ISP told me that they doesnt block them... i dont know what i can do to resolve this.

 

SOLVED!

 

Edited by pepinacosplus
  • Like 1
Link to comment
Share on other sites

  • 2 months later...
50 minutes ago, Krma said:

Hi, what's is the difference between a normal. Install? I do a normal install on a windows server ands works great. I miss something? 

Hi, a normal install is fine. I think the main point of this topic was automatic SSL renewal.

  • Like 1
Link to comment
Share on other sites

  • 4 weeks later...
TheITJedi
On 10/28/2021 at 2:43 PM, Luke said:

Hi, a normal install is fine. I think the main point of this topic was automatic SSL renewal.

Point of this post was to have a full guide for how to setup Emby on windows server as a an easily consumed service for the people who will use it.

This build includes publicly recognized certificates, auto renewal of certificates, standard web ports, auto redirect from http to https, running the server as a service, adding proper security headers, and rewriting server name.

This may or may not be what you are looking for, but when I set out to setup my instance, it’s how I wanted it built (as IT/Infrastructure/Network/Security professional for 20 years), and since there was no guide for this, I made one. 

  • Like 2
Link to comment
Share on other sites

@TheITJediWill you be creating a step by step video for this? I was following your steps on this thread and hit a roadblock in the Server Manager section.  I am trying to install this on W10, and I'm just banging my head trying to find ways of making my server secure by reverse proxy/SSL. I would very much appreciate assistance on this.

Thanks!

Link to comment
Share on other sites

TheITJedi

No, I don’t plan to make a video. I don’t have needed bits for that. This guide is for windows server. There is no server manager on windows 10. You can however still install IIS! To install IIS on Win 10, you need to go to control panel > programs and features > turn off windows features. In the list, check boxes for IIS. 
 

image.thumb.png.a5afa3f61901ebd2765ecaf4f122ce25.png

3 hours ago, Zerok said:

@TheITJediWill you be creating a step by step video for this? I was following your steps on this thread and hit a roadblock in the Server Manager section.  I am trying to install this on W10, and I'm just banging my head trying to find ways of making my server secure by reverse proxy/SSL. I would very much appreciate assistance on this.

Thanks!

 

Link to comment
Share on other sites

On 11/24/2021 at 11:36 AM, TheITJedi said:

Point of this post was to have a full guide for how to setup Emby on windows server as a an easily consumed service for the people who will use it.

This build includes publicly recognized certificates, auto renewal of certificates, standard web ports, auto redirect from http to https, running the server as a service, adding proper security headers, and rewriting server name.

This may or may not be what you are looking for, but when I set out to setup my instance, it’s how I wanted it built (as IT/Infrastructure/Network/Security professional for 20 years), and since there was no guide for this, I made one. 

I'm struggling to see the benefit of this myself. If you run behind Cloudflare you just open the proper port on your router or setup a tunnel instead for best security (no router ports open from the outside). Set your domain name in Emby, the port as well as reverse proxy mode. Done.

No need to deal with certs or proxies as you leave that up to Cloudflare to handle for you. Alternately, you can get a cert directly from them as well if you really want.  I prefer to use a wild card cert for my domain so any sub-domain I create is covered by default with me having to do anything.

I used to use IIS a lot for large corporate sites and really like it but it would be among my last choices to use for a reverse proxy running on the same machine as Emby. There are far better choices IMHO to use such as ngnix or traefik. It's going to be a whole lot easier to find pre-done proxy settings for other apps as well which is a huge benefit if running a reverse proxy with different apps.

If the only "web server" you run exposed to the Internet is Emby a reverse proxy isn't needed. In that case a script to fetch certs is all that's needed if you don't already sit behind a reverse proxy such as Cloudflare. If you can't write scripts to do this Certify for Windows (other platforms as well) can do this and more for you. It's all point and click so you can get a cert and basically place it anywhere on a drive or network share or use built in APIs already configured for many different apps.

The problem in general with any type of auto renew scripting is the method they use to renew and what ports might be required to be open. If you want to run on non-standard ports it's a no go since they want port 80 and 443 open. If using a wild card cert it's even more involved. You can have a nice locked down network that now requires ports be open just for this purpose.

Let's Encrypt is still having issues on some platforms due to their root cert fiasco. IMHO, It's just easier to let Cloudflare handle all this for you including the renewals. You really don't need to know or understand anything about certs if running behind them for most software.

Besides my personal opinions I will say nicely done on the guide. :)

Link to comment
Share on other sites

  • 1 month later...
cul8rmom1

Instead of doing that run as a service stuff I just set up a task in task scheduler to run it on boot.  Seems like that would be easier and shorten the tutorial.  (In a windows 10 VM.  I dont know if there are other implications doing it this way.)

 

Cheers,

Link to comment
Share on other sites

Turbofiero

Cannot thank you enough for this guide!

