Plex has paywalled my server!
-
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don't put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don't have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
This will work fine over the web, but won’t work with clients.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
edit:
I just tried it, it appears to work so far.
I can send websocket traffic inbound to 8096: to the JF server and it loads on web, Android and Roku clients with an ACL limiter on originating ips.
and send 8096/whitelist to another server altogether with no ACL limits.On that process, I'd load nginx, authelia, fail2ban and what flask? Surely someone has a python longin/admin framework that I could hijack for this. Then have that app reack over in shared container storage to twiddle the haproxy config to add some ip's and reload it?
I wonder if I could do something to the haproxy side to detect non-use of an IP and remove it.
-
Plex has pay walled FREE servers streaming to FREE clients only.
If you have a plex watch pass (for client) you're good and can stream from any server. If you have a plex pass (for server) any one can stream from your server. But you have to have one or the other.
This is not true in practice, I have plexpass for my server and my wife can't watch on her phone because they want her to pay too...
-
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
I just put it behind an HAProxy a few minutes ago, It appears to be fine. You just need something capable enough to handle web sockets. I've made it all the way through an episode of The real monsters without any problems.
Again, you're not going to be able to 2FA it that way, what I'm looking at doing is IP whitelisting it in HAProxy using a small web helper that is 2FA, accessed via the same port but on a separate path.
-
This is how I do it: https://codeberg.org/skjalli/jellyfin-vps-setup
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there's an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user's private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That's how LastPass got nuked I hear.
-
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
wrote last edited by [email protected]Both jellyfin and authelia support reverse proxies.
Here's jellyfin's guide: https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/
And here's authelia's:
https://www.authelia.com/integration/proxies/introduction/There's some restrictions (like websocket support) but it's not too bad to set up.
Still, if you don't need to expose it to the internet, put it behind a vpn.
-
This is not true in practice, I have plexpass for my server and my wife can't watch on her phone because they want her to pay too...
wrote last edited by [email protected]She needs to update her app probably, it works fine for my wife on my server
-
That’s not going to scale...
How many mothers do you have?
None of your business, insensitive clod.
-
I do all of those things except neuter animals. Most rural folks do.
If you’re cleaning your own teeth, you’re missing several.
-
Bro you asked for a guide, I gave you a guide. The fuck you want from me? (For convenience sake I even made as short as possible. Literally less than a 45 second read.)
I put a lot of effort into that comment to help you out, and instead of saying "thank you", you respond with this bullshit? What the hell is wrong with you?
Ungrateful prick.
I asked for a guide on how to setup a VPN on my LG TV.
Please specifically point out where in your long repo se you provided a guide on how to run a VPN on my LG TV.
-
None of your business, insensitive clod.
wrote last edited by [email protected][email protected] wrote:
Great; how do I get my Mother to do that over the phone?
That’s not going to scale as I share out my server.
Are you incapable of recognizing that in this context my comment was a joke? What the fuck is wrong with you?
-
I asked for a guide on how to setup a VPN on my LG TV.
Please specifically point out where in your long repo se you provided a guide on how to run a VPN on my LG TV.
wrote last edited by [email protected]Again, you don't need a VPN if you follow my guide. Your reading comprehension is worse than mine, and I have ADHD. *sigh*
-
I made the switch a few months back as well. Have you had the issue where"Recently Added" just straight up doesn't work? It's about 50/50 for me whether my new downloads show up there or not, and if they do, it's usually inserted somewhere down the list between other things I added months ago. Not sure if there's a workaround, but it's my #1 complaint with Jellyfin. Otherwise, it's been great.
How is your underlying file system set up?
-
Both jellyfin and authelia support reverse proxies.
Here's jellyfin's guide: https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/
And here's authelia's:
https://www.authelia.com/integration/proxies/introduction/There's some restrictions (like websocket support) but it's not too bad to set up.
Still, if you don't need to expose it to the internet, put it behind a vpn.
Maybe I was thinking of this from back in 2024?
https://github.com/jellyfin/jellyfin-android/issues/123
"Hacking around with a reverse proxy is strongly discouraged and we won't provide any support for it."
