But if you don’t plan to access it anywhere but home (your words), then it doesn’t have outside access, and putting it on your LAN is done.
Comment on How do I host Jellyfin in the most secure manner possible?
Charger8232@lemmy.ml 1 week ago
Just run it on the LAN and don’t expose it to the Internet.
This would require paying for a VPN to allow LAN connections, which is an option but not my preferred one.
HTTPS only secures the connection, and I doubt you’re sending any sensitive info to or from Jellyfin
This is a matter of threat model, and I would prefer not to expose my TV preferences unencrypted over the network.
but you can still run it in docker and use caddy or something
Does Caddy require a custom DNS in order to point the domain to a local IP address?
The bigger target is making sure jellyfin itself and the host it runs on are updated and protected.
This is easy with securecore, since it updates daily. The rest of the semantics for the actual hosting side aren’t too difficult.
Tolookah@discuss.tchncs.de 1 week ago
Charger8232@lemmy.ml 1 week ago
I still want security in transit, no matter where it is being broadcast from.
Johanno@feddit.org 1 week ago
You could do a vpn hosting by yourself.
Meaning your server is basically a vpn tunnel server and you can connect from the Internet to it. Once you are in the encrypted vpn connection you have access to the local network.
If you have a dynamic IP you need DNS though. But no one can connect just because they know the IP/DNS.
Charger8232@lemmy.ml 1 week ago
You could do a vpn hosting by yourself.
I’m uneasy about this, because I don’t trust myself to do it securely. VPNs are a very complex piece of software, so I highly prefer to stick with widely used setups (i.e. “stock” VPN software such as ProtonVPN, Mullvad VPN, etc.)
otacon239@lemmy.world 1 week ago
A self-hosted VPN is the most secure free way to host your Jellyfin. I’ve had to learn the hard way over the years, but all the features and control you gain for hosting services yourself come with all the same responsibilities and risk that the provider would be taking on for you.
The money you spend on their service is the alternative to the many hours it takes to learn how to properly host your own server.
You can definitely learn how to do it and it will be difficult and confusing at times, but that’s what the community is there for. I recommend joining a Matrix server or similar so you can get more real-time feedback for when you’re just getting started.
Totally understand not wanting to take the risk, though. Just something worth considering.
catloaf@lemm.ee 1 week ago
You don’t need a VPN for LAN connections. You’re already on the LAN. You’d only need it for access from the WAN.
If you’re using Let’s Encrypt, you should probably purchase a domain. I don’t think they support .internal domains. Or you could set up your own CA and run it however you want, even issuing certs to access by IP address if you wanted.
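The "own CA, certificate issued for an IP address" option from the comment above, as an added example using the openssl CLI (not code from anyone in this thread). File names, subject names, the output directory and the sample address are assumptions.

```bash
#!/usr/bin/env bash
# Added example: private CA plus a server certificate valid for a LAN IP.
# File names, subject names and the output directory are assumptions.
set -eu

make_lan_cert() {   # usage: make_lan_cert <lan-ip> <output-dir>
    ip="$1"; dir="$2"
    mkdir -p "$dir"
    # Self-contained config, so nothing depends on the system openssl.cnf.
    cat > "$dir/pki.cnf" <<EOF
[req]
distinguished_name = dn
prompt = no
[dn]
CN = placeholder
[v3_ca]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
[v3_server]
basicConstraints = CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = IP:$ip
EOF
    # 1. Root CA key and self-signed certificate. Keep ca.key off the media server.
    openssl req -x509 -config "$dir/pki.cnf" -extensions v3_ca -newkey rsa:2048 \
        -nodes -sha256 -days 3650 -subj "/CN=Home LAN Root CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.crt" 2>/dev/null
    # 2. Server key and certificate signing request.
    openssl req -new -config "$dir/pki.cnf" -newkey rsa:2048 -nodes -sha256 \
        -subj "/CN=jellyfin" -keyout "$dir/server.key" -out "$dir/server.csr" 2>/dev/null
    # 3. The CA signs the request. Clients match the address against subjectAltName.
    openssl x509 -req -in "$dir/server.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -sha256 -days 365 -extfile "$dir/pki.cnf" \
        -extensions v3_server -out "$dir/server.crt" 2>/dev/null
    chmod 600 "$dir/ca.key" "$dir/server.key"
}

check_lan_cert() {  # usage: check_lan_cert <ip> <dir>; succeeds only if chain and IP match
    openssl verify -CAfile "$2/ca.crt" -verify_ip "$1" "$2/server.crt" >/dev/null 2>&1
}

# Run as: ./lan-ca.sh 192.168.1.50 ./pki   (address and path are examples)
if [ -n "${1:-}" ]; then
    make_lan_cert "$1" "${2:-./pki}"
    check_lan_cert "$1" "${2:-./pki}" && echo "server.crt verifies for $1"
fi
```

Clients only trust the result after `ca.crt` is imported into their trust store; `server.crt` and `server.key` go to whatever terminates TLS in front of Jellyfin.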
Charger8232@lemmy.ml 1 week ago
ProtonVPN by default blocks LAN connections, and can only be changed using their paid tier.
catloaf@lemm.ee 1 week ago
For that aspect, I would recommend changing to a provider that doesn’t have such ridiculous restrictions.
AbidanYre@lemmy.world 1 week ago
I kind of get it from Proton’s POV. If they have a free tier that allows a limited number of devices they’ll want to make sure you don’t tunnel all your devices through that one.
Charger8232@lemmy.ml 1 week ago
The only other providers I would use are Mullvad VPN or IVPN, both of which are paid.