A total meatball like myself was able to follow this guide, along with a couple others, to create a webpage for my server where I can access a couple other webui's to manage downloads aswell as watch on Emby

I have one weird quirk however, perhaps just caused by an IIS misconfiguration, my website limits have no effect anymore... so if I download from one of the virtual directories on my site, it tries to gobble up all the bandwidth, any idea whats happening here? limits function on other sites on the server, just not this particular site.

Any Input is appreciated!

Link to comment
Share on other sites

TheITJedi
1 hour ago, Turbofiero said:

Cannot thank you enough for this guide!

A total meatball like myself was able to follow this guide, along with a couple others, to create a webpage for my server where I can access a couple other webui's to manage downloads aswell as watch on Emby

I have one weird quirk however, perhaps just caused by an IIS misconfiguration, my website limits have no effect anymore... so if I download from one of the virtual directories on my site, it tries to gobble up all the bandwidth, any idea whats happening here? limits function on other sites on the server, just not this particular site.

Any Input is appreciated!

Are you saying the reverse proxy isn’t following the limits? 

Link to comment
Share on other sites

Turbofiero

It would seem IIS doesnt follow the set limits, at all... Completely uninstalled IIS, repeated the whole process, same result, IIS's set limits have zero effect

Link to comment
Share on other sites

  • 2 weeks later...
Turbofiero

For those that'd like to increase security ive found a nice way of banning IPs for failed login attempts

IPBan has a custom entry you can use for emby! The 4th post here has a working configuration, only the path to the logfile needs to be changed to wherever youve placed the emby-server folder

if you or one of your users ban themselves all you have to do is drop an unban.txt file containing the ip address into ipbans folder

can be installed from powershell with this command

iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))


Couple notes for noobs like myself, its now named ipban.config, not ipban.dll.config, and the custom entry is around line 215

Hope this helps improve somebodys security!

Link to comment
Share on other sites

Turbofiero
  • Correction... my bad, I meant a post further down (11th), not the 4th, the regex is "sServer" not "sHttpServer"
Link to comment
Share on other sites

  • 2 months later...
Turbofiero

I think I've gotten the header rewrite to work, needed a couple small changes.... should look more like this, content type should be application/x-javascript, so I added that to the preconditions, and the pipes need to be made literal with a \ in front of each

 

<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
	<match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
	<action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
	<action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="title.Name\|\|&quot;Emby&quot;:&quot;Emby&quot;" />
	<action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
    <preCondition name="ResponseIsHtml1">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition>
	<preCondition name="ResponseIsJS">
		<add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript|application/x-javascript" />
	</preCondition>
	<preCondition name="NeedsRestoringAcceptEncoding">
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
    </preCondition>
</preConditions>

Edit: also, heres a better IPBan config

 

      <LogFile>

        <Source>Emby</Source>
        <PathAndMask>C:/Emby Server/programdata/logs/embyserver.txt</PathAndMask>
        <Recursive>true</Recursive>
        <FailedLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+for\s(?<username>.+)\shas.+\n.+AUTH-ERROR:\s(?<ipaddress>.+)\s-\s|(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+AUTH-ERROR:\s(?<ipaddress>.+)\s-\sInvalid\susername\sor\spassword
          ]]>
        </FailedLoginRegex>
        <SuccessfulLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+IP=(?<ipaddress>.+),\sX-O.+\n.+Authentication\srequest\sfor\s(?<username>.+)\shas\ssucceeded
          ]]>
        </SuccessfulLoginRegex>
        <PlatformRegex>Windows</PlatformRegex>
        <PingInterval>10000</PingInterval>
        <MaxFileSize>16777216</MaxFileSize>
        <FailedLoginThreshold>7</FailedLoginThreshold>

      </LogFile>


aaaand the command i posted above is missing the first half, unsure why, this is the right command to install IPBan

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))

 

Edited by Turbofiero
Link to comment
Share on other sites

drashna

This is brilliant!

Is it possible to get this working as a subdirectory, rather than a full site?  

Eg, "https://sitename.local/emby/" ? 

Link to comment
Share on other sites

Turbofiero
54 minutes ago, drashna said:

This is brilliant!

Is it possible to get this working as a subdirectory, rather than a full site?  

Eg, "https://sitename.local/emby/" ? 

I had it under a subdirectory, worked fine, you may need to change the "Proxy to Emby" rule to include the subdirectory though

Link to comment
Share on other sites

drashna
5 hours ago, Turbofiero said:

I had it under a subdirectory, worked fine, you may need to change the "Proxy to Emby" rule to include the subdirectory though

just tested this out and yeah, can confirm that, as well.  Awesome!

Link to comment
Share on other sites

drashna
On 7/2/2021 at 12:05 AM, TheITJedi said:

ADD-ON: Rename Emby Server Browser Title

Hey, for those users who wish to change their page title in browser (as discussed here), here is additional Web.Config information that will let you do just that! By using IIS Re-Write rules to change the page title, you don't have to edit files every time you upgrade your Emby Server!

Adding these 3 rules at the bottom of the rules list, replace whole <preConditions> block too.:
NOTE: Make sure you replace ALL 4 instances of NAME_OF_YOUR_SERVER with what you want your server to display in the tab bar. 

