
Question about Secure Connections and "Handled by reverse proxy"


Dreakon13


Let me preface this by just saying, I'm really very inexperienced with all of this.

I've recently started allowing remote connections on my Emby server... in a novice effort to try and secure my setup, I followed some instructions on setting up DDNS with the Let's Encrypt certificate through the Synology DSM.  After a night of cursing and anger, I forwarded Emby's https port in my router, told Emby to use the "Handled by reverse proxy" secure connection mode, set up the reverse proxy on my Synology as I've seen others describe around here, and I got to the point where my browser recognized the connection to my Emby server as Secure through the "emby.synology.me:port" that I set up.  Yippee.

I went back and tried my original remote IP address (ie. 123.123.123.123:port) and Emby still worked... but with Not Secure flashing in my face.

To reiterate, using that DDNS on the https port was secure, but using the remote IP address directly on the https port isn't secure and still works for some reason?

 

Am I wrong that the point of this exercise was to eliminate insecure remote connections to the server?  Like connecting with my remote IP address insecurely shouldn't work anymore?  Did I miss a step somewhere on the Synology or Emby side of things?  Or am I just misunderstanding the goal here?

 

Sidenote: I've never run into more "0 result" searches in Google than I have since I started messing with this stuff. 😅  Thanks Internet.


BaukeZwart

Remove the port forward for the default Emby port(s) in your router, only leave ports 443 and 80 forwarded to your Emby server's IP.

That way Emby can't be accessed on the default port (123.123.123.123:port) from outside your LAN. 

You will always be able to access Emby on the default port on your local LAN.


Dreakon13
2 hours ago, BaukeZwart said:

Remove the port forward for the default Emby port(s) in your router, only leave ports 443 and 80 forwarded to your Emby server's IP. [...]

Thank you for your reply.

If I remove the port forward on the public https Emby port, then both the secure "emby.synology.me:port" and the insecure "123.123.123.123:port" fail to work.  Effectively disabling remote access.

I'd like to keep remote access going, just prevent the insecure connections.


BaukeZwart

Then something isn't set correctly. With a remote proxy and port 443 and 80 forwarded it should work. It does for me. Post your remote proxy settings please.


Dreakon13

  

14 minutes ago, BaukeZwart said:

Post your remote proxy settings please. [...]

[two screenshots of the DSM reverse proxy settings, not reproduced]

 

I had to change the public https port from Emby's default 8920 to 8921 because the reverse proxy errored claiming it "was already in use by another application".  One of the many error messages I've run into that apparently no one has ever gotten before and Google turned up empty handed lol.


Dreakon13

I changed the Source port to 443 in the DSM's reverse proxy and it seems to have improved the situation.  I tried that a hundred times last night and it kept telling me that 443 was reserved for system use and to choose a different port... not sure why it worked this morning.

Now my "emby.synology.me" (even without a port) is directing me to the secure site and the remote IP doesn't appear to work anymore.  Which is what I wanted.

However... when I try to log into Emby through another device app using that "emby.synology.me" either with no port or 443... it's telling me all my users have the wrong password when a. it's the right password and b. I tried removing the password from my user.


BaukeZwart

Source port in DSM reverse proxy should be set to 443, so that's OK now.

 

You don't use the port number when connecting using the synology.me address. 

Attached my Emby settings. 

[screenshot of BaukeZwart's Emby network settings, not reproduced]


Dreakon13

Thank you again for your help.  I've changed the public HTTP/HTTPS ports to match yours, since that seems to be the only difference.

Things still seem to be improved, except I can no longer access my server on devices through the secure "emby.synology.me" site as it claims all users have "Invalid username or password.  Please try again." ... even for the ones with no password that have previously worked.


BaukeZwart

No idea what causes that, never had that problem. I use the synology.me URL from various devices including my phone. Never any issues.


Dreakon13
4 minutes ago, BaukeZwart said:

No idea what causes that, never had that problem. [...]

I forgot to include the "https://" at the beginning when setting up the server connection on the Emby device app.  I deleted the server, entered it again correctly, and it seems to be working now.

Is there any way to confirm that users access through devices are connected securely?  It doesn't have that nice little lock symbol in the corner like browsers do. :P


BaukeZwart

If you use the synology.me address it's https traffic, so encrypted. Using a reverse proxy adds extra security because a port scan won't work.


