Jellyfin over the internet
-
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet.
It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.(See Edit 2)In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There's also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you're running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you're hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
-
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There's also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you're running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you're hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
Yes I love the fact that I set up letsencrypt in only 2 places (1 traefik instance per 2 different boxes) and it handles SSL for a dozen services.
-
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
What's the point of authentik when Jellyfin already has authentication?
-
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet.
It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.(See Edit 2)In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don't want exposed. And then there's the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that's only because I'm comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
-
Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
I also would like to know
-
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet.
It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.(See Edit 2)In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don't see the open ports, they move on. Won't stop a determined attacker, of course, but that's what other layers are for.
As long as there's real security otherwise (TLS, good passwords, etc), it's fine.
If anyone says "that's a false sense of security", ignore them. They've replaced thinking with a cliche.
-
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet.
It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.(See Edit 2)In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don't expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Tailscale - funnel
Just that
-
How are you geoblocking?
Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I'm trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I'm understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I'm wrong. I'm still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I'd have to connect via tailscale everytime and some instances, it wouldn't connect properly at all.
-
You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
Ahh ok, I have as going to route Plex over 443 to see if that helped streaming on T-Mobile home Internet.
-
In a perfect world, yes. But not as a beginner, I guess?
It's beginner level, the hard part is the reverse proxy, once you have a grasp on that just having it on a dedicated box in a segmented portion on your firewall designated as the DMZ is easy. Id even go so far as to say its the bare minimum if you're even considering exposing to the internet.
It doesn't even need to be all that powerful since its just relaying packets as a middleman
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Headscale server on cheap vps with tailscale clients.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Wireguard.
-
Look pretty interesting. Do you have guide I could follow ?
Not at hand no, but I’m sure any of the LLMs can guide you through the setup if googling does not give anything good.
Nothing very special about all this, well maybe the subdir does require some extra spells to reverse proxy config.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.
-
I kept the main domain open, but redirected it to a rickroll
Nice, but the bots may not understand the joke.
And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
-
Wireguard.
Exactly this !
-
This isn't a guide, but any reverse proxy allows you to limit open ports on your network (router) by using subdomains (thisPart.website.com) to route connections to an internal port.
So you setup a rev proxy for jellyfin.website.com that points to the port that jf wants to use. So when someone connects to the subdomain, the reverse proxy is hit, and it reads your configuration for that subdomain, and since it's now connected to your internal network (via the proxy) it is routed to the port, and jf "just works".
There's an ssl cert involved but that's the basic understanding. Then you can add Some Other Services at whatever.website.com and rinse and repeat. Now you can host multiple services, without exposing the open ports directly, and it's easy for users as there is nothing "confusing" like port numbers, IP addresses, etc.
So I’m another newbie dummy to reverse proxies. I’ve got my jellyfin accessible at jellyfin.mydomain.com but I can only access it through the web. How do I share with other people who want to use the apps? I can’t get my apps to find my instance.
