Plex has paywalled my server!
-
I access my stuff via VPN. As for sharing with others, I simply don't do that. VPN is still an option though. Or temporary client whitelisting, etc.
Yeaaah ! Most people anyway have some kind of VPN installed on their device... Just slap in a wireguard VPN config to tunnel your traffic home... bOOm jellyfin everywhere and 99% secure !
-
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there's an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user's private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That's how LastPass got nuked I hear.
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don't contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on 'allowed' requests in fail2ban but this is bridle because requests might change with different versions.
-
- It’s also the most complex to set up, and for many people the threshold is “walking your tech-illiterate mother-in-law through side loading it over the phone, because she lives 100 miles away… She’s afraid to touch her computer for anything except email and Facebook. And then resetting her password every 30 days, because she keeps locking herself out of it.” Suddenly the “just fucking sign into Plex and it automatically discovers your server” option becomes a lot more appealing.
wrote last edited by [email protected]To continue the metaphor: a partner can have many alluring qualities (income, hobbies, looks) but what does that matter if the relationship is abusive? Leaving (and dating someone "worse") can be more difficult that just staying in the relationship, but the priority should be clear.
-
Giving it write access to a folder is not even remotely on the same level as giving it control over the host networking. Worst case scenario in the volume access is to delete that data, which is on a btrfs drive and has backups, worst case scenario for network host is root access to host machine.
Apologies, you mentioned specifically your network drive. Interesting article but they give several work arounds for containers that may require host mode, and it appears the non Plex pass image is one of them to resolve this specific issue.
-
For software I like made by people getting paid, I was happy to pay the one time fee. It's really good, secure, and downloads are fast now.
Best 70-ish euro I spent over a decade ago
-
I tried testing a movie from my home server in plex through firefox and repeatedly got this message, even after reloading.
I knew that they had paywalled the apps on mobile and streaming from outside the network but now they have also blocked watching your own movies through your own hardware.
I do get the point that making software should be able to sustain people but I dont see the move of plex as a fair thing to do. Yes, they have made great software but taking your home server hostage feels like the wrong move.
Even a pop up that says "we need you to donate please" would have been fine. make it pop up before every movie, play donation ads before any movie but straight up disabling the app is kinda cruel.
Anyway, i have switched to jellyfin and it is insanely good. please give it a try. you can run it alongside plex with not issues (at least i had none) and compare the two.
In any case, good luck. Let me know if you need help.
wrote last edited by [email protected]As was stated on the first post you made about this, it's a dns or nat reflection issue.
Plex sees you accessing it through your external IP address, and not through your lan IP.
I had a similar problem, and had to roll back some nat changes I made, and now it's working fine again.
Meanwhile, free remote streaming works fine if you have a proper VPN setup. I just tested it, and was able to stream to my phone, through the Plex app, over my tailscale VPN, and I do not have Plex pass on the server or on my phone...
-
As was stated on the first post you made about this, it's a dns or nat reflection issue.
Plex sees you accessing it through your external IP address, and not through your lan IP.
I had a similar problem, and had to roll back some nat changes I made, and now it's working fine again.
Meanwhile, free remote streaming works fine if you have a proper VPN setup. I just tested it, and was able to stream to my phone, through the Plex app, over my tailscale VPN, and I do not have Plex pass on the server or on my phone...
I did not make a "first" or "second" post about this. This is it.
-
Plex has pay walled FREE servers streaming to FREE clients only.
If you have a plex watch pass (for client) you're good and can stream from any server. If you have a plex pass (for server) any one can stream from your server. But you have to have one or the other.
And I just tested streaming from my free server to my free phone while said server is at my house, and my phone is with me at work.
Works fine over a VPN.
-
And I just tested streaming from my free server to my free phone while said server is at my house, and my phone is with me at work.
Works fine over a VPN.
Yep, VPN will allow you to be on the same local network, and they're only pay walling remote play.
-
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don't contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on 'allowed' requests in fail2ban but this is bridle because requests might change with different versions.
They actually do a small login f2b effort right in JF, but it appears to be quite limited.
The container is more secure by default, and if people set up their docker well it reduces the dangers substantially. A lot of people don't go docker though.
-
Yeah part of doing this is keeping a ci pipeline up and unit testing against rcs and telling them exactly what's failing. The report in that ticket gave them absolutely no choice but to try to set up an entire system to reproduce whatever the user did which they obviously don't want to do.
WebSocket relays are poorly implemented in a lot of proxies, Even cloudflare has its fair share of issues.
The downside of using HA is reinventing the let's encrypt pipeline for the 40th time, the upside is it's dead simple, web sockets go in, web sockets go out, The logs are good, it's easy to debug it with TCP dump If things start to get sketchy.
How can you debug it with a TCP dump if it's encrypted?
-
How can you debug it with a TCP dump if it's encrypted?
