Comment on Plex is locking remote streaming behind a subscription in April

couch1potato@lemmy.dbzer0.com 2 weeks ago

My interpretation of your linked instruction (granted, I haven’t tried plex) is that it’s the same two scenarios.

Your plex client app login talks directly to your server login. The client app meeting the server is arranged by the plex relay server and nothing more. There is no ‘logging in’ to the plex relay server; its function is to arrange a meeting of two tunnels and that’s it, much like a tailscale derp server.

The relay server is serving the same function as caddy on a VPS, hell, they could even be using tailscale under the hood and it’d look exactly the same to a user.

Anyway, attack vectors even with a public facing jellyfin are mitigated because

a) jellyfin is running in a docker container = a successful attacker would only be able to trash my jellyfin container, which ultimately is not that big of a deal (unless there is a different docker exploit that enables access to the server itself, which is an entirely different issue and larger than a jellyfin/plex discussion)

b) fail2ban in conjunction with a reverse proxy bans malicious ip addresses that come back with too many errors too many times (errors that you, the admin, specify). So, for example, brute force login attacks are mitigated.

c) the reverse proxy itself allows access to only one specified internal ip address/port combination. Pending a caddy exploit (again, a different discussion) it is not possible to fish for active ip addresses or port scan my internal network.

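The ban decision described in point b) of the comment above, as an added example that is not part of the original comment and is not fail2ban's own code: it counts admin-specified error statuses per client IP in a sliding window over reverse-proxy access logs. The log lines are constructed in Caddy's JSON access-log shape, and `find_offenders`, `max_retry` and `find_time` are hypothetical names modelled on fail2ban's `maxretry` and `findtime` settings.

```python
import json
from collections import defaultdict, deque

# Constructed Caddy-style JSON access log lines (sample data, not real traffic).
SAMPLE_LOG = """\
{"ts": 1000.0, "request": {"remote_ip": "203.0.113.7"}, "status": 401}
{"ts": 1000.0, "request": {"remote_ip": "198.51.100.4"}, "status": 401}
{"ts": 1005.0, "request": {"remote_ip": "192.0.2.9"}, "status": 200}
{"ts": 1010.0, "request": {"remote_ip": "203.0.113.7"}, "status": 401}
this line is truncated {"ts":
{"ts": 1020.0, "request": {"remote_ip": "203.0.113.7"}, "status": 401}
{"ts": 1030.0, "request": {"remote_ip": "203.0.113.7"}, "status": 401}
{"ts": 1100.0, "request": {"remote_ip": "198.51.100.4"}, "status": 401}
{"ts": 1200.0, "request": {"remote_ip": "198.51.100.4"}, "status": 401}
"""


def find_offenders(lines, bad_statuses=(401, 403), max_retry=3, find_time=60.0):
    """Return {ip: timestamp of the request that triggered the ban}.

    An IP is banned once it has produced max_retry responses with a status in
    bad_statuses, all within find_time seconds of each other.
    """
    recent = defaultdict(deque)  # ip -> timestamps of recent bad responses
    banned = {}
    for line in lines:
        try:
            entry = json.loads(line)
            ip = entry["request"]["remote_ip"]
            ts = float(entry["ts"])
            status = int(entry["status"])
        except (ValueError, KeyError, TypeError):
            continue  # skip blank, truncated or malformed log lines
        if ip in banned or status not in bad_statuses:
            continue
        window = recent[ip]
        window.append(ts)
        # Drop failures that have aged out of the sliding window.
        while ts - window[0] > find_time:
            window.popleft()
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned


if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines()).items():
        print(f"ban {ip} (threshold reached at ts={when})")
```

Slow, spread-out failures such as those from 198.51.100.4 stay under the default threshold, which is the trade-off the admin tunes with the window length and retry count.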