What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
OpenVPN into my router
Jellyfin over the internet
Submitted 10 months ago by TribblesBestFriend@startrek.website to selfhosted@lemmy.world
https://startrek.website/pictrs/image/6d04a3f3-79ec-44cb-9f2e-926280a658f4.png
Comments
spacemanspiffy@lemmy.world 10 months ago
swearengen@sopuli.xyz 10 months ago
I’m just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.
Decipher0771@lemmy.ca 10 months ago
Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban
ArsonButCute@lemmy.dbzer0.com 10 months ago
I use a cloudflare tunnel, ISP won’t give me a static IP and I wanna keep my firewall locked down tight.
Agent641@lemmy.world 10 months ago
I tried really hard to get a named CloudFlare tunnel working with a domain name I registered (I share my personal home videos with a non technical family member in Italy) but couldn’t get it working no matter what I tried.
ArsonButCute@lemmy.dbzer0.com 10 months ago
I’m not sure whay the OS you use is, but on linux (debian based) they have a Curl installer that installs their Systemd service preconfigured for your account and the specific tunnel you’re using.
Once that is installed, configuration is pretty easy. Inside their ZeroTrust portal, you will find the options to configure ports.
Always point your tunnel to localhost:port or localhost:port. You can get a TLS cert from lets-encrypt for your first one. New certifications are issued by cloudflare’s partners regularly to prevent expiration. I think I have like 3 for my domain now? 1 from Lets-Encrypt and a couple from Google.
This could be totally unrelated, but when I first configured my domain, I used DuckDNS as my DNS registrar so I could do everything over wireguard. That’s is still set up and in Cloudflare I still have duckdns included in my DNS registry. Could he worth a shot to set that up and add it to your DNS registry on cloudflare.
xnx@slrpnk.net 10 months ago
Tailscale
bmcgonag@lemmy.world 10 months ago
Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.
thenose@lemmy.world 10 months ago
I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale
JiveTurkey@lemmy.world 10 months ago
I’m using jf on unraid. I’m allowing remote https only access with Nginx Proxy Manager in a docker container.
Evil_Shrubbery@lemm.ee 10 months ago
Wireguard.
WhyJiffie@sh.itjust.works 10 months ago
and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
its not as complicated as it sounds, it’s just a wireguard client, and a reverse proxy like on the main server
phx@lemmy.ca 10 months ago
You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I’ve got a portable GL-Inet router with OpenWRT that I use for this when I’m on the road
rando@lemmy.ml 10 months ago
Headscale server on cheap vps with tailscale clients.
Bruhh@lemmy.world 10 months ago
I’m trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I’m understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I’m wrong. I’m still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I’d have to connect via tailscale everytime and some instances, it wouldn’t connect properly at all.
chug-capture-ahoy@piefed.social 10 months ago
Tailscale - funnel
Just that
borax7385@lemmy.world 10 months ago
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
pHr34kY@lemmy.world 10 months ago
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won’t get discovered by an IP scanner.
Mine’s on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there’s also a fail2ban to rate-limit someone brute-forcing a login.
I’ve always exposed my home IP to the internet. Haven’t had an issue in the last 15 years.
douglasg14b@lemmy.world 10 months ago
Please to see: github.com/jellyfin/jellyfin/issues/5415
Someone doesn’t necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways
JRaccoon@discuss.tchncs.de 10 months ago
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don’t see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.
In my setup, which I’ve been running for some time, I’ve port-forwarded only Jellyfin’s HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I’ve also changed the default Jellyfin’s default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I’m genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I’m not entirely sure why.
rumba@lemmy.zip 10 months ago
You remember when LastPass had a massive leak and it out of their production source code which demonstrated that their encryption security was horrible? That was a Plex vulnerability. All it takes is a zero day and one of the packages they’re using and you’re a prime target for ransomware.
You can see from the number of unauthenticated processes in their security backlog that security really has been an afterthought.
Unless you’re running in a non-privileged container with read only media, I definitely would not put that out on the open network.
douglasg14b@lemmy.world 10 months ago
The jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.
ShortN0te@lemmy.ml 10 months ago
And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That’s more or less it.
Good? No. But far from making it a poor choice exposing it.
Novi@sh.itjust.works 10 months ago
I don’t disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.
catloaf@lemm.ee 10 months ago
The issue is not encryption, it’s the unauthenticated API. People can interact with your server without an account.
frezik@lemmy.blahaj.zone 10 months ago
Specifically these issues: github.com/jellyfin/jellyfin/issues/5415
The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn’t be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I’m not sure what Jellyfin uses for UUIDs.
