Submitted 9 months ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
https://startrek.website/pictrs/image/6d04a3f3-79ec-44cb-9f2e-926280a658f4.png
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I use mTLS by adding a reverse proxy between Jellyfin and the Inet. This makes it hard to use the app, but works perfect with a browser. If you still want to use the app. There is a solution by using stunnel (termux) between te app and the Inet or better, a wireguard VPN.
For now just Tailscale but I’m working on setting up a reverse proxy and SSO through Authentik
Even more secure is having a VPS and self hosting Heascale
I’m trying to move away from needing a VPN to connect to make it simpler for less technically inclined family members
Sad that mTLS support is non existent because it solves this problem.
It would cover all phones, pcs and maybe Android TVs.
The barrier to entry would be having to replace the cert every year since we now made that a thing. Maybe spin up a self-sign shirt server and start issuing people 10 years certs
This is absolutely unhinged but god damn it, I respect you.
Thanks stranger over the internet seems like the best option.
Tailscale with self hosted headscale
Any helpful tips or links to tutorials for this method?
Easiest method is Docker, but it heavily depends on your network and tech stacks.
“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking public IP’s only allowing private IP ranges.
Cloudflare. No public exposure to the internet.
Are we not worried about their terms of service? I’ve been using pangolin
I run multiple enterprise companies through it who are transferring significantly more sensitive data than me. I’m not as strict as some people here, so no, I don’t really care. I think it’s the best service, especially for free, so until things change, that’s what I’m using.
We are, Batman, we are.
I VPN to my network for it.
If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh von like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use.
What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.
My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.
Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
And this is the start of the longest crypto nerd fight I’ve seen on Lemmy. Well done, people!
What a bunch of B’s. Sure your up gets probed it’s happening to every ipv4 address all the time. But that is not hacking.
No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
I used to do all the things mentioned here. Now, I just use Wireguard. If a family member wants to use a service, they need Wireguard. If they don’t want to install it, they dont get the service.
Came here to say this. I use wireguard and it simply works.
Pangolin could be a solution
I started my homelab with a couple exposed services, but frankly the security upkeep and networking headaches weren’t worth the effort when 99% of this server’s usage is at home anyway.
I’ve considered going the Pangolin route to expose a handful of things for family but even that’s just way too much effort for very little added value (plus moving my reverse proxy to a VPS doesn’t sound ideal in case the internet here goes down).
Getting 2 or 3 extra folks on to wireguard as necessary is just much easier.
We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place
I use a VPS and a wiregusrd tunnel.
I’m currently using CF Tunnels and I’m thinking about this (I have pretty good offers for VPS as low as $4 a month)
Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.
BTW I’m testing Pangolin which looks AWESOME so far.
I am using the free Oracle VPS offer until they block me, so far I have no issue. Alzernatively I wanted to check out IONOS, since you dont have a bandwidth limit there.
for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
This is also what I do, however, each user creates their own tailnet, not an account on mine and I share the server to them.
This way I keep my 3 free users for me, and other people still get to see jellyfin.
Tailscale and jellyfin in docker, add server to tailnet and share it out to your users emails. They have to install tailscale client in a device, login, then connect to your jellyfin. My users use Walmart Onn $30 streaming boxes. They work great.
I struggled for a few weeks to get it all working, there’s a million people saying “I use this” but never “this is how to do it”. YouTube is useless because it’s filled with “jellyfin vs Plex SHOWDOWN DEATH FIGHT DE GOOGLE UR TOILET”.
For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
This is what I do as well. Works super well
Wireguard VPN to my fritzbox lets me access my jellyfin.
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I’ve restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there…
This is the biggest weakness of Jellyfin. Native OIDC support would really be a no brainer at this point.
Its very easy to deploy fail2ban for Jellyfin: jellyfin.org/docs/general/…/fail2ban/
Indeed a good recommendation. I’ve not set it up yet but I’m probably going to do so in the near future.
It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it
VPN or Tailscale
Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports
I use a wire guard tunnel into my Fritz box and from there I just log in because I’m in my local network.
I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
What an absolute gigachad XD
Clever, but very hands on
VERY hands on, wouldn’t recommend it haha.
But that’s the beauty of open source. You CAN do it
Or you could use Plex and jump through zero of these hoops
Plex is slowly changing is terms & conditions to sell more and more of our data. That’s kind of a no no for me
Either comment OP hasn’t followed the news, or they forgot this was the Fediverse.
I think paying for remote access counts as a hoop.
As in “that’s a pain in my hoop”
I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that’s great; but there’s nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a “myth-busting” post about this topic.
Same for me. But according to everyone I should be destroyed.
Please do so, it’ll be very useful
If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.
OpenVPN into my own LAN. Stream from there to my device.
Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?
Tailscale + Caddy (automatic certificates FTW).
Jellyfin isn’t secure and is full of holes.
That said, here’s how to host it anyway.
If you aren’t using Tailscale, make your VPS your main hub for whatever you choose, pivot, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn’t exactly secure, secure it. Give it its own user and make sure your media isn’t writable by the user. Inconvenient for deleting movies in the app, but better for security.
more…
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin’s host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn’t intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It’s work but it’s worth it.
I SAID MORE!
There’s a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin’s access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone’s IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don’t do any of this and just use Jellyfin over wireguard like everyone else does(they don’t).
show me those “holes” this is just fear mongering
Here, since you can’t use a search engine: www.cvedetails.com/…/Jellyfin-Jellyfin.html
More, because I’ve been around this lap before, you’ll ask for more and not believe that one, here’s another: www.cvedetails.com/…/Jellyfin-Jellyfin.html
I’ve recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.
Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.
Wow, a “for dummies” guide for doing all this would be great 😊 know of any?
I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart’s content.
If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get use to the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.
Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which offer plugins that give you more control on how requests are handled.
There really is no “guide” for dummies here, you’ve really got to rely on the documentation provided by these services.
good article! thanks for that
Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you’re ready to rock and roll
Didn’t they patch their things now that your stuck in their bubble/environment now or something like that ?
Not sure what what you mean. Plex has a bubble you can get stuck in. Jellyfin is free and open source
confusedbytheBasics@lemmy.world 9 months ago
I keep jellyfin up to date in a container and forward tcp/8920 on my router to the container. Easy and plenty secure. People in this thread are wildly overthinking it.