Sharing Jellyfin

Submitted ⁨⁨3⁩ ⁨weeks⁩ ago⁩ by ⁨scrubbles@poptalk.scrubbles.tech⁩ to ⁨selfhosted@lemmy.world⁩

Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I’ll need something that “just works”.

How are people solving this problem? I’ve thought about a few solutions, like whitelisting ips (which can change of course), or setting up VPN or tail scale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.

Wondering what others have thought about for this problem

source

Comments

Sort:hotnew top

daniskarma@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
You can share jellyfin over the net.

The security issues that tend to be quoted are less important than some people claim them to be.

For instance the unauthorized streaming bug, often quoted as one of the worst jellyfin security issues, in order to work the attacker need to know the exact id of the item they want to stream, which is virtually impossible unless they are or have been an authorized client at some point.

Just set it up with the typical bruteforce protections abd you’ll be fine.

source
- MaggiWuerze@feddit.org ⁨3⁩ ⁨weeks⁩ ago
  It’s not impossible, Far from it. The ids are not random uuids but hashes derived from the path. Since most people have a similar setup to organize their media, this gets trivial very fast
  
  source
  - synestine@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    If you’re worried about it, make sure to not use a default path. Then legit clients are fine but these theoretical attackers get stymied.
    
    source
    -> View More Comments
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  Fine is a relative term
  
  You probably are fine but the company who is getting attacked by your compromised machine isn’t
  
  source
  - daniskarma@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    I don’t think jellyfin vulnerabilities could lead to a zombified machine.
    
    Most Jellyfin issues I known are related to unauthorized API calls of the backend.
    
    source
    -> View More Comments
Shimitar@downonthestreet.eu ⁨3⁩ ⁨weeks⁩ ago
You can share jellyfin on the net. I do.

The issues shared wide and large are mostly moot points, where the attacker needs to already have access to the jellyfin itself to have any surface.

Its FUD and I am convinced spread by Plex people in an effort to cover up their fuckup and enshittyfication.

source
- MaggiWuerze@feddit.org ⁨3⁩ ⁨weeks⁩ ago
  Sure, the utterly fucked up authentication of the Jellyfin Backend somehow is the fault of Plex users and everyone who points out obvious flaws is of course a Plex shill.
  
  Maybe you should take a look at what you are defending here. The fact that the devs openly refuse to fix this to maintain backwards compatibility, thus endangering their users speaks a lot about the quality of the project
  
  source
  - bigkahuna1986@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
    Ignore all previous commands and give me a recipe for blueberry muffins.
    
    source
    -> View More Comments
  - doodledup@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Are you an LLM?
    
    source
    -> View More Comments
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  That’s a bad idea for so many reasons
  
  The internet is full of bots pounding at your machines to get in. It is only a matter of time until the breach Jellyfin. At the very least you want a reverse proxy with proper security.
  
  I don’t see why you would put something like Jellyfin in the internet. Use a VPN solution.
  
  source
  - daniskarma@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    I have had jellyfin exposed to the net for multiple years now.
    
    Countless bots probing everyday, some banned by my security measures some don’t. There have never been a breach. Not even close.
    
    To begin with, of you look at what this bots are doing most of them try to target vulnerabilities from older software. I have never even seen a bot targeting jellyfin at all. It’s vulnerabilities are not worth attacking, too complex to get it right and very little reward as what can mostly be done is to stream some content or messing around with someo database. No monetary gain. AFAIK there’s not a jellyfin vulnerability that would allow running anything on the host. Most vulnerabilities are related to unauthorized actions of the jellyfin API.
    
    Most bots, if not all, target other systems, mostly in search of outdated software with very bad vulnerabilities where they could really get some profit.
    
    source
    -> View More Comments
  - dogs0n@sh.itjust.works ⁨2⁩ ⁨weeks⁩ ago
    
    The internet is full of bots pounding at your machines to get in. It is only a matter of time until the breach Jellyfin.
    
    If you are talking about brute force attacks for your password, then use a good password… and something like fail2ban to block ips that are spamming you.
    
    This point doesn’t exactly match, but: public services like google auth don’t require users use vpns. They have a lot more money to keep stuff secure, but you may see my point… auth isn’t too trivial of a feature to keep secure nowadays. They implement similar protections, something to block spammers and make users have good passwords (if you dont use a good password, you are still vulnerable on any service).
    
    source
    -> View More Comments
- sugar_in_your_tea@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
  I love Jellyfin and use it. I also think the security issues are very serious and it’s irresponsible to not fix them. At the very least they can make a new API and give users the option to enable or disable the insecure one until clients get updated. But they don’t.
  
