My emby server has been flagged as a Deceptive site.

[Q-Droid 643]

55 minutes ago, rbjtech said:

I'm referring to the reason for Google flagging the site (the word - 'emby' being used which Google is flagging as 'impersonating' emby.com (ie Phishing)  - I don't believe this has anything to do with the security headers ?

As far as I can tell the only static reference to Emby that is left is the one below. The rest are derived from settings such as domain and server name. So if you do use emby in the domain or server name those will be included in headers and page content.

 

Quote

    <div class="mainDrawer hide focuscontainer-y padded-bottom-page" is="emby-scroller" data-horizontal="false" data-centerfocus="true" data-navcommands="card" data-bindheader="false" data-skipfocuswhenvisible="true">

 

Edited July 17, 2023 by Q-Droid

[Spaceboy 2493]

47 minutes ago, cypher0117 said:

I have a nearly identical setup as you.  HAproxy, acme certs, CAA, A+ ssl labs, etc.  I have so far - knock on wood - not been flagged.  I've added extra configurations to the security headers in my HAproxy that have given my site an A grade on https://securityheaders.com.  I can't say that it's the reason for sure, but my site is has been used close to daily for the last few years without being flagged.

 - edited for spelling

same here, almost identical setup and i've made no changes since this issue was first noticed. I did one day see the deceptive site warning and thought i was going to have some work on my hands but despite checking since (a couple of months ago) it hasnt appeared further.

[lucian.pearce 0]

Well I have been delisted again let see how long it lasts

Review successful for domain.tld

To: Webmaster of domain.tld,

Google has received and processed your security review request. Google systems indicate that domain.tld no longer contains links to harmful sites or downloads. The warnings visible to users are being removed from your site. This may take a few hours to happen.

[plupien79 2]

I just setup another frontend on my HAproxy to be media.domain.tld.

And it's instantly flagged. However my other sites sonarr, radarr, nextcloud ETC all work just fine.

[Guest simon_hancock]

My domain has been working fine with SSL, until today when I updated my certificate and encountered this same problem with google flagging my domain as deceptive. 

[harrv 88]

On 5/23/2023 at 12:44 PM, Luke said:

We're looking at putting together a new stable maintenance release with this update. Thanks guys.

Thanks to Luke and the whole team for the changes! I  see that Emby was updated to use the server name (or friendly name if you set it in Emby settings) of the Emby server. It is used for the html <title> (seen in your browser tab) and is also used as the value of several meta tags:

<link rel="manifest" href="manifest.json">
<meta name="description" content="Your Server Name">
<meta name="application-name" content="Your Server Name">

<meta property="og:title" content="Your Server Name">
<meta property="og:site_name" content="Your Server Name">
<meta property="og:description" content="Energize your media.">

<title>Your Server Name</title>

My server was flagged by Google as "deceptive" a couple of times back in March before you'd made these changes, and in an attempt to get around that problem I made the same changes you did, but additionally I updated the contents of manifest.json to remove references to Emby (with the exception of the iPhone and Android app links). I also replaced all of the Emby logo images with custom ones I made, including favicon.ico. My site hasn't been flagged as deceptive in the five months since I did that!

I really have no idea if the reason my server has not been re-flagged is because I also updated those images, and replaced Emby references in the manifest.json, or if that is not necessary. But until we know for sure, do you think you could also use the server name inside manifest.json? And perhaps give us a folder where we can put custom images and use those if present? The ones I replaced are:

/app/emby/dashboard-ui/favicon.ico
/app/emby/dashboard-ui/images/icon-72x72.png
/app/emby/dashboard-ui/images/icon-96x96.png
/app/emby/dashboard-ui/images/icon-128x128.png
/app/emby/dashboard-ui/images/icon-144x144.png
/app/emby/dashboard-ui/images/icon-152x152.png
/app/emby/dashboard-ui/images/icon-192x192.png
/app/emby/dashboard-ui/images/icon-384x384.png
/app/emby/dashboard-ui/images/icon-512x512.png
/app/emby/dashboard-ui/images/splash.png
/app/emby/dashboard-ui/modules/themes/logowhite.png
/app/emby/dashboard-ui/modules/themes/logodark.png

To avoid losing my changes whenever Emby Server is updated, I used a combination of docker volume mapping (for whole file replacement) and a rewrite-body middleware with traefik ingress to make the html changes that you have now made for us. So I shouldn't need the rewrite-body middleware anymore, but I'm still concerned about the image and manifest.json files until we know for sure those don't need to be changed too.

[Luke 37067]

Quote

But until we know for sure, do you think you could also use the server name inside manifest.json?

Yea it makes sense. Thanks.

[rbjtech 4265]

Until we know what Google are actually flagging for - then guessing is just making work for everybody.

@LukeAs owner of the original emby domain - can Google not provide you guidelines on how to go about configurating a related self hosted website without triggering these issues ?

As a side note, I've made no website changes to emby (beta), have 'emby' in my fqdn and yet I have never been flagged - go figure .. 

Edited August 3, 2023 by rbjtech

[Luke 37067]

7 hours ago, rbjtech said:

Until we know what Google are actually flagging for - then guessing is just making work for everybody.

@LukeAs owner of the original emby domain - can Google not provide you guidelines on how to go about configurating a related self hosted website without triggering these issues ?

