Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
The biggest problem with that Jellyfin to this day is that you can’t.
Seems like every new open source selfhosted app implements OIDC compatibility, but for some reason, I can only assume is technical debt, Jellyfin hasn’t.
Jellyfin had a third party plugin for OIDC. It was archived recently, but I heard Jellyfin has plans to implement it directly into the software. 🤞
The plugin was neat, but if the clients don’t support it, it’s pretty much useless.
Mobile clients should use QuickConnect for it (statement by the sso plugin maintainer). Else it should work with everything that uses the WebUI.
Quick connect is not SSO. Because the topic is about non-technical end user friendly solutions, this isn’t a great one because this requires your user to login using a web browser on a different device and then use that for the quick connect and it’s just more clunky than it should really be.
It’s honestly easier in this situation to just configure your end users device with a mesh VPN like Tailscale or Netbird and then all they ever have to do is login with whatever password you gave them.
What exactly about jellyfin makes this oidc style access more difficult to manage?
Jellyfin just doesn’t have it, period. There’s a third party plugin that will kind of tack it on to the Webui, but none of the Jellyfin apps will work with it.
Which plugin?
To be totally honest I’m not sure you can harden jellyfin enough for public Internet exposure without also breaking basic functionality of the platform.
This is why everyone is always pushing so hard for a VPN/Tailnet of some kind. The public internet is a bit to much of a wild west to be exposing arbitrary services to it unless you really know what you’re doing.
Run the jellyfin in a container that only has read privileges to the videos ( make sure you can’t get out to your whole NAS from there), put that behind a Cloudflaired tunnel.
It’s not technically secure, but if they can’t get a foothold in your network and the only thing they can access is your video catalog, that’s a reasonable amount of risk.
Gotta be careful with cloudflared and media. They can block you if they detect copyrighted materials, even if it’s your own DVDs. You can setup TLS certs so the traffic is at least encrypted
If your American, ripping your own DVD’s still isn’t legal.
Right. Which is why Cloudflared would block you if it’s detected. But regardless, if for whatever reason, you ended up in court for the content you copied, the judge would probably give you a low fine. Obviously not legal advice, but the US justice system doesn’t have time to care about people making digital copies of DVDs they’ve purchased.
It’s irrelevant anyway, since none of us are just copying our own DVDs… But for legal reasons /s
Just make sure you disable caching or it can be a bit slow
You can do a reverse proxy + authelia (or other auth service). It’s still more risky than a VPN IMO, buts wayyyy better than some of the other options in this thread
Another way:
Expose using caddy. Use basic auth for the web UI only. This exempts the Jellyfin app clients from basic auth that they don’t support but requires it before anyone even gets to the Jellyfin UI. This obfuscates the fact that your endpoint is even a Jellyfin end point.
How can I do that? I’d love to have better security for my jellyfin but I risk breaking the apps.
For a remote and non-technical user I would say IP whitelisting offers a decent tradeoff.
On your end you expose your jellyfin port to internet, but restrict at the router level to your user’s client IP address as soon as you have it. Obviously in practice this works best if the address does not change often.
Also not as ideal if their ISP uses CGNAT. Still waaay better than fully open, but you would be giving access to many households
Yep, that’s why I call that a tradeoff. Far from perfect and yet so much better than nothing.
Pros:
- Likely cuts 99.99% of attacks.
- Nothing to do on client’s end.
Cons:
- Whitelisting must be updated everytime the client address changes.
- Not 100% bulletproof as operators (notably for mobile networks) can NAT multiple connections behind a single publicly addressable IPv4 address.
- Also IP addresses can be spoofed but I doubt that would be a major concern here.
Is there a way to this with like a MAC address instead of an IP? Allowing specific devices (my parents have a Firestick that they travel with) would be pretty ideal.
No, not for remote access over the internet.
Ask them to visit https://ipv4.icanhazip.com/ and give you back the number, then whitelist in your webserver, as well as your LAN/VPN range, deny rest. Explain they can only reach jellyfin from their home internet. Repeat if they get 403 forbidden after they get a new WAN IP.
That or VPN like openziti, wireguard but gets more complicated.
It’s exactly what it sounds like.
I like how if it’s IPv6 it just gives up
You really can’t assume your visitors are going to have static IPs.
What happens when they visit from their phone? A friend’s WiFi? Their home connection that has a regularly changing IP?
So far I’ve seen WAN leases expire after a long time, say months, or quarter year, so is doable. If becomes an issue I’ll work with them on a VPN solution but is a pain for non-technical users or non-supported hardware. That’s also why I explain “use from your home network only”.
What’s your concern about running it behind a reverse proxy, like caddy or nginx?
This is solid. I wonder if you could rig up a ddns somehow to keep it seamless?
Something like reverse dynamic DNS for end users? Hm, only if it would be easy to setup, is on the same level as a VPN client I’d say.
A reverse proxy is what you are looking for. I recommend Caddy.
You’ll also need a domain, but they can be had for very cheap.
