That would be the case, however the devs official stance is it’s unsafe and should not be used other than over vpn. So they also agree

It has had a pretty high number of RCE exploits including one recently the architecture of the web service is just very poor and leads to a lot of basic problems.

Personally I am not a fan of the language they chose, and I think it directly leads to a lot of these problems but that’s just like my opinion man.

The server itself also has tons of issues like the constant memory leaks that cause it to eat up endless amounts of memory that they don’t seem interested in fixing and basically once again push it to the users to deal with and a bunch of the boot lickers are like yeah you just need to put it in a Docker and limit its maximum memory as if that’s just normal and expected to need to do

I am aware that an rce is the worst possibility I’m saying it shouldn’t be. The web portion is already its own isolated binary that you have to install but it’s designed with seemingly very little attention to security.

To the point that jellyfin has already had several major RCE and despite having full support for running over the web with http developers are basically just like you should not be using this without a VPN which is overall a pretty pathetic stance for a media server

This is the most hilarious lie I think I’ve seen in a while from open source on here. To be clear I use it as my daily driver, I switched off Plex a long time ago when I saw the writing on the wall.

But I still have issues with media matching to this day, issues where subtitles on certain devices just refuse to display no matter what you do. And the server still loves to randomly take up absolutely massive amounts of memory for seemingly no reason whatsoever I ended up making a strip to just forcibly kill it and restart it every 12 hours to prevent it from eating the entire system’s memory.

And no my file naming is not the media issue everything I do is properly named exactly as jelly fin documentation says it wants by sonarr. Not to mention you are expected to maintain a VPN system just for accessing your media away from home as the web interface is so hilariously unsecured as to be a constant source of major system vulnerability.

It’s usable, but it’s not as just works as Plex I have thousands of TV shows, anime, and movies as in thousands of each of those categories and Plex never once failed to match to the correct media, never had a problem just playing subtitles on any client, and I think only ever had one major issue with the web interface in terms of security? There’s been lots of minor ones that would give people essentially just access to Plex but not the underlying system

The fact that’s needed at all is the problem. Developers need to stop making monolithic structures that have access to everything ever and putting it on the user to maintain to maintain a VPN network for security.

There’s no reason I should not be able to just use an nginx reverse proxy for remote access to my jellyfin and have that be safe. It should at worst give people a copy of my media if there’s a security issue.

Personally I went out of my way to make this be the case, i have my instance locked into an unprivileged lxc whitelist only on syscalls which took a while to figure out the minimum needed for function but I got there. The host System is using the hardened kernel from Upstream and a series of sysctl lockdowns for example P Trace is not allowed even if you are the root user.

So I do indeed just nginx reverse proxy my instant because the worst case scenario even if they got complete shell access to the system they would be locked into an unprivileged container that had no access to any files other than my media files but the fact that I have to go to this level is already ridiculous

Feed worked out lol

I think you misunderstand. They are making technical decisions that are incompatible with ux decisions. In order to make a better user experience they would need to change how the protocol was made, thus undoing thing that they chose for technical reasons.

Like the way they chose to do the custom emoji makes sense on a technical level for a de Federated protocol but it also is fundamentally incompatible with a good user experience. Same with the forest verification of devices that’s bad ux even if it is technically better

No it doesn’t, matrix was designed by people with no concept of ux. It focuses on things that are technically correct but something average people won’t put up with. Like the forced verification of devices, normal people don’t care and don’t understand what that even is and will be annoyed that every time they try to log in they are prompted to insert a stupid key just so that they can see their chat history.

Doesn’t help that tons of the clients especially the web one can’t be bothered to remember being authenticated and you have to do it literally every time but even with that fix just having to do that in general is going to put people off.

Then there’s just a bunch of base protocol stuff that’s dumb the way they finally implemented custom emoji is the stupidest thing I’ve ever seen and makes what should be a simple easy click to add a sticker and then use it turn into this complicated mess that nobody’s going to bother with. On a technical level it made sense sure but on a user experience level it makes no sense at all.

