this post was submitted on 08 Jun 2026
479 points (96.3% liked)
Selfhosted
You shouldn’t even have Jellyfin on a reverse proxy, because it shouldn’t be externally available. There are several known security vulnerabilities (all marked as “closed” due to inactivity on git) that the devs have said will likely never be patched. Because patching them requires breaking away from the Emby fork that the entire project is built on.
It should only be externally available via a private VPN. And that alone excludes a lot of “I want to share my library with friends/family” scenarios, because step 0 will be getting their devices connected to your VPN.
At the very least, set up some form of access control/username+PW directly on your reverse proxy as a secondary security measure. Because if you can reach the JF landing page, you can exploit those vulnerabilities without needing a valid JF login. So you should configure your reverse proxy to act as a gatekeeper, and ensure attackers can’t even reach JF at all without having a valid login to your reverse proxy. But this will break most JF apps (except for browsers) because they likely won’t have any way to give an initial user+pass to the reverse proxy before they hit the JF server.
There's not a single high-risk security issue in there as far as I can see. Can you point them out?