How to secure Jellyfin hosted over the internet?
-
I was thinking of setting this up recntly after seeing it on Jim's garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
I use it for all of my external services. It's just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
-
Oh, I get that, but it just doesn't make any sense to me to be physically next to the server, and connect to it via VPN...
My point is that since the VPN uses a different subnet, it's fine to keep it connected even at home. It'll only use the VPN if you access the server's VPN IP, not its regular IP.
In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there's no real disadvantage of using the VPN IP on your local network.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I use good ol' obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works.
And since i don't post my valid urls anywhere no web-scraper can find them.
This filters out 99% of bots and the rest are handled using authelia and crowdsec -
I don't understand how that isn't widely deployed. I call it poor man's Zero Trust.
I mean I'd rather jellyfin fix the bug and let me just put that behind basic auth
-
It is enabled, but now I'm doubting that. I'll double check when my homelab shift is complete.
It isnt. Else you wouldn't be able to loaf many jellyfin assets. Because there's a colission of the Auth header
-
I use good ol' obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works.
And since i don't post my valid urls anywhere no web-scraper can find them.
This filters out 99% of bots and the rest are handled using authelia and crowdsec -
And since i don't post my valid urls anywhere no web-scraper can find them
You would ah... be surprised. My website isn't published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.
Of course i get a bunch of scanners hitting ports 80 and 443. But if they don't use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I've put it behind WireGuard since only my wife and I use it. Otherwise I'd just use Caddy or other such reverse proxy that does https and then keep Jellyfin and Caddy up to date.
-
I use good ol' obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works.
And since i don't post my valid urls anywhere no web-scraper can find them.
This filters out 99% of bots and the rest are handled using authelia and crowdsec -
My point is that since the VPN uses a different subnet, it's fine to keep it connected even at home. It'll only use the VPN if you access the server's VPN IP, not its regular IP.
In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there's no real disadvantage of using the VPN IP on your local network.
Right, but I have wireguard on my opnsense. So when I want to reach https://jellyfin.example.com/ , if I am at home, it goes phone -> DNS -> proxy -> jellyfin (on the same network). If I am connected to the VPN, it goes from phone -> internet -> opnsense public ip -> wireguard subnet -> local subnet -> DNS -> proxy -> jellyfin. I see some unneeded extra steps here... Am I wrong?
-
Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
all you need is to get a static IP for your home network
Don't even need a static IP. Dyndns is enough.
-
Of course i get a bunch of scanners hitting ports 80 and 443. But if they don't use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there
This is how I found out Google harvests the URLs I visit through Chrome.
Got google bots trying to crawl deep links into a domain that I hadn't published anywhere.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
What I used to do was: I put jellyfin behind an nginx reverse proxy, on a separate vhost (so on a unique domain). Then I added basic authentication (a htpasswd file) with an unguessable password on the whole domain. Then I added geoip firewall rules so that port 443 was only reachable from the country I was in. I live in small country, so this significantly limits exposure.
Downside of this approach: basic auth is annoying. The jellyfin client doesn't like it ... so I had to use a browser to stream.
Nowadays, I put all my services behind a wireguard VPN and I expose nothing else. Only issue I've had is when I was on vacation in a bnb and they used the same IP range as my home network
-
all you need is to get a static IP for your home network
Don't even need a static IP. Dyndns is enough.
Unless you're behind cgnat and without ipv6 support.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Whats your setup? I just Ngnix Proxy Manager, Jellyfin etc in Docker. Modify ufw rules and also install this on the server (linux) https://github.com/friendly-bits/geoip-shell
-
Unless you're behind cgnat and without ipv6 support.
cgnat
Ew
-
I use Tailscale right now. Which, in fairness, I didn't state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.
Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn't look like it will be implemented any time soon. As with many OSS projects it is probably a case of "you want it, you build it" - but nobody has actually stepped up.
-
I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)
Tailscale funneled
Jellyfin
Keycloak (adminless)Private Tailscale
Keycloak admin
Postgres dBI hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.
SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?
-
This is how I found out Google harvests the URLs I visit through Chrome.
Got google bots trying to crawl deep links into a domain that I hadn't published anywhere.
This is true, and is why I annoyingly have to keep robots.txt on my unpublished domains. Google does honor them for the most part, for now.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
setup a WAF appliance and forward traffic through it to your current installation.