Ptsf@lemmy.world 10 months ago
It’s difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won’t touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they’d like for as long as they’d like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you’re far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I’m not saying exposing jellyfin to the raw web is so risky it shouldn’t be done, but don’t buy into the misconception that it’s even nearly as secure as running a vpn. They’re entirely different classes of security posture and it should be acknowledged that if you don’t have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.
domi@lemmy.secnd.me 10 months ago
Anyone wanna yell at me for being an idiot and doing everything wrong?
Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
Additionally, you might want to check if Shodan has your Jellyfin instance listed: www.shodan.io
JRaccoon@discuss.tchncs.de 10 months ago
Jellyfin is dropping HTTPS support with a future update[…]
What’s the source for this? I wasn’t able to find anything with a quick google search
makeitwonderful@lemmy.sdf.org 10 months ago
It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don’t expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
douglasg14b@lemmy.world 10 months ago
Fail2ban isn’t going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
frezik@lemmy.blahaj.zone 10 months ago
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don’t see the open ports, they move on. Won’t stop a determined attacker, of course, but that’s what other layers are for.
As long as there’s real security otherwise (TLS, good passwords, etc), it’s fine.
If anyone says “that’s a false sense of security”, ignore them. They’ve replaced thinking with a cliche.
mic_check_one_two@lemmy.dbzer0.com 10 months ago
People misunderstand the “no security through obscurity” phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it’s bad. But if you build security in layers, like a castle, then it can only help. It’s OK for a layer to be weak when there are other layers behind it.
And this is what should be sung from the hills and mountaintops. There’s some old infosec advice that you should have two or three honeypots, buried successively deeper behind your security, and only start to worry when the second or third gets hit; The first one getting hit simply means they’re sniffing around with automated port scanners and bots. It’s usually enough for them to go “ah shit I guess I hit a honeypot. They must be looking for me now. Never mind.” The second is when you know they’re actually targeting you specifically. And the third is when you need to start considering pulling plugs.
anonion@lemmy.anonion.social 10 months ago
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don’t want exposed. And then there’s the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that’s only because I’m comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
egonallanon@lemm.ee 10 months ago
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There’s also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you’re running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you’re hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
BakedCatboy@lemmy.ml 10 months ago
Imo that’s perfectly fine and not idiotic if you have a static IP, no ISP blocked ports / don’t care about using alt ports, and don’t mind people who find your domain knowing your IP.
I did basically that when I had a fiber line but then I added a local haproxy in front to handle additional subdomains. I feel like people gravitate towards recommending that because it works regardless of the answers to the other questions, even their security tolerance if recommending access only over VPN.
lycanrising@lemmy.world 10 months ago
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
StopSpazzing@lemmy.world 10 months ago
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
lycanrising@lemmy.world 9 months ago
yeah it’s in the terms of service but my usage will be so small it’s not even going to register on their charts so i’m happy with the risk.
NuXCOM_90Percent@lemmy.zip 10 months ago
I don’t use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but… if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
TribblesBestFriend@startrek.website 10 months ago
That’s my feeling too
SmoothLiquidation@lemmy.world 10 months ago
I would look into Tailscale based on your responses here. I don’t know what your use case is exactly but you set TS up on your server and then again on your phone/laptop and you can connect them through the vpn directly. No extra exposed ports or making a domain or whatnot.
If you want other people to access the server they will need to make a TS account and you can authorize them.
gravitywell@sh.itjust.works 10 months ago
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
TwiddleTwaddle@lemmy.blahaj.zone 10 months ago
I was just trying to get a setup like this going yesterday. I used standard Wiregaurd and got that working between the VPS and home server, but I was trying to set up Caddy as a reverse proxy to direct the incoming traffic through the WG VPN to my services. I wasnt able to figure it out yesterday. Everyone online says Caddy is so simple, but I’m such a noob I just have no idea what it’s doing or how to troubleshoot.
Vittelius@feddit.org 10 months ago
You should try pangolin. It uses Traefik instead of Caddy under the hood but it automates approximately 80 % of setup. It’s what I use for my setup.
gravitywell@sh.itjust.works 10 months ago
I havent tried caddy but i might be able to help get it figured out if you wanna chat some time. My contact info is on my website.
