How to secure Jellyfin hosted over the internet?
-
If you have a separate subnet for it, then why do you only want it to be connected when you're not on home wifi? You can just leave it connected all the time since it won't interfere with accessing anything outside that subnet.
That's assuming you're not routing all your traffic through it.
My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I'm physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don't need to be connected while I'm at home... In a way, I am always using the home DNS.
Maybe I'm misunderstanding what you're saying...
-
If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I've used this on stock Pixel and GrapheneOS.
Under Settings > Network and internet > VPN
Tap the Cog icon next to Tailscale and select Always-on VPN.
Holy moly, I did not know this existed! Thanks! Just turned this on!
-
I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.
So first I have to auth into that site with basic auth, then I load jellyfin on the other port.
I don't understand how that isn't widely deployed. I call it poor man's Zero Trust.
-
Can you add a split tunnel for just the Chromecast app (I presume that's how it works idk I don't use Chromecast) so that just that specific app always ignores your VPN?
I haven't tried it, but the app has the ability to select which app it tunnels.
When you make a new tunnel, it says "all applications" if you click on that you can select specific ones to include or exclude
-
My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I'm physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don't need to be connected while I'm at home... In a way, I am always using the home DNS.
Maybe I'm misunderstanding what you're saying...
He's saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.
-
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it's helpful, might contain a few errors since I had to remove some settings but I guess this should work.
-
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it's helpful, might contain a few errors since I had to remove some settings but I guess this should work.
-
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it's helpful, might contain a few errors since I had to remove some settings but I guess this should work.
-
He's saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.
Yeah, this. Plus if you leave it connected, you can use the VPN IPs while at home instead of having to use a different IP when at home vs when out (or deal with split horizon DNS)
-
He's saying that while there is no benefit to being connect to WG at home, there is also no downside so many people just stay connected all the time.
Oh, I get that, but it just doesn't make any sense to me to be physically next to the server, and connect to it via VPN...
-
URL is 404
-
URL is 404
-
It's a steep learning curve for sure but once you get the basics it's straight forward until you hit very specific problems.
Are you a Windows or Linux user?
They often want to push their Docker UI application but in my opinion docker engine with docker compose is enough. There are probably a lot of great tutorials out there and I can recommend https://www.linuxserver.io/ for images. -
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
Use a VPN like Tailscale
-
I use Pangolin (https://github.com/fosrl/pangolin)
I was thinking of setting this up recntly after seeing it on Jim's garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)
Tailscale funneled
Jellyfin
Keycloak (adminless)Private Tailscale
Keycloak admin
Postgres dBI hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.
-
I was thinking of setting this up recntly after seeing it on Jim's garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
I use it for all of my external services. It's just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
-
Oh, I get that, but it just doesn't make any sense to me to be physically next to the server, and connect to it via VPN...
My point is that since the VPN uses a different subnet, it's fine to keep it connected even at home. It'll only use the VPN if you access the server's VPN IP, not its regular IP.
In any case, Tailscale and Wireguard are peer-to-peer, so the connection over the VPN is still directly to the server and there's no real disadvantage of using the VPN IP on your local network.
-
I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
I use good ol' obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works.
And since i don't post my valid urls anywhere no web-scraper can find them.
This filters out 99% of bots and the rest are handled using authelia and crowdsec -
I don't understand how that isn't widely deployed. I call it poor man's Zero Trust.
I mean I'd rather jellyfin fix the bug and let me just put that behind basic auth
