Comment on How do I host Jellyfin in the most secure manner possible?
catloaf@lemm.ee 1 week ago
Just run it on the LAN and don’t expose it to the Internet. That’s 99% of the way there. HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin (but you can still run it in docker and use caddy or something with Let’s Encrypt).
The bigger target is making sure jellyfin itself and the host it runs on are updated and protected. You could use a WAF too.
Charger8232@lemmy.ml 1 week ago
This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.
This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.
Does Caddy require a custom DNS in order to point the domain to a local IP address?
This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren’t too difficult.
catloaf@lemm.ee 1 week ago
You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.
If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.
Charger8232@lemmy.ml 1 week ago
ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.
catloaf@lemm.ee 1 week ago
For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.
Tolookah@discuss.tchncs.de 1 week ago
But if you don’t plan to access it anywhere but home (your words), then it doesn’t have outside access, and putting it on your LAN is done.
Charger8232@lemmy.ml 1 week ago
I still want security in transit, no matter where it is being broadcast from.
Tolookah@discuss.tchncs.de 1 week ago
You don’t trust your home network?
Johanno@feddit.org 1 week ago
You could do a vpn hosting by yourself.
Meaning your server is basically a vpn tunnel server and you can connect from the Internet to it. Once you are in the encrypted vpn connection you have access to the local network.
If you have dynamic ip you need dns though. But no one can connect just because they know the ip)/dns
Charger8232@lemmy.ml 1 week ago
I’m uneasy about this, because I don’t trust myself to do it securely. VPNs are a very complex piece of software, so I highly prefer to stick with widely used setups (i.e. “stock” VPN software such as ProtonVPN, Mullvad VPN, etc.)
otacon239@lemmy.world 1 week ago
A self-hosted VPN is the most secure free way to host your Jellyfin. I’ve had to learn the hard way over the years, but all the features and control you gain for hosting services yourself comes with all the same responsibilities and risk that the provider would be taking on for you.
The money you spend on their service is the alternative to the many hours it takes to learn how to properly host your own server.
You can definitely learn how to do it and it will be difficult and confusing at times, but that’s what the community is there for. I recommend joining a Matrix server or similar so you can get more real-time feedback for when you’re just getting started.
Totally understand not wanting to take the risk, though. Just something worth considering.