Happy2Play, posted December 22, 2022:

> 4 hours ago, justinrh said: @Happy2Play what do you get if Emby is configured with a well-known (TLS) port?

Changing Emby to 443 made no difference.

bandit8623 (thread author), posted September 28, 2023:

Version 4.8.0.47 beta, getting B- now. Only thing now is this

rbjtech, posted September 28, 2023 (edited):

If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier on this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.

Q-Droid, posted September 28, 2023 (edited):

> 3 hours ago, rbjtech said: If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier on this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.

This is the way! Regardless of the Emby version and platform. Millions use Apache, nginx, Caddy, etc. in publicly facing sites/applications. They are heavily scrutinized and continually updated to fix security findings.

bandit8623 (thread author), posted September 28, 2023:

> 8 hours ago, rbjtech said: If you want the very latest and timely resolution of security vulnerabilities/standard changes (from PCI DSS, HIPAA, NIST etc.), then you need to use a well-supported reverse proxy, as has been said earlier on this thread: nginx, Caddy etc. Configured correctly, they will also get you an A+ using this testing suite and will decouple all of these security responsibilities/dependencies away from Emby.

That's fine if that's what it takes currently. But if you make a good product it should include all that in the app itself.

Luke, posted September 29, 2023:

> On 9/28/2023 at 1:59 PM, bandit8623 said: That's fine if that's what it takes currently. But if you make a good product it should include all that in the app itself.

You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.

pwhodges, posted September 29, 2023:

No, he's saying that as you provide an https interface, he feels that you should ensure that it is as secure and up to date as that of the best purpose-made web servers.

Personally, I'd rather you concentrate on the media server and encourage us to use a specialised (and free!) reverse proxy if we want (and can justify) a higher level of security. I'd even be happy if you removed the SSL stuff so that we had to use a reverse proxy to provide it!

Paul

bandit8623 (thread author), posted September 29, 2023 (edited):

> 2 hours ago, Luke said: You're saying we should have our own reverse proxy built-in? I think that would turn us into bloatware.

Emby is a webserver, but clearly it's not secure on its own (I think you should make it secure on its own). You are making us do that part too, on top of the SSL certs (certs, I get, are needed for us to host standalone). If a reverse proxy is needed for our servers to be secure then I would say you should require a reverse proxy... When you add extra steps in the middle like this you open us up to security issues. If you made Emby standalone and secure (no need for a proxy) you now control how secure it is vs. everyone doing it a different way.

Luke, posted September 30, 2023:

> 1 hour ago, bandit8623 said: Emby is a webserver, but clearly it's not secure on its own (I think you should make it secure on its own). You are making us do that part too, on top of the SSL certs (certs, I get, are needed for us to host standalone). If a reverse proxy is needed for our servers to be secure then I would say you should require a reverse proxy... When you add extra steps in the middle like this you open us up to security issues. If you made Emby standalone and secure (no need for a proxy) you now control how secure it is vs. everyone doing it a different way.

A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file.

AllowRenegotiation

If you set it to false, then it won't be allowed and that last mention will go away.

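An added example, not part of the thread and not Emby's code: in .NET the runtime setting discussed above is the AllowRenegotiation property of SslServerAuthenticationOptions, set explicitly here on a loopback SslStream listener. The self-signed certificate, listener and client are constructed for the demonstration; how Emby maps its config switch to this property is not shown in the thread.

```csharp
using System;
using System.Net;
using System.Net.Security;
using System.Net.Sockets;
using System.Security.Cryptography;
using System.Security.Cryptography.X509Certificates;
using System.Threading.Tasks;

// Constructed self-signed certificate, used only for this loopback test.
using var rsa = RSA.Create(2048);
var req = new CertificateRequest("CN=localhost", rsa,
    HashAlgorithmName.SHA256, RSASignaturePadding.Pkcs1);
using var ephemeral = req.CreateSelfSigned(
    DateTimeOffset.UtcNow.AddDays(-1), DateTimeOffset.UtcNow.AddDays(7));
// Re-import from PFX so the private key is usable by Schannel on Windows.
using var cert = new X509Certificate2(ephemeral.Export(X509ContentType.Pfx));

var listener = new TcpListener(IPAddress.Loopback, 0); // port 0: OS picks a free port
listener.Start();
int port = ((IPEndPoint)listener.LocalEndpoint).Port;

Task server = Task.Run(async () =>
{
    using TcpClient peer = await listener.AcceptTcpClientAsync();
    await using var tls = new SslStream(peer.GetStream());
    await tls.AuthenticateAsServerAsync(new SslServerAuthenticationOptions
    {
        ServerCertificate = cert,
        // Explicit on .NET 6; from .NET 7 this is already the default.
        AllowRenegotiation = false,
        // EnabledSslProtocols is left unset so the OS defaults apply.
    });
    Console.WriteLine($"server: {tls.SslProtocol}, {tls.NegotiatedCipherSuite}");
});

using var client = new TcpClient();
await client.ConnectAsync(IPAddress.Loopback, port);
await using var clientTls = new SslStream(client.GetStream());
await clientTls.AuthenticateAsClientAsync(new SslClientAuthenticationOptions
{
    TargetHost = "localhost",
    // Pin the constructed certificate rather than switching validation off.
    RemoteCertificateValidationCallback = (_, c, _, _) =>
        c is not null && c.GetCertHashString() == cert.GetCertHashString(),
});
Console.WriteLine($"client: {clientTls.SslProtocol}");
await server;
listener.Stop();
```
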
bandit8623 (thread author), posted September 30, 2023:

> 29 minutes ago, Luke said: A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file. AllowRenegotiation. If you set it to false, then it won't be allowed and that last mention will go away.

I appreciate your efforts! Thanks

bandit8623 (thread author), posted September 30, 2023:

> 18 hours ago, Luke said: A reverse proxy is not required, but much of this depends on the dotnet runtime and what it supports. For example, I notice that starting in .NET 7, renegotiation will not be allowed by default anymore. We're currently on .NET 6, but we can configure that, so for the next beta server build I'll add a hidden config switch that you can set in the server config file. AllowRenegotiation. If you set it to false, then it won't be allowed and that last mention will go away.

I also rebooted. No change. Did I edit the right file?

Luke, posted September 30, 2023:

> 49 minutes ago, bandit8623 said: I also rebooted. No change. Did I edit the right file?

What version number?

bandit8623 (thread author), posted September 30, 2023:

> 1 minute ago, Luke said: What version number?

49

Luke, posted September 30, 2023:

> 9 minutes ago, bandit8623 said: 49

OK, please try again with the next build. Thanks.

bandit8623 (thread author), posted September 30, 2023:

> 29 minutes ago, Luke said: OK, please try again with the next build. Thanks.

Will do. Thx

bandit8623 (thread author), posted October 3, 2023:

> On 9/30/2023 at 3:45 PM, Luke said: OK, please try again with the next build. Thanks.

build 51

Luke, posted October 3, 2023:

> 27 minutes ago, bandit8623 said: build 51

OK, well, there's not much documentation around this, so we may just have to wait on this until we update to .NET 7, when it will be disabled out of the box.

bandit8623 (thread author), posted October 4, 2023:

> 17 hours ago, Luke said: OK, well, there's not much documentation around this, so we may just have to wait on this until we update to .NET 7, when it will be disabled out of the box.

Sounds good. Thx for looking into it.

bandit8623 (thread author), posted January 24, 2024 (edited):

Just wanted to say thx, as now I'm A+. .NET 7 plus using https://www.nartac.com/Products/IISCrypto; this fixed all the issues.