Noob Alert (Need help securing Emby for Remote access)


Posted (edited)

Hi, I'm sorry to have to ask this, but I think I may have gotten a little bit lost somewhere. I have, like many others here, come over from Plex and would like to applaud the team behind Emby, as it is so much of a better user experience and runs smoothly, but I don't have much networking knowledge. So far I have managed to set up a DDNS account with DuckDNS. I have changed the Network Settings in Emby so that External domain: mydomain.duckdns.org. I then opened up the settings in my modem, added the DDNS account and opened up ports 80, 443 and 8096. So far so good (I hope). After that I have watched and read so many guides on Nginx that I think I may have gotten lost along the way.

I forgot to mention I am using Xubuntu 20.04. I have installed Nginx, as all the guides show the same method: sudo apt-get install nginx. I have allowed firewall rules in ufw for Nginx (I hope I'm still doing OK so far lol). After this I followed this guide: sudo nano /etc/nginx/conf.d/emby.conf and put the following in the nano text editor:

server {
      listen 80;
      server_name mydomain.duckdns.org;

      location / {
          proxy_pass http://mydomain.duckdns.org:8096;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          #upgrade to WebSocket protocol when requested
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
      }
}

 

When I run nginx -t it says everything is good. So I then installed certbot and python3-certbot-nginx and then ran the following command: sudo certbot --nginx --agree-tos --redirect --hsts --staple-ocsp --email myemail@example.com -d mydomain.duckdns.org. Now everything seems to be going well, or is it? IDK lol. I have had no errors running the commands, and when I run the nginx test it says everything is good. When I access the Emby app remotely everything is working, but...... when I open a web browser and try remotely, nothing: the page doesn't load.

 

I was hoping that if anyone checks this out, could you please let me know if it's OK or do I need to change some things? If so, could you please point me in the right direction please :)

The guide I followed is here - https://www.linuxbabe.com/ubuntu/install-plex-media-server-ubuntu-18-04

All I did was substitute Plex for Emby.

Any help given is greatly appreciated, and thank you for taking the time to read this. Also, sorry if I have put this in the wrong section. This is actually my first time posting on a forum lol, slightly nervous :D.

Edited by Shirka
Personal
Posted

Hi, beyond SSL, the other thing I would look at is ensuring all of your local server users have passwords.

Posted

Thank you Luke. Yeah, all users have strong passwords generated by Bitwarden. Everything seems to be running very smoothly: when I enter my domain.duckdns.org I get directed to my Emby server and it shows it is secure, but on the Emby dashboard it still shows as http : 8096. It also shows this remotely on the Emby App.

Is there anything I can do to correct this or is this how it should be even with the changes made. Any help is greatly appreciated :)

mastrmind11
Posted
5 hours ago, Shirka said:

Thank you Luke. Yeah, all users have strong passwords generated by Bitwarden. Everything seems to be running very smoothly: when I enter my domain.duckdns.org I get directed to my Emby server and it shows it is secure, but on the Emby dashboard it still shows as http : 8096. It also shows this remotely on the Emby App.

Is there anything I can do to correct this or is this how it should be even with the changes made. Any help is greatly appreciated :)

You're only redirecting 80 in your proxy and completely disregarding your SSL setup. Here's mine:

server {
        listen [::]:80 default_server;
        listen 80 default_server;
        listen [::]:443 ssl http2 default_server;
        listen 443 ssl http2 default_server;
        return 444;

        ssl_session_timeout 10m;
        ssl_protocols TLSv1.2 TLSv1.1 TLSv1;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;
} 

server {

        # SSL configuration

        include /etc/nginx/proxy.conf;

        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        server_name my.domain.com;

        #Add HSTS Header
        add_header Strict-Transport-Security "max-age=15552000; preload" always;

        add_header X-Content-Type-Options nosniff;
        add_header X-Frame-Options SAMEORIGIN;
        add_header X-XSS-Protection "1; mode=block";
        add_header Referrer-Policy "no-referrer";

        ssl on;
        ssl_certificate /etc/ssl/certs/cert.pem;
        ssl_certificate_key /etc/ssl/private/key.pem;

        # Root location
        root /var/www/html;

        # Add index.php to the list if you are using PHP
        index index.html index.htm index.php index.nginx-debian.html;

        # Change the client side error pages (4xx) to prevent some information disclosure
        error_page 401 403 404 /404.html;

        # Deny access to .htaccess files, if Apache's document
        # root concurs with nginx's one

        location ~ /\.ht {
                deny all;
        }

        location / {
                proxy_pass http://10.0.1.152:8096;

                proxy_set_header Range $http_range;
                proxy_set_header If-Range $http_if_range;
                proxy_set_header X-Real-IP $remote_addr;
                proxy_set_header Host $host;
                proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

                #Next three lines allow websockets
                proxy_http_version 1.1;
                proxy_set_header Upgrade $http_upgrade;
                proxy_set_header Connection $http_connection; 
        }
}

 

Posted

Wow Thank you Mastermind 🤯🤯.

Out of curiosity, and a stupid question, but if I copy and paste that config and edit my info in, would that work?

Posted

OK, is this better? (Fingers crossed)

 

server {
      server_name mydomain.duckdns.org;

      location / {
          proxy_pass http://my-ip:8096;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          #upgrade to WebSocket protocol when requested
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
      }

    listen 443 ssl; # managed by Certbot
    ssl_certificate /etc/letsencrypt/live/mydomain.duckdns.org/fullchain.pem; # managed by Certbot
    ssl_certificate_key /etc/letsencrypt/live/mydomain.duckdns.org/privkey.pem; # managed by Certbot
    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot

    add_header Strict-Transport-Security "max-age=31536000" always; # managed by Certbot

    ssl_trusted_certificate /etc/letsencrypt/live/mydomain.duckdns.org/chain.pem; # managed by Certbot
    ssl_stapling on; # managed by Certbot
    ssl_stapling_verify on; # managed by Certbot
}

server {
    if ($host = mydomain.duckdns.org) {
        return 301 https://$host$request_uri;
    } # managed by Certbot

      listen 80;
      server_name mydomain.duckdns.org;

      location / {
          proxy_pass http://mydomain.duckdns.org:8096;
          proxy_set_header Host $host;
          proxy_set_header X-Real-IP $remote_addr;
          proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;

          #upgrade to WebSocket protocol when requested
          proxy_set_header Upgrade $http_upgrade;
          proxy_set_header Connection "Upgrade";
      }
}

 

Again, any help is very much greatly appreciated :)

mastrmind11
Posted

seems reasonable.
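
A small config check for the reverse-proxy patterns that come up in this thread, as an added example (it is not code from any poster, from Emby or from Nginx): it flags a non-TLS server block that proxies instead of only redirecting, a proxy_pass aimed at the block's own public server_name, WebSocket Upgrade headers without proxy_http_version 1.1, and TLS 1.0/1.1 in ssl_protocols. The finding names, the function names and the sample hostname are made up for illustration.

```python
import re

def server_blocks(conf):
    """Yield the body of each `server { ... }` block, comments stripped."""
    conf = re.sub(r"#[^\n]*", "", conf)
    for m in re.finditer(r"\bserver\s*\{", conf):
        depth, i = 1, m.end()
        while i < len(conf) and depth:
            depth += {"{": 1, "}": -1}.get(conf[i], 0)
            i += 1
        yield conf[m.end():i - 1]

def directives(body, name):
    """Arguments of every `name ...;` directive in body, nested blocks included."""
    stmts = (s.split() for s in re.split(r"[;{}]", body))
    return [" ".join(s[1:]) for s in stmts if s and s[0] == name]

def audit(conf):
    """Return finding codes for each server block (checks are this example's own)."""
    findings = []
    for body in server_blocks(conf):
        names = " ".join(directives(body, "server_name")).split()
        upstreams = directives(body, "proxy_pass")
        tls = any("ssl" in l.split() for l in directives(body, "listen"))
        if upstreams and not tls:
            findings.append("plaintext-proxy")  # port 80 should only redirect
        for u in upstreams:
            host = re.sub(r"^https?://", "", u).split("/")[0].rsplit(":", 1)[0]
            if host in names:  # upstream is reached via the public name and port
                findings.append("proxy-to-own-public-name")
        upgrade = any(h.lower().startswith("upgrade ")
                      for h in directives(body, "proxy_set_header"))
        if upgrade and "1.1" not in directives(body, "proxy_http_version"):
            findings.append("websocket-without-http-1.1")
        for protos in directives(body, "ssl_protocols"):
            if {"TLSv1", "TLSv1.1"} & set(protos.split()):
                findings.append("legacy-tls")
    return findings

# Constructed sample (placeholder hostname), shaped like the first config above.
BEFORE = """
server {
    listen 80; server_name media.example.org;
    location / {
        proxy_pass http://media.example.org:8096;
        proxy_set_header Upgrade $http_upgrade;
    }
}
"""
print(audit(BEFORE))
```

Files pulled in with include (such as Certbot's options-ssl-nginx.conf) are not followed, so an empty result only means none of these four patterns appear in the text that was passed in.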
