Plex has paywalled my server!
-
This will work fine over the web, but won’t work with clients.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don't put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don't have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
-
If you live in an area where you need a VPN to keep your ISP off your ass
Uploading copyrightes material is illegal pretty much everywhere I know of.
Exactly, which is why you don't need a VPN if you use a Debrid service. No files are being uploaded. The Debrid service handles that for you by downloading the torrent to a remote server, than giving you a direct download link to the file. Nothing is being uploaded from your end.
-
That's true, but ISPs have logs. And if something happens that makes the police change their mind about enforcing the law, you might be fucked, retroactively.
Again, not an issue if you use a Debrid service, because no files are being uploaded.
-
I always see people advocate for Stremio. But my experience was always very mixed. Half the time it would just buffer all the time. I guess it's s my own fault for having little interest in the latest Marvel/Hollywood movies, but alas. I way more prefer my jellyfin/jellyseer/arr stack. Once it's available I'm (99%) sure it works from everywhere in the world.
Are you using a Debrid service with it? It's a much better experience if you are. Give Real-Debrid a try with Stremio. It'll change your opinion.
-
Plex has pay walled FREE servers streaming to FREE clients only.
If you have a plex watch pass (for client) you're good and can stream from any server. If you have a plex pass (for server) any one can stream from your server. But you have to have one or the other.
For software I like made by people getting paid, I was happy to pay the one time fee. It's really good, secure, and downloads are fast now.
-
wrote last edited by [email protected]
Bro you asked for a guide, I gave you a guide. The fuck you want from me? (For convenience sake I even made as short as possible. Literally less than a 45 second read.)
I put a lot of effort into that comment to help you out, and instead of saying "thank you", you respond with this bullshit? What the hell is wrong with you?
Ungrateful prick.
-
What added security do you get by using a VPS besides obscuring your home IP? I can definitely see benifits to not leaking your home address, but otherwise the reverse proxy and wireguard tunnels don't actually add any increased security for the extra steps. You could just host a reverse proxy at home, and any flaws Jellyfin could have in their app would still be exposed.
I'm not knocking your solution, I'm just in a similar place and considering if I want to go through the extra hurdle for a VPS if I don't need one.
Obscuring home IP is the big one. You also don't have to fiddle with opening ports on your router and maybe getting ISP attention for hosting on a residential network. But really obscuring home IP address would work.
Dirt simplest solution is caddy on the same jellyfin server and port forward 443 and 80 on your router to that host. Hopefully letsencrypt will work without a domain but I'm not sure.
-
So an additional 10 bucks a month….
5 actually because you can use minimal hardware. You can probably just port forward your router and run caddy on the same jellyfin server but then expose your home IP address.
-
Would you consider this a particularly constructive comment?
What's wrong with it?
-
What's wrong with it?
The term SSL has been colloquially used for the last decade, and it would be difficult, if not impossible, to confuse the two and issue the wrong type of security at this point. Are there even packages that old available to Docker?
We're having an informal discussion here about how to make Jellyfin security less daunting to the average user. Taldan is apparently knowledgeable about the situation and could lend a conceptual hand to the process, but I suspect they chose instead to nitpick terminology that's still used in common parlance. Since I have some doubts, but don't wish to assume, I asked a simple question.
-
Threads like this are why people don't use open source. It sounds like a reality-denying anti-intellectual one-size-fits-all cult in here. This is also like half the threads about Linux. Just armies of tech bros who couldn't put themselves in someone else's shoes if their life literally depended on it.
wrote last edited by [email protected]If people choose not to use software that's open source because of the way people talk on some thread.. were they intellectually thinking about their own best interests? It's like no longer enjoying a show because some fans did something cridge - anything popular enough will have weirdos (from someone's perspective).
-
Threads like this are why people don't use open source. It sounds like a reality-denying anti-intellectual one-size-fits-all cult in here. This is also like half the threads about Linux. Just armies of tech bros who couldn't put themselves in someone else's shoes if their life literally depended on it.
Plex server isn't open source.
-
What's wrong with it?
SSL or the comment? The comment is annoying because people use TLS and SLL interchangeably in colloquial speak.
-
Yes! You just have to set up your reverse proxy to send everything through it and it'll block the unauthenticated access.
The downside is that apps stop working since they don't have a way to authenticate with authelia. I've installed it as a PWA on my phone and use an old laptop with the TV interface on my TV, but it's not perfect
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
-
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don't put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don't have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
This will work fine over the web, but won’t work with clients.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
edit:
I just tried it, it appears to work so far.
I can send websocket traffic inbound to 8096: to the JF server and it loads on web, Android and Roku clients with an ACL limiter on originating ips.
and send 8096/whitelist to another server altogether with no ACL limits.On that process, I'd load nginx, authelia, fail2ban and what flask? Surely someone has a python longin/admin framework that I could hijack for this. Then have that app reack over in shared container storage to twiddle the haproxy config to add some ip's and reload it?
I wonder if I could do something to the haproxy side to detect non-use of an IP and remove it.
-
Plex has pay walled FREE servers streaming to FREE clients only.
If you have a plex watch pass (for client) you're good and can stream from any server. If you have a plex pass (for server) any one can stream from your server. But you have to have one or the other.
This is not true in practice, I have plexpass for my server and my wife can't watch on her phone because they want her to pay too...
-
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
I just put it behind an HAProxy a few minutes ago, It appears to be fine. You just need something capable enough to handle web sockets. I've made it all the way through an episode of The real monsters without any problems.
Again, you're not going to be able to 2FA it that way, what I'm looking at doing is IP whitelisting it in HAProxy using a small web helper that is 2FA, accessed via the same port but on a separate path.
-
This is how I do it: https://codeberg.org/skjalli/jellyfin-vps-setup
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there's an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user's private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That's how LastPass got nuked I hear.
-
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
wrote last edited by [email protected]Both jellyfin and authelia support reverse proxies.
Here's jellyfin's guide: https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/
And here's authelia's:
https://www.authelia.com/integration/proxies/introduction/There's some restrictions (like websocket support) but it's not too bad to set up.
Still, if you don't need to expose it to the internet, put it behind a vpn.
-
This is not true in practice, I have plexpass for my server and my wife can't watch on her phone because they want her to pay too...
wrote last edited by [email protected]She needs to update her app probably, it works fine for my wife on my server
