Round Two: Can I manage to set up Jellyfin correctly this time?

Submitted ⁨⁨2⁩ ⁨days⁩ ago⁩ by ⁨compostgoblin@lemmy.blahaj.zone⁩ to ⁨selfhosted@lemmy.world⁩

Hi y’all, thanks for the help with my question yesterday. I did a bit of homework, and I think I’ve got things figured out. Here’s my revised plan:

configure a cron job to update DuckDNS with my IP address every 5 minutes
use ufw to block all incoming traffic, except to ports 80 and 443, to allow incoming traffic to reach Caddy
configure the Caddyfile to direct traffic from my DuckDNS subdomain to Jellyfin’s port

Does this seem right this time? Am I missing anything, or unnecessarily adding steps? Thanks in advance, I’ll get the hang of all this someday!

source

Comments

Sort:hotnew top

frongt@lemmy.zip ⁨2⁩ ⁨days⁩ ago
I still don’t recommend putting jellyfin on the Internet. It’s not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.

5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.

source
- compostgoblin@lemmy.blahaj.zone ⁨2⁩ ⁨days⁩ ago
  Thanks for the tip! I’ll back the refresh rate off to be safe.
  
  I’m not sure I entirely understand your concern about putting Jellyfin on the internet. A large part of my interest in selfhosting is being able host my own music library, my own cloud storage, etc, and access it as an alternative to Spotify or Google Drive. Doesn’t that inherently mean that they need to be on the internet, if I want to be able to access them when I’m away from home?
  
  My goal has been to find a way to do that safely, but if that’s not possible, that’s good to know too, so I don’t keep trying to do the impossible.
  
  source
  - dogs0n@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
    It’s honestly just a matter of how much risk you are comfortable with for using jellyfin on the open internet.
    
    (If i remember correctly:) The unauthenticated routes thing can only be used for streaming your content without a login (if you can guess the contents ids on your server I believe).
    
    In my opinion, it’s not worth the hassle of using a vpn because I don’t think this risk is worth mitigating with one.
    
    But everyone has their own personal risk assesment of course.
    
    source
    -> View More Comments
  - AbidanYre@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Wireguard or tailscale are much better ways of accessing jellyfin from outside your network.
    
    source
    -> View More Comments
- FreedomAdvocate@lemmy.net.au ⁨2⁩ ⁨days⁩ ago
  
  It’s not designed for it
  
  Yet everyone in here tells everyone to switch from Plex, which is designed for it, to jellyfin lol
  
  source
  - Auli@lemmy.ca ⁨9⁩ ⁨hours⁩ ago
    Only one of these software has lead to someone hacking into someone’s computer.
    
    source
  - metaStatic@kbin.earth ⁨2⁩ ⁨days⁩ ago
    I prefer security vulnerabilities I can manage to privacy ones I cannot.
    
    source
    -> View More Comments
dgdft@lemmy.world ⁨2⁩ ⁨days⁩ ago
Assuming you’ve forwarded ports 80 & 443 on your router, that’ll do just fine.

Speaking as a hacker and SWE, the cringelords telling you that exposing Jellyfin is some major liability are LARPers who don’t know what they’re talking about.

source
- Onomatopoeia@lemmy.cafe ⁨2⁩ ⁨days⁩ ago
  Meh, I won’t expose ports anymore - last time I did I had someone hammering on it hard enough to slow my consumer router.
  
  I closed the port and would still have someone hammer it occasionally for months, hoping the port was still open.
  
  source
  - compostgoblin@lemmy.blahaj.zone ⁨2⁩ ⁨days⁩ ago
    Just for my own education, if you don’t mind - how were you able to tell someone was hammering on the port if it was closed? Would fail2ban have been an option to stop them?
    
    source
    -> View More Comments
  - dgdft@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Yeah, fair point — I was only talking RCE.
    
    That’s a real risk if you get hit by a lazy stuffing script, and I personally SSH tunnel my self-hosted to a public VPS to avoid that sorta thing.
    
    @Op, if you do notice slowdowns for your whole network & suspicious noise in your Jellyfin logs, the easy move is to configure fail2ban and ask your ISP to rotate your router’s IP for you.
    
    source
- littleomid@feddit.org ⁨1⁩ ⁨day⁩ ago
  If it doesn’t have to be exposed, then it shouldn’t be exposed. A Webserver should be exposed: Nginx and co are working on it for decades. Jellyfin on the other hand is a much smaller project, and chances for security issues are significantly higher.
  
  source
  - dgdft@lemmy.world ⁨1⁩ ⁨day⁩ ago
    Did you read the thread body? Op is using Caddy to reverse proxy.
    
    The smoothbrain top comment is claiming that Jellyfin “wasn’t designed to be exposed to the internet” AT ALL, reverse proxy or not. You’re poking at a strawman here, and putting words in my mouth that I didn’t say.
    
    source
    -> View More Comments
- compostgoblin@lemmy.blahaj.zone ⁨2⁩ ⁨days⁩ ago
  Haha okay, thanks! And I’d just forward ports 80 and 443 from the router to ports 80 and 443 on the Pi’s internal IP address in the router settings, right?
  
  source
  - dgdft@lemmy.world ⁨2⁩ ⁨days⁩ ago
    Yeah, you’ll probably want to give your Pi a static internal IP too, but the details for that will depend on the specifics of your router and network.
    
    source
TarantulaFudge@startrek.website ⁨1⁩ ⁨day⁩ ago
It’s perfectly fine to host jellyfin online. Use a proxy server to enable TLS and do not use default ports 80/443. Use letsencrypt for free certificates. No need for VPN to access here either. Do not expose any other ports such as SSH on default ports. Lock down your jellyfin server and any other related services behind a VPN service and block access to Internet through other interfaces (except for port forwards on your ISP for jelly). Go high on port ranges since they typically aren’t scanned or blocked.

source
- dogs0n@sh.itjust.works ⁨1⁩ ⁨day⁩ ago
  
  do not use default ports 80/443.
  
  In my opinion, you’d be fine using default ports. Guess there’s no harm in using other ports though, other than the pain of having the remember which port to use if you ever forget when adding a new device, etc.
  
  source
- possiblylinux127@lemmy.zip ⁨1⁩ ⁨day⁩ ago
  Do not expose Jellyfin. It has unauthenticated endpoints that will be exploited by bots
  
  source
AbsolutelyNotAVelociraptor@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
If it’s for your personal use and no one else is going to connect, why don’t you just configure a wireguard tunnel to remotely connect to your server as if you were in LAN without exposing anything?

source
- compostgoblin@lemmy.blahaj.zone ⁨2⁩ ⁨days⁩ ago
  I’d like to be able to share it with friends and family
  
  source
  - Onomatopoeia@lemmy.cafe ⁨2⁩ ⁨days⁩ ago
    Tailscale has the Funnel feature too, which puts the endpoint on Tailscale’s servers.
    
    source
    -> View More Comments
  - AbsolutelyNotAVelociraptor@sh.itjust.works ⁨2⁩ ⁨days⁩ ago
    Tailscale allows you to do the same except you can create keys with limited access to only certain ports (just in case you don’t want them peeking around your server).
    
    source
Creat@discuss.tchncs.de ⁨2⁩ ⁨days⁩ ago
You don’t need to hard update your IP every 5 minutes. The typical DNS updaters (just use ddclient) can simply check if your IP is up to date and only update if it isn’t.

source
3dcadmin@lemmy.relayeasy.com ⁨1⁩ ⁨day⁩ ago
I forgot duckdns still exists to be fair

source