I’m kinda disappointed with this thread, I’m in a similar position to OP, but all the responses are just like “use a reverse proxy and make your URL hard to guess” and other measures which are not very secure. \
It seems like that’s about as good as you can get at the moment, because the mobile apps barf if you try to add in auth in front of the reverse proxy, but a lot of people seem to be providing this advice like it’s good enough rather than as good as you can get.
Well yeah, the “good as you can get” answers are “use a VPN” or “don’t”.
So every answer is as good as you can get?
I suppose it depends on what you mean by “good as you can get”.
Im confused as to what people think the security issue is? Do they think someone will brute force their username and password with a billion queries?
That’s assuming an attacker will play nice with URL forming and discovering edge cases in POSTing shaped data to the service. Just encrypting is still weak security if the whole front-end web and API surface isn’t hardened.
Afraid people will use known vulnerabilities in common self-hosted software.
Sorry but are you guy not using Linux as your servers? Windows? Now I understand.
Did you just suggest Linux has no vulnerabilities in any of its distros, and neither does any of the self-hosted services?
Perhaps (and I know I might be weird) running pangolin on something like hetzner? (Which I do)
This is the way I do it with services. Has auth. Rules for access per service. Handles reverse proxy. And can integrate crowdsec. Not a security guru…
Pangolin?
Pangolin reverse proxy https://github.com/fosrl/pangolin
Put Jellyfin and a reverse proxy in an isolated vlan or DMZ, with no ability to reach into your lan at all and everyone connects in the same way. Its just movies, thats all you lose if it gets hacked. Set up some monitoring too in case it becomes a botnet node so you can destroy it and start over.
Are the majority of you running jellyfin on windows? All of this reverse proxy stuff sounds incredibly paranoid to me and 99% of zero day exploits would be very unlikely to fully compromise up to date linux servers.
@KneeTitts @Jason2357 Recently there are a lot of zero-day kernel exploits (local privilege escalation), so I would make sure “up to date” includes regular reboots into new kernels. As opposed to just relying on something like unattended-upgrades.
For the past few weeks we’ve been averaging one LPE per week, and it’s probably going to continue like that for a bit.
The reverse proxy is just to give it TLS with a let’s encrypt cert. If you are running an internet facing web application without TLS, Windows is the least of your concerns.
Am I shadow banned
If anyone has any tips for getting Tailscale running via Docker on my Openmediavault machine, I’m open to it. Everyone lauds it for being dead simple and I cannot for the life of me get it running on the machine it needs to be. Not sure my wife can/will handle anything more complicated.
Just read their actual documentation. You’ll want to either way.
Set up a reverse proxy with https always on. And get a good (physical) firewall, preferably something akin to opnsense, pfsense, openwrt. Exposing is always a risk, and if you do want it, you have to bear the responsibility for your own security. Keep things up to date, set up monitoring and a good logging system (Wazuh) comes to mind.
Exposure means a security risk. How you deal with that security risk is your choice.
Cloudflare and the likes forbid usage of their stuff for these things.
How does a reverse proxy helps for security? I mean, the problem here is that exposing Jellyfin on the internet is dangerous: the only way to improve security via a reverse proxy would be mTLS, but I’m not sure how it would work client side.
By setting up a reverse proxy you redirect the traffic through that specific proxy which means less open ports (basically just 80/443), less monitoring, the ability to easily put a WAF inbetween, etc.
Ports are closed by firewalls, and if you need to port forward on your home router this is a non-issue anyway
You’ve got a couple benefits. If you have a domain name, and aren’t advertising it publicly, then you can use the reverse proxy to point that domain to a non-standard port that Jellyfin runs on.
Security through obscurity is not good security, but it does prevent the majority of port scanning attacks. You can also use fail2ban on the reverse proxy side to try and mitigate some attacks.
Some reverse proxies have an authentication layer.
But this typically breaks the jellyfin Mobile app.
Cf used to have it against the rules, but it’s fine now.
edit: you can in fact do video, but they have added lines about ~piracy
Ah cool, didn’t know!
Just re-read to make sure, they def changes the non-html to allow it, but they do def have non-pirate terms in there
end to end encryption with your own key on their tunnel might be a good idea (which is allowed)
Cloudflare and the likes forbid usage of their stuff for these things.
😬
Not at all, there’s legal risk if you’re hosting your blurays. Cloudflare even explicitly forbids such use. VPN or nothing imo.
Wow, Cloudflare is against piracy? Every single site I’ve ever seen in my life is registered with Cloudflare and uses their DNS with the exception of PTB I believe.
Not sure about that, I think it’s more just that they don’t want people streaming terabytes of traffic through their edge.
Well, I don’t know. Cloudflare seems to be the standard, again with that one exception, and the only reason PTB has a different situation is because the founders had a connect.
They have to be. They have to at least somewhat comply with laws to avoid lawsuits and fines
Oh, ok, “they have to be” in the same way my seedbox says not to download copyright material. Got it.
Legal risk of bluray rips, as opposed to other media types?
