Thats not what I meant. I of course have wireguard set up for administration and my own streaming needs. But friends of mine who were able to use plex by just making an account but now they cant because of course there is no relay server etc. I’ll have to think of a way to make it available to them (easily!) without putting my network at risk.
That is pretty much how I imagined it. Sadly, its A TON of work. I have most of this set up in many VPSs for both me and customers (with other services of course) and I can imagine its probably the best solution. I still hate my life when thinking of implementing it. :D I bet its gonna be easier than I think but you may get my point here. Thank you very much for sharing.
Hell I know what you mean, it was so much trial and error until it worked, hence this guide/template to help others. Plus at some point it feels more like work than a hobby 😅
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there’s an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user’s private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That’s how LastPass got nuked I hear.
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don’t contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on ‘allowed’ requests in fail2ban but this is bridle because requests might change with different versions.
Mine is public, but I block every state but the one all of my users live in(family) and I never get unwanted visitors. Couldn’t say the same if I lived in NY or CA.
If they have static IP addresses, you may be able to whitelist them in your proxy, or maybe there’s some sort of dyndns client/relay software you can run if their ips change.
yeah, thanks. but thats not gonna work for me. i live in a big city and none of us (me and my server included) have static IPs nor am I gonna get them (at all) and I dont want to pay for them either (because ISPs here want you to pay for them). in any case, thanks for trying to suggest something. it might help someone else who has a different setup. :)
haui_lemmy@lemmy.giftedmc.com 8 months ago
Thats not what I meant. I of course have wireguard set up for administration and my own streaming needs. But friends of mine who were able to use plex by just making an account but now they cant because of course there is no relay server etc. I’ll have to think of a way to make it available to them (easily!) without putting my network at risk.
skoell13@feddit.org 8 months ago
This is how I do it: codeberg.org/skjalli/jellyfin-vps-setup
haui_lemmy@lemmy.giftedmc.com 8 months ago
That is pretty much how I imagined it. Sadly, its A TON of work. I have most of this set up in many VPSs for both me and customers (with other services of course) and I can imagine its probably the best solution. I still hate my life when thinking of implementing it. :D I bet its gonna be easier than I think but you may get my point here. Thank you very much for sharing.
skoell13@feddit.org 8 months ago
Hell I know what you mean, it was so much trial and error until it worked, hence this guide/template to help others. Plus at some point it feels more like work than a hobby 😅
rumba@lemmy.zip 8 months ago
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there’s an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user’s private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That’s how LastPass got nuked I hear.
skoell13@feddit.org 8 months ago
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don’t contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on ‘allowed’ requests in fail2ban but this is bridle because requests might change with different versions.
dbtng@eviltoast.org 8 months ago
Thanks. That’s well laid out, straightforward. I have resources at home that I want to share. This is a good blueprint.
Vanilla_PuddinFudge@infosec.pub 8 months ago
Mine is public, but I block every state but the one all of my users live in(family) and I never get unwanted visitors. Couldn’t say the same if I lived in NY or CA.
If they have static IP addresses, you may be able to whitelist them in your proxy, or maybe there’s some sort of dyndns client/relay software you can run if their ips change.
haui_lemmy@lemmy.giftedmc.com 8 months ago
yeah, thanks. but thats not gonna work for me. i live in a big city and none of us (me and my server included) have static IPs nor am I gonna get them (at all) and I dont want to pay for them either (because ISPs here want you to pay for them). in any case, thanks for trying to suggest something. it might help someone else who has a different setup. :)
Vanilla_PuddinFudge@infosec.pub 8 months ago
Welp, I guess they’ll just have to start their own servers or you’ll have to get out your credit card. Pity.