this post was submitted on 23 May 2026
192 points (97.1% liked)

Selfhosted

59450 readers
1360 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
192
How would you expose Jellyfin securely without a vpn? (discuss.online)
submitted 2 days ago by kiol@discuss.online to c/selfhosted@lemmy.world
186 comments fedilink hide all child comments
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

you are viewing a single comment's thread
view the rest of the comments
[–] nibbler@discuss.tchncs.de 3 points 1 day ago* (last edited 1 day ago) (2 children)

If client certificates and basic auth is not supported by jellyfin:

  • reverse proxy
  • strong random subdomain
  • wildcard certificate
  • tls1.3 only
  • doh/dot only

1-3 make random scanners unable to find your service, 4&5 even hide it from your ISP. Dot/doh service will still know your subdomain, so be your own dot/doh ! :D

[–] Dultas@lemmy.world 1 points 14 hours ago (1 children)

Throw in port knocking for good measure.

[–] nibbler@discuss.tchncs.de 1 points 14 hours ago (1 children)

You telling me jellyfin Clients can't handle client certs but can port knock?

My proposal is for maxing ux on the client side while being properly hidden.

[–] Dultas@lemmy.world 1 points 11 hours ago (1 children)

No you port knock first to open the ports. Then connect the client.

[–] nibbler@discuss.tchncs.de 1 points 5 hours ago

usually port knocking opens the relevant port to the client IP that is knocking. So it makes a lot of sense to have the knocking done by the requesting client. In many situations knocking from your mobile while behind the same NAT as your jellyfin client will do the trick, but if you have different IPv6 on those devices etc, it won't.

Also: if you assume your DNS lookups are sniffed - so are your port knocks. If you don't, spare the extra work. But then, if you like port knocking - keep knocking, nothing wrong about it :D

[–] Jason2357@lemmy.ca 2 points 1 day ago (1 children)

I'm no expert, but an unguessible URL path is similar but not visible to DNS. Could do both.

[–] nibbler@discuss.tchncs.de 1 points 16 hours ago

If jellyfin Clients can do URLs, sure