No_Bark@lemmy.dbzer0.com 10 months ago
I’ve also really struggled with Caddy despite everyone saying its so simple. I’m pretty new to all this, but I had better luck with Traefik - I now actually have a reverse proxy up and running correctly, which I haven’t been able replicate with Caddy.
Traefik labels make sense to me in a way Caddy does not.
Machinist0938@piefed.social 10 months ago
Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
gravitywell@sh.itjust.works 10 months ago
My goal was to have no ports exposed on my home network so the proxy is on the VPS. My home server connects over wireguad to the vps, then all the traffic is routed over wireguard to the home server which only listens on wireguard.
Bruhh@lemmy.world 10 months ago
I also would like to know
BakedCatboy@lemmy.ml 10 months ago
This is 99% my setup, just with a traefik container attached to my wifeguard container.
Can recommend especially because I can move apartments any time, not care about CGNAT (my current situation which I predicted would be the case), and easily switch to any backup by sticking my boxes on any network with DHCP that can reach the Internet (like a 4G hotspot or a nanobeam pointed at a public wifi down the road) in a pinch without reconfiguring anything.
Alk@sh.itjust.works 10 months ago
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it’s set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
iAmTheTot@sh.itjust.works 10 months ago
What’s the point of authentik when Jellyfin already has authentication?
Alk@sh.itjust.works 10 months ago
While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
TribblesBestFriend@startrek.website 10 months ago
That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
Alk@sh.itjust.works 10 months ago
Here is the video I followed for SWAG. Note that this (and most of IBRACORP’s guides, which are all fantastic) uses Unraid as the OS, which automates a lot of the processes.
And here is a written guide by the same group to go with or replace the video if this is more your speed: docs.ibracorp.io/swag-2/
Alk@sh.itjust.works 10 months ago
I used several separate guides plus help from a friend. Check out space invader one’s YouTube channel. I’m not at my pc right now but I can gather some of the tutorials I used when I get back.
HeyJoe@lemmy.world 10 months ago
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that’s it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I’ve been running it this way for 5 years now and have no issues to report.
AMillionMonkeys@lemmy.world 10 months ago
How are you geoblocking?
HeyJoe@lemmy.world 10 months ago
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
Darkassassin07@lemmy.ca 10 months ago
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I’ve got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There’s also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that’s very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there’s interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family.
josefo@leminal.space 10 months ago
This is an interesting setup
bjoern_tantau@swg-empire.de 10 months ago
My router has a VPN server built-in. I usually use that.
hietsu@sopuli.xyz 10 months ago
[deleted]Alk@sh.itjust.works 10 months ago
I kept the main domain open, but redirected it to a rickroll
hietsu@sopuli.xyz 10 months ago
Nice, but the bots may not understand the joke.
And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
TribblesBestFriend@startrek.website 10 months ago
Look pretty interesting. Do you have guide I could follow ?
hietsu@sopuli.xyz 10 months ago
Not at hand no, but I’m sure any of the LLMs can guide you through the setup if googling does not give anything good.
Nothing very special about all this, well maybe the subdir does require some extra spells to reverse proxy config.
johannes@lemmy.jhjacobs.nl 10 months ago
With wireguard i set up an easy VPN, then vpn to the home network and use jellyfin.
If i cant use vpn, i have Jellyfin behind a caddy server with automatic https and some security settings.
KingThrillgore@lemmy.ml 10 months ago
Set up a VPN, use PiVPN
TribblesBestFriend@startrek.website 10 months ago
I’ll try looking into that
KingThrillgore@lemmy.ml 10 months ago
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
comrade_twisty@feddit.org 10 months ago
Pangolin with Newt on a VPS hosted in Europe, domain registered through cloudflare.
bl_r@lemmy.dbzer0.com 10 months ago
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
overload@sopuli.xyz 10 months ago
This is the easiest way for sure.
dataprolet@lemmy.dbzer0.com 10 months ago
I’m using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that’s it.
a@91268476.xyz 10 months ago
@TribblesBestFriend @selfhosted Tailscale. I also use a reverse proxy because I like nice names
TribblesBestFriend@startrek.website 10 months ago
I’m using Tailscale right now but so far no luck on my friend AppleTV. But like I said elsewhere it’s probably a operator error
a@91268476.xyz 10 months ago
@TribblesBestFriend @selfhosted I don’t use appletv but a workaround could be using airplay maybe?
Novi@sh.itjust.works 10 months ago
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don’t want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
Merlin@discuss.tchncs.de 10 months ago
I just install tailscale at family houses. The limit is 100 machines.