Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
You must log in or register to comment.
afaik but I’m not sure, Jellyfin lacks support for OIDC AuthN which is a clear sign that you cannot expose this publicly.
Secure is relative, you should be aware that jellyfin itself has security issues https://github.com/jellyfin/jellyfin/issues/5415 most of which are harmless, but at least one is fairly serious and allows people to watch your media without authentication, and adding an extra layer of authentication on the proxy would likely cause issues with clients.
That being said, if you’re okay with those security issues what I would do is have a cheap VPS, connect both machines to tailscale, and have something like Caddy on the VPS to do the forwarding.
Just leaving this here
Now, let’s address this clearly once and for all. What is possible is unauthenticated streaming. Each item in a Jellyfin library has a UUID generated which is based on a checksum of the file path. So, theoretically, if someone knows your exact media paths, they could calculate the item IDs, and then use that ItemID to initiate an unauthenticated stream of the media. As far as we know this has never actually been seen in the wild. This does not affect anything else - all other configuration/management endpoints are behind user authentication. Is this suboptimal? Yes. Is this a massive red-flag security risk that actively exposes your data to the Internet? No.
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
I agree with the folks saying reverse proxy of some kind + WAF. That way end users don’t have to deal with the VPN, but your home system is not directly exposed.
I’ve been doing something similar with SSH local port forwarding and a $5/month VPS. Haven’t come anywhere close to my network quotas, and performance has not been an issue for home use with 2-5 concurrent users most of the time. I forward the local caddy ports to unprivileged ports/user on the VPS, then use the firewall on the VPS to forward that port to 443 and lock down the rest.
That said, VPN would be much more manageable if I was trying to really push performance or scale out the network.
best practice states security through obscurity is not to be relied upon, but compare ssh logs after one year on the default port vs a non-standard port and you’ll immediately see why you want to use a non-standard https port for non-professional services. it cuts 99.9% of the noise/attempts.
Depends on what you mean by “secure.” My personal setup is Jellyfin LXC on proxmox --> Wireguard to VPS -> Nginx reverse proxy on VPS.
This setup relies somewhat on Jellyfin’s auth, but I’m comfortable with that risk. The LXC is blocked from sending local traffic on my network by firewall rules. Yes, someone could exploit a vulnerability in Jellyfin (though looking through the CVEs I’m not overly worried about that), then escape the LXC and fuck with my server. But that’s a lot of work for no profit.
For more protection (in sense of reducing traffic that even interacts with your server), I’d recommend getting a wildcard cert for the domain so that the actual subdomain jellyfin is on is undisclosed to anyone not using your service.
Security isn’t about making everything impregnable, it’s about making attacks more trouble than they’re worth. Otherwise, we’d all live in fortified bunkers surrounded by landmines. 🙃
Your vps isn’t doing anything useful security wise… it’s just sending traffic directly to jellyfin.
You’d get the same protection with just port forwarding to a local proxy in front of jellyfin. Or you could even leave out the proxy if you didn’t need it.
I’m aware of this (that’s why I described a potential breach as Jellyfin -> LXC escape). What it does provide me is a static IP to point my domain at that I don’t have to worry about updating via whatever DDNS service and that isn’t tied to my home address. That and the wireguard tunnel gives me plausible deniability should my ISP ever decide to enforce its rules against hosting servers. 😀
How much bandwidth is used via the VPS in this instance? I’ve seen most VPS in the USA have a limit of 1TB of bandwidth.
How many users are you sharing with?
I know Hetzner does 20TB bandwidth, but that is only EU servers as far as I know.
I have a very cheap ($11/yr) us-based vps through racknerd I got via low end box. I’ve got 12 users but only 5 really active ones and I’ve never come close to hitting the 1tb transfer. I serve several services through that one vps (all just reverse proxy to my homelab).
