How to secure Jellyfin hosted over the internet?
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.
Best thing is to not. Put it on your local net and connect in with a vpn
-
I use Pangolin (https://github.com/fosrl/pangolin)
URL is 404
-
Can't use double VPN on mobile.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.
So first I have to auth into that site with basic auth, then I load jellyfin on the other port.
-
I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.
Can you add a split tunnel for just the Chromecast app (I presume that's how it works idk I don't use Chromecast) so that just that specific app always ignores your VPN?
-
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
I am currently in the ptocess to document my docker fioes and upload them to codeberg with a readme, it takes a bit, will let you know once I am done
-
I'm more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?
It's a separate container, currently in the process of writing everything up, will update once done
-
Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.
-
Kinda hard because they have an ongoing bug where if you put it behind a reverse proxy with basic auth (typical easy button to secure X web software on Internet), it breaks jellyfin.
Best thing is to not. Put it on your local net and connect in with a vpn
I'm not experiencing that bug. My reverse proxy is only accessed locally at the moment though. I did have to play with headers a bit in nginx to get it working.
-
I'm not experiencing that bug. My reverse proxy is only accessed locally at the moment though. I did have to play with headers a bit in nginx to get it working.
Basic auth. The bug is if you enable basic auth.
-
Basic auth. The bug is if you enable basic auth.
It is enabled, but now I'm doubting that. I'll double check when my homelab shift is complete.
-
I also have a different subnet for WG. Not sure I understand what you're saying...
If you have a separate subnet for it, then why do you only want it to be connected when you're not on home wifi? You can just leave it connected all the time since it won't interfere with accessing anything outside that subnet.
That's assuming you're not routing all your traffic through it.
-
I did this and it still seems to randomly disconnect.
-
Maybe headscale will do better?
Headscale is a replacement for the coordination servers, which are only used to distribute configs and help nodes find each other. It won't change client-side behaviour.
-
If you have a separate subnet for it, then why do you only want it to be connected when you're not on home wifi? You can just leave it connected all the time since it won't interfere with accessing anything outside that subnet.
That's assuming you're not routing all your traffic through it.
My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I'm physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don't need to be connected while I'm at home... In a way, I am always using the home DNS.
Maybe I'm misunderstanding what you're saying...
-
If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I've used this on stock Pixel and GrapheneOS.
Under Settings > Network and internet > VPN
Tap the Cog icon next to Tailscale and select Always-on VPN.
Holy moly, I did not know this existed! Thanks! Just turned this on!
-
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.
So first I have to auth into that site with basic auth, then I load jellyfin on the other port.
I don't understand how that isn't widely deployed. I call it poor man's Zero Trust.
-
Can you add a split tunnel for just the Chromecast app (I presume that's how it works idk I don't use Chromecast) so that just that specific app always ignores your VPN?
I haven't tried it, but the app has the ability to select which app it tunnels.
When you make a new tunnel, it says "all applications" if you click on that you can select specific ones to include or exclude
-
My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I'm physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don't need to be connected while I'm at home... In a way, I am always using the home DNS.
Maybe I'm misunderstanding what you're saying...
He's saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.
-
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it's helpful, might contain a few errors since I had to remove some settings but I guess this should work.