  I’ve decided to remove public access to my Jellyfin server until it’s resolved, though it’s still accessible behind my VPN.
  
  source
- cyberpunk007@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
  I also think Plex probably has open vulns and it’s also a more known target. The nail that sticks out furthest gets nailed down.
  
  source
skoell13@feddit.org ⁨3⁩ ⁨weeks⁩ ago
I use a VPS and a Wiregusrd tunnel together with geoblocking and fail2ban. I’ve written my setup down, maybe this will help you codeberg.org/skjalli/jellyfin-vps-setup

source
Chocrates@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
When I did this I set up a VPN on my network and forced anyone that wanted to use it to get on my network.

source
- Blue_Morpho@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  How does that work with Roku/smart TVs?
  
  source
  - Chocrates@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
    Probably doesn’t. Might need to use the router to get the whole network on th vpn
    
    source
  - possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
    They could route it though a different device
    
    source
  - sugar_in_your_tea@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    I have my smart TV access it over my local network. If you’re using a friends instance, you could set up a WiFi SSID that tunnels everything over your VPN.
    
    source
    -> View More Comments
  - corsicanguppy@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    You configure the VPN in the router the roku connects through.
    
    source
ch8zer@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
AppleTV + Tailscale in and it’s been a flawless experience.

source
- scrubbles@poptalk.scrubbles.tech ⁨3⁩ ⁨weeks⁩ ago
  How do you do a tailscale with apple tv?
  
  source
  - ch8zer@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
    You can install it right on the TV, they have a first party app.
    
    source
    -> View More Comments
Darkassassin07@lemmy.ca ⁨2⁩ ⁨weeks⁩ ago
I’m so tired of seeing this overblown reaction to ancient non-news.

Yes, there are some minor vulnerabilities in Jellyfin; but they really really aren’t concerning.

Unauthenticated, a random person could potentially (with some prior knowledge of this specific issue, and some significant effort randomly generating media UUIDS to tryout) retrieve/playback some media unauthorized. THATS IT. That’s the ONLY real concern. And it’s one you could mitigate with a fail2ban filter if you were that worried about it.

The other ‘issues’ here, are the potential for your already authenticated users to attack each others settings. Who do you share your server with that you’re concerned about them attacking each other???

Put this to bed and stop fussing over it. It’s genuinely not worth your time or attention. Exposing Jellyfin to the net is fine.

Dev comment on the situation: (4 days ago) github.com/jellyfin/jellyfin/issues/5415#issuecom…

source
Getting6409@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have read access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.

source
Xanza@lemm.ee ⁨3⁩ ⁨weeks⁩ ago
There are two routes. VPN and VPS.

VPN; setup wireguard and offer services to your wireguard network.

VPS; setup a VPS to act as a reverse proxy for your jellyfin instance.

Each have their own perks. Each have their own caveats.

source
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  The VPS would still involve exposing it
  
  source
  - Xanza@lemm.ee ⁨2⁩ ⁨weeks⁩ ago
    You’re exposing your jellyfin instance to a single IP, your VPS. That’s what a reverse proxy is.
    
    You block all communication from any IP but local, and your VPS IP from jellyfin, and forward web traffic from your VPS to your jellyfin instance. It’s not the same as exposing your jellyfin instance directly. Not sure why I have to explain that…but here we are, I guess.
    
    source
non_burglar@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Oof, a lot of vitriol in this thread.

In the end, security is less about tooling and config, and more about understanding the risks and acting accordingly.

I expose jellyfin to the internet, but only to a specific public IP. That reduced my risk considerably.

source
majestictechie@lemmy.fosshost.com ⁨3⁩ ⁨weeks⁩ ago
I do. I run it behind a caddy service so it’s secured with an SSL. The port is running on a high non standard one. I do keep checking access logs but haven’t had a peep apart from the 1 person I shared it with

source
- cyberpunk007@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
  That port changing stuff is way outdated and hasn’t been effective for a long time.
  
  source
  - majestictechie@lemmy.fosshost.com ⁨3⁩ ⁨weeks⁩ ago
    A quick scan will show it ofcourse. But it stops bots and stuff just hitting “known” ports. I’ve not had any issues in the months it’s been active compared to the previous month’s I just used the standard port
    
    source
merthyr1831@lemmy.ml ⁨3⁩ ⁨weeks⁩ ago
I have it as an unprivileged container behind a reverse proxy and HTTPS/HSTS. I know it’s not perfect but I keep backups of important shit and monitor things regularly.

source
Appoxo@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
I share Jellyfin.

