What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I just expose my local machine to the internet, unsecured
Jellyfin over the internet
Submitted 2 weeks ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
https://startrek.website/pictrs/image/6d04a3f3-79ec-44cb-9f2e-926280a658f4.png
Comments
burgerchurgarr@lemmus.org 2 weeks ago
TribblesBestFriend@startrek.website 2 weeks ago
Thanks stranger over the internet seems like the best option.
donalonzo@lemmy.world 2 weeks ago
This is absolutely unhinged but god damn it, I respect you.
Evil_Shrubbery@lemm.ee 2 weeks ago
Wireguard.
WhyJiffie@sh.itjust.works 2 weeks ago
and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
its not as complicated as it sounds, it’s just a wireguard client, and a reverse proxy like on the main server
phx@lemmy.ca 2 weeks ago
You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I’ve got a portable GL-Inet router with OpenWRT that I use for this when I’m on the road
Vanilla_PuddinFudge@infosec.pub 2 weeks ago
Jellyfin isn’t secure and is full of holes.
That said, here’s how to host it anyway.
- Wireguard tunnel, be it tailscale, netbird, innernet, whatever
- A vps with a proxy on it, I like Caddy
- A PC at home with Jellyfin running on a port, sure, 8096
If you aren’t using Tailscale, make your VPS your main hub for whatever you choose, pivot, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn’t exactly secure, secure it. Give it its own user and make sure your media isn’t writable by the user. Inconvenient for deleting movies in the app, but better for security.
more…
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin’s host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn’t intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It’s work but it’s worth it.
I SAID MORE!
There’s a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin’s access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone’s IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don’t do any of this and just use Jellyfin over wireguard like everyone else does(they don’t).
oyzmo@lemmy.world 2 weeks ago
Wow, a “for dummies” guide for doing all this would be great 😊 know of any?
ohshit604@sh.itjust.works 2 weeks ago
If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the
docker runcommand, once you get use to the command structure you can move into Docker Compose which makes handling multiple containers easy using.ymlfiles.Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which offer plugins that give you more control on how requests are handled.
There really is no “guide” for dummies here, you’ve really got to rely on the documentation provided by these services.
Vanilla_PuddinFudge@infosec.pub 2 weeks ago
I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart’s content.
lostbit@feddit.nl 2 weeks ago
show me those “holes” this is just fear mongering
Vanilla_PuddinFudge@infosec.pub 2 weeks ago
Here, since you can’t use a search engine: www.cvedetails.com/…/Jellyfin-Jellyfin.html
More, because I’ve been around this lap before, you’ll ask for more and not believe that one, here’s another: www.cvedetails.com/…/Jellyfin-Jellyfin.html
umbrella@lemmy.ml 2 weeks ago
[deleted]ddawg@lemmynsfw.com 2 weeks ago
I’ve recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.
Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.
FrostyCaveman@lemm.ee 2 weeks ago
I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
EpicFailGuy@lemmy.world 2 weeks ago
What an absolute gigachad XD
Couldbealeotard@lemmy.world 2 weeks ago
Clever, but very hands on
FrostyCaveman@lemm.ee 2 weeks ago
VERY hands on, wouldn’t recommend it haha.
But that’s the beauty of open source. You CAN do it
_cryptagion@lemmy.dbzer0.com 2 weeks ago
My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.
EncryptKeeper@lemmy.world 2 weeks ago
Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
Auli@lemmy.ca 2 weeks ago
What a bunch of B’s. Sure your up gets probed it’s happening to every ipv4 address all the time. But that is not hacking.
_cryptagion@lemmy.dbzer0.com 2 weeks ago
No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
dbtng@eviltoast.org 2 weeks ago
And this is the start of the longest crypto nerd fight I’ve seen on Lemmy. Well done, people!
JRaccoon@discuss.tchncs.de 2 weeks ago
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don’t see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.
In my setup, which I’ve been running for some time, I’ve port-forwarded only Jellyfin’s HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I’ve also changed the default Jellyfin’s default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I’m genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I’m not entirely sure why.
domi@lemmy.secnd.me 2 weeks ago
Anyone wanna yell at me for being an idiot and doing everything wrong?
Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
Additionally, you might want to check if Shodan has your Jellyfin instance listed: www.shodan.io
JRaccoon@discuss.tchncs.de 2 weeks ago
Jellyfin is dropping HTTPS support with a future update[…]
What’s the source for this? I wasn’t able to find anything with a quick google search
makeitwonderful@lemmy.sdf.org 2 weeks ago
It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don’t expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
douglasg14b@lemmy.world 2 weeks ago
Fail2ban isn’t going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
frezik@lemmy.blahaj.zone 2 weeks ago
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don’t see the open ports, they move on. Won’t stop a determined attacker, of course, but that’s what other layers are for.
As long as there’s real security otherwise (TLS, good passwords, etc), it’s fine.
If anyone says “that’s a false sense of security”, ignore them. They’ve replaced thinking with a cliche.
mic_check_one_two@lemmy.dbzer0.com 2 weeks ago
People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.
And this is what should be sung from the hills and mountaintops. There’s some old infosec advice that you should have two or three honeypots, buried successively deeper behind your security, and only start to worry when the second or third gets hit; The first one getting hit simply means they’re sniffing around with automated port scanners and bots. It’s usually enough for them to go “ah shit I guess I hit a honeypot. They must be looking for me now. Never mind.” The second is when you know they’re actually targeting you specifically. And the third is when you need to start considering pulling plugs.
Ptsf@lemmy.world 2 weeks ago
It’s difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won’t touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they’d like for as long as they’d like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you’re far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I’m not saying exposing jellyfin to the raw web is so risky it shouldn’t be done, but don’t buy into the misconception that it’s even nearly as secure as running a vpn. They’re entirely different classes of security posture and it should be acknowledged that if you don’t have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.
douglasg14b@lemmy.world 2 weeks ago
The jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.
ShortN0te@lemmy.ml 2 weeks ago
And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That’s more or less it.
Good? No. But far from making it a poor choice exposing it.
catloaf@lemm.ee 2 weeks ago
The issue is not encryption, it’s the unauthenticated API. People can interact with your server without an account.
frezik@lemmy.blahaj.zone 2 weeks ago
Specifically these issues: github.com/jellyfin/jellyfin/issues/5415
The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn’t be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I’m not sure what Jellyfin uses for UUIDs.
rumba@lemmy.zip 2 weeks ago
You remember when LastPass had a massive leak and it out of their production source code which demonstrated that their encryption security was horrible? That was a Plex vulnerability. All it takes is a zero day and one of the packages they’re using and you’re a prime target for ransomware.
You can see from the number of unauthenticated processes in their security backlog that security really has been an afterthought.
Unless you’re running in a non-privileged container with read only media, I definitely would not put that out on the open network.
anonion@lemmy.anonion.social 2 weeks ago
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don’t want exposed. And then there’s the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that’s only because I’m comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
BakedCatboy@lemmy.ml 2 weeks ago
Imo that’s perfectly fine and not idiotic if you have a static IP, no ISP blocked ports / don’t care about using alt ports, and don’t mind people who find your domain knowing your IP.
I did basically that when I had a fiber line but then I added a local haproxy in front to handle additional subdomains. I feel like people gravitate towards recommending that because it works regardless of the answers to the other questions, even their security tolerance if recommending access only over VPN.
Novi@sh.itjust.works 2 weeks ago
I don’t disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.
egonallanon@lemm.ee 2 weeks ago
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There’s also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you’re running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you’re hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
smiletolerantly@awful.systems 2 weeks ago
I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that’s great; but there’s nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a “myth-busting” post about this topic.
greywolf0x1@lemmy.ml 2 weeks ago
Please do so, it’ll be very useful
Auli@lemmy.ca 2 weeks ago
Same for me. But according to everyone I should be destroyed.
fmstrat@lemmy.nowsci.com 2 weeks ago
I used to do all the things mentioned here. Now, I just use Wireguard. If a family member wants to use a service, they need Wireguard. If they don’t want to install it, they dont get the service.
