How to secure Jellyfin hosted over the internet?
-
Is it just you that uses it, or do friends and family use it too?
The best way to secure it is to use a VPN like Tailscale, which avoids having to expose it to the public internet.
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
-
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can't stay open.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
You could put authentik in front of it too
-
I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can't stay open.
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
-
I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can't stay open.
I suspect that it goes down and stays down whenever there is an app update, but I haven't confirmed it yet.
Does the plain wireguard app stay up during updates?
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I use Pangolin (https://github.com/fosrl/pangolin)
-
You could put authentik in front of it too
I think that breaks most clients
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
-
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy
also have jellyfin disable the account after a number of failed logins.
-
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
Yeah I haven't been able to figure it out.
-
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
Yeah my wife and I are both on Android, and I haven't been able to figure out why it does that.
The Android client is open-source so maybe someone could figure it out. https://github.com/tailscale/tailscale-android
-
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
conditional Auto-Connect. If not on home wifi, connect to the tunnel.
You don't need this with Tailscale since it uses a separate IP range for the tunnel.
-
I think that breaks most clients
Yes, it breaks native login, but you can authenticate with Authentik on your phone for example, and use Quick connect to authorize non-browser sessions with it.
-
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.
-
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
Doesn't streaming media over a cloudflare tunnel/proxy violate their ToS
-
I suspect that it goes down and stays down whenever there is an app update, but I haven't confirmed it yet.
Does the plain wireguard app stay up during updates?
Android wireguard all hasn't been updated in 18mo. Its extremely simple with a small code base. There basically isn't anything to update. It uses wireguard kernel module which is itself is only like 700 lines of code. It so simple that it basically became stable very quickly and there is nothing left of update right now.
-
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
I hate the cloudflare stuff making me do captchas or outright denying me with a burning passion. My fault for committing the heinous crime of using a VPN!
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Jellyfin is secure by default, as long as you have https. Just chose a secure password
-
Doesn't streaming media over a cloudflare tunnel/proxy violate their ToS
No, they removed that clause some 2 or 3 years back.
-
Yeah my wife and I are both on Android, and I haven't been able to figure out why it does that.
The Android client is open-source so maybe someone could figure it out. https://github.com/tailscale/tailscale-android
even thou the Quick Toggle and the app itself, shows as running
If I disconnect/reconnect the notification comes back, and I've found something even more weird on my device (A Xiaomi with its infamous OOM / background app killer....) is Tailscale still actually works fine most of the time without the foreground notification. I'm hazarding a 70% of the time for me?
A lot of us a while back found v1.5.2 fugged around with the persistent notification going RIP
