Jellyfin over the internet
-
I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?
A while back there was a situation where outsiders could get the name of the contents of your Jellyfin server, which would incriminate anyone. I believe it's patched now, but I don't think Jellyfin is winning any security awards. It's a selfhosted media server. I have no frame of reference for knowing whether or not any of my information was overkill and I'm sure there are even some out there that would say I didn't go far enough, even.
-
Are we not worried about their terms of service? I've been using pangolin
I run multiple enterprise companies through it who are transferring significantly more sensitive data than me. I'm not as strict as some people here, so no, I don't really care. I think it's the best service, especially for free, so until things change, that's what I'm using.
-
This is also what I do, however, each user creates their own tailnet, not an account on mine and I share the server to them.
This way I keep my 3 free users for me, and other people still get to see jellyfin.
Tailscale and jellyfin in docker, add server to tailnet and share it out to your users emails. They have to install tailscale client in a device, login, then connect to your jellyfin. My users use Walmart Onn $30 streaming boxes. They work great.
I struggled for a few weeks to get it all working, there's a million people saying "I use this" but never "this is how to do it". YouTube is useless because it's filled with "jellyfin vs Plex SHOWDOWN DEATH FIGHT DE GOOGLE UR TOILET".
For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
-
For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
wrote last edited by [email protected]The onn boxes run android so it's just installed as an app from play store. The users connect with their own tailscale account. My server is shared so they see it. Then they install jellyfin on the device, punch in the hostname of the server given by tailscale and the port and then it connects.
I could not get my reverse proxy to let them use my local domain.. I'm not smart enough and couldn't figure it out but they are only using jellyfin so typing one address was fine.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I just expose my local machine to the internet, unsecured
-
I just expose my local machine to the internet, unsecured
Thanks stranger over the internet seems like the best option.
-
I expose jellyfin and keycloak to the internet with pangolin, jellyfin user only has read access. Using the sso
jellyfin listens to my keycloak which has Google as an identity provider(admin disabled), restricting access to my users, but letting people use their google identity. Learned my family doesn't use anything that isn't sso head-to-toe.It's what we do in the shadows that makes us heroes, kalpol.
First time I hear someone using keycloak for local hosting.
-
Yup, the sad reality is that you don’t need to worry about the attacks you expect; You need to worry about the ones you don’t know anything about. Honeypots exist specifically to alert you that something has been breached.
Couple questions here.
What is a honeypot? I've only heard it in terms of piracy.
Also, what steps can someone take to reinforce this attack layer? You have an infograph or something people can google search their way through?
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Sad that mTLS support is non existent because it solves this problem.
-
I just expose my local machine to the internet, unsecured
This is absolutely unhinged but god damn it, I respect you.
-
Tailscale with self hosted headscale
Any helpful tips or links to tutorials for this method?
-
Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
And this is the start of the longest crypto nerd fight I've seen on Lemmy. Well done, people!
-
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
Indeed a good recommendation. I've not set it up yet but I'm probably going to do so in the near future.
-
I just expose my local machine to the internet, unsecured
wrote last edited by [email protected]Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I use mTLS by adding a reverse proxy between Jellyfin and the Inet. This makes it hard to use the app, but works perfect with a browser. If you still want to use the app. There is a solution by using stunnel (termux) between te app and the Inet or better, a wireguard VPN.
-
The onn boxes run android so it's just installed as an app from play store. The users connect with their own tailscale account. My server is shared so they see it. Then they install jellyfin on the device, punch in the hostname of the server given by tailscale and the port and then it connects.
I could not get my reverse proxy to let them use my local domain.. I'm not smart enough and couldn't figure it out but they are only using jellyfin so typing one address was fine.
Thank you for following up.
-
Sad that mTLS support is non existent because it solves this problem.
It would cover all phones, pcs and maybe Android TVs.
The barrier to entry would be having to replace the cert every year since we now made that a thing. Maybe spin up a self-sign shirt server and start issuing people 10 years certs
-
Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
Do you at least have it on a VLAN?
-
For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik
wrote last edited by [email protected]Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
