So far I have documented different approaches to access Emby securely remotely.
This guide uses Cloudflare for DNS records of your domain name, create and maintain your SSL cert and add security to your connection.
So for anyone who doesnt know, Cloudflare acts like a middle man, or more like a big bouncer. Imagine you own a bar and you want security. You hire a bouncer and he lets your customers in but keeps the riff raff out. This is what cloudflare does it adds security to your Server, while allowing authorised people to access your server.
This guide will assume you have Emby Server already setup and working on your LAN.
Getting a Domain Name.
For this to work we need a domain name. You can get a free one from FreeNom or buy your own .com or .co.uk from a registrar such as NameCheap.
For this example I will use Freenom.
Search for the domain name you want. I will use mymedia.cf
Click Checkout. Enter your details. You will then see a button to manage domain, click that. Next click on Management Tools and Nameservers. You will see the below screen. Leave this open for now, we will come back to it.
Head over to Cloudflare Create an account with Cloudflare and then add your Domain name you entered above mymedia.cf. note. when adding your site and starting the scan it might fail due to DNS propagation. Give it 5-15 mins and try again.
Once your Domain Name appears in Cloudflare you can click 'Continue Setup' and you will see the page below.
Create an 'A Record'
Name = emby
Value = your WAN IP
Status = make sure its an Orange cloud
Select Free Plan
You will now be given Nameservers. Copy the 2 name servers from Cloudflare and enter them into FreeNom. If FreeNom has 4 delete all of them and only enter the 2 from cloudflare. Should look something like the below image.
It will take some time for DNS propagation before the Nameservers change to Cloudflare. In this time lets setup Emby Server and Port Forwarding on your router.
Go to your Emby Server and Dashboard Manager > Advanced.
Change your Public HTTP port to 80 and HTTPS port to 443. Enter your new domain name. I get emby.mymedia.cf from the CloudFlare DNS page. Emby was the name of the DNS record, so the full record is emby.mymedia.cf.
Save and Restart Emby.
Log into your router. All routers are different. Find the section to port forward and create a new rule.
Forward External port 443 to internal port 8920 and IP address of your Emby Server. You can also forward 80 to 8096, however this will mean users can connect insecurely to your Emby server.
Head back to CloudFlare and click 'Recheck Nameservers' if successfull you will see a green bar, and Cloudflare Active.
We now need to create a SSL cert for Cloudflare to connect to your Server Securely. On Cloudflare go to 'Crypto', and then 'Origin Certificates'.
Click Create Certificate, on the next screen leave everything default and click next.
You will now be given 2 boxes, A Certificate code and Private Key code.
Copy both of them into separate notepads and Save both. Call them cert.pem and private.key respectively
Click convert and you should end up with a PFX certificate.
Head back to Emby Server > Dashboard > Advanced.
Custom SSL certificate Path = your PFX file
Certificate Password = the one used above "what ever you want"
Save and Restart Emby
Head back to Cloudflare > Crypto Tab
You now need to change SSL from Flexible to Full.
(This means users connect to Cloudflare [uses cloudflare cert] Then Cloudflare connects to your emby server using the Cert we just created). Thus A Full SSL Path from user to server.
go to https://emby.mymedia.cf and enjoy your movies.
On Cloudflare > Crypto
You can enable 'Always use HTTPS' and 'Automatic HTTPS Rewrites'. Anyone trying to browse to HTTP will be forwarded to HTTPS.
On Cloudflare > Page Rules
Add the following rules to cache your images.
If you have a DHCP WAN IP then you will also need to do some additional steps so that Cloudflare forwards to your IP even if it changes. For this you need to use DNS-O-Matic, a Guide can be found HERE.
If like me you are running a Unifi system at home then you will probably want to connect to the controller via HTTPS. This also applies to the Guest Portal, providing them with a Trusted Certificate and not a self signed one.
This guide is for machines running Windows, but has some similarities for other OS.
Unifi Controller installed and running either by a service or the app
A Trusted Certificate and private.key
If you havent already done so, check out my post on how to get a certificate for free Easy Let's Encrypt Certificate
Also you can find out how to install and configure a Unifi Controller here. (Coming Soon!)
