How to secure Jellyfin hosted over the internet?
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I use Pangolin (https://github.com/fosrl/pangolin)
-
You could put authentik in front of it too
I think that breaks most clients
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
-
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy
also have jellyfin disable the account after a number of failed logins.
-
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
Yeah I haven't been able to figure it out.
-
if the cameras don’t load, open Tailscale and make sure it’s connected
I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.
It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.
Yeah my wife and I are both on Android, and I haven't been able to figure out why it does that.
The Android client is open-source so maybe someone could figure it out. https://github.com/tailscale/tailscale-android
-
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
conditional Auto-Connect. If not on home wifi, connect to the tunnel.
You don't need this with Tailscale since it uses a separate IP range for the tunnel.
-
I think that breaks most clients
Yes, it breaks native login, but you can authenticate with Authentik on your phone for example, and use Quick connect to authorize non-browser sessions with it.
-
Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.
I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.
-
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
Doesn't streaming media over a cloudflare tunnel/proxy violate their ToS
-
I suspect that it goes down and stays down whenever there is an app update, but I haven't confirmed it yet.
Does the plain wireguard app stay up during updates?
Android wireguard all hasn't been updated in 18mo. Its extremely simple with a small code base. There basically isn't anything to update. It uses wireguard kernel module which is itself is only like 700 lines of code. It so simple that it basically became stable very quickly and there is nothing left of update right now.
-
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they're in. Then just their username and password on jellyfin.
I hate the cloudflare stuff making me do captchas or outright denying me with a burning passion. My fault for committing the heinous crime of using a VPN!
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Jellyfin is secure by default, as long as you have https. Just chose a secure password
-
Doesn't streaming media over a cloudflare tunnel/proxy violate their ToS
No, they removed that clause some 2 or 3 years back.
-
Yeah my wife and I are both on Android, and I haven't been able to figure out why it does that.
The Android client is open-source so maybe someone could figure it out. https://github.com/tailscale/tailscale-android
even thou the Quick Toggle and the app itself, shows as running
If I disconnect/reconnect the notification comes back, and I've found something even more weird on my device (A Xiaomi with its infamous OOM / background app killer....) is Tailscale still actually works fine most of the time without the foreground notification. I'm hazarding a 70% of the time for me?
A lot of us a while back found v1.5.2 fugged around with the persistent notification going RIP
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
My setup:
- Locally (all in docker)
** JF for managing and local access
** JF with read only mounted volumes that uses the network of my Wireguard client container
** Wireguard client opening a tunnel to Wireguard server on VPS
** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise) - VPS (Oracle Cloud free tier)
** Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
** fail2ban to block IPs that try to bruteforce credentials
** Wireguard server
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.
- Locally (all in docker)
-
My setup:
- Locally (all in docker)
** JF for managing and local access
** JF with read only mounted volumes that uses the network of my Wireguard client container
** Wireguard client opening a tunnel to Wireguard server on VPS
** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise) - VPS (Oracle Cloud free tier)
** Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
** fail2ban to block IPs that try to bruteforce credentials
** Wireguard server
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.
- Locally (all in docker)
-
Jellyfin is secure by default, as long as you have https. Just chose a secure password
No, it isn't.
-
No, it isn't.
Wtf. Thank you
-
I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.
Oh shit, you may have just solved my only issue with Symfonium
