pünktchen 1410 Posted 7 hours ago (edited)

2 hours ago, C.S. said:
What are the good reasons for whitelisting based on device? Is that not added complexity?

It adds a third layer of security: user + password + device id. It also prevents your friends and family from sharing their accounts with other friends or using their credentials with devices in hotels and similar public areas where they may forget to log out after use. It also gives you some kind of control over your Premiere device limit.

Edited 7 hours ago by pünktchen

C.S. 95 Posted 2 hours ago

So to really make use of that feature, I would need to add every single device for every user individually. Each time anyone gets a new phone, TV, tablet - they would need to call me so I can temporarily enable access for them from all devices, wait for them to log in* on the new device, then (remember to) go back and lock them down again. That's a nightmare. Does anyone actually do this? Does my suggestion sound more complex than the above scenario?

All I'm saying is I might like to ban LG given their security issues, or browsers because unreliable playback, or something else because something else. There are a million reasons anyone might want to ban anything. None of them are anyone else's business any more than it is why you could be - not saying you are, just saying you could be - restricting grandma to the TV in the basement.

*I skipped the part where I reset their password because of course they don't know their password because I gave them a good password.

darkassassin07 672 Posted 40 minutes ago (edited)

Alright, this is getting silly, so let's provide a solution here. I still don't think this is necessary, but to each their own.

The easiest way I can think of to effectively disable the web app without disrupting anything else is to replace the index.html file served at both /web/index.html and /emby/web/index.html (the former being the one primarily used). Without this, the browser doesn't know how to load the rest of the app and is stuck displaying whatever you put in that file.

I already replace some files using the following method, so I'm just going to list how I do that. It uses nginx to check a folder for files to replace: if a replacement file exists, that is what gets served; if not, nginx proxies to emby as usual, serving whatever emby server responds with. I'm sure you could do the same with other proxies, but nginx is what I'm familiar with so that's what I'll list. I primarily use this to replace a few images like the favicon and some of the emby badging with my own server name, but it works just fine for this too. (I did test this solution before posting)

First is the nginx config. I'm just listing the relevant parts, you'll still need your ssl configs, headers, log files, etc. Check out the nginx thread pinned in general for further instruction there.

    server {
        server_name example.domain.com;
        listen 443 ssl;

        root /etc/nginx/html/emby; # look in this folder for replacement files

        location / {
            try_files $uri @proxy; # check for files to replace, if none exist proxy instead
        }

        location @proxy {
            proxy_pass http://172.18.0.94:8096; # address of emby server to proxy
        }
    }

Then inside the folder /etc/nginx/html/emby/web/ and inside /etc/nginx/html/emby/emby/web/ you'll create a file called index.html with whatever contents you want displayed instead of the web app.

Here's an example:

    <!DOCTYPE html>
    <html><head><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title>Unavailable</title>
    </head>
    <body>
    <h1 align="center">Unavailable</h1>
    <h2 align="center">The web app is disabled, please use Emby for Android/IOS.</h2>
    <h2 align="center"></h2>
    </body></html>

Again: All this does is prevent regular users, ALL regular users, from being able to use the web app. It does not improve security.

I also have not tested this with Emby Connect as I do not use that feature. I think Emby Connect loads the app from emby.media, so this would not prevent that loading in a browser AFAIK.

Edited 19 minutes ago by darkassassin07
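
To see which requests the try_files setup in the post above intercepts and which still reach the Emby server, here is an added example (not code from the thread) that models `try_files $uri @proxy` against a temporary override folder. The sample request paths other than the two index.html files are assumptions, and the model is simplified to a regular-file check under the nginx root.

```python
import os
import tempfile

# The two replacement files named in the post, relative to the nginx `root`.
OVERRIDES = ("web/index.html", "emby/web/index.html")

# Constructed sample request URIs; the non-index paths are assumptions for illustration.
SAMPLE_URIS = [
    "/web/index.html",
    "/emby/web/index.html",
    "/web/index.html?v=1",
    "/web/modules/app.js",
    "/emby/Users/AuthenticateByName",
]


def build_override_root(root):
    """Create the replacement tree under `root` with placeholder content."""
    for rel in OVERRIDES:
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write("<h1>Unavailable</h1>\n")


def resolve(root, uri):
    """Simplified model of `try_files $uri @proxy`.

    A regular file under root is served locally ("override");
    anything else falls through to the proxied Emby server ("proxy").
    """
    path = uri.split("?", 1)[0]  # nginx's $uri does not include the query string
    candidate = os.path.join(root, *[p for p in path.split("/") if p])
    return "override" if os.path.isfile(candidate) else "proxy"


def audit(root, uris=SAMPLE_URIS):
    """Map each request URI to where it would be answered from."""
    return {uri: resolve(root, uri) for uri in uris}


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        build_override_root(root)
        for uri, verdict in audit(root).items():
            print(f"{verdict:8}  {uri}")
```

Only the two index.html paths are answered from the override folder; every other request, including API calls, is still proxied, which is why the post says this does not improve security.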