What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I just install tailscale at family houses. The limit is 100 machines.
Jellyfin over the internet
Submitted 7 hours ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
https://startrek.website/pictrs/image/6d04a3f3-79ec-44cb-9f2e-926280a658f4.png
Comments
Merlin@discuss.tchncs.de 41 minutes ago
swearengen@sopuli.xyz 1 hour ago
I’m just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.
spacemanspiffy@lemmy.world 56 minutes ago
OpenVPN into my router
Evil_Shrubbery@lemm.ee 4 hours ago
Wireguard.
WhyJiffie@sh.itjust.works 1 hour ago
and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
its not as complicated as it sounds, it’s just a wireguard client, and a reverse proxy like on the main server
xnx@slrpnk.net 2 hours ago
Tailscale
Decipher0771@lemmy.ca 1 hour ago
Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban
oong3Eepa1ae1tahJozoosuu@lemmy.world 7 hours ago
Nginx in front of it, open ports for https (and ssh), nothing more. Let’s encrypt certificate and you’re good to go.
Novi@sh.itjust.works 6 hours ago
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
30p87@feddit.org 6 hours ago
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
oong3Eepa1ae1tahJozoosuu@lemmy.world 5 hours ago
Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
fuckwit_mcbumcrumble@lemmy.dbzer0.com 5 hours ago
Change the port it runs on to be stupid high and they won’t bother.
SapphironZA@sh.itjust.works 2 hours ago
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
WhyJiffie@sh.itjust.works 1 hour ago
I agree, but SSH is more secure than Jellyfin. it shouldn’t be exposed like that, others in the comments already pointed out why
TribblesBestFriend@startrek.website 7 hours ago
Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
dataprolet@lemmy.dbzer0.com 6 hours ago
Take a look at Nginx Proxy Manager and how to set it up. But you’ll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
cm0002@lemmy.world 6 hours ago
Also run the reverse proxy on a dedicated box for it in the DMZ
Ptsf@lemmy.world 3 hours ago
Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
oong3Eepa1ae1tahJozoosuu@lemmy.world 5 hours ago
In a perfect world, yes. But not as a beginner, I guess?
ArsonButCute@lemmy.dbzer0.com 2 hours ago
I use a cloudflare tunnel, ISP won’t give me a static IP and I wanna keep my firewall locked down tight.
JRaccoon@discuss.tchncs.de 5 hours ago
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don’t see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.
In my setup, which I’ve been running for some time, I’ve port-forwarded only Jellyfin’s HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I’ve also changed the default Jellyfin’s default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I’m genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I’m not entirely sure why.
douglasg14b@lemmy.world 1 hour ago
The jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.
Ptsf@lemmy.world 2 hours ago
It’s difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won’t touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they’d like for as long as they’d like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you’re far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I’m not saying exposing jellyfin to the raw web is so risky it shouldn’t be done, but don’t buy into the misconception that it’s even nearly as secure as running a vpn. They’re entirely different classes of security posture and it should be acknowledged that if you don’t have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.
domi@lemmy.secnd.me 3 hours ago
Anyone wanna yell at me for being an idiot and doing everything wrong?
Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
Additionally, you might want to check if Shodan has your Jellyfin instance listed: www.shodan.io
makeitwonderful@lemmy.sdf.org 5 hours ago
It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don’t expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
douglasg14b@lemmy.world 1 hour ago
Fail2ban isn’t going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
catloaf@lemm.ee 2 hours ago
The issue is not encryption, it’s the unauthenticated API. People can interact with your server without an account.
frezik@lemmy.blahaj.zone 5 hours ago
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don’t see the open ports, they move on. Won’t stop a determined attacker, of course, but that’s what other layers are for.
As long as there’s real security otherwise (TLS, good passwords, etc), it’s fine.
If anyone says “that’s a false sense of security”, ignore them. They’ve replaced thinking with a cliche.