I did just pick up another u.s. based vps through low end box the other day- $12/yr and unmetered Gbps. 1 CPU only, but a reverse proxy doesn’t need a lot of compute. :)
At the very minimum stick a reverse proxy in front like caddy, nginx, or Traefik. Then have some middleware like crowdsec to inspect what’s going on. Then whitelist the IP or the country IP block.
There is much more but those would be the bare minimum.
I too would like to know more. Jellyfin has been something that I am still heditating to expose online without a VPN.
I have Plex behind a reverse proxy (HAproxy) with Crowdsec and firewall rules all behind Cloudflare. My firewall rules in HAproxy block access a few different ways, like if request are higher then 60 requests a second, or if there is strange path traversal. Used the following guide as a start.
https://www.archy.net/building-a-native-fail2ban-with-haproxy-stick-tables/
if theyre close, add them to your tailscale, if not and you have a web serve, use a reverse proxy.
for tailscale, you’d probably have to walk them through setting it up but then its one and done
That’s basically the VPN solution but with a little more flexibility.
If you want to actually expose the service, you can use Tailscale to connect it to a VPS and then expose that port to the web with Nginx, but if you do that, be prepared on the security front because…you know…open internet be full of hazards.
Reverse proxy with auth in front of the actual jellyfin login. Like pangolin.
How do you get apps through something like that? Do you have to open your browser and hit the URL periodically to handle auth there and it just remembers your IP?
You can set pangolin to allow access to an entire resource or just certain paths without the front auth, instead relying on the built in auth.
Your random plex/emby/jellyfin server isn’t going to be a huge target and the built in auth is good enough for the limited access your media system should have.
Wait so if you’re gonna allow access without authentication then why bother putting pangolin in front of jellyfin? Does it help in some other kind of way? I don’t really get how it helps without interfering with apps accessing jellyfin.
call me crazy but I just use a couldflare tunnel since my domain is already provided through them. They make it really easy to add sub-domains attached to specific ports on the local machine and automatically adds the proper DNS entries. Additionally they have a ton of domain security/anti-bot measures you can set up.
https://community.cloudflare.com/t/using-cloudflare-for-remote-access-to-jellyfin/855051
I haven’t heard of anyone being kicked off.
I haven’t had any issues like that. It’s been pretty plug and play and I have it set up for some family that are accessing it from out of town. No problems except for the big cloudflare outage that happened a while ago.
Possibly mTLS, which you’d configure in your reverse proxy. You could email them the certificate and instructions on installing it. I believe for Chromium browsers on Windows you basically just double click the cert and click through the wizard. Firefox I know has a thing in the settings for importing the cert. Android you just tap on the cert and make sure it opens with ‘Certificate Installer’ if it gives you the option.
This should be at the top
Reverse proxy with fail2ban or crowdsec. It’s possible to set up things like Pangolin which ultimately use a VPN between external and internal access points but not at the client, though it takes more setup if you want to use apps over pangolin instead of just the browser.
If they could be using web UI (I’m not sure how a client would work with auth like that) then it kind of depends on how much hassle they can live with and how secure you want to be
Simplest would be to use https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/basicauth/
You set up username and password and share those with the user. But it can be brute-forcedSomething more secure but also a bit more demanding would be some kind of email otp
https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/
Set up authentik to send time-limited link to their email that well let them through. But they would have to authenticate every time they accessAsk them to use the Jellyfin web, and you expose it to the public via Netbird / Pangolin locked behind SSO
Why no VPN?
Yeah, let me just walk my normie friends and parents through setting up a VPN on their TV so they can stream their shows.
Sounds annoying but doable. No need to be offended I’m just asking why VPN is being ruled out.
VPNs are not trivial to use for normies.
Way easier than reverse proxies IMO
They mean on the client side most likely. A reverse proxy will be transparent to the user.
I agree with reverse proxy + middleware. I’d also suggest something like Jellyswarm as the front end. That way I can connect to other friends’ servers too.