MehBlah@lemmy.world 2 weeks ago
Came here to say this. I use wireguard and it simply works.
keinsinn@lemmy.zip 2 weeks ago
Pangolin could be a solution
nfreak@lemmy.ml 2 weeks ago
I started my homelab with a couple exposed services, but frankly the security upkeep and networking headaches weren’t worth the effort when 99% of this server’s usage is at home anyway.
I’ve considered going the Pangolin route to expose a handful of things for family but even that’s just way too much effort for very little added value (plus moving my reverse proxy to a VPS doesn’t sound ideal in case the internet here goes down).
Getting 2 or 3 extra folks on to wireguard as necessary is just much easier.
Scavenger8294@feddit.org 2 weeks ago
for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
MrTolkinghoen@lemmy.zip 2 weeks ago
Tailscale with self hosted headscale
EncryptKeeper@lemmy.world 2 weeks ago
If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh von like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use.
What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.
PieMePlenty@lemmy.world 2 weeks ago
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I’ve restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there…
xnx@slrpnk.net 2 weeks ago
Tailscale
gravitywell@sh.itjust.works 2 weeks ago
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
hietsu@sopuli.xyz 2 weeks ago
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity :) But good luck for the bots to figure all that out.
VPN is of course the actually secure option, I’d vote for Tailscale.
snowflocke@feddit.org 2 weeks ago
We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place
recall519@lemm.ee 2 weeks ago
Cloudflare. No public exposure to the internet.
captainastronaut@seattlelunarsociety.org 2 weeks ago
If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.
circledot@feddit.org 2 weeks ago
I use a wire guard tunnel into my Fritz box and from there I just log in because I’m in my local network.
This2ShallPass@lemmy.world 2 weeks ago
swearengen@sopuli.xyz 2 weeks ago
I’m just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.
bl_r@lemmy.dbzer0.com 2 weeks ago
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
Novi@sh.itjust.works 2 weeks ago
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don’t want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
ohshit604@sh.itjust.works 2 weeks ago
“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking public IP’s only allowing private IP ranges.
WhatThaFudge@lemmy.sdf.org 2 weeks ago
Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports
Merlin@discuss.tchncs.de 2 weeks ago
I just install tailscale at family houses. The limit is 100 machines.
ArsonButCute@lemmy.dbzer0.com 2 weeks ago
I use a cloudflare tunnel, ISP won’t give me a static IP and I wanna keep my firewall locked down tight.
Player2@lemm.ee 2 weeks ago
For now just Tailscale but I’m working on setting up a reverse proxy and SSO through Authentik
skoell13@feddit.org 2 weeks ago
I use a VPS and a wiregusrd tunnel.
oong3Eepa1ae1tahJozoosuu@lemmy.world 2 weeks ago
Nginx in front of it, open ports for https (and ssh), nothing more. Let’s encrypt certificate and you’re good to go.
Novi@sh.itjust.works 2 weeks ago
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
30p87@feddit.org 2 weeks ago
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
oong3Eepa1ae1tahJozoosuu@lemmy.world 2 weeks ago
Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
fuckwit_mcbumcrumble@lemmy.dbzer0.com 2 weeks ago
Change the port it runs on to be stupid high and they won’t bother.
Everyday0764@lemmy.zip 2 weeks ago
i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).
Auli@lemmy.ca 2 weeks ago
Ssh has nothing to do with scanning. Your IP and everyone else up is being scanned constantly. In ipv4 space at least.
TribblesBestFriend@startrek.website 2 weeks ago
Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
dataprolet@lemmy.dbzer0.com 2 weeks ago
Take a look at Nginx Proxy Manager and how to set it up. But you’ll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
SapphironZA@sh.itjust.works 2 weeks ago
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
WhyJiffie@sh.itjust.works 2 weeks ago
I agree, but SSH is more secure than Jellyfin. it shouldn’t be exposed like that, others in the comments already pointed out why
oong3Eepa1ae1tahJozoosuu@lemmy.world 2 weeks ago
lemmy.world/post/32059264/17905111
cm0002@lemmy.world 2 weeks ago
Also run the reverse proxy on a dedicated box for it in the DMZ
Ptsf@lemmy.world 2 weeks ago
Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
oong3Eepa1ae1tahJozoosuu@lemmy.world 2 weeks ago
In a perfect world, yes. But not as a beginner, I guess?