How to secure Jellyfin hosted over the internet?

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨lambda@programming.dev⁩ to ⁨selfhosted@lemmy.world⁩

I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

source

Comments

Sort:hotnew top

dan@upvote.au ⁨3⁩ ⁨weeks⁩ ago
Is it just you that uses it, or do friends and family use it too?

The best way to secure it is to use a VPN like Tailscale, which avoids having to expose it to the public internet.

source
- paequ2@lemmy.today ⁨3⁩ ⁨weeks⁩ ago
  
  if the cameras don’t load, open Tailscale and make sure it’s connected
  
  I’ve been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it’s an extra thing you have to manage.
  
  It’s almost annoying enough to make me want to host my services on the actual internet… almost… but not yet.
  
  source
  - Lem453@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can’t stay open.
    
    source
    -> View More Comments
  - Byter@lemmy.one ⁨3⁩ ⁨weeks⁩ ago
    If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I’ve used this on stock Pixel and GrapheneOS.
    
    Under Settings > Network and internet > VPN
    
    Tap the Cog icon next to Tailscale and select Always-on VPN.
    
    source
    -> View More Comments
  - loutr@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    Look up your phone on dontkillmyapp.com and make sure tailscale is excluded from battery and network “optimization”.
    
    source
  - kalkhas@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    Have you tried disabling battery optimization for tailscale?
    
    source
    -> View More Comments
  - dan@upvote.au ⁨3⁩ ⁨weeks⁩ ago
    Yeah my wife and I are both on Android, and I haven’t been able to figure out why it does that.
    
    The Android client is open-source so maybe someone could figure it out. github.com/tailscale/tailscale-android
    
    source
    -> View More Comments
  - fmstrat@lemmy.nowsci.com ⁨3⁩ ⁨weeks⁩ ago
    Try WG Tunnel instead. It will reconnect on loss, but you lose the Tailscale features (no big deal with dynamic DNS)
    
    source
  - 0x0@programming.dev ⁨3⁩ ⁨weeks⁩ ago
    Maybe headscale will do better?
    
    source
    -> View More Comments
skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
My setup:

Locally (all in docker) ** JF for managing and local access ** JF with read only mounted volumes that uses the network of my Wireguard client container ** Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)

VPS (Oracle Cloud free tier) ** Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to) ** fail2ban to block IPs that try to bruteforce credentials ** Wireguard server

So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.
source
- CarlosSpicyWiener@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  I am interested in your docker compose
  
  source
  - skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    Will share this evening after work.
    
    source
  - skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
    
    source
    -> View More Comments
- lambda@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  I’m more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?
  
  source
  - skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    It’s a separate container, currently in the process of writing everything up, will update once done
    
    source
    -> View More Comments
- Enceladus@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
  This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
  
  source
  - skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    I am currently in the ptocess to document my docker fioes and upload them to codeberg with a readme, it takes a bit, will let you know once I am done
    
    source
  - skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
    
    source
    -> View More Comments
Rookeh@startrek.website ⁨3⁩ ⁨weeks⁩ ago
For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice.

For full access including native clients, set up a VPN.

source
- lambda@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  I use Tailscale right now. Which, in fairness, I didn’t state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.
  
  source
  - Rookeh@startrek.website ⁨3⁩ ⁨weeks⁩ ago
    Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn’t look like it will be implemented any time soon. As with many OSS projects it is probably a case of “you want it, you build it” - but nobody has actually stepped up.
    
    source
borax7385@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy

source
- nullPointer@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  also have jellyfin disable the account after a number of failed logins.
  
  source
drmoose@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
Tailscale is awesome. Alternatively if you’re more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.

source
- irmadlad@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.
  
  source
- SpaceCadet@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
  
  all you need is to get a static IP for your home network
  
  Don’t even need a static IP. Dyndns is enough.
  
  source
softcat@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they’re in. Then just their username and password on jellyfin.

source
- Dhs92@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  Doesn’t streaming media over a cloudflare tunnel/proxy violate their ToS
  
  source
  - guy@piefed.social ⁨3⁩ ⁨weeks⁩ ago
    🤫
    
    source
  - Dave@lemmy.nz ⁨3⁩ ⁨weeks⁩ ago
    No, they removed that clause some 2 or 3 years back.
    
