Hello. I have just recently started with self hosting my media with Jellyfin… and I am LOVING it! I had been carrying around media players for decades, with everyone looking at me like an insane crank for not giving up on my hundreds of gigs of media for SaaS things like Spotify… now they’re jealous! We’ve come full circle!
Annnyway. Obviously, I want to access the server anywhere, and don’t want to just raw-dog an open port to the internet. Yikes!
There are SO MANY ways and guides and thoughts on this, I’m a bit overwhelmed and looking for your thoughts on the best way to start off… it doesn’t have to be ‘fort knox’ and I am sure I’ll adjust and pivot as I learn more… but here are the options I know of (did I miss any?):
- Tailscale VPN connection
- Reverse Proxy with Caddy or similar (this is recommended as easy in the Jellyfin official guides and thus is my current leading contender!)
- Docker/VM ‘containerized’ server with permissions/access control
What are your thoughts on the beginner-friendly-ness and ease of setup/management of these? This is exclusively for use by me and my family, so I don’t need something that’s easy for anyone to access with credentials… just our handful of devices.
Please don’t laugh, but I’m currently hosting on a Raspberry Pi5 with a big-ass harddrive attached (using CasaOS on a headless Ubuntu Server). I know this is JANK as far as self-hosting goes, and plan to upgrade to something like NAS in the future, but I’m still researching and learning, and aside from shitty video transcoding, it’s working fine for now… Thank you in advance for your advice, help and thoughts!
EDIT: Thanks all for the helpful comments & suggestions. I’m all set up with Tailscale, setting up Caddy with it soon, and so far, as advertised! EZPZ and soooo good!
Put Jellyfin behind something else that requires authentication before you can access Jellyfin at all
Which breaks basically every client, since none of them can deal with basic auth getting in the way
Reading jellyfin’s issues it’s clear its web ui and API cannot be allowed to talk to the general internet.
I’d push for a VPN solution first. Tailscale or WireGuard. If you’re happy with Cloudflare sniffing all traffic and that they may take it away suddenly someday, use their tunnel with authentication.
The only other novel solution I’d suggest is putting jellyfin behind an Authentik wall (not OIDC, though you can use OIDC for users after the wall). That puts security on Authentik, and that’s their only job so hopefully that works. I’d use that if VPN (tailscale or wireguard) are problematic for access. The downside is that jellyfin apps will not be able to connect, only web browsers that can log into the Authentik web ui wall.
Flow would go caddy/other reverse proxy -> Authentik wall for jellyfin -> jellyfin
I’d put everything in docker, I’d put caddy and Authentik in a VM for a DMZ (incus + Zabbly repo web ui to manage the VM), I’d set all 3 in the compose to read-only, user:####:####, cap-drop all, no new privileges, limited named networks.
Podman quadlets would be even better security than docker, but there’s less help for that (for now). Do docker and get something working to start, then grow from there
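Added example (not from this thread or the Jellyfin project): a compose file applying the hardening listed above (read-only root filesystem, unprivileged user, cap-drop all, no new privileges, limited named networks) to Jellyfin and Caddy; Authentik is omitted. It assumes the official jellyfin/jellyfin and caddy images, a placeholder uid:gid of 1000:1000 that you replace with your own, bind-mounted directories owned by that user, and a Caddyfile that proxies to jellyfin:8096.

```yaml
# Constructed example compose file; values marked placeholder are assumptions.
services:
  jellyfin:
    image: jellyfin/jellyfin:latest
    user: "1000:1000"            # placeholder uid:gid; run unprivileged
    read_only: true              # root filesystem is read-only
    cap_drop: [ALL]              # drop every Linux capability
    security_opt:
      - no-new-privileges:true   # setuid binaries cannot regain privileges
    tmpfs:
      - /tmp                     # the only writable scratch space
    volumes:
      - ./jellyfin-config:/config   # state the app must write (placeholder path)
      - ./jellyfin-cache:/cache
      - /srv/media:/media:ro        # media library mounted read-only (placeholder)
    networks: [backend]          # no published ports; only Caddy can reach it
  caddy:
    image: caddy:latest
    user: "1000:1000"            # Docker 20.10+ lets non-root bind 443 in-container
    read_only: true
    cap_drop: [ALL]
    security_opt:
      - no-new-privileges:true
    ports:
      - "443:443"                # the only port reachable from outside compose
    volumes:
      - ./Caddyfile:/etc/caddy/Caddyfile:ro
      - caddy-data:/data         # TLS certificates need a writable location
      - caddy-config:/config
    networks: [frontend, backend]
networks:
  frontend:
  backend:
    internal: true               # backend has no route to the internet at all
volumes:
  caddy-data:
  caddy-config:
```

Check the result with `docker inspect` on each container: CapDrop should list ALL, ReadonlyRootfs should be true and SecurityOpt should contain no-new-privileges.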
Thanks for your comment. There are several things/products/methods you mention that I’m not familiar with and/or don’t understand:
- Authentik Wall
- OIDC
- DMZ
- Incus
- Zabbly
- “in the compose”
- cap-drop all
- Podman quadlets
As I mentioned, I’m new here. I could just put each of these in duckduckgo in succession, but do you have a particular guide or link that describes any of this for someone less familiar with the process than yourself?
The general gist is, do not expose Jellyfin to the internet. Neither via a port nor through a reverse proxy. It’s simply not built secure enough for that.
Use docker to make the setup easier, then use tailscale or whatever VPN solution to allow users from outside your network to access it.
All of the additional authentication solutions mentioned break client compatibility. Then you could only watch through a browser.
Install docker, deploy Jellyfin to it, test it. They both have good guides on their respective websites.
I don’t mean to question the sincerity of your post when I ask this. Did you use a LLM, like chatgpt, to edit/phrase your question? This style of writing is also used by humans, so I absolutely could be wrong. I am just checking my AI detection calibration.
Look for the double em dash, chatGPT loves it.
I have no real issue with someone passing a post through a LLM to expand on a thought or to help with English writing (as someone with dyslexia this can be very handy)
umm, no. This is just the way I write. I get what you mean, reading over it. It’s something about tone. Sadly, here we are where any generically “cheery” writing style seems suspect.
VPN. Jellyfin is not intended for direct exposure to the Internet.
You should run it in docker anyway for convenience. A reverse proxy is optional, but I use traefik also for convenience (so that I can just use domain names on the same port, and so that it can automatically fetch certs).
Jellyfin is not intended for direct exposure to the Internet.
https://jellyfin.org/docs/general/post-install/networking/
There are multiple ways of exposing Jellyfin to the outside - the most common ones are:
- forwarding its Ports directly to the internet (not recommended!)
- forwarding through a Reverse Proxy
- using a VPN connection to enter the Network
- use a VPS to Reverse Proxy to your home network
Intended… not recommended. The reverse proxy one should also not be recommended until they resolve the unauthed endpoints issue as well really. Security is a weak point on Jellyfin in general.
I’ve tested the worst of these endpoints and they were already secured, just the issues haven’t been updated.
For instance, from the security split-out issue list: https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825369811
I took the only one that could lead to admin/system infiltration (LDAP config escalation, others are about media access), and found it to have already been secured: https://github.com/jellyfin/jellyfin/issues/13989
others are about media access
Yup, and these are the biggest risks IMO. I find the well organized, big media companies with deep pockets and a few basic scripts that we know to work to be the biggest vector of liability.
https://github.com/jellyfin/jellyfin/issues/1501
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2071798575 (and the following comments)
https://github.com/jellyfin/jellyfin/issues/13984
A person’s biggest threat running Jellyfin is going to be the media companies themselves. Sony (the company known for installing rootkits on people’s computers) can pre-hash a list of their movies with commonly config’d locations/name schemas for their content and enumerate your system for if you have their content. Since you don’t have any authentication on the endpoint, they’re likely not violating any law through circumvention. The “random UUID” is just the MD5 hash of the path/filename. So it’s actually highly guessable… especially for people using default docker configs and *arr stacks and you normalize names using these tools.
Their response was “this attack isn’t in the wild” (as if they actually know… running a script and checking a few hundred thousand requests to go through a list of movies isn’t all that taxing and users won’t even notice it to report it… let alone have enough logging to notice it to begin with) and “it breaks compatibility, so we don’t want to do it”. Which I find laughable. It turned me off from Jellyfin all together.
Edit: And because every time I bring up the issue I get downvoted for “fear mongering”… There are answers to resolve it… you need to use non-standard naming schemes in your files/folder structure and fail2ban. But that expects users to do that… And I could do that… but it’s a security risk nonetheless and the developers’ response to the risk being what it is is what’s scary to me.
Edit2: The LDAP one… I should clarify I don’t care about that one since well… requires you to additionally config stuff that most users won’t. But the media exposure issues are default and universal and require setting things “non-standard” to have any protection from, which users generally WON’T do.
Well, I wouldn’t say the media issues are worse than a full domain access issue, but despite my comment above, I agree with you.
The security split-issue feels reminiscent of when Plex didn’t use SSL and wouldn’t implement it until a white-hat POC token exploit was produced and provided to them (of which I was the author). If JF was my project, these would be top of my list.
They need to switch to cookie based auth instead of doing the weird thing with the URLs
Yeah the API token exposure in the URLs is another thing… And that can expose itself in all sorts of ways.
Use the reverse proxy for access control ? Then you don’t need to install extra software to access it remotely ?
I don’t think jellyfin supports that either. I tried it a while back and only saw partial success.
What does Jellyfin have to do with that? If you implement access control in the reverse proxy, requests from non-whitelisted IPs are just not forwarded to Jellyfin.
I have used Tailscale for about a year now. Flawless for a small ecosystem and a couple of people and doesn’t expose anything.
Bonus of routing all my traffic through pi-hole at home and then through VPN client on router
I’ve tried tailscale and cloudflare tunnels in the past and ended up just using PiVPN to set up a WireGuard VPN on my Pi5. Tailscale for some reason was very slow for me, and cloudflare tunnels have a 100mb limit iirc which isn’t ideal for streaming. PiVPN is quite straightforward, it sets everything up for you and all you have to do is forward a UDP port. That was the bit I was most worried about, but, unless I’ve misunderstood something, because a UDP port will just ignore invalid requests to the outside world it will appear closed so it’s not very risky. It then generates a key for each device which you can scan from a QR code onto your VPN client. I have my phone set to auto-connect to the tunnel when I disconnect from my home wifi network and the tunnel is fast enough that I’ve accidentally turned off my phone’s wifi connection before and streamed a TV show through the tunnel over mobile data and not noticed any difference in speed.
My favourite way of having a secure Jellyfin is using Plex
deleted by creator
Just use the bookmark feature…
deleted by creator
You do you, just expect downvotes for this sort of engagement with the community