As a side note, I've made no website changes to emby (beta), have 'emby' in my fqdn and yet I have never been flagged - go figure .. 

We can try to reach out to them for guidance, yes, but certainly right now it seems anything with emby your url is going to be a problem.

[embeclal 0]

Got flagged recently as well. Only emby subdomain got flagged. It could be after I have migrated from cloudflare per subdomain proxy to wildcard proxy, but don't remember exact order of events. Waiting for appeal. Emby is behind nginx, A+ SSL result (obviously because of cloudflare). Running latest (nonbeta) emby.

Edited August 6, 2023 by embeclal

[bkzland 3]

On 7/14/2023 at 7:25 PM, sLIDez0rz said:

Got flagged in March, then unflagged after about 5 days, then flagged again after 2 hours (whole domain).

Had Emby accessible through https://emby.domain.tld, https://domain.tld/emby and https://ip:8096 before. After 2nd flag left only https://emby.domain.tld No problems since then. Running through Nginx proxy manager with Let's encrypt certificate. The only other thing I did was to replace default 302 redirect to 301 redirect in Nginx Proxy Manager configuration (as Google doesn't really like 302 redirects that is there by default)

location = / {
    return 301 https://$host/web/index.html;
}

At the same time also got my instance of Picoshare flagged which was on separate subdomain. Changed nothing there, just submitted that it was a false positive on Google Search Console and everything is fine.

I suppose that only appeals through Google Search Console does anything and the ones through browser does nothing. So if you get flagged, check Google Search Console as it could be other services too that got you flagged.

I don't know if this is the answer, but I added the 301 override to my setup as well, currently flagged by the same malicious warning, and still waiting for repeated check by Google after adding the 301 redirect.

For anyone running behind nginx-proxy docker container who wants to add this change:

You want to 301 redirect the root URL of / only, so it's not forwarded by emby as 302 anymore, while still maintaing proxy-pass forwardings for every other request URI with more than just the root / present.

Create a text file called <VIRTUALHOST>_location_override (as per the env variable your docker-compose uses) with contents:

    location = / {
        return 301 https://$host/web/index.html;
    }

    location ~ ^/.+ {
        proxy_pass http://$host$request_uri;
    }

and add it as a mount in your docker run or docker-compose file:

docker run ... -v <VIRTUALHOST>_location_override:/etc/nginx/conf.d/<VIRTUALHOST>_location_override

 

Check that the content was correctly added in your nginx-proxy container with something like

docker exec -it nginx-proxy more /etc/nginx/conf.d/default # look for your vhost block, it should contain an include statement to the override file you added, but no default location block in the default file.

 

[FancyNerd92 9]

I have the same problem on Chrome and if I go from incognito on Chrome the ssl it works fine.

Any ideas?

I clear the cache but nothing...

[Luke 37067]

11 hours ago, FancyNerd92 said:

I have the same problem on Chrome and if I go from incognito on Chrome the ssl it works fine.

Any ideas?

I clear the cache but nothing...

HI, did you submit a ticket with google to get unflagged?

[FancyNerd92 9]

2 hours ago, Luke said:

HI, did you submit a ticket with google to get unflagged?

I did that, but it's not flagged. In Chrome incognito tab mode it works SSL normaly. Only in the main Chrome i'm getting this...  

[Luke 37067]

6 minutes ago, FancyNerd92 said:

I did that, but it's not flagged. In Chrome incognito tab mode it works SSL normaly. Only in the main Chrome i'm getting this...  

Getting what exactly?

[FancyNerd92 9]

On 19/08/2023 at 04:33, Luke said:

Getting what exactly?

I got the red page with the messege like this and must to click on details and visit this site.

On Sunday it fixed itself without to do nothing... i had this problem 4 months now... and i did everything (clear cache, delete cookies etc.) but nothing. I cross fingers to keep it works!

Edited August 21, 2023 by FancyNerd92

[cappapp 7]

On 19/08/2023 at 11:26, FancyNerd92 said:

I did that, but it's not flagged. In Chrome incognito tab mode it works SSL normaly. Only in the main Chrome i'm getting this...  

Same here, flagged in normal chrome, not other browsers. But also chrome incognito mode is fine. I'll try waiting it out, as it's a first for me.

[plupien79 2]

Mine was unflagged, and has already be re-flagged.

[DarkZrobe 3]

Had a user post it was flagged, but when I go to the google search console no warning there and nothing listed on the safe search website.

 

Running 4.8.0.44

[plupien79 2]

I actually added the subdomain to my Google account in the search tools.

I was then able to trigger a review to which I got the attached response.

 

 

Edited September 17, 2023 by plupien79
Redact url

[bkzland 3]

After adding the workaround to prevent 302 redirect to the login page around 30 days ago, my emby server has not been re-flagged yet. Knock on wood.

[ARGO1960 0]

Seems google does not like emby at all :-(..

I'm having this issue also but rememberd I had installed some plugins to play with.

Like "IPTV" and "XMLTV" also M3U TV Tuner, and that google warning abot my internal LAN only enby site started after that.

(Anyway nothing of those 3 I got to work..)

So I uninstalled those 3 and rebooted the server 

Issue gone.

When I wanted to post this message Google did not like the avtivation mail also see below.

Try to figure out witch of those plugins make this tiggers google's "Safe Browsing" and update if I find it.

[Luke 37067]

HI, the plugins that you've installed won't matter.