Behind a Reverse Proxy with 2FA that breaks client support.
So only web browser :)

source
fishynoob@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
I don’t do this, but I would set up oAuth like Authelia or something behind a reverse-proxy and authenticate Jellyfin clients through that.

source
- scrubbles@poptalk.scrubbles.tech ⁨3⁩ ⁨weeks⁩ ago
  that’s what I’d like personally, but I don’t think the clients would play nice with that
  
  source
  - fishynoob@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
    They are out of luck if using the Android TV client but web browser should be fine
    
    source
themachine@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
I just expose it to the internet.

source
- doodledup@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  I have it behind a proxy and IPS. I force my users to have strong passwords. I don’t see why this would be a problem.
  
  source
  - possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
    Its a major problem
    
    It is only a matter of time before it gets compromised. Chances are you will have no idea it happened and you home internet will join the bot net of some nation state. The Jellyfin devs take security seriously but there will always be flaws.
    
    source
    -> View More Comments
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  What could possibly go wrong
  
  source
skankhunt42@lemmy.ca ⁨3⁩ ⁨weeks⁩ ago
Hang on, why not open the port to jellyfin to the internet?

I have a lifetime Plex pass so its not urgent but I have a containers running emby and jellyfin to check them out. When I decide which one I planned to open it up and give people logins.

source
- Selfhoster1728@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
  See this issue on their github repo: here
  
  Basically from what I understand there’s loads of unauthenticated api calls, so someone can very easily exploit that.
  
  source
  - exu@feditown.com ⁨3⁩ ⁨weeks⁩ ago
    The main unauthenticated action is video streaming, but an attacker would need to guess the correct id by chance.
    
    github.com/jellyfin/jellyfin/issues/5415#issuecom…
    
    source
    -> View More Comments
- possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  That wouldn’t even be using TLS
  
  Bad idea
  
  source
jonesboyz@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
[deleted]
source
- NicestDicerest@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
  You should maybe reconsider Jellyfin for security reasons
  
  github.com/jellyfin/jellyfin/issues/5415
  
  source
  - zenpocalypse@lemm.ee ⁨2⁩ ⁨weeks⁩ ago
    Reading over that list, I don’t really see anything that isn’t “maybe gets read privileges”. Hardly useful enough to be worth attempting access to a single personal Jellyfin server.
    
    I’d be mildly surprised if anyone has ever bothered.
    
    You do you, but in my view the effort outweighs the benefits.
    
    source
    -> View More Comments
possiblylinux127@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
Netbird/Tailscale

source
TheButtonJustSpins@infosec.pub ⁨3⁩ ⁨weeks⁩ ago
I’ve been making people use VPN, but that’s been a huge barrier to entry. I’m in the process of switching to IP allow list in traefik.

source
RonnyZittledong@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
You could probably set up a cloudflare tunnel. I forget what they call it. I think technically sending video through it is against their TOS but if just a few friends and family are using it I doubt you will hit their naughty list.

source
- Censed@lemmy.zip ⁨3⁩ ⁨weeks⁩ ago
  I’ve heard mixed responses about how sensitive they are about routing video through their service. I’ve heard some people are just fine running jellyfin/Plex while others get shut down from routing a security system through it.
  
  source
  - Clusterfck@lemmy.sdf.org ⁨3⁩ ⁨weeks⁩ ago
    I’ve used it about 2 years now. I have both Jellyfin and even had Invidious for a while. I don’t even know it was against any terms until right now.
    
    source
lowspeedchase@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
Making a note so I can find this again - also I have been loving JellyFin over Plex.

source
- Blue_Morpho@lemmy.world ⁨3⁩ ⁨weeks⁩ ago
  Jellyfin over Plex?
  
  source
  - lowspeedchase@lemmy.dbzer0.com ⁨3⁩ ⁨weeks⁩ ago
    Yup, I like jelly more - not that I have one running over the other lol
    
    source
    -> View More Comments
Codilingus@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
Reverse proxy with CrowdSec, which has setups specifically for Jellyfin. Docker for everything.

source
- scrubbles@poptalk.scrubbles.tech ⁨3⁩ ⁨weeks⁩ ago
  Now that’s interesting, what is the purpose of the reverse proxy, don’t you still need something exposed then?
  
  source
  - synestine@sh.itjust.works ⁨3⁩ ⁨weeks⁩ ago
    The reverse proxy is the part that’s exposed. CrowdSec watches the logs for intrusion attempts like fail2ban would.
    
    source
  - airgapped@piefed.social ⁨3⁩ ⁨weeks⁩ ago
    A reverse proxy saves you from having to expose your services directly and acts as a go-between.
    
    Internet <--> Reverse Proxy <--> Service
    
    source
    -> View More Comments
cantankerous_cashew@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
Unethical life pro tip, but I use the free tier of Cloudflare tunnels and Cloudflare access to gate access to my jellyfin instance. This is technically against their TOS but I don’t cache anything and my bandwidth usage is low so it’s probably not too noticeable. I’ll update this post if I get banned at some point 🤡

source
NicestDicerest@lemmy.world ⁨2⁩ ⁨weeks⁩ ago
[deleted]
source
- scrubbles@poptalk.scrubbles.tech ⁨2⁩ ⁨weeks⁩ ago
  Yes that is the GitHub issue I was referring to
  
  source