Q-Droid

Not secure warning means your certificate doesn't match the url. It never will for IP addresses in the navigation bar. The connection is still encrypted. 

You were fine at the beginning. 

 


A32

I never touched anything on Emby's side related to remote connections. All you need to do is to make sure that Emby is reachable and working fine on your LAN. Synology's (DSM) reverse proxy will make remote connections look local to Emby, so it's all transparent (and secure), and that's the best part. So no need for that "handled by reverse proxy" setting or any other remote settings on Emby (at least from my experience).

What I've noticed is that you've configured emby.synology.me on your reverse proxy. You'll need to configure something for Emby as a subdomain (on the proxy server settings).

emby.synology.me (or whatever you choose), points to your public address (the external WAN address assigned to you by your ISP as it appears on the Synology DDNS server when updated by your Synology NAS). So you'll need something to take it further "internally" when it's intercepted by DSM's reverse proxy and that would be the subdomain (you can use whatever you want), like mymedia.mynas.synology.me or emby.mynas.synology.me…

It’s like dialing a company’s main board and then punching in an extension number. The main board number is your public IP address, the extension is your Emby server (or any other services you want to expose over the reverse proxy, like File Station or the DSM management interface for example).

Use https/443. https://mymedia.mynas.synology.me

I posted the below screenshot on another thread too. I hope the above helps, in addition to the excellent guidance you’ve already received.

[screenshot of A32's reverse proxy setup, referenced above, not reproduced]


Dreakon13
1 hour ago, Q-Droid said:

Not secure warning means your certificate doesn't match the url. It never will for IP addresses in the navigation bar. The connection is still encrypted. [...]

 

How do I know it's encrypted if it's flagged as not secure?  Because it's using "https://" and/or because it's on the designated HTTPS port I was forwarding?

Unless there's something technically wrong security-wise with the changes I've made, I guess I prefer forcing remote access down the certificate matching/visibly secure route... but it sounds like maybe it wasn't a terribly important change to make.  Thank you for the info.

 

1 hour ago, A32 said:

What I've noticed is that you've configured emby.synology.me on your reverse proxy. You'll need to configure something for Emby as a subdomain (on the proxy server settings). [...]

I'm not totally sure how to do this, but is this beneficial for security reasons, or just organization-wise so I can use other subdomains for other things and leave the root/"main board" for general purpose and not Emby specifically?  I appreciate the insights and the example.

EDIT: I'm using my NAS primarily for Emby and media streaming purposes so I'm not opposed to having the main(?) domain pointing to Emby specifically.  As long as it isn't inherently a security risk.


A32

The browser verifies if the host header matches the fully qualified domain name (FQDN) on the certificate. if it doesn’t (like when you use the IP address to access it on your LAN via https) it gives a warning. Internally, I use http and the IP address and port. If you want to use https internally –I don't see why since it's your LAN and you're streaming video/audio– and you don't want to receive a warning (that you can instruct your browser to trust BTW), then you'll need a way to resolve the domain name to the IP address internally (DNS server, a router with static DNS service or a loopback capable router). So when you type your domain it matches the presented certificate.

I trust that you've already configured a certificate on your NAS (e.g. the free Let's Encrypt).

When connecting remotely, do you receive a warning on your browser? If you don't then you should be fine.
You can also use a free tool (this is for iOS) to check your domain and any others. TLS Inspector (https://www.tlsinspector.com/).

As for whether it's organizational or for security. It's for both. It's easier to remember embymedia.mynas.synology.me, for example, instead of your domain and some port number (e.g. https://mynas.synology.me:31586). And for security, it adds an extra layer to your remote access by “reverse funneling” everything through the reverse proxy over a single standard secure port (443) and hiding what's behind the proxy. So (as mentioned by @BaukeZwart), port scans don't reveal much, and unless someone knows that you have a subdomain called embymedia for example, they won't be able to reach your Emby’s login screen.

On the topic of security, I highly recommend enabling DSM's firewall (unless you have a dedicated firewall appliance). Just make sure you understand how it works, otherwise you might lock yourself out. However, the basic idea with any firewall is to block the whole world and allow only what you want (e.g. your local subnet and your country, certain protocols or ports).

 

1 hour ago, Dreakon13 said:

EDIT: I'm using my NAS primarily for Emby and media streaming purposes so I'm not opposed to having the main(?) domain pointing to Emby specifically.  As long as it isn't inherently a security risk.

