agnos.is Forums


How to secure Jellyfin hosted over the internet?

  • S [email protected]

    CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.

    ? Offline
    Guest
    wrote on last edited by
    #52

    just run wireguard on the jelly server..

    S jagged_circle@feddit.nlJ 2 Replies Last reply
    0
    • L [email protected]

      For me it's always been busted both on AOSP and Miui/HyperOS...

      D This user is from outside of this forum
      [email protected]
      wrote on last edited by
      #53

      Works great and has been for some time on my P7P.

      Ensure you've allowed background usage and turn off manage app if unused.

      Keep the notification on and allow notifications.

      1 Reply Last reply
      0
      • paequ2@lemmy.todayP [email protected]

        if the cameras don’t load, open Tailscale and make sure it’s connected

        I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.

        It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.

        B This user is from outside of this forum
        [email protected]
        wrote on last edited by
        #54

        If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I've used this on stock Pixel and GrapheneOS.

        Under Settings > Network and internet > VPN

        Tap the Cog icon next to Tailscale and select Always-on VPN.

        paequ2@lemmy.todayP 1 Reply Last reply
        0
        • R [email protected]

          For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice.

          For full access including native clients, set up a VPN.

          lambda@programming.devL This user is from outside of this forum
          [email protected]
          wrote on last edited by
          #55

          I use Tailscale right now. Which, in fairness, I didn't state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.

          R 1 Reply Last reply
          0
          • S [email protected]

            My setup:

            • Locally (all in docker)
                • JF for managing and local access
                • JF with read only mounted volumes that uses the network of my Wireguard client container
                • Wireguard client opening a tunnel to Wireguard server on VPS
                • Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise)
            • VPS (Oracle Cloud free tier)
                • Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
                • fail2ban to block IPs that try to bruteforce credentials
                • Wireguard server

            So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.

            lambda@programming.devL This user is from outside of this forum
            [email protected]
            wrote on last edited by
            #56

            I'm more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?

            S 1 Reply Last reply
            0
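Added example (not part of the thread, and not the poster's actual configuration): the sliding-window counting that fail2ban performs with its maxretry/findtime settings, run over constructed Jellyfin-style log lines. The log line shape, the addresses and the tunnel address 10.8.0.1 are assumptions; the ignore set shows why the proxy's own address must be excluded when Jellyfin sits behind a reverse proxy and logs the proxy as the client.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape, modelled on Jellyfin's "authentication denied" message.
# Check it against your own server log before reusing the pattern.
DENIED = re.compile(
    r'^\[(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)[^\]]*\].*'
    r'Authentication request for "(?P<user>[^"]*)" has been denied '
    r'\(IP: "(?P<ip>[^"]+)"\)'
)

# Constructed sample log. Public addresses are documentation ranges;
# 10.8.0.1 stands in for the reverse proxy's end of the tunnel (assumption).
SAMPLE_LOG = """\
[2024-05-01 20:00:01.120 +00:00] [INF] Authentication request for "admin" has been denied (IP: "203.0.113.7").
[2024-05-01 20:00:05.310 +00:00] [INF] Authentication request for "admin" has been denied (IP: "203.0.113.7").
[2024-05-01 20:00:09.870 +00:00] [INF] Authentication request for "root" has been denied (IP: "203.0.113.7").
[2024-05-01 20:00:30.000 +00:00] [INF] WebSocket connection opened from 203.0.113.7
[2024-05-01 20:01:00.000 +00:00] [INF] Authentication request for "alice" has been denied (IP: "198.51.100.4").
[2024-05-01 20:02:00.000 +00:00] [INF] Authentication request for "bob" has been denied (IP: "10.8.0.1").
[2024-05-01 20:02:30.000 +00:00] [INF] Authentication request for "carol" has been denied (IP: "10.8.0.1").
[2024-05-01 20:03:00.000 +00:00] [INF] Authentication request for "dave" has been denied (IP: "10.8.0.1").
[2024-05-01 20:20:00.000 +00:00] [INF] Authentication request for "alice" has been denied (IP: "198.51.100.4").
[2024-05-01 20:40:00.000 +00:00] [INF] Authentication request for "alice" has been denied (IP: "198.51.100.4").
"""

def find_offenders(lines, max_retry=3, find_time=timedelta(minutes=10),
                   ignore=frozenset()):
    """Return {ip: timestamp of the failure that reached max_retry}.

    Lines are assumed to be in chronological order, as in a log file.
    """
    recent = defaultdict(deque)   # ip -> failure times inside the window
    banned = {}
    for line in lines:
        m = DENIED.match(line)
        if not m:
            continue              # not an auth failure
        ip = m["ip"]
        if ip in ignore or ip in banned:
            continue              # never ban the proxy; skip already-banned
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[ip]
        window.append(ts)
        while ts - window[0] > find_time:
            window.popleft()      # drop failures older than find_time
        if len(window) >= max_retry:
            banned[ip] = ts
    return banned

if __name__ == "__main__":
    for ip, when in find_offenders(SAMPLE_LOG.splitlines(),
                                   ignore={"10.8.0.1"}).items():
        print(f"ban {ip} (threshold reached at {when})")
```

Without the ignore entry, the three failures that arrive through the tunnel would ban 10.8.0.1 and cut off every remote user at once.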
            • F [email protected]

              I hate the cloudflare stuff making me do captchas or outright denying me with a burning passion. My fault for committing the heinous crime of using a VPN!

              S This user is from outside of this forum
              [email protected]
              wrote on last edited by
              #57

              Skill issue

              1 Reply Last reply
              0
              • F [email protected]

                Some of these are bonkers. The argument not to fix them because of backwards compatibility is even wilder. Which normal client would need the ability to get data for any other account that it hasn't the Auth token for.

                S This user is from outside of this forum
                [email protected]
                wrote on last edited by
                #58

                Just make a different API prefix that's secure and subject to change, and once the official clients are updated, deprecate the insecure API (off by default).

                That way you preserve backwards compatibility without forcing everyone to be insecure.

                M 1 Reply Last reply
                0
                • D [email protected]

                  Doesn't streaming media over a cloudflare tunnel/proxy violate their ToS?

                  S This user is from outside of this forum
                  [email protected]
                  wrote on last edited by
                  #59

                  They prohibit large amounts of media being streamed, and they reserve the right to suspend or terminate accounts for it. Multiple years in, that has not happened.

                  Edit: here, you can read https://blog.cloudflare.com/updated-tos/

                  M 1 Reply Last reply
                  0
                  • netrunner@programming.devN [email protected]

                    Using cloudflare tunnels means nothing is encrypted and cloudflare sees all.

                    S This user is from outside of this forum
                    [email protected]
                    wrote on last edited by
                    #60

                    Oh no they'll see I'm watching TNG

                    1 Reply Last reply
                    0
                    • ? Guest

                      just run wireguard on the jelly server..

                      S This user is from outside of this forum
                      [email protected]
                      wrote on last edited by
                      #61

                      My users aren't going to figure that out.

                      ? 1 Reply Last reply
                      0
                      • S [email protected]

                        My users aren't going to figure that out.

                        ? Offline
                        Guest
                        wrote on last edited by
                        #62

                        they don't have to figure it out, you are the one running it

                        S 1 Reply Last reply
                        0
                        • ? Guest

                          they don't have to figure it out, you are the one running it

                          S This user is from outside of this forum
                          [email protected]
                          wrote on last edited by
                          #63

                          They'd have to connect to it, and possibly reconnect. That aspect is the issue.

                          1 Reply Last reply
                          0
                          • S [email protected]

                            My setup:

                            • Locally (all in docker)
                                • JF for managing and local access
                                • JF with read only mounted volumes that uses the network of my Wireguard client container
                                • Wireguard client opening a tunnel to Wireguard server on VPS
                                • Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise)
                            • VPS (Oracle Cloud free tier)
                                • Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
                                • fail2ban to block IPs that try to bruteforce credentials
                                • Wireguard server

                            So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.

                            E This user is from outside of this forum
                            [email protected]
                            wrote on last edited by
                            #64

                            This seems like a developer/infrastructure-level job. Any dumbed-down, step-by-step procedure to recommend?

                            S 2 Replies Last reply
                            0
                            • lambda@programming.devL [email protected]

                              I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

                              D This user is from outside of this forum
                              [email protected]
                              wrote on last edited by
                              #65

                              Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.

                              irmadlad@lemmy.worldI spacecadet@feddit.nlS 2 Replies Last reply
                              0
                              • S [email protected]

                                Just make a different API prefix that's secure and subject to change, and once the official clients are updated, deprecate the insecure API (off by default).

                                That way you preserve backwards compatibility without forcing everyone to be insecure.

                                M This user is from outside of this forum
                                [email protected]
                                wrote on last edited by
                                #66

                                Even just basic API versioning would be sufficient. .NET offers a bunch of ways to handle breaking changes in APIs.

                                1 Reply Last reply
                                0
                                • S [email protected]

                                  They prohibit large amounts of media being streamed, and they reserve the right to suspend or terminate accounts for it. Multiple years in, that has not happened.

                                  Edit: here, you can read https://blog.cloudflare.com/updated-tos/

                                  M This user is from outside of this forum
                                  [email protected]
                                  wrote on last edited by
                                  #67

                                  Cloudflare is known for being unreliable with how and when it enforces the ToS (especially for paying customers!). Just because they haven't cracked down on everyone doesn't mean they won't arbitrarily pick out your account from thousands of others just to slap a ban on. There's inherent risk to it.

                                  1 Reply Last reply
                                  0
                                  • lambda@programming.devL [email protected]

                                    Clients are built to speak directly to the Jellyfin API. If you put an auth service in front it won't even ask you to try and authenticate with that.

                                    O This user is from outside of this forum
                                    [email protected]
                                    wrote on last edited by
                                    #68

                                    Sorry, when out of the house I only use web not clients.

                                    1 Reply Last reply
                                    0
                                    • lambda@programming.devL [email protected]

                                      I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

                                      jagged_circle@feddit.nlJ This user is from outside of this forum
                                      [email protected]
                                      wrote on last edited by
                                      #69

                                      Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.

                                      Best thing is to not. Put it on your local net and connect in with a vpn

                                      S 1 Reply Last reply
                                      0
                                      • ? Guest

                                        I use Pangolin (https://github.com/fosrl/pangolin)

                                        jagged_circle@feddit.nlJ This user is from outside of this forum
                                        [email protected]
                                        wrote on last edited by
                                        #70

                                        URL is 404

                                        ? ? 2 Replies Last reply
                                        0
                                        • ? Guest

                                          just run wireguard on the jelly server..

                                          jagged_circle@feddit.nlJ This user is from outside of this forum
                                          [email protected]
                                          wrote on last edited by
                                          #71

                                          Can't use double VPN on mobile.

                                          1 Reply Last reply
                                          0