Step 1 - Key Store Explorer
Head over to Keystore Explorer and download the program and install it. This is used to import our certificates to the keystore unifi uses.
Step 2 - Creating a PKCS #12
If you are familiar with creating a PKCS #12 certificate then please create one with your unifi controllers domain name and the guest portals domain name with the password of aircontrolenterprise.
If you arent familiar with creating a PKCS #12 file, see below.
Step 3 - Importing the Certificates
Find the location of the Unifi Controller directory. On Windows the default directory is
C:\Users\%USER NAME%\Ubiquiti UniFi
In the folder 'data' there is a file called keystore. Open the keystore file with key store explorer.
The password is aircontrolenterprise
You should now see the below
Select the unifi key in keystore explorer then click on 'tools' and import key pair and choose 'PKCS #12'.
Decryption password is aircontrolenterprise
Enter the alias 'unifi' in lower case
If it asks to overwrite click 'YES'
Save the Keystore file.
Finally restart your unifi controller and it should now have a working certificate!
This guide assumes you have either setup a DDNS or have an A record setup to point your Domain Name to your WAN IP. If you dont have this setup go here.
Step 1 - Port Forwarding
Every router is different and rather than try to describe how to do this on all the different brands I will simplify it so it is more relevant to all routers.
Log into your router
Head over to port forwarding
Create a new rule to forward port 443 and port 80 to the machine that NGINX will
be running on.
Step 2 - Installing NGINX
Head over to NGINX-Win and download the latest version of NGINX for Windows. As of writing this guide the latest version is 126.96.36.199 Violet.
Extract the .zip folder somewhere easy to find. for my example I will extract it to C:\NGINX\
Open up the config folder C:\NGINX\config
Open up notepad (I recommend Notepad++) and copy the following into it.
This part makes NGINX listen on port 80 and any traffic it receives on port 80 (HTTP) it redirects to port 443 (HTTPS). It forces the connection to use a secure connection. listen [::]:80 is only required if you have users connecting on IPv6 addresses.
The next part is to configure NGINX to forward the traffic it receives to the correct location. Copy the code below into the same notepad.
Most of the above is to do with the ciphers to create the secure connection. ssl_protocols lists in order the protocols to use. TLSv1.2 is the most secure. These have replaced SSL which are now obsolete. In the very near future TLSv1.3 will make all the other versions of TLS obsolete. Preferred ciphers just list in the order of the ciphers used to create the secure connection.
This is the location of our cert.pem and private.key. I have them located in my NGINX folder in the following location C:\NGINX\config\SSL To find out how to create the Certs please use the guide Easy Let's Encrypt Certificates At the bottom it describes how to create .pem certs.
Most of the above is to do with the headers in html. They add extra security to the connection.
X-Xss-Protection - sets the configuration for the cross-site scripting filters built into most browsers. The best configuration is "X-XSS-Protection: 1; mode=block".
X-content-type-options - stops a browser from trying to MIME-sniff the content type and forces it to stick with the declared content-type. The only valid value for this header is "X-Content-Type-Options: nosniff".
Strict-Transport-Security - is an excellent feature to support on your site and strengthens your implementation of TLS by getting the User Agent to enforce the use of HTTPS.
X-Frame - tells the browser whether you want to allow your site to be framed or not. By preventing a browser from framing your site you can defend against attacks like clickjacking.
Referrer Policy - is a new header that allows a site to control how much information the browser includes with navigations away from a document and should be set by all sites.
Content-Security-Policy - is an effective measure to protect your site from XSS attacks. By whitelisting sources of approved content, you can prevent the browser from loading malicious assets. Analyse this policy in more detail.
The location block tells NGINX what to do when it received data and where to forward it to. It is also required for web sockets to work.
Edit the proxy_pass and point it to the location of your Service that you are running. If it is running on the same machine as NGINX you can leave it as http://127.0.0.1:PORT. If its running on another machine you will need to know the IP. http://192.168.1.10:PORT etc.
