this post was submitted on 31 Mar 2025
211 points (98.2% liked)

Selfhosted

45411 readers
541 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
211
How to secure Jellyfin hosted over the internet? (programming.dev)
submitted 3 days ago by lambda@programming.dev to c/selfhosted@lemmy.world
141 comments fedilink hide all child comments
 

I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

top 50 comments
sorted by: hot top controversial new old
[–] CapitalNumbers@lemm.ee 1 points 19 hours ago* (last edited 18 hours ago) (2 children)

So i’ve been trying to set this up this exact thing for the past few weeks - tried all manner of different Nginx/Tailscale/VPS/Traefik/Wireguard/Authelia combos, but to no avail

I was lost in the maze

However, I realised that it was literally as simple as setting up a CloudFlare Tunnel on my particular local network I wanted exposed (in my case, the Docker network that runs the JellyFin container) and then linking that domain/ip:port within CloudFlare’s Zero Trust dashboard

Cloudflare then proxies all requests to your public domain/route to your locally hosted service, all without exposing your private IP, all without exposing any ports on your router, and everything is encrypted with HTTPS by default

And you can even set up what looks like pretty robust authentication (2FA, limited to only certain emails, etc) for your tunnel

Not sure what your use case is, but as mine is shared with only me and my partner, this worked like a charm

[–] vodka@lemm.ee 1 points 5 hours ago

Pay attention to your email, when cloudflare decides to warn you for this (they will, it's very very much against TOS) they'll send you an email, if you don't remove the tunnel ASAP, your entire account will be terminated.

[–] chriscrutch@lemm.ee 2 points 14 hours ago

I'm pretty sure that using Jellyfin over Cloudflare tunnels is against their TOS, just FYI. I'm trying to figure out an alternative myself right now because of that.

[–] Hawk@lemmynsfw.com 2 points 1 day ago

Wireguard (or tailscale) would be best here.

[–] SpaceCadet@feddit.nl 7 points 2 days ago

What I used to do was: I put jellyfin behind an nginx reverse proxy, on a separate vhost (so on a unique domain). Then I added basic authentication (a htpasswd file) with an unguessable password on the whole domain. Then I added geoip firewall rules so that port 443 was only reachable from the country I was in. I live in small country, so this significantly limits exposure.

Downside of this approach: basic auth is annoying. The jellyfin client doesn't like it ... so I had to use a browser to stream.

Nowadays, I put all my services behind a wireguard VPN and I expose nothing else. Only issue I've had is when I was on vacation in a bnb and they used the same IP range as my home network :-|

[–] Kusimulkku@lemm.ee 6 points 2 days ago

I've put it behind WireGuard since only my wife and I use it. Otherwise I'd just use Caddy or other such reverse proxy that does https and then keep Jellyfin and Caddy up to date.

[–] dan@upvote.au 55 points 3 days ago* (last edited 3 days ago) (1 children)

Is it just you that uses it, or do friends and family use it too?

The best way to secure it is to use a VPN like Tailscale, which avoids having to expose it to the public internet.

This is what I do for our security cameras. My wife installed Tailscale on her laptop and phone, created an account, and I added her to my Tailnet. I created a home screen icon for the Blue Iris web UI on her phone and mentioned to her, "if the cameras don't load, open Tailscale and make sure it's connected". Works great - she hasn't complained about anything at all.

If you use Tailscale for everything, there's no need to have a reverse proxy. If you use Unraid, version 7 added the ability to add individual Docker containers to the Tailnet, so each one can have a separate Tailscale IP and subdomain, and thus all of them can run on port 80.

[–] paequ2@lemmy.today 17 points 3 days ago (18 children)

if the cameras don’t load, open Tailscale and make sure it’s connected

I've been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it's an extra thing you have to manage.

It's almost annoying enough to make me want to host my services on the actual internet....... almost... but not yet.

[–] fmstrat@lemmy.nowsci.com 1 points 5 hours ago

Try WG Tunnel instead. It will reconnect on loss, but you lose the Tailscale features (no big deal with dynamic DNS)

[–] Lem453@lemmy.ca 15 points 3 days ago (19 children)

I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can't stay open.

load more comments (19 replies)
[–] Byter@lemmy.one 7 points 3 days ago (1 children)

If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I've used this on stock Pixel and GrapheneOS.

Under Settings > Network and internet > VPN

Tap the Cog icon next to Tailscale and select Always-on VPN.

load more comments (1 replies)
load more comments (15 replies)
[–] GreenKnight23@lemmy.world 3 points 2 days ago (1 children)

setup a WAF appliance and forward traffic through it to your current installation.

[–] lambda@programming.dev 1 points 1 day ago (1 children)

WAF??

[–] GreenKnight23@lemmy.world 1 points 1 day ago

web application firewall.

think of it like an intelligent firewall proxy that can take action against perceived threats like injection attacks or timed attacks. some can also help fight against DDOS when integrated with an actual firewall upstream.

