NIIcK, posted April 8, 2025 (edited)
Hello, I have a setup on Windows, with a lifetime subscription, where I have a static IP via PPPoE and a LAN network via Wi-Fi. In Emby, network I have the external ports as 80 and 443. On a netstat -a I don't have ports 80 and 443 open. Emby is only binding to the LAN or localhost. How can I set it up to bind to my static, external IP as well? Thank you.

Abobader, posted April 8, 2025
Hello NIIcK, ** This is an auto reply ** Please wait for someone from staff support or our members to reply to you. It's recommended to provide more info, as explained in this thread: Thank you. Emby Team

Lessaj, posted April 8, 2025 (marked as solution)
You would need to configure the local ports to be the same, or configure your port forwarding to forward 80 and 443 to the respective ports configured for local.

Luke, posted April 8, 2025
Right, there's no such thing as binding to an external port. You're just telling Emby server what port number you set up in your router's port forwarding.

NIIcK, posted April 9, 2025
Thank you for your replies! I have a static IP that is directly connected... it doesn't need a port forward. In the Network section I have the local and external ports plus the LAN net and LAN IP but there is no actual setup for a static, directly connected IP. Port 443 doesn't work either. I have never managed to get it open unless I open it on the LAN side. Is Emby made so it will only work on LAN, behind a router and not on a proper server? Thank you!

Luke, posted April 9, 2025
It will work on anything that provides a network connection. 443 is the SSL port. Did you set up SSL? How?

NIIcK, posted April 9, 2025
I've followed this tutorial for Let's Encrypt in Windows, generated the SSL certs and added them into the "Custom SSL certificate path" field in Emby's Network section. So all I need to do is to set the same ports (80, 443) in both the local and external ports fields?

NIIcK, posted April 9, 2025
Ref. SSL, after creating the Let's Encrypt full chain .pem and key.pem I have converted them to PKCS#12 with:
openssl pkcs12 -export -in fullchain.pem -inkey privkey.pem -out domain.pfx

NIIcK, posted April 9, 2025 (edited)
Coming back, it now works if both LAN and external ports are set as 80 and 443 plus the SSL setup above.

rbjtech, posted April 9, 2025 (edited)
I would STRONGLY recommend you research and set up other defences (such as a reverse proxy, IPS, firewall etc) between your Public IP and Emby. Directly connecting it may 'work' but you are opening your home network to cyber risks - for example, enabling port 80 without https redirect is simply asking for trouble. Using NAT and a firewall on a router will give you 'some' protection, but you'll still need to port forward to the LAN.

NIIcK, posted April 9, 2025
Thank you for the recommendations, @rbjtech. I have set up Emby "Secure connection mode" as "Required for all connections". The traffic is monitored by a firewall at the GPON level plus another firewall running on the Windows machine. I have not forwarded the LAN ports at all; LAN is using a different GW anyway (different static IP set up at the LAN/WAN router level). This direct connection is done via a separate optical fiber via a firewalled GPON and a Layer3 w. management switch. In the interest of sharing info I will update should such a setup get penetrated (of course I cannot talk about the Emby code quality because I simply don't know).
Best,
Nick

rbjtech, posted April 9, 2025
Without an IPS etc, how are you going to know? Emby itself is the direct listener on https - any rogue packet is being answered - thus any vulnerabilities/probes will not be challenged (the firewall will do nothing as it's a valid tcp 443 packet). A simple but secure setup would be to use a reverse proxy/firewall/IPS combo - which your PPPoE will directly terminate on (WAN) - you then route onto your LAN. The bonus is using the Reverse Proxy, you can set it up for multiple services using the same Public IP etc.

NIIcK, posted April 9, 2025
The machine Emby sits on is a Windows machine with a full IPS solution installed and running. True, port 443 is directly exposed; if something happens it will only come from this port (anything else being firewalled) and it will be picked up, machine wise, by the existing IPS solution. I found that forwarding 8290 (or whatever LAN port Emby was operating under for HTTPS) is not working in conjunction with 443 set for external connections because Emby simply doesn't listen on it if not matched with the LAN one.

rbjtech, posted April 9, 2025
And this is where a reverse proxy is imo a critical part of the chain. The RP will listen on 443, terminate the IP connection and then re-initiate the connection itself to the local emby server on whatever port you specify. Thus you can limit the 'emby' firewall to only accept connections from your RP and your termination point/probe from any WAN is always the RP (ideally isolated from your private LAN) - thus you can limit what it responds. Properly setting up a secure public internet service needs research if you are going it alone with your own design - the very last thing you want is to make a rookie error and your entire home network compromised - and you not even know about it. Not trying to scare here - just being open.
ps - Glad you have an IPS - that is good news.

Q-Droid, posted April 9, 2025
Emby server listens (binds) to the local ports. The public port settings are intended for configurations where port translation or forwarding is involved. Since your case is a server with a public IP then the local and public should have matching values, as you've set them. The vast majority are running their servers behind some form of perimeter device or software in a private IP space.

NIIcK, posted April 9, 2025 (edited)
4 hours ago, rbjtech said:
> And this is where a reverse proxy is imo a critical part of the chain. The RP will listen on 443, terminate the IP connection and then re-initiate the connection itself to the local emby server on whatever port you specify. Thus you can limit the 'emby' firewall to only accept connections from your RP and your termination point/probe from any WAN is always the RP (ideally isolated from your private LAN) - thus you can limit what it responds. Properly setting up a secure public internet service needs research if you are going it alone with your own design - the very last thing you want is to make a rookie error and your entire home network compromised - and you not even know about it. Not trying to scare here - just being open.
> ps - Glad you have an IPS - that is good news.

I listened ... and set up nginx reverse proxy -> Emby is only listening locally with nginx listening on 80 and 443 and doing:
301 on HTTP
proxy_pass http://127.0.0.1:8096
Thank you everyone for your support! Great community!

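The reverse-proxy arrangement described in the last post, written out as an added example; it is not NIIcK's actual configuration and not taken from the Emby project. The host name and certificate paths are placeholders, and the forwarded and WebSocket headers are assumptions about what a media server behind a proxy typically needs.

```nginx
# Added example: emby.example.com and the C:/certs paths are placeholders.
events {}

http {
    # Port 80 serves nothing itself: every request gets a 301 to HTTPS.
    # The redirect target is fixed rather than built from the client's
    # Host header, so a forged Host cannot steer the redirect elsewhere.
    server {
        listen 80;
        server_name emby.example.com;
        return 301 https://emby.example.com$request_uri;
    }

    # Port 443 is the only listener that forwards traffic to Emby.
    server {
        listen 443 ssl;
        server_name emby.example.com;

        # nginx reads the Let's Encrypt PEM files directly; the PKCS#12
        # conversion mentioned earlier in the thread is not needed here.
        ssl_certificate     C:/certs/fullchain.pem;
        ssl_certificate_key C:/certs/privkey.pem;
        ssl_protocols       TLSv1.2 TLSv1.3;

        location / {
            # TLS ends at nginx; the hop to Emby stays on loopback.
            proxy_pass http://127.0.0.1:8096;
            proxy_http_version 1.1;

            # Pass the original host, client address and scheme along.
            proxy_set_header Host              $host;
            proxy_set_header X-Real-IP         $remote_addr;
            proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
            proxy_set_header X-Forwarded-Proto $scheme;

            # Allow WebSocket upgrades through the proxy (assumption).
            proxy_set_header Upgrade    $http_upgrade;
            proxy_set_header Connection "upgrade";

            # Stream responses instead of buffering media in the proxy.
            proxy_buffering off;
        }
    }
}
```

With this in place the host firewall should refuse port 8096 on the public interface, so that nginx on 80 and 443 is the only listener reachable from the WAN; `nginx -t` checks the file before a reload.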