Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
You can do a reverse proxy + authelia (or other auth service). It's still more risky than a VPN IMO, buts wayyyy better than some of the other options in this thread
The biggest problem with that Jellyfin to this day is that you can’t.
Seems like every new open source selfhosted app implements OIDC compatibility, but for some reason, I can only assume is technical debt, Jellyfin hasn’t.
Jellyfin had a third party plugin for OIDC. It was archived recently, but I heard Jellyfin has plans to implement it directly into the software. 🤞
The plugin was neat, but if the clients don’t support it, it’s pretty much useless.
Mobile clients should use QuickConnect for it (statement by the sso plugin maintainer). Else it should work with everything that uses the WebUI.
Quick connect is not SSO. Because the topic is about non-technical end user friendly solutions, this isn’t a great one because this requires your user to login using a web browser on a different device and then use that for the quick connect and it’s just more clunky than it should really be.
It’s honestly easier in this situation to just configure your end users device with a mesh VPN like Tailscale or Netbird and then all they ever have to do is login with whatever password you gave them.
To be totally honest I'm not sure you can harden jellyfin enough for public Internet exposure without also breaking basic functionality of the platform.
This is why everyone is always pushing so hard for a VPN/Tailnet of some kind. The public internet is a bit to much of a wild west to be exposing arbitrary services to it unless you really know what you're doing.
I'm kinda disappointed with this thread, I'm in a similar position to OP, but all the responses are just like "use a reverse proxy and make your URL hard to guess" and other measures which are not very secure. \
It seems like that's about as good as you can get at the moment, because the mobile apps barf if you try to add in auth in front of the reverse proxy, but a lot of people seem to be providing this advice like it's good enough rather than as good as you can get.
Well yeah, the "good as you can get" answers are "use a VPN" or "don't".
So every answer is as good as you can get?
I suppose it depends on what you mean by "good as you can get".
Im confused as to what people think the security issue is? Do they think someone will brute force their username and password with a billion queries?
That’s assuming an attacker will play nice with URL forming and discovering edge cases in POSTing shaped data to the service. Just encrypting is still weak security if the whole front-end web and API surface isn’t hardened.
Afraid people will use known vulnerabilities in common self-hosted software.
Sorry but are you guy not using Linux as your servers? Windows? Now I understand.
Run the jellyfin in a container that only has read privileges to the videos ( make sure you can't get out to your whole NAS from there), put that behind a Cloudflaired tunnel.
It's not technically secure, but if they can't get a foothold in your network and the only thing they can access is your video catalog, that's a reasonable amount of risk.
Gotta be careful with cloudflared and media. They can block you if they detect copyrighted materials, even if it's your own DVDs. You can setup TLS certs so the traffic is at least encrypted
Another way:
Expose using caddy. Use basic auth for the web UI only. This exempts the Jellyfin app clients from basic auth that they don’t support but requires it before anyone even gets to the Jellyfin UI. This obfuscates the fact that your endpoint is even a Jellyfin end point.
At the very minimum stick a reverse proxy in front like caddy, nginx, or Traefik. Then have some middleware like crowdsec to inspect what's going on. Then whitelist the IP or the country IP block.
There is much more but those would be the bare minimum.
Put Jellyfin and a reverse proxy in an isolated vlan or DMZ, with no ability to reach into your lan at all and everyone connects in the same way. Its just movies, thats all you lose if it gets hacked. Set up some monitoring too in case it becomes a botnet node so you can destroy it and start over.
A reverse proxy is what you are looking for. I recommend Caddy.
You’ll also need a domain, but they can be had for very cheap.
My use cases are:
- Connect from multiple devices on the same home network (with the application)
- Connect from a phone device on the internet (with the application)
- Connect from some PC's and devices on the internet (with the application and from web browser)
For home networked devices, I don't care about security that much. I try to lock it down on the router level and by using VLANs for less secure devices. I connect via IP directly (or .local domain).
Jellyfin runs under its own user with read access to a media library.
For devices on the internet, I have jellyfin exposed on a specific url path of my domain - through a reverse proxy all through 443. A bit of security through obscurity here. I'm proxied through cloudflare on the DNS side with very restrictive IP rules.
I think this is enough for the security flaws jellyfin does have. I'd sleep better at night if it had client certificate support, but Its not a big deal imo. If security flaws allowing remote code execution are found, I'll shut it down and allow access through wireguard only and lose access from some devices on the internet where I cant use VPNs. Not a bit deal either.