Save the notepad as nginx.config in the following location
Step 3 - Set NGINX as a Windows Service
To get NGINX to start with Windows we need to donwload an application called NSSM (Non-sucking service manager).
Download it and extract it. You will have a choice to use win32 or win64 version. Choice the version that relates to your Windows installation.
Copy the nssm.exe to C:\Windows\System32
Open up a command prompt (Run as administrator)
type the following
nssm install NGINX
It will now display this
Fill in the Path to the NGINX.exe and the Startup Directory as above.
Open up Service.msc and find the NGINX Service we just installed.
Right click and Start.
To Test, we can navigate to emby.mysite.com and it should bring up your Emby Server!
If you have any problems drop a comment below. I will also be creating a Troubleshooting NGINX post soon.
So you run a website or services and at the moment they are accessible over HTTP (port 80). However you want a secure connection and a nice green padlock to be displayed in your web browser. In that case you need to create a HTTPS (port 443) connection which requires the webpage/service and the user to communicate over a encrypted connection using secure protocols such as SSL (Secure Sockets Layer) or TLS (Transport Layer Security).
Normally you would have to pay a fee to get a certificate and pay a yearly fee. However Let's Encrypt are dishing out free certificates with the only catch being they are valid for 90 days. The cert will need to be renewed every 90 days. I tend to renew with at least 15-20 days left before expiry just incase I have any issues with the new cert and it gives me time to install and test it.
Having your own Domain Name. My example *.mysite.com
Access to your Domain Registrars DNS settings
Step 1 - Generate the cert.
Head over to ZeroSSL and click on Online Tools and free SSL Certificate Wizard
Enter the details it asks for.
In the Domain box enter all the domains and subdomains you require the certificate to cover separated by a space. Example:-
mysite.com blog.mysite.com test.mysite.com
Accept both the TOS and SA and change the verification from HTTP to DNS.
Click next and it will generate a CSR key. Copy the CSR and save it as you will need this when it comes time to renew.
Click next again and it will generate an account key (RSA PRIVATE KEY). Again Copy and save the private key, we will need it to renew.
We should now see the Verification screen like below.
Step 2 - DNS Verification.
For this step we need to prove to ZeroSSL that we own the domain name we are trying to create the cert for.
Head over to your domain registrar. For this example I will user namecheap.com
Login and head over to DNS or Advanced DNS. We need to create a TXT Record for each of our domains and subdomains. Like in the example below. Set TTL (Time to Live) to 1min or the lowest setting.
IMPORTANT - We should now leave it 15mins to allow the TXT Records we created above to propagate through the internet. If you click 'Next' on the ZeroSSL page too soon then it will fail to find the TXT Records. To test to see whether the Records have updated you can run a command prompt on your PC and type
nslookup -q=TXT _acme-challenge.blog.mysite.com
It should reply with the TXT Record Value. If it replies with:-
Eventually you can click 'Next' and it should take you to your Certificates.
They are available to download on the right or you can copy and paste the keys.
The Certificate includes 2 parts, you can see this from the 2 sections
Your Domain Certificate
Your Certificate Authority
The first part is your Certificate for the domain/subdomain you listed The second Part is the Issuing Authorities Certificate or CA Root you listed. You can either keep these together as 1 certificate (ca_bundle.crt) or split them into 2, (cert.crt) and (ca_root.crt).
Finally the second box is your Private key. Save this key as private.key
Congratulations you now have your own Certificate signed by Let's Encrypt.
Step 3 - Certificate Formats (Optional)
crt to pem
We currently have the certificates in a .crt format. To create a .pem file we need to include the cert.crt and ca_root.crt into one file. You can use notepad to do this.
Copy both your cert and the ca_root into notepad like below.
Your Domain Certificate
Your Certificate Authority
and then save the file as cert.pem. Simple as that!
crt to pfx
Creating a .pfx certificate isnt as simple as a pem. A pfx file contains your cert, the CA root cert and your private.key into one file. It also usually contains a password to open/import and export.
If you have access to OpenSSL you can use the command below