Hello. I have just recently started with self hosting my media with Jellyfin… and I am LOVING it! I had been carrying around media players for decades, with everyone looking at me like an insane crank for not giving up on my hundreds of gigs of media for SAS things like spotify… now they’re jealous! We’ve come full circle!
Annnyway. Obviously, I want to access the server anywhere, and don’t want to just raw-dog an open port to the internet- yikes!
There are SO MANY ways and guides and thoughts on this, I’m a bit overwhelmed and looking for your thoughts on the best way to start off… it doesn’t have to be ‘fort knox’ and I am sure I’ll adjust and pivot as I learn more… but here are the options I know of (did I miss any?):
-
Tailscale VPN connection
-
Reverse Proxy with Caddy or similar (this is recommended as easy in the jellyfin official guides and thus is my current leading contender!)
-
Docker/VM ‘containerized’ server with permissions/access control
What are your thoughts on the beginner-friendly-ness and ease of setup/management of these? This is exclusively for use by me and my family, so I don’t need something that’s easy for anyone to access with credentials… just our handful of devices.
Please don’t laugh, but I’m currently hosting on a Raspberry Pi5 with a big-ass harddrive attached (using CasaOS on a headless Ubuntu Server). I know this is JANK as far as self-hosting goes, and plan to upgrade to something like NAS in the future, but I’m still researching and learning, and aside from shitty video transcoding, it’s working fine for now… Thank you in advance for your advice, help and thoughts!
You must log in or register to comment.
Easy, mine is local only and on it’s own VLAN.
Reading jellyfin’s issues it’s clear its web ui and API cannot be allowed to talk to the general internet.
I’d push for a VPN solution first. Tailscale or wireguard. If you’re happy with cloudflare sniffing all traffic and that they make take it away suddenly someday use their tunnel with authentication.
The only other novel solution I’d suggest is putting jellyfin behind an Authentik wall (not OIDC, though you can use OIDC for users after the wall). That puts security on Authentik, and that’s their only job so hopefully that works. I’d use that if VPN (tailscale or wireguard) are problematic for access. The downside is that jellyfin apps will not be able to connect, only web browsers that can log into the Authentik web ui wall.
Flow would go caddy/other reverse proxy -> Authentik wall for jellyfin -> jellyfin
I’d put everything in docker, I’d put caddy and Authentik in a VM for a DMZ (incus + Zabbly repo web ui to manage the VM), I’d set all 3 in the compose to read-only, user:####:####, cap-drop all, no new privileges, limited named networks.
Podman quadlets would be even better security than docker, but there’s less help for that (for now). Do docker and get something working to start, then grow from there
This is absolutely critical. Jellyfin is not made with security as an important factor.
I’m working on deploying Client side certificates that are validated by Caddy
Do you know if that will break applications?
I am not familiar with deploying client side certificates unfortunately. I hope it works, if the certificate is at the OS level and the application will use it, I feel it will work… not sure, in-browser feels straight forward at least
Pangolin with an Authentik login required. Jellyfin’s set up with OIDC too but that’s more for convenience than security (especially since password auth doesn’t seem possible to disable, so it’s just hidden with CSS which does jack shit for security).
I’m paranoid so I only expose 3 services total without Pangolin/Authentik in front of them: Authentik itself, headscale, and navidrome’s rest endpoint (the last one skeeves me a bit but it’s mandatory for it to work remotely in the situations I want it, like a web player on work machines). Anything else I personally need remote access to, I can get through tailscale - Pangolin for me covers friends and family usage and a few niche situations.
Put Jellyfin behind something else that requires authentication before you can access Jellyfin at all
VPN. Jellyfin is not intended for direct exposure to the Internet.
You should run it in docker anyway for convenience. A reverse proxy is optional, but I use traefik also for convenience (so that I can just use domain names on the same port, and so that it can automatically fetch certs).
Jellyfin is not intended for direct exposure to the Internet.
https://jellyfin.org/docs/general/post-install/networking/
There are multiple ways of exposing Jellyfin to the outside - the most common ones are:
forwarding its Ports directly to the internet (not recommended!)
forwarding through a Reverse Proxy
using a VPN connection to enter the Network
use a VPS to Reverse Proxy to your home networkIntended… not recommended. The reverse proxy one should also not be recommended until they resolve the unauthed endpoints issue as well really. Security is a weak point on Jellyfin in general.
