A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.
I don't use jellyfin but my general approach is either:
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
Personally I use twingate, free for 5 users and relatively straightforward to set up.
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a "subnet router" and an "exit node"that both me and said fam member can use.
This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL's / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
Along with all the YT videos about it I didn't even have to go nagging on forums to get it to work, and that's a general first for me.
I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up
Will look into it, thanks !
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
What's the point of authentik when Jellyfin already has authentication?
While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
Edit: There are also alternatives like authelia that may be easier to implement. I don't really trust most web apps to be ultra secure with internet-facing sign-in pages so it just feels like "good practice" to hide behind an auth service whose sole purpose is to be written and built securely. Plus once you learn how to set up fail2ban with an auth service, there will be no need to re-learn or re-implement it if you add a 2nd app/service. Very modular and makes testing and adding new things much easier.
Another benefit is that it has a nice GUI. I can look at logins, add services, stuff like that without touching config files which will be nice for those who don't like wading through text files to change config.
Can authentik pass through the authentication to Jellyfin, or do you just log in twice?
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
and I have certbot for my domain on ec2 :)
Who are you using for your domain? I was told if I used cloudfair they would ban me for having streaming traffic over their DNS.
You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
Ahh ok, I have as going to route Plex over 443 to see if that helped streaming on T-Mobile home Internet.
For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.
Headscale server on cheap vps with tailscale clients.
I'm trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I'm understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I'm wrong. I'm still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I'd have to connect via tailscale everytime and some instances, it wouldn't connect properly at all.
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.
How are you geoblocking?
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
I'm using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that's it.
Unifi teleport. A zero configuration VPN to my home network.
I’m fidgeting with Tailscale but I find this solution some what lacking
Tailscale is great for not opening your ports to the internet. Having it playable on a friend's appletv adds some extra complexity. Reverse proxy on a subdomain with something like fail2ban would work, but it does leave you more vulnerable.
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
Someone mentioned above that cloudflare will ban you for streaming through their tunnel. Just be warned.
My router has a VPN server built-in. I usually use that.
With wireguard i set up an easy VPN, then vpn to the home network and use jellyfin.
If i cant use vpn, i have Jellyfin behind a caddy server with automatic https and some security settings.
I use LSIO container stack so SWAG for the proxy. They have really good documentation and active discord docs.linuxserver.io