    source
  - softcat@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    They prohibit large amounts of media being streamed, and they reserve the right to suspend or terminate accounts for it. Multiple years in, that has not happened.
    
    source
    -> View More Comments
- ftbd@feddit.org ⁨3⁩ ⁨weeks⁩ ago
  I hate the cloudflare stuff making me do captchas or outright denying me with a burning passion. My fault for committing the heinous crime of using a VPN!
  
  source
  - softcat@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    Skill issue
    
    source
- Netrunner@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  Using cloudflare means nothing is encrypted and cloudflare sees all.
  
  source
  - softcat@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    Oh no they’ll see I’m watching TNG
    
    source
- rice@lemmy.org ⁨3⁩ ⁨weeks⁩ ago
  just run wireguard on the jelly server…
  
  source
  - softcat@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    My users aren’t going to figure that out.
    
    source
    -> View More Comments
  - jagged_circle@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
    Can’t use double VPN on mobile.
    
    source
gagootron@feddit.org ⁨3⁩ ⁨weeks⁩ ago
I use good ol’ obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works. And since i don’t post my valid urls anywhere no web-scraper can find them. This filters out 99% of bots and the rest are handled using authelia and crowdsec

source
- andreluis034@bookwormstory.social ⁨3⁩ ⁨weeks⁩ ago
  Are you using HTTPS? It’s highly likely that your domains/certificates are being logged for certificate transparency. Unless you’re using wildcard domains, it’s very easy to enumerate your sub-domains.
  
  source
- sludge@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
  
  And since i don’t post my valid urls anywhere no web-scraper can find them
  
  You would, ah… be surprised. My website isn’t published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.
  
  source
  - gagootron@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    Of course i get a bunch of scanners hitting ports 80 and 443. But if they don’t use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there
    
    source
    -> View More Comments
- ocean@lemmy.selfhostcat.com ⁨3⁩ ⁨weeks⁩ ago
  That’s not how web scrappers work lol. No such thing as obscurity except for humans
  
  source
  - gagootron@feddit.org ⁨3⁩ ⁨weeks⁩ ago
    It seems to that it works. I don’t get any web-scrapers hitting anything but my main domain. I can’t find any of my subdomains on google.
    
    Please tell me how you believe that it works. Maybe i overlooked something…
    
    source
    -> View More Comments
- Nibodhika@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  If you’re using jellyfin as the url, that’s an easily guessable name, however if you use random words not related to what’s being hosted chances are less, e.g. salmon.example.com . Also ideally your server should reply with a 200 to * subdomains so scrappers can’t tell valid from invalid domains. Also also, ideally it also sends some random data on each of those so they don’t look exactly the same. But that’s approaching paranoid levels of security.
  
  source
jagged_circle@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.

So first I have to auth into that site with basic auth, then I load jellyfin on the other port.

source
- Overboard8171@startrek.website ⁨3⁩ ⁨weeks⁩ ago
  I don’t understand how that isn’t widely deployed. I call it poor man’s Zero Trust.
  
  source
  - jagged_circle@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
    I mean I’d rather jellyfin fix the bug and let me just put that behind basic auth
    
    source
sludge@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
I use Pangolin (github.com/fosrl/pangolin)

source
- jagged_circle@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
  URL is 404
  
  source
  - ThetaDev@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
    remove the brace at the end
    
    source
  - sludge@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    It’s not, though?
    
    source
- darkknight@discuss.online ⁨3⁩ ⁨weeks⁩ ago
  I was thinking of setting this up recntly after seeing it on Jim’s garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
  
  source
  - sludge@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    I use it for all of my external services. It’s just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
    
    source
- doeknius_gloek@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
  Uhh, interesting! Thanks for sharing.
  
  source
SpaceCadet@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
What I used to do was: I put jellyfin behind an nginx reverse proxy, on a separate vhost (so on a unique domain). Then I added basic authentication (a htpasswd file) with an unguessable password on the whole domain. Then I added geoip firewall rules so that port 443 was only reachable from the country I was in. I live in small country, so this significantly limits exposure.

Downside of this approach: basic auth is annoying. The jellyfin client doesn’t like it … so I had to use a browser to stream.

