Haruko Ishikawa, posted June 22, 2021 (edited): Well, so I have a question. Is there a way to only permit access through the domain? So what I would like to do is to deny access directly to the server IP and instead only allow connections containing the domain name. Is there a way to do this? Do you need a reverse proxy or so internally? I will be happy to hear your thoughts!! Edited June 22, 2021 by Haruko Ishikawa
Luke, posted June 22, 2021: Hi, there is no way to configure this in Emby Server, but I imagine you could via reverse proxy settings. @pir8radio may have some tips.
Carlo, posted June 22, 2021: Hi, probably the easiest way to accomplish this would be to install your server behind Cloudflare. Have you looked into their free service?
Haruko Ishikawa (author), posted June 23, 2021: I am currently using Cloudflare, but somehow my IP is still listed. For example, Censys still lists the origin IP. Would you like to tell me how you configured your Cloudflare?
Carlo, posted June 23, 2021: Basically, in Cloudflare you want all DNS records to show as "Proxied" and not "DNS only". DNS only will give away your IP address, while Proxied will not.
Haruko Ishikawa (author), posted June 24, 2021: This is how it looks for me. Try to type your own hostname on Censys: https://search.censys.io/ This site can somehow still get the origin IP. This is why I want to block IP access and only allow access from the hostname. I may have a solution, though. I can build my own forward proxy internally.
Carlo, posted June 26, 2021: That can happen if you have a leak in your DNS setup, but does it really matter? People don't really target domains for gaining access to your system but instead run port scans of different IPs, so with or without a domain name it's not really any different.
Haruko Ishikawa (author), posted June 26, 2021: Hmm? Well, you may be right! But I still want to enforce the use of Cloudflare. That can be bypassed with the origin IP.
Haruko Ishikawa (author), posted June 26, 2021: But thanks for all the help, though! I will be closing this if I just find out how I am doing that. I have my own idea. I will set up a forward proxy which will enforce the use of the domain name so that Cloudflare will be enforced.
Carlo, posted June 26, 2021: Just trying to understand what you are trying to accomplish. I'm assuming you only have one port open for Emby, being the SSL port, correct? If you use a cert generated by Cloudflare in Emby and have Emby set for Required, the only path that will work is via Cloudflare, because only Cloudflare will be able to use your server's cert to decrypt the packets.
rodainas, posted June 26, 2021 (edited): You can set it up with something like nginx to access your server only by domain, and the IP just gives an error. You can set a server block like this:

    # Catch-all for anything that does not match a named server block,
    # i.e. requests that arrive by bare IP address.
    server {
        listen 80 default_server;
        listen [::]:80 default_server;
        #return 301 https://$host$request_uri;
    }

    server {
        listen 443 ssl default_server;
        listen [::]:443 ssl default_server;
        # Self-signed cert with a throwaway name, only used to complete the
        # handshake before the connection is dropped.
        ssl_certificate /etc/ssl/certs/nginx-selfsigned.crt;
        ssl_certificate_key /etc/ssl/private/nginx-selfsigned.key;
        return 444;   # close the connection without sending a response
    }

then a specific block for Emby:

    ## Emby
    server {
        listen [::]:443 ssl http2;   ## Listens on port 443 IPv6 with http2 and ssl enabled
        listen 443 ssl http2;        ## Listens on port 443 IPv4 with http2 and ssl enabled
        proxy_buffering off;         ## Sends data as fast as it can, not buffering large chunks.
        server_name yourservername.com;
        ## ssl_certificate / location / proxy_pass directives for Emby go here
    }

Edited June 26, 2021 by rodainas
Haruko Ishikawa (author), posted June 26, 2021: Yes, that was my idea as well, yeah! I think I will take that approach!
pir8radio, posted July 1, 2021 (edited):

On 6/23/2021 at 6:27 AM, Haruko Ishikawa said: "I am currently using Cloudflare, but somehow my IP is still listed. For example, Censys still lists the origin IP. Would you like to tell me how you configured your Cloudflare?"

Your IP is listed on Censys due to the SSL cert you are using on your origin server. It probably mentions your domain name. DO NOT use the cert Cloudflare gives you for your origin, and do not create a self-signed cert with your real domain name. So what Censys does is go out and find every HTTPS response, log the SSL cert and what IP that SSL cert responded on. It does not care about the domain name it used to find that cert. So now Censys has all of these SSL certs; they all contain the domain names they are to secure, and Censys links those domain names to the IP the cert was found on. Even though you have certs through Cloudflare that are protected and link back to their IPs, you created a back door by using an origin SSL cert that also contains your real domain name, and that cert can be served up over your real IP, leaving bread crumbs.

To fix: since Cloudflare will accept any SSL cert from an origin server, I suggest you make your origin SSL cert something fake, like making the SSL cert for coolbikes.com or lkjfdslkjfdslkfdslkjsfd.com, something like that. So when Censys logs that SSL cert it will be associated with your real server IP, but people and Censys won't be able to link the lkjfdslkjfdslkfdslkjsfd.com SSL cert to your actual domain name. For example, my site: https://notallmine.net. Bet you can't trace that domain to my real internet IP. It's hidden, no back doors, no leaks.

That said... you still have a problem with hiding your origin IP, and that is if you EVER had a DNS entry for your domain name that pointed to that IP, it's already on the internet. The only way to truly hide a server is to use a fresh IP address that has never been tied to a domain name, or exposed an SSL cert linking that IP to a real domain name. Give me a domain name and I can get you a list of every IP that has ever been tied to that domain name; even if that IP is dynamic, I can tell you your ISP and general location, which is usually not good, gets you one step closer to finding who owns the server.

But back to your original question: yes, using nginx you can prevent direct IP access a few ways. In the NGINX reverse proxy:

    # Default server: catches requests whose Host/SNI does not match a
    # named server block (i.e. direct IP access) and drops them.
    server {
        listen [::]:80;
        listen 80;
        listen 443 ssl http2 default_server;
        listen [::]:443 ssl http2 default_server;
        server_name "PUT YOUR REAL SERVER IP ADDRESS HERE";
        return 444;   # close the connection without a response
        ssl_session_timeout 10m;
        # TLSv1 and TLSv1.1 are deprecated; TLSv1.2 is the usual minimum today
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        # Cert for a throwaway name, not one that carries the real domain
        ssl_certificate ssl/kjfdsjlfd_com_pub.pem;
        ssl_certificate_key ssl/kjfdsjlfd_com_pvt.pem;
        ssl_session_cache shared:SSL:10m;
    }

Also, you will want to use the Cloudflare feature shown here: https://developers.cloudflare.com/ssl/origin-configuration/authenticated-origin-pull and you do that in nginx like this:

    # In the server block for your real domain name: only clients presenting
    # a certificate signed by Cloudflare's origin-pull CA get through.
    ssl_client_certificate ssl/special_CF_Cert.crt;
    ssl_verify_client on;

Edited July 1, 2021 by pir8radio
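A check for the certificate leak pir8radio describes, as an added example that is not code from this thread, Emby, Cloudflare or nginx: it looks at the names on the cert an origin serves on its bare IP (no SNI, the way a scanner connects) and reports whether any of them tie the IP to the real domain. The leak test is a pure function over the dict shape Python's ssl module uses; probe_origin is an assumed helper that needs the third-party cryptography package, and the domain names in the comments are constructed.

```python
import socket
import ssl

def cert_names(cert):
    """Hostnames a certificate claims, in the dict shape ssl's getpeercert()
    uses: subjectAltName DNS entries plus the subject commonName."""
    names = set()
    for kind, value in cert.get("subjectAltName", ()):
        if kind == "DNS":
            names.add(value.lower().rstrip("."))
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                names.add(value.lower().rstrip("."))
    return names

def leaks_real_domain(cert, real_domain):
    """True if any cert name ties the IP to real_domain: an exact match,
    a parent such as example.net for media.example.net (constructed names),
    or a wildcard (*.example.net). Assumes the last label is the public suffix."""
    labels = real_domain.lower().rstrip(".").split(".")
    candidates = {".".join(labels[i:]) for i in range(len(labels) - 1)}
    for name in cert_names(cert):
        base = name[2:] if name.startswith("*.") else name
        if base in candidates:
            return True
    return False

def probe_origin(ip, port=443, timeout=5.0):
    """Fetch the cert an origin serves on its bare IP as a scanner would:
    no SNI, no validation. Parses the DER with the third-party 'cryptography'
    package, because ssl returns an empty dict for an unvalidated peer."""
    from cryptography import x509  # third-party; imported only when probing
    from cryptography.x509.oid import ExtensionOID, NameOID
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    with socket.create_connection((ip, port), timeout=timeout) as sock:
        with ctx.wrap_socket(sock) as tls:  # no server_hostname -> no SNI sent
            der = tls.getpeercert(binary_form=True)
    parsed = x509.load_der_x509_certificate(der)
    cns = [a.value for a in parsed.subject.get_attributes_for_oid(NameOID.COMMON_NAME)]
    try:
        san = parsed.extensions.get_extension_for_oid(ExtensionOID.SUBJECT_ALTERNATIVE_NAME)
        dns = san.value.get_values_for_type(x509.DNSName)
    except x509.ExtensionNotFound:
        dns = []
    return {"subject": tuple((("commonName", cn),) for cn in cns),
            "subjectAltName": tuple(("DNS", d) for d in dns)}
```

Run `leaks_real_domain(probe_origin("<your origin IP>"), "<your real domain>")` against your own server; a throwaway-name cert as suggested in the thread should return False, a cert naming the real domain returns True.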