Comment on That's all folks, Plex is starting to charge for sharing

• catloaf@lemm.ee ⁨5⁩ ⁨days⁩ ago

  They also need to run a VPN client.

  Because you’re not putting bare jellyfin on the internet, right? You shouldn’t be doing that for most services in the first place, but doubly so for something that has a bunch of APIs that require no authentication: github.com/jellyfin/jellyfin/issues/5415

  source

  • ada@lemmy.blahaj.zone ⁨5⁩ ⁨days⁩ ago

    Put it behind a reverse proxy!

    source

    • catloaf@lemm.ee ⁨4⁩ ⁨days⁩ ago

      Great, so now the unauthenticated APIs are proxied instead of accessed directly. That changes nothing, it is still vulnerable.

      source
    • thundermoose@lemmy.world ⁨4⁩ ⁨days⁩ ago

      I’m not sure if you know this, but…that doesn’t fix most of the security issues in the linked list. All the reverse proxy does is handle hostname resolution and TLS termination (if you are using TLS). If the application being proxies still has an unauthenticated API, anyone can access it. If there’s an RCE vulnerability in any of them, you might get hacked.

      I run Jellyfin publicly, but I do it behind a separate, locked-down reverse proxy (e.g., it explicitly hangs up any request for a Host header other than Jellyfin’s), in a kubernetes cluster, and I keep its pod isolated in its own namespace with restricted access to everything local except to my library via read-only NFS volumes hosted on a separate TrueNAS box. If there is any hack, all they get access to is a container that can read my media files. Even that kind of bothers me, honestly.

      The overwhelming majority of Jellyfin users do not take precautions like this and are likely pretty vulnerable. Plex has a security team to address vulnerabilities when they happen, so those users would likely be a lot safer. I appreciate the love for FOSS on Lemmy, but it is scary how little most folks here acknowledge the tradeoffs they are making.

      source