-
I just put it behind an HAProxy a few minutes ago, It appears to be fine. You just need something capable enough to handle web sockets. I've made it all the way through an episode of The real monsters without any problems.
Again, you're not going to be able to 2FA it that way, what I'm looking at doing is IP whitelisting it in HAProxy using a small web helper that is 2FA, accessed via the same port but on a separate path.
Maybe I was thinking of this from back in 2024?
https://github.com/jellyfin/jellyfin-android/issues/123
"Hacking around with a reverse proxy is strongly discouraged and we won't provide any support for it."
-
If people choose not to use software that's open source because of the way people talk on some thread.. were they intellectually thinking about their own best interests? It's like no longer enjoying a show because some fans did something cridge - anything popular enough will have weirdos (from someone's perspective).
The way people act while advocating for something does in fact affect the efficacy of their advocacy whether they want to admit it or not.
-
Maybe I was thinking of this from back in 2024?
https://github.com/jellyfin/jellyfin-android/issues/123
"Hacking around with a reverse proxy is strongly discouraged and we won't provide any support for it."
Yeah part of doing this is keeping a ci pipeline up and unit testing against rcs and telling them exactly what's failing. The report in that ticket gave them absolutely no choice but to try to set up an entire system to reproduce whatever the user did which they obviously don't want to do.
WebSocket relays are poorly implemented in a lot of proxies, Even cloudflare has its fair share of issues.
The downside of using HA is reinventing the let's encrypt pipeline for the 40th time, the upside is it's dead simple, web sockets go in, web sockets go out, The logs are good, it's easy to debug it with TCP dump If things start to get sketchy.
-
Both jellyfin and authelia support reverse proxies.
Here's jellyfin's guide: https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/
And here's authelia's:
https://www.authelia.com/integration/proxies/introduction/There's some restrictions (like websocket support) but it's not too bad to set up.
Still, if you don't need to expose it to the internet, put it behind a vpn.
The problem with putting it behind a VPN is then all your users have to be on VPN.
Self-service IP whitelisting would be easy and let all clients work without trying to hack in a separate VPN client.
The only thing that would suck would be if you were on a mobile link while moving and swapping towers your IP would change so you constantly get kicked off.
But if you were so inclined you could VPN to your own house and your IP would stay the same.
-
You've likely given it full control to whatever storage you've mounted in the container anyway, unless you've given it the :ro flag, which in that case would operate the same regardless of networking mode. If someone gains access to your internal host, you have bigger problems. Some things just play better under host mode and all bridged mode is doing is creating a virtual switch on your host and passing allowed traffic through it at a base level. The best way to protect is by running a load balancer in a DMZ and proxying all of the traffic through it which is how I have my instance running. I funnel everything external --> TCP\UDP 443 in DMZ vlan load balancer --> internal LAN IP:docker port. I run a mix of host network or bridged mode depending on the container.
Giving it write access to a folder is not even remotely on the same level as giving it control over the host networking. Worst case scenario in the volume access is to delete that data, which is on a btrfs drive and has backups, worst case scenario for network host is root access to host machine.
-
I access my stuff via VPN. As for sharing with others, I simply don't do that. VPN is still an option though. Or temporary client whitelisting, etc.
Yeaaah ! Most people anyway have some kind of VPN installed on their device... Just slap in a wireguard VPN config to tunnel your traffic home... bOOm jellyfin everywhere and 99% secure !
-
My primary worry for this is that something in the jellyfin stack gets an open vulnerability, like there's an overflow you can use on a post call to a piece of media allowing remote code execution.
Tautulli had a leak once that provided the user's private token. Then there was a way in Plex with a private token to pull data from elsewhere on the server. That's how LastPass got nuked I hear.
I get you and I know that there can be security issues (especially in Jellyfin) that might give you access. This is the reason I only mount the media and config folders, and nothing else into the docker container. The media folders are mounted as read only and don't contain sensitive information. For the config folder I created a separate user. Plus I block non-German IP addresses which already blocks quite some bots. If your friends have fixed IP addresses you could also just whitelist them and block everything else.
You could also probably sniff the network and define more strict rules on 'allowed' requests in fail2ban but this is bridle because requests might change with different versions.
