csimmons222 (Posted December 28, 2020)
I started messing with settings last night and now I cannot connect to Emby via HTTPS. For the life of me, I cannot figure out what is wrong. Within the Emby Server both my local and public HTTPS ports are listed as 8920.
I have tried to access the server using https://<internal ip>:8920 using the Edge browser and I receive the following error: "Hmmm...can't reach this page. It looks like <internal ip> closed the connection"
I have tried to access the server using https://media.mydomain.com:8920 using the Edge browser and I receive the following error: "Forbidden. You don't have permission to access / on this server."
I have tried to telnet to the server on port 8920 and it tells me that the connection failed.
Everything noted above works just fine on HTTP. Any ideas?
Luke (Posted December 28, 2020)
Hi there, have you set up an SSL certificate in Emby Server network settings?
pwhodges (Posted December 28, 2020)
Local firewall on the machine running the server? Also, what settings were you fiddling with? That's the first question any support person asks when behaviour changes!
Paul
csimmons222 (Author, Posted December 28, 2020)
pwhodges, I wish that I could tell you what settings I was fiddling with. I was trying to get Cloudflare to redirect my subdomain from https://media.mydomain.com to https://media.mydomain.com:8920. When I couldn't get that to work, I started tweaking other settings in Emby and my firewall. I thought that I put everything back but apparently I screwed something up.
Luke and pwhodges, here is my current setup:
* Emby is installed in a Docker on my UNRAID server.
* I have a CloudflareDDNS Docker installed on my UNRAID server to update my public IP address with Cloudflare.
* I have Cloudflare set up with an A record to direct media.mydomain.com to my public IP address.
* I am using Sophos UTM Home Edition as my firewall.
* I am using the Sophos UTM firewall to manage my Let's Encrypt SSL certificates. Therefore, there is no SSL certificate setting configured in Emby.
As I stated, this was all working before I started messing with it late last night. For testing purposes, I set up my firewall to allow all internal traffic to pass over any port. This should prevent any firewall setting from blocking the traffic. I then attempted to go to https://<internal IP address>:8920 but did not have any success. Between this and the fact that I could not telnet using port 8920 (but I could telnet using port 8096), I believe it is likely a configuration setting within Emby.
csimmons222 (Author, Posted December 28, 2020)
For what it is worth, I tried changing the SSL port number in Emby from 8920 to 9999 and had the same problems when trying to access the web UI and telnet into the server.
Carlo (Posted December 28, 2020)
Keep in mind if using an SSL cert you need to access Emby using the domain associated with the cert, not by IP address. If you are trying to set this up to run under Cloudflare you cannot use port 8920 as it's not a supported port they recognize. Instead set up your firewall to forward port 443 on the WAN port to 8920 of your Emby Server IP address. Now use these settings in Emby:
This should allow Cloudflare to work with your Emby setup. If you can't figure this out send me a PM and we can set up a TeamViewer session and I can help you get this set up and squared away. I use Cloudflare myself and have helped many a user with this setup.
csimmons222 (Author, Posted December 28, 2020)
1 minute ago, cayars said: Keep in mind if using an SSL cert you need to access Emby using the domain associated with the cert, not by IP address. If you are trying to set this up to run under Cloudflare you cannot use port 8920 as it's not a supported port they recognize. Instead set up your firewall to forward port 443 on the WAN port to 8920 of your Emby Server IP address. Now use these settings in Emby: This should allow Cloudflare to work with your Emby setup. If you can't figure this out send me a PM and we can set up a TeamViewer session and I can help you get this set up and squared away. I use Cloudflare myself and have helped many a user with this setup.
Cayars, when I go to https://media.mydomain.com:8920, I receive a "Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later." error.
Prior to me screwing this up, I could go to https://media.mydomain.com:8920. Cloudflare would redirect my request to https://<my public ip>:8920. My Sophos firewall would then handle the Let's Encrypt SSL certificate for media.mydomain.com. I would then be able to log in to Emby over an encrypted connection.
For testing purposes, I can do all of this over HTTP using http://media.mydomain.com:8096 and everything works great. It's just HTTPS that is giving me the problem.
pwhodges (Posted December 28, 2020)
1 hour ago, csimmons222 said: * I am using the Sophos UTM firewall to manage my Let's Encrypt SSL certificates. Therefore, there is no SSL certificate setting configured in Emby.
So you should be accessing Emby using port 8096 (because it won't work with 8920 unless it's handling the certificate), assuming the firewall is handling the certificate and effectively proxying to your server. But I guess I'd need to look at the firewall documentation to verify that; it's the first time I've come across a firewall doing the certificate handling. It seems to me that the Sophos settings are where you need to look hardest.
Paul
Carlo (Posted December 28, 2020)
Cloudflare won't use port 8920. You need to do what I mentioned above and switch things over to port 443, which it will use.
Carlo (Posted December 28, 2020)
35 minutes ago, csimmons222 said: Cayars, when I go to https://media.mydomain.com:8920, I receive a "Service Unavailable. The server is temporarily unable to service your request due to maintenance downtime or capacity problems. Please try again later." error. Prior to me screwing this up, I could go to https://media.mydomain.com:8920. Cloudflare would redirect my request to https://<my public ip>:8920. My Sophos firewall would then handle the Let's Encrypt SSL certificate for media.mydomain.com. I would then be able to log in to Emby over an encrypted connection. For testing purposes, I can do all of this over HTTP using http://media.mydomain.com:8096 and everything works great. It's just HTTPS that is giving me the problem.
Assuming you are using Cloudflare, you have them generate the cert for you, then you convert it and use that for Emby. Cloudflare and your Emby server need to both use the shared cert so they can talk back and forth if you want the Cloudflare proxy and its security. To get things working I'd turn off your local firewall software so it's not in the way or blocking you in any manner.
csimmons222 (Author, Posted December 28, 2020)
20 minutes ago, pwhodges said: So you should be accessing Emby using port 8096 (because it won't work with 8920 unless it's handling the certificate), assuming the firewall is handling the certificate and effectively proxying to your server. But I guess I'd need to look at the firewall documentation to verify that; it's the first time I've come across a firewall doing the certificate handling. It seems to me that the Sophos settings are where you need to look hardest. Paul
Paul, in Emby my secure mode is set to "Handled by reverse proxy." Should I not be able to go to https://<my internal server ip>:8920 using a web browser and then see a warning stating that this page is not secure, giving me an option to continue on to the site? Instead, I am getting a "Service Unavailable" error.
Chris
pwhodges (Posted December 28, 2020)
My understanding is that the setting you mention enables Emby to issue https links even though it's not handling https itself, because it knows (as a result of the setting) that they will return on the http channel because of the reverse proxy. I have that setting enabled, and I cannot connect to Emby on its secure channel, hence my suggestion that you shouldn't be trying to access it on that port. But I guess a session with @cayars will get you sorted out while I (in Europe) sleep! Probably differently from how I'd suggest, because CloudFlare does most of it for you.
Paul
csimmons222 (Author, Posted December 30, 2020)
Okay. I think I was able to figure out how I had things set up before. Also, after two days of messing around and experimenting with this, I think that I have improved my setup as well.
After some testing today, I believe this is how my "working" setup was configured in the past:
1. Cloudflare had an A record set up for media.mydomain.com that pointed to my public IP. I was not using the Cloudflare proxy and just had this set up as DNS Only.
2. On Cloudflare, SSL was turned off.
3. On my Sophos firewall, I configured a Real Web Server with the following settings:
   a. Name: Emby
   b. Host: Unraid Server <internal IP>
   c. Type: HTTPS
   d. Port: 8920
4. On my Sophos firewall, I had a Virtual Web Server set up. This was configured with the following settings:
   a. Name: Emby VWS
   b. Interface: External WAN
   c. Type: Encrypted (HTTPS)
   d. Port: 8920
   e. Certificate: Let's Encrypt - Emby
   f. Real Web Server: Emby
Note: The "Let's Encrypt - Emby" certificate was created within the Sophos firewall. It is managed and renewed automatically within the Sophos firewall. The certificate was not installed on the Emby server.
From my testing this worked fine and I could connect to my Emby server from outside of the network by going to emby.mydomain.com. I was not sure if this was the best setup or not but it seemed to work.
So, after two days of messing with this, I have learned a bit more and changed my setup to the following:
1. Cloudflare has an A record set up for media.mydomain.com that points to my public IP. I have the record set up to use the Cloudflare proxy.
2. On Cloudflare, SSL is turned on to Full (Strict).
3. On my Sophos firewall, I configured a Real Web Server with the following settings:
   a. Name: Emby
   b. Host: Unraid Server <internal IP>
   c. Type: HTTP
   d. Port: 8096
4. On my Sophos firewall, I have a Virtual Web Server set up. This was configured with the following settings:
   a. Name: Emby VWS
   b. Interface: External WAN
   c. Type: Encrypted (HTTPS) & Redirect (NOTE: this redirects any http:// requests to https://)
   d. Port: 443
   e. Certificate: Let's Encrypt - Emby
   f. Real Web Server: Emby
I have set up all of my other programs, such as Sonarr, Radarr, NZBGet, etc., the same way as I noted above, with all the Virtual Web Servers using port 443 and a Let's Encrypt SSL certificate created for each Virtual Web Server. I can now go to emby.mydomain.com, sonarr.mydomain.com, nzbget.mydomain.com, etc. from outside my network and I will be taken to the correct application, and the Sophos firewall will also redirect the browser to the https version so everything is encrypted.
In addition, I was able to set up Reverse Authentication for these Virtual Web Servers within the Sophos firewall. I configured the Virtual Web Servers to use Two Factor Authentication. Therefore, when I go to emby.mydomain.com, I am presented with the Sophos splash screen containing a login form. I log in with my username and password for an account that exists within the Sophos firewall. My Sophos firewall syncs with my on-prem Windows Active Directory. Therefore, I log in with my domain username. The password is my domain password, plus the random 6 digits from my authentication app appended to the password for 2FA purposes. Once I get through the Sophos login, I am then taken to my Emby server. I then need to log into Emby to access my media and settings. Obviously, everything is encrypted along the way.
I am now in the process of playing around with running Organizr as a docker. That way, I can simply go to organizr.mydomain.com and have a portal to all of my applications. The only "downside" that I am finding is that within Organizr, when I click on Emby, NZBGet, or any of my other applications, I am first presented with the Sophos 2FA login screen within the iFrame. I have to log in using the Sophos credentials and then I am taken to the actual application to log into. It's a little bit cumbersome but I guess that extra layer of security comes at a slight price.
With having reverse authentication turned on, which requires someone to know my domain username / password + 6 random digits from the authentication app for 2FA purposes, plus then having to know my username / password for each web application, plus everything being encrypted, do you see any glaring security risks to exposing all my applications to the web?
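The symptom pattern this thread turned on (port 8096 answers, telnet to 8920 fails, the browser reports that the host closed the connection) is easy to misread from a browser error page alone. The probe below is an added example, not Emby or Sophos code, and uses only the Python standard library; it tells apart "nothing listening", "a plaintext listener" and "a real TLS listener" on a given port, and constructs a local HTTP-only socket to stand in for a backend that, as pwhodges describes for the "Handled by reverse proxy" setting, serves http while the proxy in front of it owns the certificate.

```python
import socket
import ssl
import threading

def probe_tls_listener(host: str, port: int, timeout: float = 3.0) -> str:
    """What a browser would hit on host:port:
    "refused"   nothing accepts TCP there (the failed telnet to 8920)
    "tls"       a TLS handshake completed (certificate deliberately not verified)
    "plaintext" TCP connects but the peer answers or hangs up without TLS,
                e.g. an HTTP-only backend such as Emby on 8096 behind a proxy
    "timeout"   no answer within `timeout` seconds
    """
    ctx = ssl.create_default_context()
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE  # diagnostic only: is TLS present at all?
    try:
        raw = socket.create_connection((host, port), timeout=timeout)
    except ConnectionRefusedError:
        return "refused"
    except socket.timeout:
        return "timeout"
    with raw:
        try:
            with ctx.wrap_socket(raw, server_hostname=host) as tls:
                return "tls" if tls.version() else "plaintext"
        except socket.timeout:
            return "timeout"
        except OSError:  # ssl.SSLError (wrong version number, EOF) or a reset
            return "plaintext"

def start_plaintext_listener() -> int:
    """Constructed stand-in for an HTTP-only backend: answers any bytes with 400."""
    srv = socket.socket()
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)

    def serve() -> None:
        conn, _ = srv.accept()
        with conn:
            conn.recv(4096)  # swallow the ClientHello
            conn.sendall(b"HTTP/1.1 400 Bad Request\r\nConnection: close\r\n\r\n")
        srv.close()

    threading.Thread(target=serve, daemon=True).start()
    return srv.getsockname()[1]

def unused_port() -> int:
    """Pick a port nothing listens on, reproducing the 'connection failed' case."""
    with socket.socket() as s:
        s.bind(("127.0.0.1", 0))
        return s.getsockname()[1]
```

Run against a real host (for instance probe_tls_listener("<internal ip>", 8920)) the function reports "refused" for the state described in the first post and "plaintext" for a backend that is only meant to be reached through the proxy; only the proxy's own 443 should come back as "tls".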
Carlo (Posted January 3, 2021)
On 12/29/2020 at 7:13 PM, csimmons222 said: With having reverse authentication turned on, which requires someone to know my domain username / password + 6 random digits from the authentication app for 2FA purposes, plus then having to know my username / password for each web application, plus everything being encrypted, do you see any glaring security risks to exposing all my applications to the web?
Have you tried this with any of the Emby apps and not just web/browser? I don't see how the apps will function in this environment.