It’ll work but it’s not as secure and as elegant as using a Reverse Proxy. Your domain name (or public IP address) will take anyone to your Emby’s login screen.

Once you start opening remote access, you should secure as much (layers) as you can on your device IMHO.


Dreakon13
41 minutes ago, A32 said:

The browser verifies if the host header matches the fully qualified domain name (FQDN) on the certificate. [...] When connecting remotely, do you receive a warning on your browser? If you don't then you should be fine.

To clarify, the original concern wasn't that my LAN IP was not secure... I expected that and wasn't worried about it.  It was that the remote IP I was using to access was warning me as being not secure, and was still usable.  @Q-Droid suggested it was still secure despite the warning so I was clarifying what made it secure, if not the certificate.

 

Quote

As for whether it's organizational or for security. It's for both. [...] It’ll work but it’s not as secure and as elegant as using a Reverse Proxy. Your domain name (or public IP address) will take anyone to your Emby’s login screen.

I won't bother you too much more and I appreciate all of the info... but I'm not following this totally.  Is what I'm doing not using a reverse proxy?  I don't currently need to use the port since I made the 443 change (and unforwarded Emby's HTTPS port), so I think we're speaking the same language just without the subdomain.

Is the subdomain just more secure because its harder to guess?  Or is there something more to it.


BaukeZwart

I can't see if you are using a sub domain or not. 

What I have done is I have a domain, say mynas.synology.me; for Emby in the reverse proxy setting I use the sub domain emby. So the URL is emby.mynas.synology.me.

The nice thing is you can add any number of applications just by adding them to the reverse proxy with a different sub domain.

app1.mynas.synology.me

app2.mynas.synology.me

app3.mynas.synology.me

And no need to add any port forwards.


Q-Droid
38 minutes ago, Dreakon13 said:

[...] @Q-Droid suggested it was still secure despite the warning so I was clarifying what made it secure, if not the certificate.

 

The security warning means that the client (you) should not trust the connection to the endpoint (your server) because the certificate could not be validated for said endpoint. Basically the mismatch means the browser doesn't really know if your connection is to your server. But you do know it's your server, so not an issue. 

The warning message doesn't mean your server itself is not secure or open to hacks. Doesn't mean it's secure either.

If you want to see the details from a browser like Chrome (or Chromium) go to your site via IP to trigger the warning then press f12. The browser developer tools will open with a security overview showing the reason for the warning and the negotiated secure connection settings.

 


Dreakon13

I decided to re-configure my DDNS to something else and set up the reverse proxy to operate on a subdomain instead.  It came through as not secure initially so I replaced the cert with one that allowed for a wildcard for subdomains in front of my DDNS domain.  It all seems to be working, and generally makes sense to me.  Hopefully I did it right. 😁

I learned a lot, thanks for the help all!


  • 2 months later...
Tremas
On 5/14/2021 at 11:57 AM, Dreakon13 said:

I decided to re-configure my DDNS to something else and set up the reverse proxy to operate on a subdomain instead.  It came through as not secure initially so I replaced the cert with one that allowed for a wildcard for subdomains in front of my DDNS domain. [...]

Hi @Dreakon13. I'm in a very similar situation configuring my first Synology NAS and getting up to speed on modern servers. I'm planning on using Emby, Photostation and maybe Audiostation remotely. I am at the same point you were having configured a static IP, DDNS and SSL cert but am getting hung up on the sub domains. May I ask where you decided to get your wildcard cert? I had hoped to use Synology's Let's Encrypt service since the system will automatically renew it, but from what I'm reading their automated service doesn't cover a wildcard cert. I'm using my own domain name, not synology.me and was hoping to avoid running a separate script to update the cert every few months. Any suggestions?


Dreakon13
12 hours ago, Tremas said:

[...] May I ask where you decided to get your wildcard cert? [...]

Hey, reading around it sounds like the wildcard cert only worked because I'm using synology.me.  Looks like I just included the wildcard as part of the Subject Alternative Name when re-adding the new cert.


Tremas
On 7/16/2021 at 10:08 PM, Dreakon13 said:

Hey, reading around it sounds like the wildcard cert only worked because I'm using synology.me. [...]

OK, thanks. That's what I'm running into. Looks like I'm in for another layer of complexity to use a domain other than synology.me.
