this post was submitted on 19 May 2026
490 points (97.9% liked)
Technology
84796 readers
3607 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
Jellyfin is amazing for a lot of things, but it shouldn’t be available externally. There are a few critical security concerns that devs have openly stated will never be patched. And that makes it a non-starter for sharing with people who can’t figure out how to use a personal VPN connection. It may be fine for me and my household… But there’s no way I’m going to be able to walk my tech-illiterate grandmother through it over the phone.
In contrast, Plex makes sharing server access very easy. Since they run a centralized server to handle all of the “which servers do I have access to, and where are they located” automatic discovery traffic, sharing content is as simple as sending an invite link. That centralization flies in the face of what Jennyfin stands for, so they won’t ever implement it. I even have a burner Plex account that already has access to my server, which I can use to sign into TVs when I don’t want to bother with the whole account setup process. Handy for things like parties, because I have a few “just hit play and drunk people will enjoy it” types of playlists ready to go.
Basically, Jellyfin for yourself and your household. Plex for everyone else. Luckily, the two will happily run side-by-side without any issues.
I'm not confident enough in my knowledge to ever open up my server externally, even after reading some methods that are allegedly safe (or relatively safe). I'd just rather not take the risk of me misunderstanding something or failing to keep current with vulnerabilities.
I suppose I see the appeal if Plex handles that without hassle, but man... not for $750. Lol
This is a concern if you just port forward through a router. This isn't a problem if you simply use a reverse proxy, which is standard and normal and expected and not difficult at all.
It’s a concern even with a reverse proxy. The reverse proxy encrypts your connection from A to B, but does nothing to stop the various security concerns that have been noted. Because those concerns don’t rely on intercepting unencrypted traffic. If you can reach Jellyfin’s main log in page, you can exploit it. Full stop.
The only way a reverse proxy would stop someone from being able to exploit it is to include a separate login on your reverse proxy, meaning attackers wouldn’t even be able to hit Jellyfin’s landing page unless they know your proxy’s password. But notably, this breaks basically everything except for browsers. All of your smart TVs, mobile apps, etc would stop functioning, because they’d bounce off of that reverse proxy login page.
I don't proxy the port, I proxy the routes needed for auth and interface. This isn't that hard.
EDIT: ah I see what you're saying, you're talking about the app surface rather than the raw admin API. The risk is small enough with the remaining attack surface that I'm not particularly worried, though obviously I'd like it to be better.