Jellyfin over the internet
-
I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.
I tried really hard to get a named CloudFlare tunnel working with a domain name I registered (I share my personal home videos with a non technical family member in Italy) but couldn't get it working no matter what I tried.
-
Wow, a "for dummies" guide for doing all this would be great
know of any?wrote last edited by [email protected]If you arenāt already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the
docker runcommand, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using.ymlfiles.Once youāre comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.
There really is no āguide for dummiesā here, youāve got to rely on the documentation provided by these services.
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
wrote last edited by [email protected]I think my approach is probably the most insane one, reading this threadā¦
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. Iām on top of security updates with its dependencies and thus far I havenāt had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldnāt think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I havenāt updated Jellyfin since then (6 months), but when I need to, Iāll update the fork and redeploy it on her Chromecast.
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
VPN or Tailscale
-
And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That's more or less it.
Good? No. But far from making it a poor choice exposing it.
wrote last edited by [email protected]These are all holes in the Swiss cheese model.
Just because you and I cannot immediately consider ways of exploiting these vulnerabilities doesn't mean they don't exist or are not already in use (Including other endpoints of vulnerabilities not listed)
This is one of the biggest mindset gaps that exist in technology, which tends to result in a whole internet filled with exploitable services and devices. Which are more often than not used as proxies for crime or traffic, and not directly exploited.
Meaning that unless you have incredibly robust network traffic analysis, you won't notice a thing.
There are so many sonarr and similar instances out there with minor vulnerabilities being exploited in the wild because of the same"Well, what can someone do with these vulnerabilities anyways" mindset. Turns out all it takes is a common deployment misconfiguration in several seedbox providers to turn it into an RCE, which wouldn't have been possible if the vulnerability was patched.
Which is just holes in the swiss cheese model lining up. Something as simple as allowing an admin user access to their own password when they are logged in enables an entirely separate class of attacks. Excused because "If they're already logged in, they know the password". Well, not of there's another vulnerability with authentication....
See how that works?
-
Or you could use Plex and jump through zero of these hoops
I think paying for remote access counts as a hoop.
As in "that's a pain in my hoop"
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
-
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
This is the easiest way for sure.
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
Wireguard VPN to my fritzbox lets me access my jellyfin.
-
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
-
lemm.ee :'''(
Oh no! I didn't realise , any other options that are good ?
-
Whatās your go too (secure) method for casting over the internet with a Jellyfin server.
Iām wondering what to use and Iām pretty beginner at this
I use a VPS and a wiregusrd tunnel.
-
for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
This is what I do as well. Works super well
-
Wow, a "for dummies" guide for doing all this would be great
know of any?I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart's content.
-
I've recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing.
One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.
-
I think my approach is probably the most insane one, reading this threadā¦
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. Iām on top of security updates with its dependencies and thus far I havenāt had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldnāt think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I havenāt updated Jellyfin since then (6 months), but when I need to, Iāll update the fork and redeploy it on her Chromecast.
Clever, but very hands on
-
Clever, but very hands on
VERY hands on, wouldnāt recommend it haha.
But thatās the beauty of open source. You CAN do it
