Help with Linux Remote access setup

[Ranse 6]

Hello ,
I am struggling getting HTTPS remote access setup for my emby server.

My setup is the following:
Server - Debian 11 stable
DDNS - I have free DDNS  from duckduck, no IP, and Google DNS , but would prefer running the free ones if  possible.
Server has VPN running (nordvpn will switch to mullvad soon) but can disable it or remove if this would complicate things . ( I have tested my setup with and without VPN)

Also as an option can try using Nvidia Shield as server or Synology NAS.

Port forwarding works, on regular 8096, I could reach the 8096 on both DDNS and public IP, and could see the hit counters increase on fortigate firewall.

I have seen step by step guides for Windows Server using Cloudflare , but can't find anything for Linux.
My main issue is acquiring and automating the SSL renewal, couldn't get the lets encrypt working.

Please recommend some solution, that requires minimal maintenance.
Thanks in advance.
 

[Q-Droid 989]

Some recommend the SWAG docker image for its simple setup and low maintenance. I haven't used it but many in here do. Use this forum's search feature for Emby related setup and options.

https://hub.docker.com/r/linuxserver/swag

[Ranse 6]

Does docker use hardware acceleration for transcoding? Or do you mean use docker only for SWAG?

 

[sargenthp 35]

I do not believe Docker can do hardware acceleration.

 

Install the package certbot.  That is what is used to create letscreate certificates.

This will create your first certificate...

# certbot register
# certbot certonly --manual

Then you will need to create a pfx file for Emby to use, and then update Emby to where you put this file...

# openssl pkcs12 -export -out /path_to_certs/emby_ssl.pfx -inkey /etc/letsencrypt/live/domain_name/privkey.pem -in /etc/letsencrypt/live/domain_name/fullchain.pem -keypbe NONE -certpbe NONE -nomaciter -passout pass:

 

Biggest thing is that the certs are only good for 90 days.  So I disabled the certbot cronjob and created my own script to check and renew the cert and regenerate the pfx file.  I also backup my certificates.

Command to renew the certificate with certbot is just:  /usr/bin/certbot renew

[Ranse 6]

ok so I have managed to get it working with self generated cert ,using reverse proxy on synology and forwarding the port on fortigate.
The remote access is going to be used only on two phones, but I have some concerns regarding security.

I have  "Hide this user from login screens when connected remotely" and "Hide this user from login screens on devices they've never signed into", also these
"Allow remote control of other users"  "Allow remote control of shared devices" are unchecked.

any other tips or suggestions, to improve the privacy and security ?

[Q-Droid 989]

HW accel does work for Emby on docker but the recommendation was for swag in docker, not Emby.  Swag includes a reverse proxy, fail2ban, SSL cert renewal automation and a few other things. Supposedly a set and forget option.

 

[Q-Droid 989]

Caddy is another option some use for Emby.

[CassTG 113]

I would concur with Swag, i swear by it having tried nearly all of them, they have tonnes of presets (including one for emby) and each preset includes commented guides if you need to do anything extra (emby here is an example which has guides)

You can proxy to other docker containers or local services and they have a detailed guide on how to do it.

Swag Setup. << Official Docs

On top of that the swag docker has certbot built in for obtaining certs (either via DNS or http) and can obtain either letsencrypt or zerossl certs (zerossl unlimited certs) and has fail2ban built in so it takes care of a bit of security for you.

And yes you can passthrough GPU's / Intel cpu QS for hardware encoding into a docker container. If you do go docker route (which personally i highly recommend especially if you want to ever move your emby server to new hardware easily!!) Linuxservers Emby docker has always been rock solid for me.

Anyways if you do go Docker route, check my signature for a complete setup guide including, Swag, Emby and portainer (only thing you would need to update is the current docker release versions quoted in the guide)