therock12 4 Posted April 22, 2022
Plex has it built in that you can have it set up to use SSL without having to create and install your own certificates. They teamed up with Let's Encrypt. Any chance you would make that an option on Emby? Even if it was just for those that pay for Emby Premier.
crusher11 1101 Posted April 22, 2022
Plex runs all your traffic through their own server.
sydlexius 297 Posted April 22, 2022
58 minutes ago, crusher11 said: Plex runs all your traffic through their own server.
Not to mention that the equivalent of this at Emby Connect already leverages a proper wildcard cert:
ebr 16171 Posted April 22, 2022
Hi. Yes, we would like to provide this but it is much harder for us to do. The other guys control your connection to your server. We do not.
MBSki 1114 Posted April 22, 2022
8 minutes ago, ebr said: Hi. Yes, we would like to provide this but it is much harder for us to do. The other guys control your connection to your server. We do not.
It would be nice if you could find a way, but understand the challenge.
sydlexius 297 Posted April 22, 2022
2 hours ago, mbarylski said: It would be nice if you could find a way, but understand the challenge.
Not that this addresses your request, and it's not particularly easy, but in my case I have a Linux server that hosts docker containers for Emby and Linuxserver Swag (Nginx, Let's Encrypt/Certbot, and fail2ban). In my case, I mapped the path from the exported private keys in Let's Encrypt to a container path for Emby. If you have a similar setup, I could put up a set of sanitized instructions for how I did this.
Dazik 46 Posted April 22, 2022
7 minutes ago, sydlexius said: Not that this addresses your request, and it's not particularly easy, but in my case I have a Linux server that hosts docker containers for Emby and Linuxserver Swag (Nginx, Let's Encrypt/Certbot, and fail2ban). In my case, I mapped the path from the exported private keys in Let's Encrypt to a container path for Emby. If you have a similar setup, I could put up a set of sanitized instructions for how I did this.
Yeah, I have a Pi running an NGINX reverse proxy on the front of my network, it controls my Emby connections among other things. In which case I'm just using CertBot to maintain SSL certificates automatically. There are a ton of guides here (searchable) on how to do this. It's not very difficult. And gives you more control of the traffic and ability to log more.
sydlexius 297 Posted April 22, 2022
24 minutes ago, Dazik said: Yeah, I have a Pi running an NGINX reverse proxy on the front of my network, it controls my Emby connections among other things. In which case I'm just using CertBot to maintain SSL certificates automatically. There are a ton of guides here (searchable) on how to do this. It's not very difficult. And gives you more control of the traffic and ability to log more.
My scale-of-ease was rated against an "easy button" in Emby that does all of this automagically. For Windows-based users, going down the road of embedded devices that handle reverse-proxy (which still leaves Emby with self-signed certs on its secured port) is harder...even if that embedded device is a NAS such as Synology or QNAP.
Dazik 46 Posted May 14, 2022 (edited)
On 4/22/2022 at 12:23 PM, sydlexius said: My scale-of-ease was rated against an "easy button" in Emby that does all of this automagically. For Windows-based users, going down the road of embedded devices that handle reverse-proxy (which still leaves Emby with self-signed certs on its secured port) is harder...even if that embedded device is a NAS such as Synology or QNAP.
Understandable. My server is run off Windows. The whole reason I stuck a Pi in front of it is so I can do more with the connections. Pi 3+LCD Screen was $89 total. Debian, install nginx + certbot, one simple config to route to the local IP/PORT, then 1 command to auto-setup the certificate (and renew it without you needing to touch it when it's due). My config is not as complex as some others here. I just need it to work.

Nginx Config to be created in /etc/nginx/sites-enabled:

    server {
        server_name www.your.domain.com your.domain.com;

        location / {
            # The local Emby server
            proxy_pass http://192.168.1.2:8096;
            proxy_set_header Host YOUR.DOMAIN.COM;
            proxy_set_header Range $http_range;
            proxy_set_header If-Range $http_if_range;
            proxy_set_header X-Real-IP $remote_addr;
            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

            # Next three lines allow websockets
            proxy_http_version 1.1;
            proxy_set_header Upgrade $http_upgrade;
            proxy_set_header Connection "upgrade";
        }
    }

After creating, run

    /etc/init.d/nginx restart

"OK Status" means your config is good. Now run certbot to create/maintain the certificate:

    certbot --authenticator standalone --installer nginx -d your.domain.com -d www.your.domain.com --pre-hook "systemctl stop nginx" --post-hook "systemctl start nginx"

When prompted by certbot, select option 2. Redirect all traffic to https (port 443)

Once working, set up any clients to connect to https://your.domain.com and port 443

All you need to do for local network is ensure the local connection is going to the NGINX server instead of the emby server. The NGINX server will connect over LAN and serve the pages via reverse proxy.

I like mine mostly because if there are any connection issues I will see a red line behind my monitor which alerts me to an error. Then it's just a matter of checking the logs.

Edited May 14, 2022 by Dazik
slevin7 86 Posted May 19, 2022
wouldn't it be easiest to use the nginx proxy manager via docker?
chenks 21 Posted May 19, 2022
On 22/04/2022 at 04:53, sydlexius said: Not to mention that the equivalent of this at Emby Connect already leverages a proper wildcard cert:
i'm a bit confused by this. indeed app.emby.media does have a cert, but when i log in using my emby connect account, and try to select my server i get the following error
https://app.emby.media/#!/startup/selectserver.html
"We're unable to connect to the selected server right now. Please ensure it is running and try again."
but if i go via http://app.emby.media/#!/startup/selectserver.html then there are no problems
seanbuff 1316 Posted May 19, 2022
6 minutes ago, chenks said: but if i go via http://app.emby.media/#!/startup/selectserver.html then there are no problems
You can only use the secure (https) version of the web app if your own server is also secured with SSL. Otherwise you will only be able to use the non-secure version.
chenks 21 Posted May 19, 2022
1 hour ago, seanbuff said: You can only use the secure (https) version of the web app if your own server is also secured with SSL. Otherwise you will only be able to use the non-secure version.
ah, that's quite disappointing. i was comparing it to Plex and Plex doesn't require your own server to have SSL when using the hosted web app
GrimReaper 4739 Posted May 19, 2022
31 minutes ago, chenks said: ah, that's quite disappointing. i was comparing it to Plex and Plex doesn't require your own server to have SSL when using the hosted web app
Plex operates on a different principle; with Emby, you are always connecting directly to your server, you're just loading hosted web app but the traffic is not routed through external servers.
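Why the https:// copy of the hosted web app cannot reach a plain-http server while the http:// copy can, as an added example that is not part of any post or of Emby's code: a simplified JavaScript model of the browser's mixed-content rule. It assumes the hosted app's script calls the server directly with fetch/XHR/WebSocket requests; the function names and scenario URLs are constructed for illustration.

```javascript
// Added illustration (not Emby code): simplified model of the browser's
// mixed-content check for requests made by a page's script.

// Schemes the browser treats as authenticated transport.
const SECURE_SCHEMES = new Set(["https:", "wss:"]);

// Loopback hosts count as trustworthy even over plain http/ws.
function isLoopback(hostname) {
  return hostname === "localhost" || hostname === "[::1]" ||
    /^127\.\d{1,3}\.\d{1,3}\.\d{1,3}$/.test(hostname);
}

function isPotentiallyTrustworthy(url) {
  const u = new URL(url);
  return SECURE_SCHEMES.has(u.protocol) || isLoopback(u.hostname);
}

// "allowed" or "blocked" for a script-initiated request from pageUrl to targetUrl.
function checkRequest(pageUrl, targetUrl) {
  // A page loaded over http has no mixed-content restriction at all.
  if (new URL(pageUrl).protocol !== "https:") return "allowed";
  // A page loaded over https may only talk to authenticated endpoints.
  return isPotentiallyTrustworthy(targetUrl) ? "allowed" : "blocked";
}

// Constructed scenarios using the placeholder hosts from this thread.
const SCENARIOS = [
  ["https://app.emby.media/", "http://192.168.1.2:8096/"], // https app, http server
  ["http://app.emby.media/", "http://192.168.1.2:8096/"],  // http app, http server
  ["https://app.emby.media/", "https://your.domain.com/"], // https app, TLS proxy
  ["https://app.emby.media/", "ws://192.168.1.2:8096/"],   // insecure websocket
  ["https://app.emby.media/", "wss://your.domain.com/"],   // websocket over TLS
];

function evaluate() {
  return SCENARIOS.map(([page, target]) =>
    ({ page, target, result: checkRequest(page, target) }));
}

for (const row of evaluate()) {
  console.log(`${row.page} -> ${row.target}: ${row.result}`);
}
```

The block happens in the browser before any packet reaches the server, so nothing appears in the server or proxy logs for the rejected request.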
chenks 21 Posted May 19, 2022 (edited)
35 minutes ago, GrimReaper said: Plex operates on a different principle; with Emby, you are always connecting directly to your server, you're just loading hosted web app but the traffic is not routed through external servers.
i get that, and i already have a cert installed on my NAS for own domain hosted on the NAS (and managed certs on other webservers), however to say "you are always connecting directly to your server" is a little incorrect, as if you are connecting to it via app.emby.media then you are not connecting DIRECTLY to your server, you're connecting to it via app.emby.media, which is then, i presume, re-directing you on to your own server. having to add yet another cert is another hassle in an already busy NAS
Edited May 19, 2022 by chenks
ebr 16171 Posted May 19, 2022
27 minutes ago, chenks said: i get that, and i already have a cert installed on my NAS for own domain hosted on the NAS (and managed certs on other webservers), however to say "you are always connecting directly to your server" is a little incorrect, as if you are connecting to it via app.emby.media then you are not connecting DIRECTLY to your server, you're connecting to it via app.emby.media, which is then, i presume, re-directing you on to your own server. having to add yet another cert is another hassle in an already busy NAS
Once you log in, it is still a direct connection to your server so the creation and management of certificates becomes much more difficult. For us to do this, we'd have to provide the domain you use to communicate with your server.
chenks 21 Posted May 19, 2022 (edited)
1 hour ago, ebr said: Once you log in, it is still a direct connection to your server
yeah i get that, but as far as the browser is concerned, i'm connecting to app.emby.media which reports as being insecure. i assume what you are doing is a reverse proxy or similar? is there a step-by-step guide for setting one up for emby on a synology NAS?
Edited May 19, 2022 by chenks
sydlexius 297 Posted May 19, 2022
7 hours ago, slevin7 said: wouldn't it be easiest to use the nginx proxy manager via docker?
That's certainly an easy solution to use, but I'm old school and like knowing exactly what's been applied. I prefer config files to handle this, and leverage SWAG instead. To each their own though!
Tank_Killer 7 Posted October 2, 2023
I also would like an easy way to encrypt the traffic between host-client