Network Settings and Video Encryption

[RonTactay 0]

Hi,

I decided to move from Plex to Emby and also purchased an Emby Premier license. I must say, everything looks good, and I'm really liking it.

I'm planning to share this with a few family members and friends.

My question is below:

Q1: Is my network settings correct, or do I need to add an SSL certificate manually?

Note: I replaced my actual domain with mydomain.com.

SSL is handled by NGINX Reverse Proxy.

 

 

Q2: I'm thinking of enforcing all users to connect to my server via Emby client apps. Since HTTPS is enabled, does this encrypt the actual video content once played on the Emby client app? Or does Emby create another connection to the server when playing a video?

Is there a way I can validate that the connection between my server and client apps is secured? Meaning, no one can see the actual content being played aside from the Emby server and Emby client app.

 

Thanks!

[Abobader 3464]

Hello RonTactay,

** This is an auto reply **

Please wait for someone from staff support or our members to reply to you.

It's recommended to provide more info, as it explain in this thread:

Thank you.

Emby Team

[Q-Droid 989]

You have to obtain your own domain and certificates then configure them directly in Emby or via a reverse proxy.

Disregard the above. My reading comprehension resets for the week every Sunday morning.

You might want to change this setting to this option:

 

Edited January 5, 2025 by Q-Droid

[rbjtech 5284]

4 hours ago, RonTactay said:

Q2: I'm thinking of enforcing all users to connect to my server via Emby client apps. Since HTTPS is enabled, does this encrypt the actual video content once played on the Emby client app? Or does Emby create another connection to the server when playing a video?

Is there a way I can validate that the connection between my server and client apps is secured? Meaning, no one can see the actual content being played aside from the Emby server and Emby client app.

All https traffic will be encrypted incl the actual video transport.

If you are using nginx, then configure it to force https only - ie http > https redirect.

re Q1 - If using nginx (and it's handling the tls and redirection to the emby host over http), then there is nothing more for you to do - it should work fine.     Check the dashboard to see if you have both the http (lan) and https (remote - using your domain) listed.

Edited January 5, 2025 by rbjtech

[js28194 36]

If everything is truly behind Nginx Reverse Proxy, then everything can remain blank.  I actually recommend it and don't do unnecessary settings to further confusing things down the road.  I am behind Caddy SSL Reverse Proxy.

 

Spoiler

 

 

[js28194 36]

Honestly, in my humble opinion, this entire section is Null and Void for people behind a reverse proxy SSL, be it Nginx or Caddy.  Now, should Emby team put a button at the very top to check off "Are you behind an SSL Proxy" checked yes, then grey out this entire section.  Would that be a high priority?  Absolutely NOT.

What is that addage?  KISS?  Keep it Simple Stupid or something like that?

This section is for people who actually use true port 8096/8092 (defaults) forwarding in their router directly to server.

Edited January 5, 2025 by js28194

[rbjtech 5284]

4 minutes ago, js28194 said:

Honestly, in my humble opinion, this entire section is Null and Void for people behind a reverse proxy SSL, be it Nginx or Caddy.  Now, should Emby team put a button at the very top to check off "Are you behind an SSL Proxy" checked yes, then grey out this entire section.  Would that be a high priority?  Absolutely NOT.

What is that addage?  KISS?  Keep it Simple Stupid or something like that?

This section is for people who actually use true port 8096/8092 (defaults) forwarding in their router directly to server.

Some questions are still required - re ports to use, proxy headers and connection mode.   So yes, I agree some could be removed by asking if an RP is being used but anybody who has setup a RP is likely to know that they are not required.

[js28194 36]

OP - this is what my caddy profile file looks like for Emby specifically.  Caddy is running on the same box as Emby itself.  is Sorry I cannot assist with Nginx.  Logging is optional, and infact very stupid.  I have yet to find something that can easily parse out or make it easier to read.  On Windows it's a mess and probably just me, who hasn't found the right tool to look at it correctly.

{
    email myemail@gmail.com
}

emby.mydomain.com {
  log {
        output file C:\caddy\logs\emby_access.log {
            roll_size     5MiB       # Set max size 5 MB
            roll_keep     2          # Keep at most 2 log files
            roll_keep_for 96h        # Keep log files for 4 days
        }
    }
    reverse_proxy http://localhost:8096
    }

 

You could do additional things in the Caddy file as exampled below, but for Emby, I found the above is enough.

 

nextcloud.mydomain.com {
    log {
        output file C:\caddy\logs\nextcloud_access.log {
            roll_size     5MiB       # Set max size 5 MB
            roll_keep     2          # Keep at most 2 log files
            roll_keep_for 96h        # Keep log files for 4 days
        }
    }
    header {
         Strict-Transport-Security "max-age=15552000; includeSubDomains; preload"
         Referrer-Policy no-referrer
         Referrer-Policy same-origin
         Referrer-Policy strict-origin
         Referrer-Policy strict-origin-when-cross-origin
         Referrer-Policy no-referrer-when-downgrade
       }
    redir /.well-known/carddav /remote.php/dav 301
    redir /.well-known/caldav /remote.php/dav 301
    redir /.well-known/webfinger /index.php/.well-known/webfinger
    redir /.well-known/nodeinfo /index.php/.well-known/nodeinfo
    reverse_proxy http://192.168.xxx.5
    }

Edited January 5, 2025 by js28194

[Q-Droid 989]

1 hour ago, js28194 said:

If everything is truly behind Nginx Reverse Proxy, then everything can remain blank.  I actually recommend it and don't do unnecessary settings to further confusing things down the road.  I am behind Caddy SSL Reverse Proxy.

  Reveal hidden contents

 

 

Not quite because some of that information is advertised to Emby apps so that they can find the server when switching between LAN and WAN connections. Browsers are fine, apps can have issues. Also, HTTP redirects work for browsers but not most apps so there are a few things worth knowing and avoiding when using a reverse proxy.

 

[js28194 36]

I am not sure, that is my setup and I use Emby on my phone but locally in the LAN, and it automatically switchs to my domain name when I am offsite in a WAN environment.  Also, tested this on Emby Theatre both in LAN and WAN and they work perfectly fine.  Looking at the Server Dashboard, they report the external IP address of remote connection just fine.  Inside the LAN I exclusively use Android Shield devices, and the Android TV app (1% of the time, Kodi 99% of the time).  On my Google Pixel I use whatever is downloaded from the App Store and I can assure you, it works fine.  The one thing I have noticed, and maybe to your point is that when I am offsite and I am switch servers, sometimes my personal server still lists as a local LAN address, however it connects to the domain name just perfectly fine.  I cannot be bothered to report it as it works fine.

I can only share with you my experience in my setup.  Like I said, KISS, then go exotic.

[Q-Droid 989]

Understood. You're relying on detection to provide the right IP addresses. If your dashboard looks fine then good. But if a server is multi-homed then there's no guarantee that the interface chosen and advertised via detection will be the desired one. Same for Docker containers running with the bridged network, in that case you'd want to set and advertise the host IP. Keeping it simple is a good approach for most and until it isn't.

 

[RonTactay 0]

Thanks everyone, appreciate it! I'll keep my current settings and enjoy emby! cheers