You are doing the https unwrapping in tf/HA proxy. It's clear text between the proxy process and the JF server
You can do a dump off the entire network stream when it's working, install the release candidate and do another dump of the network stream with it not working. Sift through to find the changes.
When the person posted that there was a problem with the RC, It was probably a web socket being mishandled by the proxy due to some change. You can't just go oh there's a problem with my third party middleware. They're going to need to know which of their changes broke the problem. Why it breaks it, and what should be done instead if you expect them to make any kind of changes.
The alternative is you ask them to support traffic or HA or NPM, and on a volunteer project I could see that being a bridge too far
-
They actually do a small login f2b effort right in JF, but it appears to be quite limited.
The container is more secure by default, and if people set up their docker well it reduces the dangers substantially. A lot of people don't go docker though.
Yeah the link I posted does everything via docker and explains what should be mounted and how.
-
Yeah the link I posted does everything via docker and explains what should be mounted and how.
That's awesome and thank you for sharing that
-
Obscuring home IP is the big one. You also don't have to fiddle with opening ports on your router and maybe getting ISP attention for hosting on a residential network. But really obscuring home IP address would work.
Dirt simplest solution is caddy on the same jellyfin server and port forward 443 and 80 on your router to that host. Hopefully letsencrypt will work without a domain but I'm not sure.
That's basically what I do right now except I do have a domain and my ISP doesn't restrict inbound ports like 443 so it works fine.
Just trying to sort out if I want the headache of a VPS if I don't need it (costs, maintenance, point of failure, etc).
-
For software I like made by people getting paid, I was happy to pay the one time fee. It's really good, secure, and downloads are fast now.
Ditto. There is a crowd on Lemmy who seem to get angry whenever people are happy to pay for software and I do not understand it. Surely we want developers to be paid for their hard work? Don't we want them to able to comfortably live?
-
Welp, i killed mine yesterday as it wouldnt let me stream while offline. Modem died so no Internet for me. Why do i have everything local if it dosent work while offline...
FYI you can definitely watch while your network is offline. You just net to tell it that you're happy with that (it's not activated by default for security reasons).
-
In your Plex server settings, go to Network, enable "Show Advanced".
-
Near the bottom, find the textbox that says
List of IP addresses and networks that are allowed without auth -
In this field, enter the local IP address of any Plex client(s) you want to keep using if your internet (or the Plex cloud) is down.
-
A example:
192.168.0.50 -
Save the setting, done.
#Important thing to be aware of:
What this setting does is tell your local Plex server to simply give any Plex client that connects from that specific IP full admin access to your Plex server, ignoring any account restrictions. This means that if you have things in place to restrict access to some libraries (kids blocked from 18+ movies etc) those restrictions will have no effect. Also if you have the option set to allow file deletion, then any client from that IP could also delete items. And they could of course change any settings in your Plex server. So your kids can watch anything on your server, if you have a guest in your network and they browse to the Plex web interface, they can mess with things.
Because of that I would recommend to limit the amount of IP's you enter in that field to the absolute bare minimum. For example, only whitelist the "main living room device" plus one device you to admin the server, such as a laptop.
If you want to whitelist multiple devices, this is a example:
192.168.0.50,192.168.0.77,192.168.0.80If you want to whitelist a entire network, these would be examples:
192.168.0.0/24 (this means 192.168.0.0 - 192.168.0.255) 192.168.0.0/16 (this means 192.168.0.0 - 192.168.255.255)And of course those involved network devices should use static IPs in your home network.
-
-
Plex server isn't open source.
They’re talking about the Jellyfin crew.
-
Ditto. There is a crowd on Lemmy who seem to get angry whenever people are happy to pay for software and I do not understand it. Surely we want developers to be paid for their hard work? Don't we want them to able to comfortably live?
Agreed. I've stated it before in other threads, and I'll say it again here, but if they asked me in 5 years to pay another $89 or whatever in continuing support for a badge on my server I'd happily do it. Plex is really good. Great UI, great apps, great external enrichments like trailers/subtitles/ratings/actor info, and Plexamp is 9.5/10 for music.
Their biggest fault is how they communicated about the change for remote users. I did have a few family members get the email and ask if they were going to have to start paying monthly now, but they've never been on a free server. They should have stated more clearly than if you were on a Plex Pass server that no change is required.
-
As was stated on the first post you made about this, it's a dns or nat reflection issue.
Plex sees you accessing it through your external IP address, and not through your lan IP.
I had a similar problem, and had to roll back some nat changes I made, and now it's working fine again.
Meanwhile, free remote streaming works fine if you have a proper VPN setup. I just tested it, and was able to stream to my phone, through the Plex app, over my tailscale VPN, and I do not have Plex pass on the server or on my phone...
This sounds like a whole lot of convoluted bullshit to use Plex locally and "looking local" through VPN solutions when you could just roll a Jellyfin instance and do things a more straightforward way..