[–] gagootron@feddit.org 7 points 2 days ago (4 children)

I use good ol' obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works. And since i don't post my valid urls anywhere no web-scraper can find them. This filters out 99% of bots and the rest are handled using authelia and crowdsec

[–] Nibodhika@lemmy.world 2 points 1 day ago

If you're using jellyfin as the url, that's an easily guessable name, however if you use random words not related to what's being hosted chances are less, e.g. salmon.example.com . Also ideally your server should reply with a 200 to * subdomains so scrappers can't tell valid from invalid domains. Also also, ideally it also sends some random data on each of those so they don't look exactly the same. But that's approaching paranoid levels of security.

[–] ocean@lemmy.selfhostcat.com 3 points 1 day ago (1 children)

That’s not how web scrappers work lol. No such thing as obscurity except for humans

[–] gagootron@feddit.org 1 points 1 day ago (1 children)

It seems to that it works. I don't get any web-scrapers hitting anything but my main domain. I can't find any of my subdomains on google.

Please tell me how you believe that it works. Maybe i overlooked something...

[–] ocean@lemmy.selfhostcat.com 0 points 1 day ago

My understanding is that scrappers check every domain and subdomain. You’re making it harder but not impossible. Everything gets scrapped

It would be better if you also did IP whitelisting, rate limiting to prevent bots, bot detection via cloudflare or something similar, etc.

[–] andreluis034@bookwormstory.social 8 points 2 days ago

Are you using HTTPS? It's highly likely that your domains/certificates are being logged for certificate transparency. Unless you're using wildcard domains, it's very easy to enumerate your sub-domains.

[–] sludge@lemmy.ml 6 points 2 days ago* (last edited 2 days ago) (6 children)

And since i don't post my valid urls anywhere no web-scraper can find them

You would ah... be surprised. My urls aren't published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.

It's true none of those threat actors know my valid subdomains, but that doesn't mean they don't know I'm there.

load more comments (6 replies)
[–] Rookeh@startrek.website 29 points 3 days ago* (last edited 3 days ago) (2 children)

For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.

For full access including native clients, set up a VPN.

load more comments (2 replies)
[–] skoell13@feddit.org 34 points 3 days ago* (last edited 2 days ago) (11 children)

My setup: Locally (all in docker):

  • JF for managing and local access
  • JF with read only mounted volumes that uses the network of my Wireguard client container
  • Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn't manage it otherwise)

VPS (Oracle Cloud free tier, also everything in docker):

  • Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
  • fail2ban to block IPs that try to bruteforce credentials
  • Wireguard server

Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can't be changed by the user.

So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn't have to open any ports on my side. If someone is interested I can share the docker compose files later.

Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup

[–] CarlosSpicyWiener@lemmy.world 11 points 3 days ago (2 children)

I am interested in your docker compose

[–] skoell13@feddit.org 12 points 3 days ago

Will share this evening after work.

[–] skoell13@feddit.org 5 points 2 days ago (1 children)

https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it's helpful, might contain a few errors since I had to remove some settings but I guess this should work.

[–] shaserlark@sh.itjust.works 2 points 1 day ago (1 children)

This is honestly awesome! I was thinking about a similar setup for a long time but wasn’t sure how to do this exactly, this seems exactly like the setup I was looking for. Thank you!

[–] skoell13@feddit.org 2 points 1 day ago

You're welcome, happy that I can help. I also just updated it a bit. In case you find any issues or have questions please let me know. It was mostly trial and error until it ran..

load more comments (10 replies)
[–] drmoose@lemmy.world 16 points 3 days ago (4 children)

Tailscale is awesome. Alternatively if you're more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.

[–] irmadlad@lemmy.world 6 points 3 days ago

Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.

load more comments (3 replies)
[–] Batman@lemmy.world 7 points 2 days ago (1 children)

I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)

Tailscale funneled Jellyfin Keycloak (adminless)

Private Tailscale Keycloak admin Postgres dB

I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.

[–] lambda@programming.dev 3 points 2 days ago (1 children)

SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?

[–] Batman@lemmy.world 2 points 1 day ago* (last edited 1 day ago) (1 children)

I'd say it's nearly as secure as

basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.

Will say it's not as secure as restricting access to vpn, you could be brute forced. Frankly it would be preferable to set up rate limiting, but that was a bridge too far for me

[–] Appoxo@lemmy.dbzer0.com 2 points 1 day ago

I set mine up with Authelia 2FA and restricted media deletion to one user: The administrator.
All others arent allowed to delete. Not even me.

[–] fennec@lemm.ee 3 points 2 days ago

Whats your setup? I just Ngnix Proxy Manager, Jellyfin etc in Docker. Modify ufw rules and also install this on the server (linux) https://github.com/friendly-bits/geoip-shell

[–] borax7385@lemmy.world 20 points 3 days ago (1 children)

I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy

[–] nullPointer@programming.dev 13 points 3 days ago

also have jellyfin disable the account after a number of failed logins.

[–] KingThrillgore@lemmy.ml 6 points 2 days ago

Use a VPN like Tailscale

[–] jagged_circle@feddit.nl 7 points 3 days ago (2 children)

I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.

So first I have to auth into that site with basic auth, then I load jellyfin on the other port.

load more comments (2 replies)
load more comments
view more: next ›