this post was submitted on 26 Jun 2025
191 points (98.5% liked)

Selfhosted

46677 readers
749 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
191
Jellyfin over the internet (startrek.website)
submitted 8 hours ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
137 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

top 50 comments
sorted by: hot top controversial new old
[–] Vanilla_PuddinFudge@infosec.pub 2 points 19 minutes ago* (last edited 17 minutes ago)

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

  1. Wireguard tunnel, be it tailscale, netbird, innernet, whatever
  2. A vps with a proxy on it, I like Caddy
  3. A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

[–] nutbutter@discuss.tchncs.de 2 points 21 minutes ago

This is my setup.

Read more, here.

[–] Sgt_choke_n_stroke@lemmy.world 2 points 29 minutes ago (1 children)

Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you're ready to rock and roll

[–] TribblesBestFriend@startrek.website 1 points 25 minutes ago

Didn’t they patch their things now that your stuck in their bubble/environment now or something like that ?

[–] Merlin@discuss.tchncs.de 6 points 1 hour ago

I just install tailscale at family houses. The limit is 100 machines.

[–] This2ShallPass@lemmy.world 4 points 1 hour ago (1 children)

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

[–] swearengen@sopuli.xyz 6 points 2 hours ago

I'm just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.

[–] spacemanspiffy@lemmy.world 2 points 1 hour ago

OpenVPN into my router

[–] Decipher0771@lemmy.ca 5 points 2 hours ago

Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban

[–] xnx@slrpnk.net 13 points 3 hours ago

Tailscale

[–] ArsonButCute@lemmy.dbzer0.com 6 points 3 hours ago

I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.

[–] Evil_Shrubbery@lemm.ee 25 points 5 hours ago (2 children)

Wireguard.

[–] WhyJiffie@sh.itjust.works 3 points 2 hours ago* (last edited 2 hours ago)

and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.

its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.

it can even be your laptop, without hdmi cables

[–] greylinux@lemm.ee 7 points 5 hours ago (1 children)

Exactly this !

[–] Evil_Shrubbery@lemm.ee 4 points 4 hours ago (1 children)

lemm.ee :'''(

[–] 0ops@lemm.ee 4 points 2 hours ago

[–] bmcgonag@lemmy.world 6 points 4 hours ago

Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.

[–] r00ty@kbin.life 13 points 5 hours ago (1 children)

Wireguard vpn into my home router. Works on android so fire sticks etc can run the client.

load more comments (1 replies)
[–] thenose@lemmy.world 5 points 4 hours ago

I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale

[–] JRaccoon@discuss.tchncs.de 14 points 6 hours ago* (last edited 6 hours ago) (13 children)

I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.

In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.

Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.

[–] rumba@lemmy.zip 3 points 40 minutes ago

You remember when LastPass had a massive leak and it out of their production source code which demonstrated that their encryption security was horrible? That was a Plex vulnerability. All it takes is a zero day and one of the packages they're using and you're a prime target for ransomware.

You can see from the number of unauthenticated processes in their security backlog that security really has been an afterthought.

Unless you're running in a non-privileged container with read only media, I definitely would not put that out on the open network.

[–] douglasg14b@lemmy.world 5 points 2 hours ago* (last edited 2 hours ago)

Jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.

https://github.com/jellyfin/jellyfin/issues/5415

[–] Ptsf@lemmy.world 11 points 3 hours ago

It's difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won't touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they'd like for as long as they'd like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you're far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I'm not saying exposing jellyfin to the raw web is so risky it shouldn't be done, but don't buy into the misconception that it's even nearly as secure as running a vpn. They're entirely different classes of security posture and it should be acknowledged that if you don't have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.

[–] catloaf@lemm.ee 5 points 3 hours ago

The issue is not encryption, it's the unauthenticated API. People can interact with your server without an account.

[–] domi@lemmy.secnd.me 10 points 4 hours ago

Anyone wanna yell at me for being an idiot and doing everything wrong?

Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.

Additionally, you might want to check if Shodan has your Jellyfin instance listed: https://www.shodan.io/

[–] makeitwonderful@lemmy.sdf.org 14 points 6 hours ago (1 children)

It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.

If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.

Blocking IP segments based on geography of countries you don't expect connections from adds the cost of a VPN for malicious actors in those areas.

Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.

[–] douglasg14b@lemmy.world 3 points 2 hours ago (1 children)

Fail2ban isn't going to help you when jellyfin has vulnerable endpoints that need no authentication at all.

[–] makeitwonderful@lemmy.sdf.org 1 points 42 minutes ago

Your comment got me looking through the jellyfin github issues. Are the bugs listed for unauthenticated endpoints what you're referencing? It looks like the 7 open mention being able to view information about the jellyfin instance or view the media itself. But this is just what was commented as possible, there could be more possibilities especially if combined with other vulnerabilities.

Now realizing there are parts of Jellyfin that are known to be accessible without authentication, I'm thinking Fail2ban is going to do less but unless there are ways to do injection with the known bugs/a new 0day they will still need to brute force a password to be able to make changes. I'm curious if there is anything I'm overlooking.

[–] Novi@sh.itjust.works 1 points 3 hours ago

I don't disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.

The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.

load more comments (6 replies)
load more comments
view more: next ›