Comment on Your fav guide/method for securing Jellyfin?
glizzyguzzler@piefed.blahaj.zone 1 day ago
Reading jellyfin’s issues it’s clear it’s web ui and API cannot be allowed to talk to the general internet.
I’d push for a VPN solution first. Tailscale or wireguard. If you’re happy with cloudflare sniffing all traffic and that they make take it away suddenly someday use their tunnel with authentication.
The only other novel solution I’d suggest is putting jellyfin behind an Authentik wall (not OIDC, though you can use OIDC for users after the wall). That puts security on Authentik, and that’s their only job so hopefully that works. I’d use that if VPN (tailscale or wireguard) are problematic for access. The downside is that jellyfin apps will not be able to connect, only web browsers that can log into the Authentik web ui wall.
Flow would go caddy/other reverse proxy -> Authentik wall for jellyfin -> jellyfin
I’d put everything in docker, I’d put caddy and Authentik in a VM for a DMZ (incus + Zabbly repo web ui to manage the VM), I’d set all 3 in the compose to read-only, user:####:####, cap-drop all, no new privileges, limited named networks.
Podman quadlets would be even better security than docker, but there’s less help for that (for now). Do docker and get something working to start, then grow from there
Thanks for your comment. There are several things/products/methods you mention that I’m not familiar with and/or don’t understand:
Authentik Wall OIDC DMZ Incus Zabbly “in the compose” cap-drop all Podman quadlets
As I mentioned, I’m new here. I could just put each of these in duckduckgo in succession, but do you have a particular guide or link that describes any of this for someone less familiar with the process than yourself?
The general jist is, do not expose Jellyfin to the internet. Neither via a port nor through a reverse proxy. Its simply not build secure enough for that.
Use docker to make the setup easier, then use tailscale or whatever VPN solution to allow users from outside your network to access it.
All of the additional authentication solutions mentioned break client compatibility. Then you could only watch through a browser.
Install docker, deploy Jellyfin to it, test it. They both have good guides on their respective websites.
Other user summarized very well.
No I have accrued knowledge of those things over time, no one stop shop that I know of. But knowing these things exist and their general use are half the battle!
I was lazy with the “Authentik wall” because I couldn’t remember what they called it. It is the “proxy” option in their “provider” section https://docs.goauthentik.io/add-secure-apps/providers/proxy/ . There are many guides for Authentik at least, it’s complicated but you only need to do specific things for it to work - and most tell you and the rest are applicable via matching similar looking things.
OIDC is an open login protocol many things support. I think jellyfin can use it with a plugin, but keep in mind that regular user creation still exists so it’s not a security and convenience feature like for most things, it’s just a convenience feature.
DMZ is de militarized zone. I used the acronym to mean a gap between your system and a system that deals directly with the outside Internet. That gap is the VM separation. LXC containers and docker containers do not have that separation, I deploy Internet-facing stuff in a VM as extra insurance in case they get zero-day-hacked; it means the rest of my server will hopefully not get ransomwared.
Incus is an alternative to proxmox, but less needy since it doesn’t require its own Linux kernel. Zabbly is a package source (vs built-in Debian sources) that has the web ui in it. See their documentation for installation, it tells you how to add the Zabbly package; use the “stable” version if you do use incus.
“In the compose” means in the docker-compose.yml file.
‘Cap-drop: all’ is an entry you can make in the docker-compose file. It increases security. All of the ones I listed are entries you can add to the docker-compose file. You’ll likely need a
tmpfs:
/tmp
In the compose file you use read only.
Podman is the superior alternative to docker, and Podman quadlets are a way to deploy containers (they have a couple ways, like docker does - you don’t need a docker-compose.yml file to run docker containers). But it’s new and doesn’t have the community knowledge support via searching like docker does.
Hope that helps!
Thats very helpful, thank you!
I’m working on deploying Client side certificates that are validated by Caddy
I’ve been thinking about using client-side certificates that are validated by Caddy to bypass the Authentik wall (proxy provider) I use. I’ll give it a shot some time, it’s a good idea
I am not familiar with deploying client side certificates unfortunately. I hope it works, if the certificate is at the OS level and the application will use it, I feel it will work… not sure, in-browser feels straight forward at least
jjlinux@lemmy.zip 1 day ago
This is absolutely critical. Jellyfin is not made with security as an important factor.