this post was submitted on 19 May 2026
437 points (97.8% liked)
Technology
84796 readers
3607 users here now
This is a most excellent place for technology news and articles.
Our Rules
- Follow the lemmy.world rules.
- Only tech related news or articles.
- Be excellent to each other!
- Mod approved content bots can post up to 10 articles per day.
- Threads asking for personal tech support may be deleted.
- Politics threads may be removed.
- No memes allowed as posts, OK to post as comments.
- Only approved bots from the list below, this includes using AI responses and summaries. To ask if your bot can be added please contact a mod.
- Check for duplicates before posting, duplicates may be removed
- Accounts 7 days and younger will have their posts automatically removed.
Approved Bots
founded 2 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
It’s a concern even with a reverse proxy. The reverse proxy encrypts your connection from A to B, but does nothing to stop the various security concerns that have been noted. Because those concerns don’t rely on intercepting unencrypted traffic. If you can reach Jellyfin’s main log in page, you can exploit it. Full stop.
The only way a reverse proxy would stop someone from being able to exploit it is to include a separate login on your reverse proxy, meaning attackers wouldn’t even be able to hit Jellyfin’s landing page unless they know your proxy’s password. But notably, this breaks basically everything except for browsers. All of your smart TVs, mobile apps, etc would stop functioning, because they’d bounce off of that reverse proxy login page.
I don't proxy the port, I proxy the routes needed for auth and interface. This isn't that hard.
EDIT: ah I see what you're saying, you're talking about the app surface rather than the raw admin API. The risk is small enough with the remaining attack surface that I'm not particularly worried, though obviously I'd like it to be better.