GeneralTsoSo 5 Posted July 31, 2024 (edited)

Hello all!

To premise this post, I have been searching Google, Reddit, and the Emby community forum on and off for a few days, changing up the keywords to help me understand if my streaming content is secure and not visible to ISP and prying eyes.

Setup:
TrueNAS Scale server hosting all media.
Ubuntu Desktop VM with Emby installed - pulls media from TrueNAS media folders over the local network.
Nginx Proxy Manager Ubuntu server VM - Using this to reverse proxy the Emby server to an external URL.

When running Wireshark, and accessing my Emby server via web browser, it seems that the content is secure. I'm not seeing any local IP addresses (I'll get back to this shortly). Everything seems to be proxied through NPM. I'm seeing one of the two Cloudflare IP addresses or my domain URL serving information to my machine requesting info via web browser using QUIC protocol.

However, when accessing the Emby server URL via the Emby Theater application, as the app starts, the first few entries show my ISP IP address as the source, and my Emby server internal IP address as the destination. The Wireshark info for this entry is "random port > 8096(http for the Emby server) [SYN]..." Once this SYN is complete, it seems that all data after the local IP address packet resolves to my Emby server's URL or I'll see one of two Cloudflare IP proxy addresses. And I see that the Application Data packet has TLSv1.2 as the protocol and other TCP packets after the local IP address packet show to be "https(443) > random port" and "random port > https(443)".

When the SYN is complete with Emby Theater, is my family content encrypted or unencrypted as they request to view or stream it through Emby Theater?

I hope the Emby Theater portion makes sense, apologies if this may be confusing to understand. I'm having a difficult time explaining the Emby Theater portion over text and providing any necessary info.

I have attached a picture, the red/orange highlight is the ISP IP address, the green highlight is my Emby server internal IP address. This Wireshark info pic is when I connect to my Emby server using my subdomain URL with Emby Theater.

Ultimately what I would like to know is if my content is secure? I host this for family and they use my subdomain URL to access my Emby server either with a web browser or Emby Theater.

I very much appreciate the time of everyone who clicks to read this and may provide any educational information that I can use to better protect my server and the family content served over the Internet.

Thank you,
GeneralTsoSo

Edited July 31, 2024 by GeneralTsoSo Grammar
Abobader 3464 Posted July 31, 2024

Hello GeneralTsoSo,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread:

Thank you.
Emby Team
Luke 42079 Posted July 31, 2024

Hi, what are the resulting https requests associated with these?
pwhodges 2012 Posted July 31, 2024

What is your actual security concern? At the start you specify hiding content from the ISP etc, but at the end you are worrying about IP addresses. These are very different matters.

Paul
Q-Droid 989 Posted July 31, 2024

Are you monitoring clients on LAN, WAN or both? Some apps might behave differently when on the same subnet as the server and not present a true picture of the remote sessions. If you want to examine actual WAN traffic you should probably plug Wireshark into the WAN side/mirror port.
GeneralTsoSo 5 Posted July 31, 2024 Author

9 hours ago, Luke said:
> Hi, what are the resulting https requests associated with these?

Hi Luke, thank you for your time.

Packets 14-31 are Emby Theater data loading in, thumbnails, etc. as I open the application.

Ultimately, my confusion is why am I seeing my internal IP address as the destination for packets 11 and 13 as Emby Theater opens?

Thank you.
GeneralTsoSo 5 Posted July 31, 2024 Author

2 hours ago, pwhodges said:
> What is your actual security concern? At the start you specify hiding content from the ISP etc, but at the end you are worrying about IP addresses. These are very different matters.
> Paul

Paul, thank you for your reply.

I just replied to Luke. I would like to know why I see my internal IP address and my ISP as the source as Emby Theater is opening and loading thumbnails, etc. My assumed expectation is that I shouldn't be seeing that, and I should be seeing Cloudflare IP addresses or the actual name of my Emby subdomain.

Thank you!
GeneralTsoSo 5 Posted July 31, 2024 Author

11 minutes ago, Q-Droid said:
> Are you monitoring clients on LAN, WAN or both? Some apps might behave differently when on the same subnet as the server and not present a true picture of the remote sessions. If you want to examine actual WAN traffic you should probably plug Wireshark into the WAN side/mirror port.

Hi Q-Droid,

The Wireshark picture is me using my phone's mobile hotspot and connecting my desktop to it. I noticed this same thing happening when I was using Wireshark at work and having Emby Theater open and connect using my subdomain URL.

Thank you!
Q-Droid 989 Posted July 31, 2024

Does your Hotspot use the same private subnet as your home LAN? I ask because ET should not have tried to access a private network URL unless it was local to the server. But if the same thing happened on a completely different subnet then ET and other Emby apps might be making plain text calls to unroutable networks when they shouldn't.
GeneralTsoSo 5 Posted July 31, 2024 Author (edited)

Question outside of my issue. What is the time allowed to edit a post? I was going to edit my original with additional info. But realized I need to make a new post.

I come with some new, maybe not new information. I had some time this morning to test while at work, using my PC there. I have noticed a few ways that I see my internal IP address when using ET.

1. Upon opening ET, I will see my work PC as the source and home internal IP as the destination.
2. When ET is open (and we've seen packets with my local IP as destination), if I change server and click on the server that is already available, I will see work/source and localIP/destination. However, if I click change server > add server > and type the server info and login, Wireshark doesn't see those packets. Not sure why this is the case.

The image ws_et_opening I have added shows two instances of opening ET back to back. There are always two grey entries first when initially opening ET, then the black lines occur when the ET home page is loading. However, no additional black lines are loaded when I open different media folders, and select content before actually playing it. And when playing media, no additional black lines occur either. This seems to only happen upon some initial connection.

Additionally, when reading the packet information under Transmission Control Protocol I see that Conversation completeness was incomplete, as seen in the convo image. Would this mean that the SYN packet didn't reach my server, the server didn't reply, or something else? It's the same error in the picture in my initial post. The colors for Wireshark are different, apologies if this caused any confusion.

In the last image, allsharknobite, the green marks (packets 277, 298) are the two local IP entries as ET is opening on my PC. The purple/pink marks (packets 284, 285) are the Cloudflare exchange. You can see the IP address in line 283 matches lines below it with Application Data and TCP packets.

From what I'm seeing, it seems that a connection is attempting to be made, but is dropped or doesn't resolve? I do not see any other local IP entries after the two initial opening packets (277, 298) unless they are the black TCP retransmission lines as seen in the first image. I guess security should be ok?

I hope this information helps.

Thank you,
GeneralTsoSo

Edited July 31, 2024 by GeneralTsoSo
GrimReaper 4740 Posted July 31, 2024

1 minute ago, GeneralTsoSo said:
> Question outside of my issue. What is the time allowed to edit a post? I was going to edit my original with additional info. But realized I need to make a new post.

For "Rookie" (your current) Member group: 15 minutes.
GeneralTsoSo 5 Posted July 31, 2024 Author

2 minutes ago, GrimReaper said:
> For "Rookie" (your current) Member group: 15 minutes.

Thank you, Mr. Reaper. I hope the soul hunting goes well for you today!
Solution
ebr 16184 Posted July 31, 2024

44 minutes ago, GeneralTsoSo said:
> From what I'm seeing, it seems that a connection is attempting to be made, but is dropped or doesn't resolve?

Hi. Our apps will always attempt to connect to your server with the local address because that will be the most efficient if it is possible. If that fails, they try the remote address.

Does that answer your question?
GeneralTsoSo 5 Posted July 31, 2024 Author

5 minutes ago, ebr said:
> Hi. Our apps will always attempt to connect to your server with the local address because that will be the most efficient if it is possible. If that fails, they try the remote address. Does that answer your question?

Ebr,

Thank you for your reply. I actually believe that it does! From what you're saying and what I'm seeing with Wireshark, your statement seems to be the case. It seems to look for a local address, but doesn't sync to anything, then moves onto what I see are the Cloudflare addresses.

I feel ok to mark this request as closed. I hope this information helps others who are curious about this as well.

Thank you ebr, and thank you everyone else that commented!
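
Added example (not part of the thread and not Emby code): a small checker for the situation discussed above, where a client first sends a SYN to the server's private address on port 8096 and then falls back to the proxied HTTPS address. It reads a comma-separated packet export whose columns are named after tshark display fields and reports, per destination, whether any payload left the machine and whether it was inside TLS. The column order, the 1/0 flag encoding and every address in the sample are assumptions made for illustration.

```python
import ipaddress

RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
# Constructed sample (not from the thread's capture). Columns, comma-separated:
# ip.src, ip.dst, tcp.srcport, tcp.dstport, tcp.flags.syn, tcp.flags.ack,
# tcp.len, tls.record.content_type (empty when the packet has no TLS record)
SAMPLE = """\
172.20.10.2,192.168.1.50,51000,8096,1,0,0,
172.20.10.2,192.168.1.50,51000,8096,1,0,0,
172.20.10.2,203.0.113.10,51001,443,1,0,0,
203.0.113.10,172.20.10.2,443,51001,1,1,0,
172.20.10.2,203.0.113.10,51001,443,0,1,517,22
203.0.113.10,172.20.10.2,443,51001,0,1,1400,23
"""

def is_rfc1918(addr):
    # ip_address().is_private also covers documentation ranges, so test RFC 1918 explicitly
    return any(ipaddress.ip_address(addr) in net for net in RFC1918)

def audit(rows):
    """Map 'dst:port' -> (address scope, verdict) for each client-opened flow."""
    flows = {}
    for line in rows.splitlines():
        src, dst, sport, dport, syn, ack, length, tls = line.split(",", 7)
        fwd, rev = (src, sport, dst, dport), (dst, dport, src, sport)
        if syn == "1" and ack == "0":          # client SYN (or its retransmission)
            flows.setdefault(fwd, {"answered": False, "bytes": 0, "tls": False})
        elif syn == "1" and rev in flows:      # SYN-ACK: the server answered
            flows[rev]["answered"] = True
        elif fwd in flows or rev in flows:     # data or ACK on a known flow
            flow = flows[fwd] if fwd in flows else flows[rev]
            flow["bytes"] += int(length)
            flow["tls"] = flow["tls"] or bool(tls)
    report = {}
    for (_, _, dst, dport), f in flows.items():
        if f["tls"]:
            verdict = "TLS"
        elif f["bytes"]:
            verdict = "CLEARTEXT payload"      # data sent on a flow with no TLS record
        elif f["answered"]:
            verdict = "connected, no payload"
        else:
            verdict = "SYN only, no payload sent"
        scope = "private" if is_rfc1918(dst) else "public"
        report[f"{dst}:{dport}"] = (scope, verdict)
    return report

if __name__ == "__main__":
    print(audit(SAMPLE))
```

A "SYN only" verdict for the private address corresponds to the incomplete conversation and retransmissions seen in the capture: the connection attempt was never answered, so no request or media data was sent on it.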