Jellyfin over the internet
-
and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.
it can even be your laptop, without hdmi cables
You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road
-
good article! thanks for that
-
Anyone wanna yell at me for being an idiot and doing everything wrong?
Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
Additionally, you might want to check if Shodan has your Jellyfin instance listed: https://www.shodan.io/
Jellyfin is dropping HTTPS support with a future update[...]
What's the source for this? I wasn't able to find anything with a quick google search
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.
-
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
This is an interesting setup
-
Jellyfin is dropping HTTPS support with a future update[...]
What's the source for this? I wasn't able to find anything with a quick google search
Upgrade notes for 10.11 RCs
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a "myth-busting" post about this topic.
-
I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a "myth-busting" post about this topic.
Please do so, it'll be very useful
-
Upgrade notes for 10.11 RCs
Thanks. This is kinda important info so I've edited my initial comment.
They are not saying anything on why they are removing it.
-
Jellyfin isn't secure and is full of holes.
That said, here's how to host it anyway.
- Wireguard tunnel, be it tailscale, netbird, innernet, whatever
- A vps with a proxy on it, I like Caddy
- A PC at home with Jellyfin running on a port, sure, 8096
If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.
more...
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.
I SAID MORE!
There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Or you could use Plex and jump through zero of these hoops
-
I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.
I tried really hard to get a named CloudFlare tunnel working with a domain name I registered (I share my personal home videos with a non technical family member in Italy) but couldn't get it working no matter what I tried.
-
Wow, a "for dummies" guide for doing all this would be great
know of any?wrote last edited by [email protected]If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the
docker runcommand, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using.ymlfiles.Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.
There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
wrote last edited by [email protected]I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
VPN or Tailscale
-
And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That's more or less it.
Good? No. But far from making it a poor choice exposing it.
wrote last edited by [email protected]These are all holes in the Swiss cheese model.
Just because you and I cannot immediately consider ways of exploiting these vulnerabilities doesn't mean they don't exist or are not already in use (Including other endpoints of vulnerabilities not listed)
This is one of the biggest mindset gaps that exist in technology, which tends to result in a whole internet filled with exploitable services and devices. Which are more often than not used as proxies for crime or traffic, and not directly exploited.
Meaning that unless you have incredibly robust network traffic analysis, you won't notice a thing.
There are so many sonarr and similar instances out there with minor vulnerabilities being exploited in the wild because of the same"Well, what can someone do with these vulnerabilities anyways" mindset. Turns out all it takes is a common deployment misconfiguration in several seedbox providers to turn it into an RCE, which wouldn't have been possible if the vulnerability was patched.
Which is just holes in the swiss cheese model lining up. Something as simple as allowing an admin user access to their own password when they are logged in enables an entirely separate class of attacks. Excused because "If they're already logged in, they know the password". Well, not of there's another vulnerability with authentication....
See how that works?
-
Or you could use Plex and jump through zero of these hoops
I think paying for remote access counts as a hoop.
As in "that's a pain in my hoop"
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
