How to secure Jellyfin hosted over the internet?
-
Using cloudflare tunnels means nothing is encrypted and cloudflare sees all.
Oh no they'll see I'm watching TNG
-
My users aren't going to figure that out.
-
My users aren't going to figure that out.
-
They'd have to connect to it, and possibly reconnect. That aspect is the issue.
-
My setup:
- Locally (all in docker)
** JF for managing and local access
** JF with read only mounted volumes that uses the network of my Wireguard client container
** Wireguard client opening a tunnel to Wireguard server on VPS
** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise) - VPS (Oracle Cloud free tier)
** Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
** fail2ban to block IPs that try to bruteforce credentials
** Wireguard server
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
- Locally (all in docker)
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
-
Just make a different API prefix that's secure and subject to change, and once the official clients are updated, deprecate the insecure API (off by default).
That way you preserve backwards compatibility without forcing everyone to be insecure.
Even just basic API versioning would be sufficient. .NET offers a bunch of ways to handle breaking changes in APIs
-
They prohibit large amounts of media being streamed, and they reserve the right to suspend or terminate accounts for it. Multiple years in, that has not happened.
Edit: here, you can read https://blog.cloudflare.com/updated-tos/
Cloudflare is known for being unreliable with how and when it enforces the ToS (especially for paying customers!). Just because they haven't cracked down on everyone doesn't mean they won't arbitrarily pick out your account from thousands of others just to slap a ban on. There's inherent risk to it
-
Clients are built to speak directly to the Jellyfin API. if you put an auth service in front it won't even ask you to try and authenticate with that.
Sorry, when out of the house I only use web not clients.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.
Best thing is to not. Put it on your local net and connect in with a vpn
-
I use Pangolin (https://github.com/fosrl/pangolin)
URL is 404
-
Can't use double VPN on mobile.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.
So first I have to auth into that site with basic auth, then I load jellyfin on the other port.
-
I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.
Can you add a split tunnel for just the Chromecast app (I presume that's how it works idk I don't use Chromecast) so that just that specific app always ignores your VPN?
-
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
I am currently in the ptocess to document my docker fioes and upload them to codeberg with a readme, it takes a bit, will let you know once I am done
-
I'm more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?
It's a separate container, currently in the process of writing everything up, will update once done
-
Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.
-
Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.
Best thing is to not. Put it on your local net and connect in with a vpn
I'm not experiencing that bug. My reverse proxy is only accessed locally at the moment though. I did have to play with headers a bit in nginx to get it working.
-
I'm not experiencing that bug. My reverse proxy is only accessed locally at the moment though. I did have to play with headers a bit in nginx to get it working.
Basic auth. The bug is if you enable basic auth.
-
Basic auth. The bug is if you enable basic auth.
It is enabled, but now I'm doubting that. I'll double check when my homelab shift is complete.
