Emby
Installation
The emby-server
package is available for Arch Linux, other systems may require a different routine:
pacman -Sy emby-server
Configuration
After its initial start, emby-server
should be reachable at port :8096
and can be configured with a web browser. However, we may want to adjust its PROGRAM_DATA
directory and its network bindings before we set it up for production:
$ grep ^P /etc/conf.d/emby-server PROGRAM_DATA=/var/lib/emby
Most (all?) of these can be controlled from the web interface also:
$ cat /var/lib/emby/config/system.xml [...] <EnableUPnP>false</EnableUPnP> <PublicPort>8096</PublicPort> <PublicHttpsPort>8920</PublicHttpsPort> <HttpServerPortNumber>8096</HttpServerPortNumber> <HttpsPortNumber>8920</HttpsPortNumber> <EnableHttps>true</EnableHttps> <CertificatePath>/var/lib/emby/config/emby.p12</CertificatePath> <CertificatePassword>s3cr3t</CertificatePassword> <EnableRemoteAccess>true</EnableRemoteAccess>
The emby.p12
(a private key and a self-signed certificate) must be generated for HTTPS to work:
SUBJECT='/C=CZ/ST=PR/L=PR/O=Emby/OU=None/CN=localhost/emailAddress=emby@example.org' openssl req -newkey rsa:2048 -nodes -keyout emby-key.pem -x509 -days 3650 -out emby-cert.pem -subj $SUBJECT openssl pkcs12 -inkey emby-key.pem -in emby-cert.pem -export -out emby.p12 # Display with openssl pkcs12 -in emby.p12 -nodes
The PKCS 12 export password then needs to be provided to the Emby server as shown above.
We don't want to list all existing users in the login screen:[1], so we set IsHidden
to true in all policy files:
for p in $(awk -F= '/^PROGRAM_DATA/ {print $2}' /etc/conf.d/emby-server)/config/users/*/policy.xml; do sed 's/IsHidden>false</IsHidden>true</' -i "${p}" done
Reverse Proxy
A reverse proxy configuration with Nginx:[2]
location /emby { rewrite /emby/(.*) /$1 break; proxy_pass http://127.0.0.1:8096; proxy_redirect off; proxy_set_header Host $host; proxy_set_header X-Real-IP $remote_addr; proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for; # proxy_set_header If-Range $http_if_range; # proxy_set_header Range $http_range; # # WebSockets # proxy_http_version 1.1; # proxy_set_header Upgrade $http_upgrade; # proxy_set_header Connection "upgrade"; auth_basic "Restricted"; auth_basic_user_file "/etc/nginx/.htpasswd";
TODO
A missing feature would be Offline Access, as this only works with a paid subscription, even for private libraries. We shall look to other media servers for other reasons[3] too: