Selfhosted

48773 readers

965 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.

Resources:

selfh.st Newsletter and index of selfhosted software and apps
awesome-selfhosted software
awesome-sysadmin resources
Self-Hosted Podcast from Jupiter Broadcasting

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago

MODERATORS

[email protected]

468

Jellyfin over the internet (startrek.website)

submitted 3 days ago by [email protected] to c/[email protected]

284 comments fedilink hide all child comments

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

you are viewing a single comment's thread
view the rest of the comments

[–] [email protected] 40 points 3 days ago* (last edited 3 days ago) (11 children)

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

Wireguard tunnel, be it tailscale, netbird, innernet, whatever
A vps with a proxy on it, I like Caddy
A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

[–] [email protected] 4 points 2 days ago (4 children)

show me those “holes” this is just fear mongering

[–] [email protected] -1 points 2 days ago* (last edited 2 days ago) (3 children)

Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html

More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html

Do what you want. Idgaf about your install, just mine.

[–] [email protected] 8 points 2 days ago (2 children)

I don't want to be an asshole but after checking a couple of those out they all appear to be post-authorization vulnerabilities? Like sure if you're just passing out credentials to your jellyfin instance someone could use the device log upload to wreck your container, but shouldn't most people be more worried about vulnerabilities that have surface for unauthorized attackers?

[–] [email protected] 2 points 1 day ago

plus, most of the mentioned cve's state "versions before ...". Exposing a service to the internet always has a risk to it, keeping your service up-to-date is mandatory. Running behind a vpn can protect you, sure. But it also has to be practical. I don't get why Jellyfin especially gets this kind of slaming. You'll find similar records for any other software.

[–] [email protected] 1 points 2 days ago

A while back there was a situation where outsiders could get the name of the contents of your Jellyfin server, which would incriminate anyone. I believe it's patched now, but I don't think Jellyfin is winning any security awards. It's a selfhosted media server. I have no frame of reference for knowing whether or not any of my information was overkill and I'm sure there are even some out there that would say I didn't go far enough, even.

load more comments (6 replies)