What’s your go-to (secure) method for casting over the internet with a Jellyfin server?
I’m wondering what to use and I’m pretty much a beginner at this.
Submitted 10 months ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
I use the LSIO container stack, so SWAG for the proxy. They have really good documentation and an active Discord. docs.linuxserver.io
I’m fidgeting with Tailscale but I find this solution somewhat lacking.
For me, I just needed a basic system so my family could share, so I have it on my PC. Then I registered a subdomain and pointed it to my existing EC2 server with Apache, using a proxy which points to my local IP and port. Then I opened the Jellyfin port on my router.
Who are you using for your domain? I was told if I used Cloudflare they would ban me for having streaming traffic over their DNS.
You can use Cloudflare's DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
That would only be if you use their Cloudflare tunnel feature.
For me, I just registered through Route 53; it's a subdomain of my personal domain.
Nginx in front of it, open ports for HTTPS (and SSH), nothing more. Let’s Encrypt certificate and you’re good to go.
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
I agree, but SSH is more secure than Jellyfin. It shouldn’t be exposed like that; others in the comments already pointed out why.
Also run the reverse proxy on a dedicated box for it in the DMZ.
Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
In a perfect world, yes. But not as a beginner, I guess?
I would not publicly expose SSH. Your home IP will get scanned all the time and external machines will try to connect to your SSH port.
SSH has nothing to do with scanning. Your IP and everyone else's is being scanned constantly. In IPv4 space at least.
I have SSH on a random port and only get so many scans, so few that fail2ban never banned anyone that was not myself (accidentally).
Sorry, misunderstanding here, I’d never open SSH to the internet, I meant it as “don’t block it via your server’s firewall.”
Change the port it runs on to be stupid high and they won’t bother.
fail2ban with endlessh and abuseipdb as actions
Anything that’s not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
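The ban policy described in the comment above, sketched as an added example that is not part of the thread and is not the commenter's own fail2ban configuration. It assumes default OpenSSH log wording and uses "alice" as a stand-in for the commenter's username; the endlessh and AbuseIPDB actions are not modelled.

```python
import ipaddress
import re

# Assumption: "alice" stands in for the commenter's own username; "git" is from the comment.
ALLOWED_USERS = frozenset({"alice", "git"})

# Constructed sshd log lines using documentation address ranges, not real traffic.
SAMPLE_LOG = """\
Jan 10 03:12:01 host sshd[811]: Invalid user admin from 203.0.113.5 port 51234
Jan 10 03:12:03 host sshd[811]: Failed password for invalid user admin from 203.0.113.5 port 51234 ssh2
Jan 10 03:15:40 host sshd[840]: Failed password for root from 198.51.100.7 port 40022 ssh2
Jan 10 03:20:11 host sshd[852]: Failed password for alice from 198.51.100.99 port 40100 ssh2
Jan 10 08:00:00 host sshd[901]: Accepted publickey for alice from 192.0.2.10 port 50000 ssh2
Jan 10 08:05:00 host sshd[905]: Accepted publickey for git from 192.0.2.11 port 50001 ssh2
"""

# Both patterns are anchored at end of line so text inside the username
# field cannot be mistaken for the source address.
INVALID = re.compile(r"sshd\[\d+\]: Invalid user (?P<user>.*) from (?P<ip>\S+) port \d+$")
FAILED = re.compile(
    r"sshd\[\d+\]: Failed (?P<method>\S+) for (?:invalid user )?(?P<user>.*)"
    r" from (?P<ip>\S+) port \d+ ssh2$"
)

def bans(log_text, allowed=ALLOWED_USERS):
    """Return {ip: reason} for every source blocked on its first offence."""
    out = {}
    for line in log_text.splitlines():
        m = INVALID.search(line) or FAILED.search(line)
        if not m:
            continue  # accepted logins and unrelated lines never ban
        try:
            ip = str(ipaddress.ip_address(m["ip"]))
        except ValueError:
            continue  # not a literal address (e.g. a resolved hostname): skip
        user = m["user"]
        if user not in allowed:
            reason = f"user {user!r} is not on the allow-list"
        else:
            # "Invalid user" lines carry no method field, so fall back to "login".
            method = m.groupdict().get("method") or "login"
            reason = f"failed {method} for allowed user {user!r}"
        out.setdefault(ip, reason)  # keep the first reason seen per address
    return out

if __name__ == "__main__":
    for ip, reason in bans(SAMPLE_LOG).items():
        print(f"ban {ip}: {reason}")
```

The allow-list also bans your own address on a single mistyped password, which matches the accidental self-ban mentioned earlier in the thread.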
Cool if I understand only some of the things that you have said. So you have a beginner guide I could follow?
Take a look at Nginx Proxy Manager and how to set it up. But you’ll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
hellequin67@lemmy.zip 10 months ago
Personally I use twingate, free for 5 users and relatively straightforward to set up.
TribblesBestFriend@startrek.website 10 months ago
I’m fidgeting with Tailscale right now, only to stream on an Apple TV at a friend's house. So far no luck, but it wasn't me that set up Infuse, so it could be an operator error on my friend's part.
ladfrombrad@lemdro.id 10 months ago
The way I do it for a family member with Tailscale is them having a couple of boxes down there (N100 with their Jellyfin server, and an RPi 4 with a TVHServer) with my Tailnet signed in, and those boxes running both a “subnet router” and an “exit node” that both me and said fam member can use.
This means she has permissions to use the exit node wherever, like I do to my own local LAN, to connect to her LAN and access things locally, since you can assign them via the ACLs / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
tailscale.com/kb
Along with all the YT videos about it I didn’t even have to go nagging on forums to get it to work, and that’s a general first for me.
hellequin67@lemmy.zip 10 months ago
I tried Tailscale first but to be honest wasn’t a fan. I moved to Twingate and found it much simpler to set up.