Quick & Dirty Emby SSL Configuration (socat reverse proxy) using sslforfree

[devz3ro 2]

I am going to be brief about a lot of things. If you need me to elaborate on anything, please ask.

 

You will need: socat 

(Note 1: And a http server if you haven't obtained your ssl files already).

(Note 2: You can use socat to serve http files (needed to verify your domain on https://www.sslforfree.com/) instead of setting up a http server, but I haven't tested it. See the following if you're interested: https://gist.github.com/ramn/58a1e0df9689f9563d07)

 

Windows: https://sourceforge.net/projects/unix-utils/files/socat/1.7.3.2/socat-1.7.3.2-1-x86_64.zip/download

macOS: brew install socat (brew must be installed first via https://brew.sh/)

debian / ubuntu: apt install socat

centos8+ / fedora31+: dnf install socat (replace dnf with yum if you're using a older version)

 

I performed this on a macOS machine, but it should work on Windows and Linux.

 

I'm going to assume you already have your own domain name or obtained a free subdomain name at a place like: https://www.noip.com/remote-access and it resolves to your ip address.

 

If you haven't done so already, obtain your SSL files for your domain / subdomain from https://www.sslforfree.com/. Here is a great tutorial on how to do so: https://emby.media/community/index.php?/topic/44757-setting-up-ssl-for-emby-wip/&do=findComment&comment=419089.

I personally used a Windows box + HFS (https://www.rejetto.com/hfs/) to do the Manual Verification option on https://www.sslforfree.com/. I temporarily port forwarded 80 to the Windows box and temporarily disabled it's firewall.

 

Once the above is done you will have a zip file:

(sslforfree.zip): which contains ca_bundle.crt, certificate.crt, and private.key

 

1. Unzip sslforfree.zip and create a certificate that will work with socat

 

macOS / Linux: 

cat private.key certificate.crt > certificate.pem

Windows:

type private.key certificate.crt > certificate.pem

 

2. Create a script that looks like the following, chmod +x, and execute it.

 

macOS / Linux:

(Note 1: replace /home/user/pathto/ with the actual path to your file)

(Note 2: the openssl listen port does not have to be 58920, change it if you like)

(Note 3: if your emby server isn't the same machine you will be running socat from, change localhost:8096 to your emby server's internal ip address and non-ssl port - Ex: 192.168.1.X:8096)

(Note 4: Type: which bash on your command line and replace /bin/bash with the correct path below (if it's not that)

  

#!/bin/bash
socat OPENSSL-LISTEN:58920,cert=/home/user/pathto/certificate.pem,cafile=/home/user/pathto/ca_bundle.crt,verify=0,reuseaddr,fork TCP4-CONNECT:localhost:8096 >/dev/null 2>&1 &

 

Windows:

(Note 1: I haven't tested this, but you should only have to create a bat file and place it in the same folder as the unzipped sslforfree.zip and socat-1.7.3.2-1-x86_64.zip)

(Note 2: if your emby server isn't the same machine you will be running socat from, change localhost:8096 to your emby server's internal ip address and non-ssl port - Ex: 192.168.1.X:8096)

 

Bat file contents (please let me know if you find this to be incorrect):

 

socat OPENSSL-LISTEN:58920,cert=certificate.pem,cafile=ca_bundle.crt,verify=0,reuseaddr,fork TCP4-CONNECT:localhost:8096

 

3. Port forward (from your router) port 58920 (or whatever port you chose) to the machine that's executing the socat, also verify that port isn't being blocked by a software firewall.

 

4. In emby login to your manage server dashboard, go to Network on the left and add the following:

 

A. Public https port number: 58920 (or whatever port you chose to port forward to the server running the socat)

B. External domain: the domain name you have or subdomain name that resolves to your ip address

C. Secure connection mode: Handled by reverse proxy.

D. Save

E. Test: Open a browser to your address, Ex. https://your.subdomain.com:58920

Edited February 27, 2020 by devz3ro

[Luke 42083]

Cool, thanks for the info.

[devz3ro 2]

np, hopefully it's useful to someone.