rumba
@rumba@lemmy.zip
- Comment on Socialism is the actual teaching of Jesus 19 hours ago:
seemingly oppose Christianity
Christianity doesn’t even believe in Christianity. Behind the scenes in Churches, it’s bitter old people, angry at each other, shaking down patrons for cash, and selling peace to grieving people. Most Democrats want universal healthcare. They want, but are afraid of UBI, and would like it if they could keep their current advantage in the playing field, not becoming poorer while spreading change.
- Comment on Just one more 1 day ago:
and 99% of the US roadways are this or less.
But when a road connects three urban areas with multiple suburbs in every direction, weird things happen. Most traffic horror isn’t in road planning at all, it’s in urban and suburban planning.
Why do 3 million people need to get from one side of LA to the other on a regular basis?
- Comment on How to get rid of swollen batteries? 2 days ago:
The crux of the standard US problem is that nothing is standard.
So you’ll have one person in a county that has its shit together swearing that we’re set and another person from a county that doesn’t have potable water asking for advice.
The capitalist answer is that some stores have decided there’s money in getting people in to recycle, so voluntarily corporate chain stores are the closest we have to a country-wide state of handled it.
- Comment on I'm not okay. 2 days ago:
They were everywhere in the mid-Atlantic 20 years ago.
I saw one little blinky buddy on my back door last night. I looked out, he was the only one. I shut my porch light off in hopes that he would wander off and find some friends.
- Comment on It's interesting that gun rights were sold on the basis of "resisting unlawful government." They seem to have caused unlawful government. 4 days ago:
Given sufficient time and inaction, the unlawful government will become the lawful government.
- Comment on A reboot of the X-Files but this time Scully is always right. Everything has a totally rational explanation and Mulder slowly loses his belief in the supernatural. 5 days ago:
No, he doesn’t just fade away; he slowly converts from a protagonist to an antagonist. At first, everything is naturally explainable. He slowly grows increasingly agitated with that. As the series progresses, a few paranormal, unexplainable things start to happen. Evidence proving natural causes slowly wanes. Scully starts to suspect. Occasionally she finds a small piece of evidence that is not quite where it should be. Suspicion grows over the run of the show, and eventually they end up on the trail of an ever elusive criminal mastermind.
It’s Mulder. He goes whole ham evil and it’s up to her to stop him.
- Comment on What the fuck 5 days ago:
It’s photoshopped to look like this
Guy did a web comic about miscarriage, some people shortened it to a series of lines. Someone took that series of lines and translated it to this pregnancy test.
- Comment on Hosting virtualbox for my students 5 days ago:
It’ll all be alien to you, but a couple of lines later it will all just work. Guak is your best option; it supports everything.
- Comment on Why is cottage cheese the only cheese defined by some relationship to a building? 5 days ago:
Cottage cheese made in a cottage
Toe cheese …
- Comment on 8999 BC 6 days ago:
Blah blah BC time is backward, 9,000 is older than 8,999, now that we have that out of the way I wonder how they calculate the invention of the bow. Like they just haven’t found one anywhere older than that. It’s just green sticks and ropes at some point. Wonder what the chances are there was something prior that we don’t know because it wasn’t built long enough to last.
- Comment on I'm gonna mute this one 6 days ago:
Don’t mind them, they’re just speed running getting banned from every community.
- Comment on Plex has paywalled my server! 6 days ago:
realistic security concerns
If you’re running a binary installation of Jellyfin on your server and exposing it to the public internet, you can face significant risks:
- Remote execution vulnerabilities might allow attackers to exploit bugs to run malicious code on your server.
- Buffer overflows. Poorly handled data can let attackers manipulate memory, bypass logins, touch things in the host that aren’t meant to be twiddled with.
- Network exposure. If compromised, the server could become a launchpad for attacks on your network.
There might not be any vulnerabilities at this moment, but they might come in a future release. And we might not even know they exist. It’s a small team of volunteers, and they’ll do their best. This is just what is reasonably possible when installing the server as an application on your OS and exposing it to the Internet.
You can minimize risk with a safer setup, as someone else in the comments here mentioned (and I think they even linked to their setup)
Using a Docker container version of the app significantly reduces your attack surface. This isolates the app from your host system. If they get in, they only get into the container and whatever that container is allowed to do.
Mount your media files as read-only to prevent accidental modifications or potential malicious changes. Now that container can’t do any real harm to your data.
Avoid making the container privileged. A privileged container can interact with the host system in risky ways.
Use reasonable unique usernames and passwords. If the container does manage to get compromised, they will likely be able to read usernames and passwords stored in the container.
Regularly update your container – Ensures you have the latest security patches.
Short of some massive Docker vulnerability, (which is on you to keep updated) the worst case should be public enumeration of your media, exposure of your JF users/passwords, and denial of service. Which IMO isn’t very serious.
For even tighter access control, don’t whitelist the entire world.
Whitelist specific IP addresses. Have users visit WhatIsMyIP to get their IP, then configure port forwarding to allow only trusted addresses. This allows the clients at their houses in without any serious hindrance, but would block them from accessing your media when they’re not at their house.
If they’re accessing you through a phone or PC, set up headscale or tailscale or any VPN and allow them to get to you through VPN.
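Added example, not the commenter’s, Jellyfin’s or Docker’s code: a small audit of a docker-compose service definition for the hardening points listed in the comment above (no `privileged`, media mounted `:ro`, no Docker socket, no host networking, `no-new-privileges`, dropped capabilities, port not published on every interface). The two service definitions are constructed for the demo; the assumption that only `/config` and `/cache` need to be writable follows the upstream jellyfin image layout, and binding the published port to 127.0.0.1 assumes a reverse proxy fronts the container.

```python
"""Audit a docker-compose service for the container hardening points above.

Added example: this is not Jellyfin's, Docker's or the commenter's code. The
two service definitions are constructed for the demo; the assumption that only
/config and /cache need to be writable follows the upstream jellyfin image
layout, and binding the published port to 127.0.0.1 assumes a reverse proxy
fronts the container.
"""
from __future__ import annotations

WRITABLE_OK = {"/config", "/cache"}   # assumed state dirs of the image


def _parse_volume(spec) -> tuple[str, str, set[str]]:
    """Split short ('host:target[:opts]') or long-syntax mounts."""
    if isinstance(spec, dict):
        opts = {"ro"} if spec.get("read_only") else set()
        return spec.get("source", ""), spec.get("target", ""), opts
    parts = spec.split(":")
    if len(parts) < 2:                 # anonymous volume, nothing from the host
        return "", parts[0], set()
    opts = set(parts[2].split(",")) if len(parts) > 2 else set()
    return parts[0], parts[1], opts


def audit_service(svc: dict) -> list[str]:
    """Return one finding per setting that widens the blast radius of a compromise."""
    findings: list[str] = []
    if svc.get("privileged"):
        findings.append("privileged: true gives the container host devices and kernel access")
    if svc.get("network_mode") == "host":
        findings.append("network_mode: host drops network isolation")
    for vol in svc.get("volumes", []):
        host, target, opts = _parse_volume(vol)
        if host.endswith("docker.sock"):
            findings.append(f"{host} mounted: the container can drive the Docker daemon")
            continue
        if "ro" not in opts and target not in WRITABLE_OK:
            findings.append(f"{target} mounted read-write: media should be :ro")
    if "no-new-privileges:true" not in set(svc.get("security_opt", [])):
        findings.append("missing security_opt: no-new-privileges:true (blocks setuid escalation)")
    if "ALL" not in {c.upper() for c in svc.get("cap_drop", [])}:
        findings.append("missing cap_drop: [ALL] (add back only what the image provably needs)")
    for port in svc.get("ports", []):
        if len(str(port).split(":")) < 3:   # no host IP given: bound on 0.0.0.0
            findings.append(f"port {port} published on all interfaces; bind 127.0.0.1 behind the proxy")
    return findings


# Constructed sample definitions: the "just make it run" setup and the hardened one.
WEAK = {
    "image": "jellyfin/jellyfin",
    "privileged": True,
    "ports": ["8096:8096"],
    "volumes": ["./config:/config", "/srv/media:/media",
                "/var/run/docker.sock:/var/run/docker.sock"],
}
HARDENED = {
    "image": "jellyfin/jellyfin",
    "ports": ["127.0.0.1:8096:8096"],
    "volumes": ["./config:/config", "./cache:/cache", "/srv/media:/media:ro"],
    "security_opt": ["no-new-privileges:true"],
    "cap_drop": ["ALL"],
}

if __name__ == "__main__":
    for name, svc in (("weak", WEAK), ("hardened", HARDENED)):
        result = audit_service(svc)
        print(f"{name}: {len(result)} finding(s)")
        for finding in result:
            print("  -", finding)
```

The weak definition produces six findings and the hardened one none. Dropping every capability is the strict baseline; if the image’s entrypoint needs one (for example to chown its own state directory), add that single capability back rather than leaving the default set.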
- Comment on Mastodon updates terms of service to ban AI model training on user data 1 week ago:
Exactly this, you can only stop scrapers that play by the rules.
Each one of those books powering GPT had like protection on them already.
- Comment on Mastodon updates terms of service to ban AI model training on user data 1 week ago:
Wait, they changed the TOS on a site to say that you can’t scrape it, when the entirety of the site is available without agreeing to the TOS?
- Comment on Plex has paywalled my server! 1 week ago:
That’s awesome and thank you for sharing that
- Comment on Plex has paywalled my server! 1 week ago:
You are doing the https unwrapping in tf/HA proxy. It’s clear text between the proxy process and the JF server
You can do a dump off the entire network stream when it’s working, install the release candidate and do another dump of the network stream with it not working. Sift through to find the changes.
When the person posted that there was a problem with the RC, It was probably a web socket being mishandled by the proxy due to some change. You can’t just go oh there’s a problem with my third party middleware. They’re going to need to know which of their changes broke the problem. Why it breaks it, and what should be done instead if you expect them to make any kind of changes.
The alternative is you ask them to support Traefik or HA or NPM, and on a volunteer project I could see that being a bridge too far.
- Comment on Plex has paywalled my server! 1 week ago:
They actually do a small login f2b effort right in JF, but it appears to be quite limited.
The container is more secure by default, and if people set up their docker well it reduces the dangers substantially. A lot of people don’t go docker though.
- Comment on Plex has paywalled my server! 1 week ago:
The problem with putting it behind a VPN is then all your users have to be on VPN.
Self-service IP whitelisting would be easy and let all clients work without trying to hack in a separate VPN client.
The only thing that would suck is that if you were on a mobile link while moving and swapping towers, your IP would change, so you’d constantly get kicked off.
But if you were so inclined you could VPN to your own house and your IP would stay the same.
- Comment on Plex has paywalled my server! 1 week ago:
Yeah, part of doing this is keeping a CI pipeline up and unit testing against RCs and telling them exactly what’s failing. The report in that ticket gave them absolutely no choice but to try to set up an entire system to reproduce whatever the user did, which they obviously don’t want to do.
WebSocket relays are poorly implemented in a lot of proxies, Even cloudflare has its fair share of issues.
The downside of using HA is reinventing the let’s encrypt pipeline for the 40th time, the upside is it’s dead simple, web sockets go in, web sockets go out, The logs are good, it’s easy to debug it with TCP dump If things start to get sketchy.
- Comment on Plex has paywalled my server! 1 week ago:
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there’s an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user’s private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That’s how LastPass got nuked I hear.
- Comment on Plex has paywalled my server! 1 week ago:
I just put it behind an HAProxy a few minutes ago; it appears to be fine. You just need something capable enough to handle web sockets. I’ve made it all the way through an episode of The Real Monsters without any problems.
Again, you’re not going to be able to 2FA it that way, what I’m looking at doing is IP whitelisting it in HAProxy using a small web helper that is 2FA, accessed via the same port but on a separate path.
- Comment on Plex has paywalled my server! 1 week ago:
This will work fine over the web, but won’t work with clients.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
edit:
I just tried it, it appears to work so far.
I can send websocket traffic inbound on 8096 to the JF server and it loads on web, Android and Roku clients with an ACL limiter on originating IPs, and send 8096/whitelist to another server altogether with no ACL limits.
On that process, I’d load nginx, authelia, fail2ban and what, Flask? Surely someone has a python login/admin framework that I could hijack for this. Then have that app reach over in shared container storage to twiddle the haproxy config to add some IPs and reload it?
I wonder if I could do something to the haproxy side to detect non-use of an IP and remove it.
- Comment on Plex has paywalled my server! 1 week ago:
The term SSL has been colloquially used for the last decade, and it would be difficult, if not impossible, to confuse the two and issue the wrong type of security at this point. Are there even packages that old available to Docker?
We’re having an informal discussion here about how to make Jellyfin security less daunting to the average user. Taldan is apparently knowledgeable about the situation and could lend a conceptual hand to the process, but I suspect they chose instead to nitpick terminology that’s still used in common parlance. Since I have some doubts, but don’t wish to assume, I asked a simple question.
- Comment on Plex has paywalled my server! 1 week ago:
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
- Comment on Plex has paywalled my server! 1 week ago:
Would you consider this a particularly constructive comment?
- Comment on Plex has paywalled my server! 1 week ago:
Current Idea:
Whitelisted?
- user: bob.com:9901 -> jellyfin
Not Whitelisted?
- user: bob.com:9901 -> 404
Whitelisted or Not whitelisted?
- user: bob.com/whitelist -> nginx/python, authelia, fail2ban, traefik whitelist modifier
- Comment on Plex has paywalled my server! 1 week ago:
Basic functionality, I’ve heard good things about the crappy Walmart ONN branded ones.
I know there are Alibaba options, but I’m awfully afraid a lot of those have worse security issues than opening up jellyfin.
- Comment on Plex has paywalled my server! 1 week ago:
Now that’s an interesting thought.
A web page with Authelia, login and a firewall.
If you’re not logged in, all you get is a login page. If you are logged in, it passes you straight through to jellyfin.
So any device and client would be able to access it without issue once a phone or computer on the network had logged in just once.
The web page modifies the HA proxy ACL and forces a reload.
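Added example (editor’s code, not the commenter’s, Jellyfin’s or HAProxy’s) of the self-service whitelister sketched in this comment and in the earlier “Current Idea” and “8096/whitelist” comments: after the 2FA login succeeds, the helper records the caller’s address, keeps a `src` ACL file that HAProxy reads on reload, emits the matching runtime API commands so the running process picks up the change without one, and expires addresses that the access log has not shown in use (the “detect non-use of an IP and remove it” question). It assumes an HAProxy front end along the lines of `acl allowed src -f /etc/haproxy/allowed.lst` plus `use_backend whitelister if { path_beg /whitelist }`, that HAProxy is the only peer (127.0.0.1 here) allowed to set `X-Forwarded-For`, and a 14-day idle TTL; the file paths, addresses and requests in the demo are constructed.

```python
"""Self-service IP whitelist helper for an HAProxy 'src' ACL, with expiry.

Added example: not Jellyfin's, HAProxy's or the commenter's code. Assumed
HAProxy front end (config, not part of this script):

    acl allowed      src -f /etc/haproxy/allowed.lst
    acl is_whitelist path_beg /whitelist
    use_backend whitelister if is_whitelist
    http-request deny if !allowed
    default_backend jellyfin

The stats-socket commands returned below ('add acl' / 'del acl') update the
running process; the rewritten file is what survives a reload.
"""
from __future__ import annotations

import ipaddress
import json
import tempfile
from pathlib import Path

PROXY_ADDR = "127.0.0.1"  # assumed: the only peer allowed to set X-Forwarded-For


def client_ip(peer: str, headers: dict[str, str]) -> str:
    """Real client address of a request that reached the helper.

    X-Forwarded-For is only believed when the TCP peer is the proxy itself;
    otherwise anyone who can reach the helper directly could whitelist any
    address. HAProxy appends the address it saw, so take the last entry.
    """
    xff = headers.get("X-Forwarded-For", "")
    ip = xff.split(",")[-1].strip() if (peer == PROXY_ADDR and xff) else peer
    return str(ipaddress.ip_address(ip))  # ValueError on anything that is not an IP


class Whitelist:
    def __init__(self, store: Path, acl_file: Path, ttl: float = 14 * 86400):
        self.store, self.acl_file, self.ttl = store, acl_file, ttl
        self.entries: dict[str, float] = {}  # ip -> expiry (epoch seconds)
        if store.exists():
            self.entries = json.loads(store.read_text())

    def add(self, ip: str, now: float) -> list[str]:
        """Whitelist ip (call after 2FA succeeded); return runtime API commands."""
        ip = str(ipaddress.ip_address(ip))
        fresh = ip not in self.entries
        self.entries[ip] = now + self.ttl
        self._persist()
        return [f"add acl {self.acl_file} {ip}"] if fresh else []

    def touch(self, ip: str, now: float) -> None:
        """Call when the access log shows ip in use: keeps it alive."""
        if ip in self.entries:
            self.entries[ip] = now + self.ttl
            self._persist()

    def prune(self, now: float) -> list[str]:
        """Drop addresses idle past the TTL; return runtime API commands."""
        stale = [ip for ip, exp in self.entries.items() if exp <= now]
        for ip in stale:
            del self.entries[ip]
        if stale:
            self._persist()
        return [f"del acl {self.acl_file} {ip}" for ip in stale]

    def _persist(self) -> None:
        self.acl_file.write_text("".join(f"{ip}\n" for ip in sorted(self.entries)))
        self.store.write_text(json.dumps(self.entries))


def demo() -> dict:
    """Constructed walk-through: one relayed login, one forged header, one expiry."""
    with tempfile.TemporaryDirectory() as d:
        wl = Whitelist(Path(d) / "state.json", Path(d) / "allowed.lst", ttl=3600)
        t0 = 1_700_000_000.0
        # Request relayed by HAProxy: the forwarded address is trusted.
        alice = client_ip(PROXY_ADDR, {"X-Forwarded-For": "203.0.113.7"})
        # Request that hit the helper directly with a forged header: header ignored.
        mallory = client_ip("198.51.100.9", {"X-Forwarded-For": "203.0.113.7"})
        added = wl.add(alice, t0) + wl.add(mallory, t0)
        wl.touch(alice, t0 + 3000)        # alice keeps streaming
        removed = wl.prune(t0 + 3601)     # 198.51.100.9 went idle for the full TTL
        return {"alice": alice, "mallory": mallory, "add": added,
                "del": removed, "file": (Path(d) / "allowed.lst").read_text()}


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v!r}")
```

The `touch` call is the hook for the idle-removal idea: feed it the source addresses from the HAProxy access log on a timer and run `prune` afterwards, and anyone who stops using the server falls off the ACL without a manual step. Sending the returned commands to the stats socket (for example with `socat` or `echo ... | nc -U`) is left to the caller.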
- Comment on Plex has paywalled my server! 1 week ago:
Authelia is super easy, if the clients can handle it
- Comment on Plex has paywalled my server! 1 week ago:
That’s what I do myself, but in a lot of cases VPN is beyond the grasp of the friends and family that are being shared with.
Tailscale is somewhat approachable for this, there are a number of streaming devices that support TS clients. But then tailscale will eventually enshittify their free offering. Wrapping headscale into this will add yet another layer of complication. VPN is far more secure but I think it makes it unapproachably complicated for many.