MoviezMcGee 2 Posted September 5, 2024 For added security, I'd like to connect to my server with SSL on my LAN. Emby server says it's running HTTPS on port 8920 but why can't I go to https://localhost:8920? Emby server says "In-Home (LAN) access: http://192.168.1.2:8096" but not for HTTPS. Why?! That means technically anyone on LAN could see HTTP requests in plain, unencrypted! How do I enable LAN SSL?
guunter 49 Posted September 5, 2024 You need to upload a cert to use the built-in SSL. Or you can set up a reverse proxy like Caddy or NPM to proxy HTTP to HTTPS. There are guides around here to do that.
Lessaj 467 Posted September 5, 2024 Yes, first you need to get 8920 working with a certificate; however, local clients will still try to use 8096. You can try to block the port with firewall rules on your network equipment or the device itself to try to force use of 8920, but I'm not actually sure what local clients will do since I enforce HTTPS with a reverse proxy instead, so the behaviour may be different when connecting directly.
MoviezMcGee 2 Posted September 6, 2024 Author (edited) @guunter I use Caddy to remotely view my stuff but it works for LAN?! Guess I'll try it. I was mainly hoping Emby could do SSL natively on LAN and disable HTTP entirely, but it doesn't self-sign a cert and IDK where I can even add a cert in the settings to do it natively; there's no cert box. If I use Caddy, it still means a component of my server is being run unencrypted using HTTP the step before the proxy. Why no easy option for Emby to do self-signed SSL on the given HTTPS port for LAN and use that by default? I'd rather use HTTPS ONLY and use the HTTPS port for my Caddy reverse proxy too. If anything, I think it would be cool for Emby to handle generating a Let's Encrypt cert automagically like Caddy does so we can have legit SSL built in that even browsers will enjoy. Maybe a feature request? I just think it's bad to have a server use HTTP in 2024 and it's something I figure is doable. I don't want to host through Emby, I still use a reverse proxy, but I want the data all encrypted using Let's Encrypt or another legit CA. Edited September 6, 2024 by MoviezMcGee
MoviezMcGee 2 Posted September 6, 2024 Author @Lessaj how do I certify the port 8920? The only way to add a cert in Emby's GUI is to enable remote connections, but I want my server to be local only and let a reverse proxy handle remote connections. I just want to securify port 8920 with SSL on my LAN, similar to how a modern router does it, and make my server use an encrypted port exclusively for all LAN activities. I tried finding it in the Emby docs but no use.
Lessaj 467 Posted September 6, 2024 30 minutes ago, MoviezMcGee said: @Lessaj how do I certify the port 8920? The only way to add a cert in Emby's GUI is to enable remote connections, but I want my server to be local only and let a reverse proxy handle remote connections. I just want to securify port 8920 with SSL on my LAN, similar to how a modern router does it, and make my server use an encrypted port exclusively for all LAN activities. I tried finding it in the Emby docs but no use. Oh, I didn't realize that prevented that option from appearing since I have it enabled. Well, as long as you don't forward ports from the outside to it, then technically it's still not accepting any remote connections. You could always adjust the firewall rule to only allow traffic from your Caddy server to your HTTPS port as well.
MoviezMcGee 2 Posted September 6, 2024 Author (edited) @Lessaj Well, I reverse proxy using HTTPS to my DNS. I specifically want to have my local net be SSL secured though, because otherwise a guest could, like, see all the traffic, and that's not a good way for it to work imo. Like, what if my hacker friend hacks me?! He could just log in to my network and Wireshark all my connections. The firewall would help but it seems like a bad way to secure it, and I bet my hacker friend would agree lol. Why does Emby not have an option to only use SSL on the LAN? Seems silly! I tried to find info online but I only get answers about HTTPS for remote connections. My grandma could be using her virus laptop and someone VPNs in and Wiresharks all my Emby security! Bad option imo. We need SSL by default for Emby IMO, else it's insecure. Most people don't have very secure WiFi, so that needs to be handled by Emby I think. There is just not a good reason to not encrypt local net data. Just because it isn't likely to be attacked doesn't mean it can't be. Like, what if I play Fortnite and someone hacks me and sees a bunch of unencrypted data? That would be bad. Who knows, gamers get hacked with anti-cheat all the time. We need our data to be secured in the local network for many possible reasons. Edited September 6, 2024 by MoviezMcGee
Lessaj 467 Posted September 6, 2024 If you want to keep it limited to the HTTPS port, you can block incoming connections to the HTTP port on the device after you set up HTTPS, but you can't outright turn it off from listening on the port. My server sits on a different subnet so I can block it at both the firewall and local device firewall levels.
MoviezMcGee 2 Posted September 6, 2024 Author @Lessaj Thanks for the ideas! I made a feature request post for Emby to internally and automatically set up a LAN HTTPS server, because I think for nerds like us it is possible to secure our server correctly, but I worry about common people who have, like, loads of weird Chinese apps on their phones and play video games with anti-cheat and so on. Having server traffic unencrypted at all on a normal home internet seems really dangerous for those with bad opsec, and Emby needs to accommodate them by doing some of the heavy lifting for them, or at least letting them secure all their LAN traffic easily with docs at a minimum. I think the current solution is not optimal for, like, 98% of users...
Q-Droid 989 Posted September 6, 2024 There are multiple ways to do what you want. Since you're using Caddy, your public certs are likely handled automatically for you. If you want to use an HTTPS upstream for Emby, then you can create and configure a long-life self-signed cert that can be used for the backend and trusted by Caddy. By generating your own 5 to 10 year cert you can include any names and IP addresses you want for the CN and SANs without having to worry about renewal. Emby will enable and continue to use the HTTPS port when you add a cert, even if you disable remote access later. But the server includes settings for reverse proxies, so you don't really have to disable remote access in Emby.
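The long-life self-signed backend cert Q-Droid describes, as an added example that is not code from the thread or from the Emby project: it generates a cert whose CN and SANs cover the LAN name and IP (10 years by default), bundles it as PKCS#12 for Emby's custom-certificate setting (assumed here to take a .pfx plus its password), and prints a Caddy site block that proxies to port 8920 and trusts that cert, so the Caddy-to-Emby hop is encrypted too. It assumes OpenSSL 1.1.1 or newer (for `-addext`); host names, the IP and the password are constructed placeholders.

```shell
#!/bin/sh
# Added example, not code from the thread or the Emby project. Produces a
# long-life self-signed cert (CN plus DNS and IP SANs), a PKCS#12 bundle for
# Emby's custom-certificate setting (assumed to want .pfx + password), and a
# Caddy block that trusts that cert on the HTTPS upstream. All names, the IP
# and the password below are constructed placeholders; needs OpenSSL >= 1.1.1.
set -eu

# make_emby_cert OUT_DIR CN LAN_IP [DAYS]: writes emby.key, emby.crt, emby.pfx
make_emby_cert() {
  out="$1"; cn="$2"; ip="$3"; days="${4:-3650}"
  mkdir -p "$out"
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days "$days" \
    -subj "/CN=$cn" \
    -addext "subjectAltName=DNS:$cn,DNS:localhost,IP:$ip,IP:127.0.0.1" \
    -keyout "$out/emby.key" -out "$out/emby.crt" 2>/dev/null
  chmod 600 "$out/emby.key"
  # Emby's certificate password field gets the same password used here.
  openssl pkcs12 -export -name emby -inkey "$out/emby.key" -in "$out/emby.crt" \
    -out "$out/emby.pfx" -passout "pass:${EMBY_PFX_PASS:-change-me}"
}

# cert_has_san CRT NEEDLE: succeeds if the decoded cert text contains NEEDLE,
# e.g. "IP Address:192.168.1.2". Check this before pointing clients at 8920.
cert_has_san() {
  openssl x509 -in "$1" -noout -text | grep -q -- "$2"
}

# caddy_upstream_block SITE CN LAN_IP CRT_PATH: Caddyfile site that proxies to
# Emby's HTTPS port and pins trust to the self-signed cert instead of turning
# upstream verification off.
caddy_upstream_block() {
  cat <<EOF
$1 {
    reverse_proxy https://$3:8920 {
        transport http {
            tls_trusted_ca_certs $4
            tls_server_name $2
        }
    }
}
EOF
}

# Demo run into a temp dir (skipped when openssl is not installed).
if command -v openssl >/dev/null 2>&1; then
  dir=$(mktemp -d)
  make_emby_cert "$dir" emby.lan 192.168.1.2
  cert_has_san "$dir/emby.crt" "IP Address:192.168.1.2" && echo "SAN ok: $dir"
  caddy_upstream_block emby.example.com emby.lan 192.168.1.2 "$dir/emby.crt"
fi
```

Because `tls_server_name` is set to the CN, the same cert also satisfies clients that reach 8920 directly by that name, provided they import `emby.crt` into their trust store.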
guunter 49 Posted September 7, 2024 (edited) 23 hours ago, MoviezMcGee said: @guunter I use Caddy to remotely view my stuff but it works for LAN?! Guess I'll try it. I was mainly hoping Emby could do SSL natively on LAN and disable HTTP entirely, but it doesn't self-sign a cert and IDK where I can even add a cert in the settings to do it natively; there's no cert box. If I use Caddy, it still means a component of my server is being run unencrypted using HTTP the step before the proxy. Why no easy option for Emby to do self-signed SSL on the given HTTPS port for LAN and use that by default? I'd rather use HTTPS ONLY and use the HTTPS port for my Caddy reverse proxy too. If anything, I think it would be cool for Emby to handle generating a Let's Encrypt cert automagically like Caddy does so we can have legit SSL built in that even browsers will enjoy. Maybe a feature request? I just think it's bad to have a server use HTTP in 2024 and it's something I figure is doable. I don't want to host through Emby, I still use a reverse proxy, but I want the data all encrypted using Let's Encrypt or another legit CA. Yes, you create a second Caddy and create DNS entries pointing to it. You should really be putting your Emby server in a DMZ and use firewall rules and VLANs to segregate access to your network if you're that worried about a hacker. Edited September 7, 2024 by guunter