If it doesn’t have to be exposed, then it shouldn’t be exposed. A Webserver should be exposed: Nginx and co are working on it for decades. Jellyfin on the other hand is a much smaller project, and chances for security issues are significantly higher.
Comment on Round Two: Can I manage to set up Jellyfin correctly this time?
dgdft@lemmy.world 2 days ago
Assuming you’ve forwarded ports 80 & 443 on your router, that’ll do just fine.
Speaking as a hacker and SWE, the cringelords telling you that exposing Jellyfin is some major liability are LARPers who don’t know what they’re talking about.
littleomid@feddit.org 1 day ago
dgdft@lemmy.world 1 day ago
Did you read the thread body? Op is using Caddy to reverse proxy.
The smoothbrain top comment is claiming that Jellyfin “wasn’t designed to be exposed to the internet” AT ALL, reverse proxy or not. You’re poking at a strawman here, and putting words in my mouth that I didn’t say.
littleomid@feddit.org 1 day ago
How does reverse proxy help with security? Reverse proxy is mostly there for the convenience.
ITGuyLevi@programming.dev 1 day ago
Umm… Not sure if you are serious but knowledge is meant to be shared so… A reverse proxy isn’t really for convenience, it sits between two networks and proxies traffic according to specific rules. It also has the benefit of masking the origin server a bit (like its IP) and in a lot of cases can be used as a way to ensure traffic going to a server or service that doesn’t support transport encryption actually transverses the internet within a secure tunnel.
dgdft@lemmy.world 1 day ago
Sorry, I assumed you were intelligent and sanewashed your comment.
I assumed you were talking about the fact that internal web servers that services like Jellyfin run are often DoSable without a proxy.
Jellyfin is quite literally a web app and perfectly safe to host on the web. Wanna prove me wrong? I’ll happily spin up an instance and throw a $500 bounty on there for you.
compostgoblin@lemmy.blahaj.zone 2 days ago
Haha okay, thanks! And I’d just forward ports 80 and 443 from the router to ports 80 and 443 on the Pi’s internal IP address in the router settings, right?
dgdft@lemmy.world 2 days ago
Yeah, you’ll probably want to give your Pi a static internal IP too, but the details for that will depend on the specifics of your router and network.
Onomatopoeia@lemmy.cafe 2 days ago
Meh, I won’t expose ports anymore - last time I did I had someone hammering on it hard enough to slow my consumer router.
I closed the port and would still have someone hammer it occasionally for months, hoping the port was still open.
compostgoblin@lemmy.blahaj.zone 2 days ago
Just for my own education, if you don’t mind - how were you able to tell someone was hammering on the port if it was closed? Would fail2ban have been an option to stop them?
frongt@lemmy.zip 2 days ago
Firewalls can log dropped packets.
dgdft@lemmy.world 2 days ago
Yeah, fair point — I was only talking RCE.
That’s a real risk if you get hit by a lazy stuffing script, and I personally SSH tunnel my self-hosted to a public VPS to avoid that sorta thing.
@Op, if you do notice slowdowns for your whole network & suspicious noise in your Jellyfin logs, the easy move is to configure fail2ban and ask your ISP to rotate your router’s IP for you.