Local Access Allowed over Internet

[Tony B. 38]

Any way to solve this?

I have blocked all the addresses that come from the firewall, and even not allowed remote connections, it still allows access over the internet.

[Happy2Play 9783]

If remote connections are seen as local, there is a configuration problem somewhere.  Is there a vpn or reverse proxy involved?

[Tony B. 38]

1 minute ago, Happy2Play said:

If remote connections are seen as local, there is a configuration problem somewhere.  Is there a vpn or reverse proxy involved?

Yes, reverse proxy. But I also blocked the address that comes from the reverse proxy.

 

[Happy2Play 9783]

Don't know anything about reverse proxies, but have you made any changes on Dashboard-Network?

I guess last resort is you assign LAN Networks.

LAN networks:

Comma separated list of IP addresses or IP/netmask entries for networks that will be considered on local network when enforcing bandwidth restrictions. If set, all other IP addresses will be considered to be on the external network and will be subject to the external bandwidth restrictions. If left blank, only the server's subnet and common private IP subnets (10.0.0.0/8, 192.168.0.0/24, etc.) are considered to be on the local network.

 

[Luke 42081]

This means that emby server thinks the remote connections are actually inside your local network. Your server network settings and/or reverse proxy settings could be causing this.

[Tony B. 38]

How do I solve it? I have already told blacklist to deny anything from my router..

[pünktchen 1409]

5 hours ago, Tony B. said:

Yes, reverse proxy. But I also blocked the address that comes from the reverse proxy.

 

What reverse proxy, Nginx or Caddy? Maybe you can post the config file.

[Tony B. 38]

HAProxy with pfSense

[pünktchen 1409]

And you are passing the real IP through HAProxy to Emby? Google suggests something like this:

option forwardfor header X-Real-IP
http-request set-header X-Real-IP %[src]

[Tony B. 38]

3 hours ago, pünktchen said:

And you are passing the real IP through HAProxy to Emby? Google suggests something like this:

option forwardfor header X-Real-IP
http-request set-header X-Real-IP %[src]

Perfect answer, problem solved. Hope that this will help someone in the future.

 

HAProxy has an option on the Front End for forwardfor and the header also is good for second measure.

 

Thank you again. Merry Christmas and Happy New Year.

[Luke 42081]

Thanks for the feedback !

[Tony B. 38]

This probably could go into an FAQ for Reverse Proxies and Security.

Subtitled: HAProxy with or without pfSense

 

[Carlo 4561]

18 hours ago, Tony B. said:

How do I solve it? I have already told blacklist to deny anything from my router..

Block the ports on your firewall so no remote connections make it through.  Done!

[Tony B. 38]

Not that easy Cayers.
It's done

 

[Carlo 4561]

Hi, if you're block ports on your router then no traffic will make it through, else it's not blocked.

[Tony B. 38]

Cayers.
 

I understand what you are thinking but I don't want to close my emby server off. This fix that was listed above makes sure that the server isn't getting local access by internet.

 

[Carlo 4561]

6 minutes ago, Tony B. said:

Cayers.
 

I understand what you are thinking but I don't want to close my emby server off. This fix that was listed above makes sure that the server isn't getting local access by internet.

 

Got ya.  I thought you just wanted to stop ALL internet based traffic.  Sorry about that.