<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
	<match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
	<action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
	<action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="title.Name||&quot;Emby&quot;:&quot;Emby&quot;" />
	<action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
    <preCondition name="ResponseIsHtml1">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition>
	<preCondition name="ResponseIsJS">
		<add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript" />
	</preCondition>
	<preCondition name="NeedsRestoringAcceptEncoding">
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
    </preCondition>
</preConditions>

 

This doesn't look to be fully functional anymore.  I have noticed it will flash the name you want and then switch back to "emby".

Link to comment
Share on other sites

TheITJedi
On 4/21/2022 at 12:47 PM, Turbofiero said:

I think I've gotten the header rewrite to work, needed a couple small changes.... should look more like this, content type should be application/x-javascript, so I added that to the preconditions, and the pipes need to be made literal with a \ in front of each

 

<rule name="RewriteTitle" preCondition="ResponseIsHtml1" enabled="true">
	<match filterByTags="None" pattern="&lt;title>(.*)&lt;/title>" />
	<action type="Rewrite" value="&lt;title>NAME_OF_YOUR_SERVER&lt;/title>" />
</rule>
<rule name="RewriteAppHeaderJs" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="document.title=&quot;Emby&quot;" />
	<action type="Rewrite" value="document.title=&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<rule name="RewriteAppHeaderJs2" preCondition="ResponseIsJS" enabled="true">
	<match filterByTags="None" pattern="title.Name\|\|&quot;Emby&quot;:&quot;Emby&quot;" />
	<action type="Rewrite" value="title.Name||&quot;NAME_OF_YOUR_SERVER&quot;:&quot;NAME_OF_YOUR_SERVER&quot;" />
</rule>
<preConditions>
    <preCondition name="ResponseIsHtml1">
        <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/(.+)" />
    </preCondition>
	<preCondition name="ResponseIsJS">
		<add input="{RESPONSE_CONTENT_TYPE}" pattern="application/javascript|text/javascript|application/x-javascript" />
	</preCondition>
	<preCondition name="NeedsRestoringAcceptEncoding">
        <add input="{HTTP_X_ORIGINAL_ACCEPT_ENCODING}" pattern=".+" />
    </preCondition>
</preConditions>

Edit: also, heres a better IPBan config

 

      <LogFile>

        <Source>Emby</Source>
        <PathAndMask>C:/Emby Server/programdata/logs/embyserver.txt</PathAndMask>
        <Recursive>true</Recursive>
        <FailedLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+for\s(?<username>.+)\shas.+\n.+AUTH-ERROR:\s(?<ipaddress>.+)\s-\s|(?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+AUTH-ERROR:\s(?<ipaddress>.+)\s-\sInvalid\susername\sor\spassword
          ]]>
        </FailedLoginRegex>
        <SuccessfulLoginRegex>
          <![CDATA[
            (?<timestamp>\d\d\d\d-\d\d-\d\d\s\d\d:\d\d:\d\d).+IP=(?<ipaddress>.+),\sX-O.+\n.+Authentication\srequest\sfor\s(?<username>.+)\shas\ssucceeded
          ]]>
        </SuccessfulLoginRegex>
        <PlatformRegex>Windows</PlatformRegex>
        <PingInterval>10000</PingInterval>
        <MaxFileSize>16777216</MaxFileSize>
        <FailedLoginThreshold>7</FailedLoginThreshold>

      </LogFile>


aaaand the command i posted above is missing the first half, unsure why, this is the right command to install IPBan

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12; iex ((New-Object System.Net.WebClient).DownloadString('https://raw.githubusercontent.com/DigitalRuby/IPBan/master/IPBanCore/Windows/Scripts/install_latest.ps1'))

 

Thanks for updating that! Life has been super busy lately and I haven’t gotten around to posting updates for web.config and an auto-updater PowerShrell script (works with stable & beta, also supports copying custom/edited files back). When time allows, I’ll get them posted!

Link to comment
Share on other sites

drashna

A couple of thingsI've noticed.  I have IIS10 (Server 2022), and I've found a few settings that remove the need for IISCrypt, at least on this version.

  1. The server farm isn't needed, and adds additional complexity/issues. 
  2. under the binding for the site, you can disable "legacy TLS", eg, v1.0, and 1.1.  
  3. The advanced settings have HSTS configuration, removing the need for both the "force SSL" and "HSTS" url rewrite rules.

These may not be available depending on the version of IIS used.  But less is more, IMO.  And this only gets you an A rating, because some of the cyphers are still available, I think.    However, I don't like using IISCrypt, as it can cause issues and has for me both in the past and currently (broke RD Gateway on my server)

Link to comment
Share on other sites

Create an account or sign in to comment

You need to be a member in order to leave a comment

Create an account

Sign up for a new account in our community. It's easy!

Register a new account

Sign in

Already have an account? Sign in here.

Sign In Now
×
×
  • Create New...