Novi@sh.itjust.works 2 hours ago
I don’t disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.
anonion@lemmy.anonion.social 5 hours ago
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don’t want exposed. And then there’s the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that’s only because I’m comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
egonallanon@lemm.ee 5 hours ago
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There’s also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you’re running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you’re hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
BakedCatboy@lemmy.ml 5 hours ago
Imo that’s perfectly fine and not idiotic if you have a static IP, no ISP blocked ports / don’t care about using alt ports, and don’t mind people who find your domain knowing your IP.
I did basically that when I had a fiber line but then I added a local haproxy in front to handle additional subdomains. I feel like people gravitate towards recommending that because it works regardless of the answers to the other questions, even their security tolerance if recommending access only over VPN.
hietsu@sopuli.xyz 6 hours ago
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity :) But good luck for the bots to figure all that out.
VPN is of course the actually secure option, I’d vote for Tailscale.
Alk@sh.itjust.works 6 hours ago
I kept the main domain open, but redirected it to a rickroll
hietsu@sopuli.xyz 4 hours ago
Nice, but the bots may not understand the joke.
And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
TribblesBestFriend@startrek.website 6 hours ago
Look pretty interesting. Do you have guide I could follow ?
hietsu@sopuli.xyz 4 hours ago
Not at hand no, but I’m sure any of the LLMs can guide you through the setup if googling does not give anything good.
Nothing very special about all this, well maybe the subdir does require some extra spells to reverse proxy config.
gravitywell@sh.itjust.works 6 hours ago
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
TwiddleTwaddle@lemmy.blahaj.zone 5 hours ago
I was just trying to get a setup like this going yesterday. I used standard Wiregaurd and got that working between the VPS and home server, but I was trying to set up Caddy as a reverse proxy to direct the incoming traffic through the WG VPN to my services. I wasnt able to figure it out yesterday. Everyone online says Caddy is so simple, but I’m such a noob I just have no idea what it’s doing or how to troubleshoot.
gravitywell@sh.itjust.works 2 hours ago
I havent tried caddy but i might be able to help get it figured out if you wanna chat some time. My contact info is on my website.
No_Bark@lemmy.dbzer0.com 2 hours ago
I’ve also really struggled with Caddy despite everyone saying its so simple. I’m pretty new to all this, but I had better luck with Traefik - I now actually have a reverse proxy up and running correctly, which I haven’t been able replicate with Caddy.
Traefik labels make sense to me in a way Caddy does not.
Machinist0938@piefed.social 5 hours ago
Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
gravitywell@sh.itjust.works 2 hours ago
My goal was to have no ports exposed on my home network so the proxy is on the VPS. My home server connects over wireguad to the vps, then all the traffic is routed over wireguard to the home server which only listens on wireguard.
Bruhh@lemmy.world 5 hours ago
I also would like to know
BakedCatboy@lemmy.ml 5 hours ago
This is 99% my setup, just with a traefik container attached to my wifeguard container.
Can recommend especially because I can move apartments any time, not care about CGNAT (my current situation which I predicted would be the case), and easily switch to any backup by sticking my boxes on any network with DHCP that can reach the Internet (like a 4G hotspot or a nanobeam pointed at a public wifi down the road) in a pinch without reconfiguring anything.
bmcgonag@lemmy.world 3 hours ago
Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.
thenose@lemmy.world 3 hours ago
I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale
Darkassassin07@lemmy.ca 6 hours ago
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I’ve got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There’s also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that’s very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there’s interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family.
JiveTurkey@lemmy.world 4 hours ago
I’m using jf on unraid. I’m allowing remote https only access with Nginx Proxy Manager in a docker container.
NuXCOM_90Percent@lemmy.zip 6 hours ago
I don’t use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but… if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
TribblesBestFriend@startrek.website 6 hours ago
That’s my feeling too
SmoothLiquidation@lemmy.world 5 hours ago
I would look into Tailscale based on your responses here. I don’t know what your use case is exactly but you set TS up on your server and then again on your phone/laptop and you can connect them through the vpn directly. No extra exposed ports or making a domain or whatnot.
