Comment

Comment on Round Two: Can I manage to set up Jellyfin correctly this time?

frongt@lemmy.zip ⁨7⁩ ⁨months⁩ ago

I still don’t recommend putting jellyfin on the Internet. It’s not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.

5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.

source

Sort:hotnew top

FreedomAdvocate@lemmy.net.au ⁨7⁩ ⁨months⁩ ago

It’s not designed for it

Yet everyone in here tells everyone to switch from Plex, which is designed for it, to jellyfin lol

source
- Auli@lemmy.ca ⁨7⁩ ⁨months⁩ ago
  Only one of these software has lead to someone hacking into someone’s computer.
  
  source
  - FreedomAdvocate@lemmy.net.au ⁨7⁩ ⁨months⁩ ago
    You have no idea how many breaches jellyfin has been the cause of lol
    
    source
- metaStatic@kbin.earth ⁨7⁩ ⁨months⁩ ago
  I prefer security vulnerabilities I can manage to privacy ones I cannot.
  
  source
  - FreedomAdvocate@lemmy.net.au ⁨7⁩ ⁨months⁩ ago
    What privacy vulnerabilities are you talking about exactly?
    
    source
    FreedomAdvocate@lemmy.net.au ⁨7⁩ ⁨months⁩ ago
    6 downvotes and no answers. Not a single one. Interesting.
    
    source
compostgoblin@lemmy.blahaj.zone ⁨7⁩ ⁨months⁩ ago
Thanks for the tip! I’ll back the refresh rate off to be safe.

I’m not sure I entirely understand your concern about putting Jellyfin on the internet. A large part of my interest in selfhosting is being able host my own music library, my own cloud storage, etc, and access it as an alternative to Spotify or Google Drive. Doesn’t that inherently mean that they need to be on the internet, if I want to be able to access them when I’m away from home?

My goal has been to find a way to do that safely, but if that’s not possible, that’s good to know too, so I don’t keep trying to do the impossible.

source
- DreamlandLividity@lemmy.world ⁨7⁩ ⁨months⁩ ago
  I just finished refining my Jellyfin setup. I use caddy as reverse proxy and use authelia as authentication in front of Jellyfin. This way only users logged in to authelia can access my Jellyfin. And there is an SSO plugin for jellyfin to avoid double login. The tricky part was getting apps to work.
  
  source
- dogs0n@sh.itjust.works ⁨7⁩ ⁨months⁩ ago
  It’s honestly just a matter of how much risk you are comfortable with for using jellyfin on the open internet.
  
  (If i remember correctly:) The unauthenticated routes thing can only be used for streaming your content without a login (if you can guess the contents ids on your server I believe).
  
  In my opinion, it’s not worth the hassle of using a vpn because I don’t think this risk is worth mitigating with one.
  
  But everyone has their own personal risk assesment of course.
  
  source
  - frongt@lemmy.zip ⁨7⁩ ⁨months⁩ ago
    Yes, those are the known vulnerabilities. We don’t know how many unknown vulnerabilities could be discovered in the future.
    
    source
    Auli@lemmy.ca ⁨7⁩ ⁨months⁩ ago
    And are these the ones they let people see what media I have or are there any serious ones?
    
    source
    ITGuyLevi@programming.dev ⁨7⁩ ⁨months⁩ ago
    At least we are more likely to hear about them than we would for PMS. Quickest way to find vulnerabilities is to have as many eyes as possible on it, if you only let the 20 devs you employ look a lot can be missed. Just my opinion though.
    
    source
    dogs0n@sh.itjust.works ⁨7⁩ ⁨months⁩ ago
    Unfortunately no software exists that is fully perfect in this regard (any program could have multiple bugs just waiting to be found), but jellyfin being open source puts it in a better situation for finding vulnerabilities sooner.
    
    source
- AbidanYre@lemmy.world ⁨7⁩ ⁨months⁩ ago
  Wireguard or tailscale are much better ways of accessing jellyfin from outside your network.
  
  source
  - compostgoblin@lemmy.blahaj.zone ⁨7⁩ ⁨months⁩ ago
    What if I want a bunch of people to be able to log into my library via Finamp?
    
    source
    cyberwolfie@lemmy.ml ⁨7⁩ ⁨months⁩ ago
    I use Nginx Proxy Manager and whitelist my remote users. They all have static IPs though, so its a workable solution for me.
    
    Before I used a whitelist I would go through the access logs, and could never find any attempts to exploit the endpoints - only some random bots trying to find some admin page assuming it was another service. Not saying you shouldn’t take it seriously, but you are likely not subject to these attacks the moment you expose it.
    
    That said, there is a discussion about these endpoints on their repo. At some point they will be fixed (my impression is that they are hampered by legacy Emby code). When they do, you could do this more securely.
    
    source
    ExperiencedWinter@lemmy.world ⁨7⁩ ⁨months⁩ ago
    I highly recommend Tailscale, you can share machines/services with unlimited friends on the free tier, and all of the actual auth stuff is handled by someone who isn’t me.
    
    source
    frongt@lemmy.zip ⁨7⁩ ⁨months⁩ ago
    Provide them with VPN access. If that’s too much for them, then they don’t get access. Tough. On the scale of security vs convenience, that’s nothing.
    
    If you really really want, you should at least see if you can put a WAF in front, and put the server itself somewhere it doesn’t have access to the rest of your network (a DMZ) so that if and when it gets hacked, it doesn’t compromise the entire network.
    
    source
    FreedomAdvocate@lemmy.net.au ⁨7⁩ ⁨months⁩ ago
    You use plex instead.
    
    source
    -> View More Comments