And I say this is someone that self-hosts basically anything I can get my hands on, I’ve got Seafile, immich, piped, jellyfin, microbin, among various others. I keep trying matrix and keep finding myself getting annoyed enough to stop using it

Eh, i just use pubkey only Auth config (so password entirely disabled as an option) and put ssh on a non standard port to reduce script kid noise. (and no 2222 is not non-standard it may as well be the default)

Fail2ban triggers false too often for my taste in a high traffic environment.

If you ran nginx as a non privileged user it wouldn’t be able to bind to 80/443 as those are privileged ports. So you would need to use iptables to forward them to an unprivlaged port

I mean it WOULD work you would just need a von on every device you wanted to use.

The REAL answer is never host them DIRECTLY, always use a reverse proxy like nginx. Many projects (i believe jellyfin is one of them) explicitly recommend this for better security. Which it looks like you did so congrats

For extra bonus points you can setup nginx to run as a non privileged user and use iptables to forward the lower ports (80/443). A pain but closes out a large chunk of nginx as a risk.

https://spartanhost.org/ owner is super chill will make custom spec deployments and they actually have a really nice management panels with nice easy custom iso support

One end is a local VPS with insanely good peering pretty much round the damn world, other end is my opnsense router. I actually pass a block of ipv6 through the vpn and my router hands it out to devices which is a nice little bonus

That sounds like a lack of port forwarding on at least one side. Ensure the vpn port is properly open on both sides. There is also an option you can add to the wireguard config for keepalive set it to something like 1min

I feel like im missing something here. This is pretty trivial and the comments i see are over complicating the hell outta everything. All you need is your VPN tunnel working. Personally i use wireguard for this. Then you just use nginx as the reverse proxy it talks to services on the other side of the VPN.

The nginx server config looks like

server { listen 443 quic; listen [::]:443 quic; listen 443 ssl; listen [::]:443 ssl; server_name my.domain.tld; http2 on; http3 on; quic_gso on; tcp_nodelay on; error_log /var/log/nginx/jellyfin.access.log; ssl_certificate /path/to/ssl/fullchain.pem; ssl_certificate_key /path/to/ssl/privkey.pem; ssl_protocols TLSv1.2 TLSv1.3; add_header Alt-Svc ‘h3=“:$server_port”; ma=86400’; add_header x-quic ‘h3’; add_header Alt-Svc ‘h3-29=“:$server_port”’;

location / {
    proxy_pass http://10.159.4.12:8096/;
    proxy_set_header Upgrade $http_upgrade;
    proxy_set_header Connection "upgrade";
    proxy_set_header Host $http_host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
    proxy_set_header X-Forward-Proto http;
    proxy_set_header X-Nginx-Proxy true;
}

}

I have no idea how to do the proper code block i guess so have a paste from my reverse proxy hosted pastebin lol https://paste.kitsuna.net/upload/snail-seal-pig

What? As long as it’s a good not Telegraphed twist it will be able to still be a good moment even if you know to expect one. You’ll be trying to figure it out the whole time and you’ll probably get it wrong multiple times along the way lol

I feel like this all started around that time that there was that article that mentioned the most popular desktop environments on Arch Linux from repo stats where KDE plasma was the highest with over double gnome.

Clearly gnome foundation salty

There’s nobody for me to join, the only family that are not horrible manipulative monsters are beyond my means of travel, currently it’s just me and the dog so there’s really no point in making an elaborate dinner for myself. So today is just me being bored and alone till friends become available again.

I don’t not celebrate it because Christian or whatever. I don’t celebrate it because there’s nobody to celebrate it with

Imagine not having an opnsense firewall deployed as an IT professional

Can you not just setup an nginx reverse proxy at the network edge to handle the ssl for the domain(s) and not have to worry about the app itself being setup for it? That’s how I’ve always managed all software personal or professional