They need to switch to cookie based auth instead of doing the weird think with the URLs
Yeah the API token exposure in the URLs is another thing… And that can expose itself in all sorts of ways.
I have used Tailscale for about a year now. Flawless for a small ecosystem and couple of people and doesnt expose anything.
Bonus of routing all my traffic through pi-hole at home and then through VPN client on router
tailscale here as well. it’s honestly 2ezpz to set up, and that’s about it! this also allows you to access other services you may be hosting.
you can also specify an exit node that your traffic will route through if you are connected to your tailnet. for example, if you had a VPN client on your home router, you could set a PC on that network as your exit node and your remote traffic through tailscale would ultimately hit your home network and then out through your PC -> VPN -> Internet setup.
I second this. Especially for the PiHole access. Its also handy as it covers any of my self-hosted stuffs.
Do you mind explaining PiHole to me? I’ve heard it mentioned, not sure what it is.
@Profligate_parasite @thejml #PiHole sits in your network replacing your existing DNS server you may have configured. By using a specified blocklist(s) it’s mostly used to block adverts and malware sites. Can be very effectives. Can take a little tinkering, for example one side-effect for me was it blocking a local TV streaming app.
To start with I put one on a free cloud provider, with a VPN from my router to it and played with it until I was happy.
I think the big deciding factor is how many folks will be watching remotely.
For my case, I use a VPN to tunnel back to my network and watch jellyfin that way. My son also lives away and watches jellyfin, but for him I simply punch a hole in my firewall for only his public ip, which doesn’t change much.
This works for me, but if I had to host for any more ppl, I would likely go the caddy route.
I hide it behind Cloudflare. I assume that since most of the world pays them for domain security, and if Cloudflare goes down so does half the internet, I thought to try them out. Best decision I’ve made. They blocked substantial DDoS attempts on my IP, a fuck ton of malicious web scrapers that attempt CVEs, and they also allow me to have very specific users access to my domain using complex allow lists, zero-trust, and DNS over HTTPS.
So… do you have to register the server as a domain, then set up and register it w cloudflare?
I heard something about cloudflare not being stream friendly. Guess jellyfin doesn’t count?
Others have recently reported being been banned if more than 1 streaming. Fyi
used to be against terms of use for proxy, the forbidding language has been gone for a year or two now
Others have recently reported being been banned if more thab 1 streaming. Fyi
not the person you replied to, but i have been using cloudflare zero trust for my streaming needs; have not gotten a complaint yet.
just make sure you have the upload bandwidth.
Others have recently reported being been banned if more than 1 streaming. Fyi
I’ve tried tailscale and cloudflare tunnels in the past and ended up just using PiVPN to set up a WireGuard VPN on my Pi5. Tailscale for some reason was very slow for me, and cloudflare tunnels have a 100mb limit iirc which isn’t ideal for streaming. PiVPN is quite straightforward, it sets everything up for you and all you have to do is forward a UDP port. That was the bit I was most worried about, but, unless I’ve misunderstood something, because a UDP port will just ignore invalid requests to the outside world it will appear closed so it’s not very risky. It then generates a key for each device which you can scan from a QR code onto your VPN client. I have my phone set to auto-connect to the tunnel when I disconnect from my home wifi network and the tunnel is fast enough that I’ve accidentally turned off my phone’s wifi connection before and streamed a TV show through the tunnel over mobile data and not noticed any difference in speed.
I hadn’t thought to automate connecting to Wireguard when not on my home network, that’s a good call. I’ve just set up Tasker on my phone and tablet.
i only use it for my family so like just me, my brother, and my parents so i just spun up a subdomain and configured apache to reverse proxy and use certbot for a lets encrypt certificate so i’m not exposing my port or ip. (the subdomain is just hosted on an ec2 server that i was using anyway)
I don’t get it
How do you control access?
Wireguard tunnels with a ssh tunnel as a backup.
Caddy + crowd sec + some kind of auth solution is what I’m aiming for though I haven’t got authentik working with it yet so I haven’t opened it up yet. I wouldn’t want to do jellyfish without the auth solution though as there local stuff isn’t so robust.
VPN in and a few local users would be the most secure if you haven’t got too many folks connecting.
Waiting for replies.
Edit: What’s with the downvotes? I just commented to bookmark. Geesh.
Just use the bookmark feature…
