Jellyfin over the internet
-
Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.
Also run the reverse proxy on a dedicated box for it in the DMZ
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
wrote last edited by [email protected]An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.
-
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity
But good luck for the bots to figure all that out.VPN is of course the actually secure option, I’d vote for Tailscale.
Look pretty interesting. Do you have guide I could follow ?
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
-
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
I’m looking into it but I find that starting (or keeping open) Tailscale for music is not the best system.
I’m looking into building a shared Jellyfin library between friends
-
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up
-
I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up
Will look into it, thanks !
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
-
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity
But good luck for the bots to figure all that out.VPN is of course the actually secure option, I’d vote for Tailscale.
I kept the main domain open, but redirected it to a rickroll
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
-
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
-
I’ll try looking into that
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
I don't use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
-
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
Is the funnel URL accessible by everyone who knows it? I.e what are the chances someone finds the URL and gets access to it?
-
Just remember to test with something better than your phone, T-Mobile aggressively filters VPNs. Try a coffee shop.
Not in the US, most providers are asshole-y but seems less asshole that T-Mobile
-
I don't use jellyfin but my general approach is either:
- Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
- Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
That’s my feeling too
-
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
no idea how safe or secure but i use cloudflare tunnel to point my jellyfin port on my computer
-
I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
Change the port it runs on to be stupid high and they won't bother.
-
I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a "subnet router" and an "exit node"that both me and said fam member can use.
This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL's / device perms.
I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
Along with all the YT videos about it I didn't even have to go nagging on forums to get it to work, and that's a general first for me.