Nowadays, I put all my services behind a wireguard VPN and I expose nothing else. Only issue I’ve had is when I was on vacation in a bnb and they used the same IP range as my home network :-|

source
Kusimulkku@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
I’ve put it behind WireGuard since only my wife and I use it. Otherwise I’d just use Caddy or other such reverse proxy that does https and then keep Jellyfin and Caddy up to date.

source
Batman@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)

Tailscale funneled Jellyfin Keycloak (adminless)

Private Tailscale Keycloak admin Postgres dB

I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.

source
- lambda@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?
  
  source
  - Batman@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    I’d say it’s nearly as secure as basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.
    
    source
    -> View More Comments
KingThrillgore@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
Use a VPN like Tailscale

source
LainTrain@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
OpenVPN

source
- Evil_Shrubbery@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
  Or wireguard, depending where & how they want to implement it might be sampler or better/worse on hardware.
  
  source
ocean@lemmy.selfhostcat.com ⁨3⁩ ⁨weeks⁩ ago
You could put authentik in front of it too

source
- exu@feditown.com ⁨3⁩ ⁨weeks⁩ ago
  I think that breaks most clients
  
  source
  - ocean@lemmy.selfhostcat.com ⁨3⁩ ⁨weeks⁩ ago
    ? How does putting something before it break it? It most certainly doesn’t.
    
    source
    -> View More Comments
  - Svinhufvud@sopuli.xyz ⁨3⁩ ⁨weeks⁩ ago
    Yes, it breaks native login, but you can authenticate with Authentik on your phone for example, and use Quick connect to authorize non-browser sessions with it.
    
    source
fennec@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
Whats your setup? I just Ngnix Proxy Manager, Jellyfin etc in Docker. Modify ufw rules and also install this on the server (linux) github.com/friendly-bits/geoip-shell

source
GreenKnight23@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
[deleted]
source
- lambda@programming.dev ⁨3⁩ ⁨weeks⁩ ago
  WAF??
  
  source
geography082@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
My setup is: Proxmox - restricted LXC running docker which runs jellyfin, tailscale funnel as reverse proxy and certificate provider. So so don’t care about jellyfin security, it can get hacked / broken , its an end road. If so i will delete the LXC and bring it up again using backups. Also i dont think someone will risk or use time to hack a jellyfin server. My strategy is, with webservices that don’t have critical personal data, i have them isolated in instances. I don’t rely on security on anything besides the firewall. And i try not to have services with personal sensitive data, and if i do, on my local lan with the needed protections. If i need access to it outside my local lan, vpn.

source
Mubelotix@jlai.lu ⁨3⁩ ⁨weeks⁩ ago
Jellyfin is secure by default, as long as you have https. Just chose a secure password

source
- doeknius_gloek@discuss.tchncs.de ⁨3⁩ ⁨weeks⁩ ago
  No, it isn’t.
  
  source
Hawk@lemmynsfw.com ⁨3⁩ ⁨weeks⁩ ago
Wireguard (or tailscale) would be best here.

source
SplashJackson@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
Mostly via empty threats

source
CapitalNumbers@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
So i’ve been trying to set this up this exact thing for the past few weeks - tried all manner of different Nginx/Tailscale/VPS/Traefik/Wireguard/Authelia combos, but to no avail

I was lost in the maze

However, I realised that it was literally as simple as setting up a CloudFlare Tunnel on my particular local network I wanted exposed (in my case, the Docker network that runs the JellyFin container) and then linking that domain/ip:port within CloudFlare’s Zero Trust dashboard

And you can even set up what looks like pretty robust authentication (2FA, limited to only certain emails, etc)

Not sure what your use case is, but as mine is shared with only me and my partner, this worked like a charm

source
- chriscrutch@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
  I’m pretty sure that using Jellyfin over Cloudflare tunnels is against their TOS, just FYI. I’m trying to figure out an alternative myself right now because of that.
  
  source
- vodka@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
  Pay attention to your email, when cloudflare decides to warn you for this (they will, it’s very very much against TOS) they’ll send you an email, if you don’t remove the tunnel ASAP, your entire account will be terminated.
  
  source
jagged_circle@feddit.nl ⁨3⁩ ⁨weeks⁩ ago
Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.

Best thing is to not. Put it on your local net and connect in with a vpn

source
- satans_methpipe@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  I’m not experiencing that bug. My reverse proxy is only accessed locally at the moment though. I did have to play with headers a bit in nginx to get it working.
  
  source