Comment on That's all folks, Plex is starting to charge for sharing
thundermoose@lemmy.world 6 days ago
If you want to be on the hook for all IT requests from folks you share with, this is a fine approach. There are people out there who honestly don’t have a problem with that and more power to them. I doubt they are the majority, and a lot of selfhosters completely ignore this aspect of software. There is a reason non-free services exist beyond just “capitalism bad.” I mean, capitalism indeed bad, but your time is worth something.
ada@lemmy.blahaj.zone 5 days ago
I guess I haven’t noticed that. The non technically literate folk I know use smart TVs, or can download Jellyfin from an app store. Then they just use the URL when the app asks for it.
There’s no other configuring to do on their end.
catloaf@lemm.ee 5 days ago
They also need to run a VPN client.
Because you’re not putting bare jellyfin on the internet, right? You shouldn’t be doing that for most services in the first place, but doubly so for something that has a bunch of APIs that require no authentication: github.com/jellyfin/jellyfin/issues/5415
ada@lemmy.blahaj.zone 5 days ago
Put it behind a reverse proxy!
catloaf@lemm.ee 5 days ago
Great, so now the unauthenticated APIs are proxied instead of accessed directly. That changes nothing, it is still vulnerable.
thundermoose@lemmy.world 5 days ago
I’m not sure if you know this, but…that doesn’t fix most of the security issues in the linked list. All the reverse proxy does is handle hostname resolution and TLS termination (if you are using TLS). If the application being proxied still has an unauthenticated API, anyone can access it. If there’s an RCE vulnerability in any of them, you might get hacked.
I run Jellyfin publicly, but I do it behind a separate, locked-down reverse proxy (e.g., it explicitly hangs up any request for a Host header other than Jellyfin’s), in a Kubernetes cluster, and I keep its pod isolated in its own namespace with restricted access to everything local except to my library via read-only NFS volumes hosted on a separate TrueNAS box. If there is any hack, all they get access to is a container that can read my media files. Even that kind of bothers me, honestly.
The overwhelming majority of Jellyfin users do not take precautions like this and are likely pretty vulnerable. Plex has a security team to address vulnerabilities when they happen, so those users would likely be a lot safer. I appreciate the love for FOSS on Lemmy, but it is scary how little most folks here acknowledge the tradeoffs they are making.
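As an added example (not posted by any commenter in this thread) of the "hang up on any Host header other than Jellyfin's" behaviour thundermoose describes, here is an nginx configuration that drops every connection not addressed to the expected hostname and only proxies the one named vhost. It assumes nginx 1.19.4 or newer as the reverse proxy, Jellyfin listening on 127.0.0.1:8096, the public hostname jellyfin.example.com, and the certificate paths shown; all of those are assumptions, not details from the thread.

```nginx
# Added example, not from the thread. Assumptions: nginx >= 1.19.4 as the
# reverse proxy, Jellyfin on 127.0.0.1:8096, hostname jellyfin.example.com,
# certificate paths as shown. Goes in the http {} context.

# Websocket upgrade handling for Jellyfin's realtime endpoint.
map $http_upgrade $connection_upgrade {
    default upgrade;
    ''      close;
}

# Catch-all for TLS: any connection whose SNI does not match a named server
# below is rejected during the handshake, so IP-address scanners that probe
# every address without a hostname never even reach HTTP.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    server_name _;
    ssl_reject_handshake on;
}

# Catch-all for plain HTTP: status 444 is nginx's "close the connection
# without a response" code, so probes get nothing back, not even a redirect.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    server_name _;
    return 444;
}

# The only vhost that proxies to Jellyfin.
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name jellyfin.example.com;   # assumed hostname

    ssl_certificate     /etc/letsencrypt/live/jellyfin.example.com/fullchain.pem;  # assumed path
    ssl_certificate_key /etc/letsencrypt/live/jellyfin.example.com/privkey.pem;    # assumed path
    ssl_protocols TLSv1.2 TLSv1.3;

    # A media server does not need to accept large uploads.
    client_max_body_size 20M;

    location / {
        proxy_pass http://127.0.0.1:8096;   # assumed Jellyfin backend
        proxy_http_version 1.1;
        proxy_set_header Host              $host;
        proxy_set_header X-Real-IP         $remote_addr;
        proxy_set_header X-Forwarded-For   $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade           $http_upgrade;
        proxy_set_header Connection        $connection_upgrade;
    }
}
```

To check it, `curl -k https://<server-ip>/` should fail at the TLS handshake, while `curl --resolve jellyfin.example.com:443:<server-ip> https://jellyfin.example.com/` reaches Jellyfin. Note that this only cuts down on scanner noise; as catloaf points out above, anyone who knows the hostname still reaches the same unauthenticated endpoints, so the proxy has to be paired with something that actually limits who can connect (a VPN, an authenticating proxy layer, or the kind of network isolation thundermoose describes) rather than treated as the fix.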