If you want other people to access the server they will need to make a TS account and you can authorize them.
bl_r@lemmy.dbzer0.com 6 hours ago
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
Novi@sh.itjust.works 6 hours ago
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don’t want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
chug-capture-ahoy@piefed.social 5 hours ago
Tailscale - funnel
Just that
hellequin67@lemmy.zip 7 hours ago
Personally I use twingate, free for 5 users and relatively straightforward to set up.
TribblesBestFriend@startrek.website 6 hours ago
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
ladfrombrad@lemdro.id 5 hours ago
The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a “subnet router” and an "exit node"that both me and said fam member can use.
This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL’s / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
Along with all the YT videos about it I didn’t even have to go nagging on forums to get it to work, and that’s a general first for me.
hellequin67@lemmy.zip 6 hours ago
I tried tailscale first but to be honest wasn’t a fan. I moved to Twingate and found it much simpler to set up
cupcakezealot@piefed.blahaj.zone 7 hours ago
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
femtech@midwest.social 7 hours ago
Who are you using for your domain? I was told if I used cloudfair they would ban me for having streaming traffic over their DNS.
Darkassassin07@lemmy.ca 6 hours ago
You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
superglue@lemmy.dbzer0.com 6 hours ago
That would only be if you use their cloudflare tunnel feature
cupcakezealot@piefed.blahaj.zone 6 hours ago
for me I just registered through route 53 its a subdomain of my personal domain.
Bruhh@lemmy.world 5 hours ago
I’m trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I’m understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I’m wrong. I’m still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I’d have to connect via tailscale everytime and some instances, it wouldn’t connect properly at all.
Alk@sh.itjust.works 6 hours ago
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it’s set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
iAmTheTot@sh.itjust.works 5 hours ago
What’s the point of authentik when Jellyfin already has authentication?
Alk@sh.itjust.works 3 hours ago
While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
TribblesBestFriend@startrek.website 6 hours ago
That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
Alk@sh.itjust.works 3 hours ago
Here is the video I followed for SWAG. Note that this (and most of IBRACORP’s guides, which are all fantastic) uses Unraid as the OS, which automates a lot of the processes.
And here is a written guide by the same group to go with or replace the video if this is more your speed: docs.ibracorp.io/swag-2/
Alk@sh.itjust.works 5 hours ago
I used several separate guides plus help from a friend. Check out space invader one’s YouTube channel. I’m not at my pc right now but I can gather some of the tutorials I used when I get back.
HeyJoe@lemmy.world 6 hours ago
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that’s it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I’ve been running it this way for 5 years now and have no issues to report.
AMillionMonkeys@lemmy.world 5 hours ago
How are you geoblocking?
HeyJoe@lemmy.world 5 hours ago
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
borax7385@lemmy.world 5 hours ago
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
pHr34kY@lemmy.world 3 hours ago
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won’t get discovered by an IP scanner.
Mine’s on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there’s also a fail2ban to rate-limit someone brute-forcing a login.
I’ve always exposed my home IP to the internet. Haven’t had an issue in the last 15 years.
douglasg14b@lemmy.world 1 hour ago
Please to see: github.com/jellyfin/jellyfin/issues/5415
Someone doesn’t necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways
cloudless@piefed.social 7 hours ago
Unifi teleport. A zero configuration VPN to my home network.
TribblesBestFriend@startrek.website 6 hours ago
I’m fidgeting with Tailscale but I find this solution some what lacking
lycanrising@lemmy.world 6 hours ago
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
StopSpazzing@lemmy.world 5 hours ago
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
KingThrillgore@lemmy.ml 6 hours ago
Set up a VPN, use PiVPN
rando@lemmy.ml 4 hours ago
Headscale server on cheap vps with tailscale clients.
This2ShallPass@lemmy.world 32 minutes ago
I don’t host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.
underline960@sh.itjust.works 22 minutes ago
Image