Hello. I have just recently started with self hosting my media with Jellyfin… and I am LOVING it! I had been carrying around media players for decades, with everyone looking at me like an insane crank for not giving up on my hundreds of gigs of media for SaaS things like Spotify… now they’re jealous! We’ve come full circle!

Annnyway. Obviously, I want to access the server anywhere, and don’t want to just raw-dog an open port to the internet. Yikes!

There are SO MANY ways and guides and thoughts on this, I’m a bit overwhelmed and looking for your thoughts on the best way to start off… it doesn’t have to be ‘fort knox’ and I am sure I’ll adjust and pivot as I learn more… but here are the options I know of (did I miss any?):

  • Tailscale VPN connection

  • Reverse Proxy with Caddy or similar (this is recommended as easy in the Jellyfin official guides and thus is my current leading contender!)

  • Docker/VM ‘containerized’ server with permissions/access control

What are your thoughts on the beginner-friendliness and ease of setup/management of these? This is exclusively for use by me and my family, so I don’t need something that’s easy for anyone to access with credentials… just our handful of devices.

Please don’t laugh, but I’m currently hosting on a Raspberry Pi 5 with a big-ass hard drive attached (using CasaOS on a headless Ubuntu Server). I know this is JANK as far as self-hosting goes, and plan to upgrade to something like a NAS in the future, but I’m still researching and learning, and aside from shitty video transcoding, it’s working fine for now… Thank you in advance for your advice, help and thoughts!

EDIT: Thanks all for the helpful comments & Suggestions. I’m all set up with Tailscale, setting up Caddy with it soon, and so far, as advertised! EZPZ and soooo good!

  • frongt@lemmy.zip · 21 days ago · ↑34 ↓9

    VPN. Jellyfin is not intended for direct exposure to the Internet.

    You should run it in docker anyway for convenience. A reverse proxy is optional, but I use traefik also for convenience (so that I can just use domain names on the same port, and so that it can automatically fetch certs).

      • frongt@lemmy.zip · 20 days ago · ↑2 ↓2

        I don’t think jellyfin supports that either. I tried it a while back and only saw partial success.

        • cyberwolfie@lemmy.ml · 19 days ago · ↑2

          What does Jellyfin have to do with that? If you implement access control in the reverse proxy, requests from non-whitelisted IPs are just not forwarded to Jellyfin.

    • Profligate_parasite@lemmy.world (OP) · 20 days ago · ↑1

      Yes, that’s the whole reason for the post, as I said above. When you say “docker anyway for convenience” what do you mean? What’s the benefit of docker? Do you have any resources that would let someone entirely new to docker understand/guide through it? You mention Traefik as well… never heard of it till this post… what is it? Why is it convenient?

      • frongt@lemmy.zip · 20 days ago · ↑2

        Docker packs the whole application and its dependencies into a container, hence the name. You can run and delete that application as much as you want without affecting the host system. (But you should probably keep your media library and config outside the container, and use a bind mount. The setup documentation covers this.)
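The container setup frongt describes (config and media kept outside the container via bind mounts), as an added example that is not from the thread or from the Jellyfin project, with one security point the comment leaves implicit: publish the port on one chosen address (loopback for a reverse proxy on the same host, or the Tailscale address for a VPN-only setup) rather than on every interface. The paths `/srv/jellyfin`, `/srv/media`, uid/gid `1000` and the `jellyfin/jellyfin` image are assumptions for the example.

```shell
#!/bin/sh
# Added example (not from the thread): start Jellyfin in Docker so that it is reachable only on
# one deliberately chosen address. Assumed placeholders: official jellyfin/jellyfin image,
# config under /srv/jellyfin, media under /srv/media, unprivileged uid/gid 1000.
set -eu

# Return 0 if $1 is a safe address to publish Jellyfin on: loopback (reverse proxy on the same
# host), the Tailscale/CGNAT range 100.64.0.0/10, or an RFC 1918 LAN address.
# 0.0.0.0 ("every interface") and public addresses are refused.
publish_addr_ok() {
    case "$1" in *[!0-9.]*|'') return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    case "$1" in
        127) return 0 ;;
        10)  return 0 ;;
        100) [ "$2" -ge 64 ] && [ "$2" -le 127 ] && return 0 ;;
        172) [ "$2" -ge 16 ] && [ "$2" -le 31 ] && return 0 ;;
        192) [ "$2" -eq 168 ] && return 0 ;;
    esac
    return 1
}

# Print the "docker run" argument list (one per line) for publish address $1.
# Media is mounted read-only and the container runs as an unprivileged uid, so a compromised
# Jellyfin can neither modify the library nor act as root inside the container.
jellyfin_run_args() {
    addr=$1
    publish_addr_ok "$addr" || { echo "refusing to publish Jellyfin on $addr" >&2; return 1; }
    printf '%s\n' \
        run -d --name jellyfin --restart unless-stopped \
        --user 1000:1000 \
        -p "$addr:8096:8096" \
        -v /srv/jellyfin/config:/config \
        -v /srv/jellyfin/cache:/cache \
        -v /srv/media:/media:ro \
        jellyfin/jellyfin
}

# Usage: sh jellyfin-docker.sh --run 127.0.0.1   (omit --run to only validate the arguments)
if [ "${1:-}" = "--run" ]; then
    # shellcheck disable=SC2046  (the generated arguments contain no whitespace)
    docker $(jellyfin_run_args "${2:-127.0.0.1}")
fi
```

The address check matters more with Docker than with a bare install: Docker inserts its own iptables chains ahead of the host's INPUT rules, so a `-p 8096:8096` (implicitly `0.0.0.0`) is reachable even when ufw or a similar host firewall "blocks" the port. Binding to `127.0.0.1` or to the Tailscale address is the reliable way to keep Jellyfin off the LAN and the internet; the reverse proxy or VPN then becomes the only door.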

  • non_burglar@lemmy.world · 21 days ago (edited) · ↑11

    I think the big deciding factor is how many folks will be watching remotely.

    For my case, I use a VPN to tunnel back to my network and watch jellyfin that way. My son also lives away and watches jellyfin, but for him I simply punch a hole in my firewall for only his public ip, which doesn’t change much.

    This works for me, but if I had to host for any more people, I would likely go the Caddy route.

  • ohshit604@sh.itjust.works · 20 days ago (edited) · ↑8

    I opted to remove Jellyfin’s default login form and require Keycloak for SSO. My Jellyfin instance is technically facing the internet, but my reverse proxy has Fail2Ban in front of it blocking non-whitelisted IPs. This makes it easier to share with other people compared to having to explain VPNs to non-tech-savvy people.
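The check that the Fail2Ban setup above automates, as an added example that is not from the thread or from the Jellyfin or Fail2Ban projects: tally Jellyfin's denied-login log lines per source IP and report the addresses that crossed a threshold. The log lines in the block are constructed for this example in the shape of Jellyfin's "Authentication request for ... has been denied (IP: ...)" message; confirm the exact wording against your own `/config/log` before relying on the pattern.

```shell
#!/bin/sh
# Added example (not from the thread): a minimal fail2ban-style tally of denied Jellyfin logins
# per source IP. The sample log below is constructed for this example.
set -eu

# Print each IP with at least $1 denied authentication attempts in the log read from stdin.
# The sed pattern captures the quoted address from Jellyfin's denial message; sort|uniq -c
# counts per address; awk keeps those at or above the threshold.
failed_login_ips() {
    threshold=$1
    sed -n 's/.*Authentication request for .* has been denied (IP: "\([^"]*\)").*/\1/p' |
        sort | uniq -c |
        awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Constructed sample log: four denials from 203.0.113.5, one from 198.51.100.9, one unrelated line.
sample_log() {
    cat <<'EOF'
[2024-05-01 10:00:01.000 +00:00] [INF] [12] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "alice" has been denied (IP: "203.0.113.5").
[2024-05-01 10:00:02.000 +00:00] [INF] [12] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "admin" has been denied (IP: "203.0.113.5").
[2024-05-01 10:00:03.000 +00:00] [INF] [9] Emby.Server.Implementations.Session.SessionManager: Playback started for "bob"
[2024-05-01 10:00:04.000 +00:00] [INF] [12] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "root" has been denied (IP: "203.0.113.5").
[2024-05-01 10:00:05.000 +00:00] [INF] [12] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "dad" has been denied (IP: "198.51.100.9").
[2024-05-01 10:00:06.000 +00:00] [INF] [12] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "test" has been denied (IP: "203.0.113.5").
EOF
}

# Usage: sh jellyfin-denials.sh --demo   (prints 203.0.113.5 for the constructed sample)
if [ "${1:-}" = "--demo" ]; then
    sample_log | failed_login_ips 3
fi
```

The same pattern in fail2ban's failregex syntax is `^.*Authentication request for .* has been denied \(IP: "<ADDR>"\)\.`, with `<ADDR>` standing in for the captured address. One caveat when Jellyfin sits behind a reverse proxy: the IP in that log line is the proxy's own address unless the proxy is listed under Known proxies in Jellyfin's networking settings, and a ban would then lock out the proxy rather than the attacker. The ban itself must be enforced at the proxy or host firewall, in front of the container, not inside it.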

  • ctry21@sh.itjust.works · 21 days ago · ↑6

    I’ve tried Tailscale and Cloudflare Tunnels in the past and ended up just using PiVPN to set up a WireGuard VPN on my Pi 5. Tailscale for some reason was very slow for me, and Cloudflare Tunnels have a 100 MB limit IIRC, which isn’t ideal for streaming. PiVPN is quite straightforward: it sets everything up for you and all you have to do is forward a UDP port. That was the bit I was most worried about, but, unless I’ve misunderstood something, because a UDP port will just ignore invalid requests, to the outside world it will appear closed, so it’s not very risky. It then generates a key for each device which you can scan from a QR code into your VPN client. I have my phone set to auto-connect to the tunnel when I disconnect from my home Wi-Fi network, and the tunnel is fast enough that I’ve accidentally turned off my phone’s Wi-Fi connection before and streamed a TV show through the tunnel over mobile data without noticing any difference in speed.

    • bread@sh.itjust.works · 21 days ago · ↑3

      I hadn’t thought to automate connecting to WireGuard when not on my home network, that’s a good call. I’ve just set up Tasker on my phone and tablet.

  • BaroqueInMind@piefed.social · 21 days ago (edited) · ↑5

    I hide it behind Cloudflare. Since most of the world pays them for domain security, and if Cloudflare goes down so does half the internet, I thought I’d try them out. Best decision I’ve made. They blocked substantial DDoS attempts on my IP and a fuck ton of malicious web scrapers that attempt CVEs, and they also allow me to give very specific users access to my domain using complex allow lists, zero-trust, and DNS over HTTPS.

        • Spaz@lemmy.world · 21 days ago · ↑1 ↓2

          Others have recently reported being banned if more than one stream is running. FYI.

      • AmazingAwesomator@lemmy.world · 21 days ago · ↑3

        Not the person you replied to, but I have been using Cloudflare Zero Trust for my streaming needs; I have not gotten a complaint yet.

        Just make sure you have the upload bandwidth.



  • Possibly linux@lemmy.zip · 21 days ago · ↑6 ↓2

    Put Jellyfin behind something else that requires authentication before you can access Jellyfin at all.

    • MaggiWuerze@feddit.org · 20 days ago · ↑8

      Which breaks basically every client, since none of them can deal with basic auth getting in the way.

        • MaggiWuerze@feddit.org · 20 days ago (edited) · ↑1

          Yeah, and that kills Jellyfin as a drop-in replacement for Plex. I would’ve deployed it years ago with a subdomain and given it to friends if it was as easily shareable as Plex.

          • Possibly linux@lemmy.zip · 20 days ago · ↑1

            I personally wouldn’t expose anything to the internet. You could always set up a computer on a different network that routes traffic over Netbird.

            • MaggiWuerze@feddit.org · 20 days ago · ↑1

              That doesn’t solve the glaring security issues Jellyfin has. It just changes the computer through which they are accessed.

              • Possibly linux@lemmy.zip · 20 days ago (edited) · ↑1

                It does, though.

                Do not expose Jellyfin to the internet. Local network is mostly fine, since the real threats are the bots.

  • ksyko@lemmy.world · 20 days ago · ↑3

    I use Netbird. I found it easy to set up and they also have an Android app. You also get a neat URL for each device. I haven’t tried any other options apart from this and WireGuard. WireGuard wasn’t easy to set up for me.

  • Egonallanon@feddit.uk · 21 days ago · ↑3

    Caddy + CrowdSec + some kind of auth solution is what I’m aiming for, though I haven’t got Authentik working with it yet so I haven’t opened it up yet. I wouldn’t want to do Jellyfin without the auth solution though, as its local stuff isn’t so robust.

    VPN in and a few local users would be the most secure if you haven’t got too many folks connecting.

  • cyberwolfie@lemmy.ml · 19 days ago · ↑1

    I have mine behind a reverse proxy (Nginx Proxy Manager), and use a whitelist to allow specific IPs or IP ranges access so my family can use it.
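The reverse-proxy allow-list that cyberwolfie describes here and earlier in the thread (requests from non-whitelisted IPs are never forwarded to Jellyfin), written for Caddy since that is the OP's leading contender, as an added example that is not from the thread or from the Caddy or Jellyfin projects. It assumes Jellyfin listens on `127.0.0.1:8096`, the public name `jellyfin.example.com`, and the RFC 5737 documentation addresses `203.0.113.0/24` and `198.51.100.7` standing in for the family's addresses; all three are placeholders.

```shell
#!/bin/sh
# Added example (not from the thread): generate a Caddyfile that forwards only allow-listed
# source addresses to Jellyfin and aborts everything else before it reaches the application.
# Assumed placeholders: jellyfin.example.com, upstream 127.0.0.1:8096, and RFC 5737
# documentation ranges used as the "family" addresses.
set -eu

# Return 0 if $1 is a syntactically valid IPv4 address or CIDR block (a.b.c.d or a.b.c.d/n),
# so that a typo in the allow-list fails here instead of quietly matching nothing in Caddy.
valid_cidr() {
    case "$1" in *[!0-9./]*|'') return 1 ;; esac
    ip=${1%/*}
    prefix=${1#*/}
    [ "$prefix" != "$1" ] || prefix=32          # no "/" present: a single host
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    old_ifs=$IFS; IFS=.; set -- $ip; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
    return 0
}

# Print a Caddyfile for site $1 proxying to $2; the remaining arguments are allowed IPs/CIDRs.
# Caddy's remote_ip matcher compares the TCP peer address and "abort" closes the connection
# without a response, so unlisted clients never receive a byte from Jellyfin. Caddy obtains
# the TLS certificate for the site name on its own.
gen_caddyfile() {
    site=$1; upstream=$2; shift 2
    for cidr in "$@"; do
        valid_cidr "$cidr" || { echo "bad allow-list entry: $cidr" >&2; return 1; }
    done
    printf '%s {\n' "$site"
    printf '    @denied not remote_ip %s\n' "$*"
    printf '    abort @denied\n'
    printf '    reverse_proxy %s\n' "$upstream"
    printf '}\n'
}

# Usage: sh caddy-allowlist.sh --print > Caddyfile
if [ "${1:-}" = "--print" ]; then
    gen_caddyfile jellyfin.example.com 127.0.0.1:8096 203.0.113.0/24 198.51.100.7
fi
```

Two caveats a practitioner would want. `remote_ip` is the address of the TCP peer, which an outside client cannot forge on a direct connection; if Caddy itself sits behind Cloudflare or another proxy, the peer is that proxy, and Caddy's `client_ip` matcher together with a `trusted_proxies` setting is what you want instead. And an IP allow-list is a network control, not authentication: a family member on a dynamic or mobile address will fall off the list, and anyone sharing an allowed address (a coffee-shop NAT, say) gets through to Jellyfin's own login, so the Jellyfin passwords still have to be strong. For the VPN-only setup the OP ended up with, the same file works with the Tailscale range `100.64.0.0/10` as the only allowed entry.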

  • nfreak@lemmy.ml · 21 days ago · ↑1 ↓1

    Pangolin with an Authentik login required. Jellyfin’s set up with OIDC too, but that’s more for convenience than security (especially since password auth doesn’t seem possible to disable, so it’s just hidden with CSS, which does jack shit for security).

    I’m paranoid, so I only expose 3 services total without Pangolin/Authentik in front of them: Authentik itself, headscale, and Navidrome’s REST endpoint (the last one skeeves me a bit, but it’s mandatory for it to work remotely in the situations I want it, like a web player on work machines). Anything else I personally need remote access to, I can get through Tailscale. Pangolin for me covers friends and family usage and a few niche situations.

  • the_q@lemmy.zip · 21 days ago (edited) · ↑6 ↓14

    Waiting for replies.

    Edit: What’s with the downvotes? I just commented to bookmark. Geesh.