生成证书
证书使用在线签发或者自签发都行,记得要先保存根证书,服务器端客户端需要安装
搭建伪站
建议使用nginx,使用如下配置,都无需改什么,证书使用上面生成的证书
server {
listen 443 ssl;
server_name mb3admin.com;
ssl_certificate /etc/pki/tls/mb3admin.com.cert.pem;
ssl_certificate_key /etc/pki/tls/mb3admin.com.key.pem;
ssl_session_timeout 5m;
ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
ssl_ciphers ECDHE-RSA-AES128-GCM-SHA256:HIGH:!aNULL:!MD5:!RC4:!DHE;
ssl_prefer_server_ciphers on;
# location = /webdefault/images/logo.jpg {
# alias /usr/syno/share/nginx/logo.jpg;
# }
# location @error_page {
# root /usr/syno/share/nginx;
# rewrite (.*) /error.html break;
# }
# location ^~ /.well-known/acme-challenge {
# root /var/lib/letsencrypt;
# default_type text/plain;
# }
location / {
rewrite ^ / redirect;
}
location ~ ^/$ {
rewrite / https://$host:443/ redirect;
}
add_header Access-Control-Allow-Origin *;
add_header Access-Control-Allow-Headers *;
add_header Access-Control-Allow-Method *;
add_header Access-Control-Allow-Credentials true;
location /admin/service/registration/validateDevice {
default_type application/json;
return 200 '{"cacheExpirationDays": 365,"message": "Device Valid","resultCode": "GOOD"}';
}
location /admin/service/registration/validate {
default_type application/json;
return 200 '{"featId":"","registered":true,"expDate":"2099-01-01","key":""}';
}
location /admin/service/registration/getStatus {
default_type application/json;
return 200 '{"deviceStatus":"0","planType":"Lifetime","subscriptions":{}}';
}
}劫持域名
客户端及服务端修改hosts,使得mb3admin.com及www.mb3admin.com域名指向伪站,如果是软路由可直接进行域名劫持,我使用的adguardhome。劫持后访问如下地址,正常返回json数据就代表劫持成功,打开emby页面查看应该就是会员了。
https://mb3admin.com/admin/service/registration/validateDevice
https://mb3admin.com/admin/service/registration/validateDevice/666
emby的验证是在使用会员功能的时候客户端会向mb3admin.com发送带有设备id和激活码的请求,服务器返回设备已激活的信息,客户端收到信息后启用会员功能
请求地址如下:
https://mb3admin.com/admin/service/registration/getStatus
https://mb3admin.com/admin/service/registration/validate
https://mb3admin.com/admin/service/registration/validateDevice返回信息如下:
{"deviceStatus":"","planType":"","subscriptions":[]}
{"featId":"","registered":true,"expDate":"2099-01-01","key":""}
{"cacheExpirationDays": 7,"message": "Device Valid","resultCode": "GOOD"}对应的是用户的会员状态,会员过期日期,会员设备验证。
收尾
非常重要,能不能使用硬解等功能还得看这一步,上面的会员验证用户浏览器层面,在服务器上curl https://mb3admin.com/admin/service/registration/validateDevice/666验证,因为根证书不信任,所以curl不能正确返回json信息,此时服务器端并没有验证成功;还需在服务器上添加信任根证书,否则硬解功能无法正常使用,将上面保存的根证书进行如下操作。
centos7
yum install ca-certificates cp GMCert_RSACA01.cert.pem /etc/pki/ca-trust/source/anchors/mb3admin.pem ln -s /etc/pki/ca-trust/source/anchors/mb3admin.pem /etc/ssl/certs/mb3admin.pem update-ca-trust cp /opt/emby-server/etc/ssl/certs/ca-certificates.crt /opt/emby-server/etc/ssl/certs/ca-certificates.crt.bak #cp GMCert_RSACA01.cert.pem /opt/emby-server/etc/ssl/certs/ca-certificates.crt cat GMCert_RSACA01.cert.pem >> /opt/emby-server/etc/ssl/certs/ca-certificates.crt systemctl restart emby-serverDebian11
cp GMCert_RSACA01.cert.pem /usr/local/share/ca-certificates/mb3admin.crt dpkg-reconfigure ca-certificates 选择yes后选新放入的证书然后回车 update-ca-certificates cp /opt/emby-server/etc/ssl/certs/ca-certificates.crt /opt/emby-server/etc/ssl/certs/ca-certificates.crt.bak #cp GMCert_RSACA01.cert.pem /opt/emby-server/etc/ssl/certs/ca-certificates.crt cat GMCert_RSACA01.cert.pem >> /opt/emby-server/etc/ssl/certs/ca-certificates.crt systemctl restart emby-server此时再次
curl https://mb3admin.com/admin/service/registration/validateDevice/666可以正常返回json信息,代表服务器端验证成功。
截止2022.1.27本文更新,最新版本4.6.7.0还可正常使用,且用且珍惜。什么时候彻底不能用了就转jellyfin吧,虽说字幕功能做的差了点,起码免费,其他功能也和emby差不多。
新版本的emby-server已经自带Intel的Vaap及Qsv驱动,如果使用常见intel的集显进行硬解,基本无需再额外装驱动即可正常硬解。使用本方法验证会员,无需修改emby组件即可达到开心目的。
如果出现无法正常刮削的情况,把/opt/emby-server/etc/ssl/certs/ca-certificates.crt换回原本的证书即可。
参考文章1 https://www.qzkyl.cn/post-515.html
参考文章2 https://www.imzhp.com/post/hacker-emby-for-pc
参考文章3 https://blog.jiawei.xin/?p=469