this post was submitted on 25 Apr 2025
81 points (97.6% liked)

Selfhosted

46357 readers
378 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
81
Sharing Jellyfin (poptalk.scrubbles.tech)
submitted 2 days ago by scrubbles@poptalk.scrubbles.tech to c/selfhosted@lemmy.world
95 comments fedilink hide all child comments
 

Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I'll need something that "just works".

How are people solving this problem? I've thought about a few solutions, like whitelisting ips (which can change of course), or setting up VPN or tail scale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.

Wondering what others have thought about for this problem

top 50 comments
sorted by: hot top controversial new old
[–] Darkassassin07@lemmy.ca 5 points 5 hours ago

I'm so tired of seeing this overblown reaction to ancient non-news.

Yes, there are some minor vulnerabilities in Jellyfin; but they really really aren't concerning.

Unauthenticated, a random person could potentially (with some prior knowledge of this specific issue, and some significant effort randomly generating media UUIDS to tryout) retrieve/playback some media unauthorized. THATS IT. That's the ONLY real concern. And it's one you could mitigate with a fail2ban filter if you were that worried about it.

The other 'issues' here, are the potential for your already authenticated users to attack each others settings. Who do you share your server with that you're concerned about them attacking each other???

Put this to bed and stop fussing over it. It's genuinely not worth your time or attention. Exposing Jellyfin to the net is fine.

Dev comment on the situation: (4 days ago) https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290

[–] jonesboyz@lemmy.world 5 points 22 hours ago (1 children)

I use a reverse proxy via NGINX Proxy Manager to expose to the web but allow easy access for my users. I pay $10 a year for a domain name to make access easier.

[–] NicestDicerest@lemmy.world 0 points 22 hours ago* (last edited 22 hours ago) (2 children)

You should maybe reconsider this for security reasons. You should implement a Whitelist or a VPN. Jellyfin is notoriously insecure software, check here:

https://github.com/jellyfin/jellyfin/issues/5415

[–] zenpocalypse@lemm.ee 3 points 4 hours ago* (last edited 4 hours ago) (1 children)

Reading over that list, I don't really see anything that isn't "maybe gets read privileges for non-critical data". Hardly useful enough to be worth attempting access to a single personal Jellyfin server.

I'd be mildly surprised if anyone has ever bothered.

You do you, but in my view the effort outweighs the benefits.

[–] NicestDicerest@lemmy.world 1 points 1 hour ago* (last edited 1 hour ago)

Sure, and its your own choice - But you should still be aware of what could/can happen, so that you can make this decisions informed. Maybe I worded it a bit too harshly, i'm sorry English is not my first language.

[–] skoell13@feddit.org 15 points 1 day ago

I use a VPS and a Wiregusrd tunnel together with geoblocking and fail2ban. I've written my setup down, maybe this will help you https://codeberg.org/skjalli/jellyfin-vps-setup

[–] non_burglar@lemmy.world 5 points 1 day ago

Oof, a lot of vitriol in this thread.

In the end, security is less about tooling and config, and more about understanding the risks and acting accordingly.

I expose jellyfin to the internet, but only to a specific public IP. That reduced my risk considerably.

[–] Getting6409@lemm.ee 10 points 1 day ago* (last edited 1 day ago)

I expose jellyfin to the internet, and some precautions I have taken that I don't see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there's no reason for jellyfin to have write access to the media it hosts. While this doesn't directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you're going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.

[–] merthyr1831@lemmy.ml 5 points 1 day ago* (last edited 1 day ago)

I have it as an unprivileged container behind a reverse proxy and HTTPS/HSTS. I know it's not perfect but I keep backups of important shit and monitor things regularly.

I agree that Jellyfin needs to improve its API security, though. Their excuse that "it would break clients on old APIs" is moot when C# comes with API versioning features out of the box.

[–] daniskarma@lemmy.dbzer0.com 42 points 2 days ago* (last edited 2 days ago) (7 children)

You can share jellyfin over the net.

The security issues that tend to be quoted are less important than some people claim them to be.

For instance the unauthorized streaming bug, often quoted as one of the worst jellyfin security issues, in order to work the attacker need to know the exact id of the item they want to stream, which is virtually impossible unless they are or have been an authorized client at some point.

Just set it up with the typical bruteforce protections and you'll be fine.

[–] MaggiWuerze@feddit.org 10 points 1 day ago (3 children)

It's not impossible, Far from it. The ids are not random uuids but hashes derived from the path. Since most people have a similar setup to organize their media, this gets trivial very fast

load more comments (3 replies)
[–] BlackEco@lemmy.blackeco.com 17 points 2 days ago* (last edited 2 days ago)

This. Just setup fail2ban or similar in front of Jellyfin and you'll be fine.

load more comments (5 replies)
[–] Shimitar@downonthestreet.eu 24 points 2 days ago (10 children)

You can share jellyfin on the net. I do.

The issues shared wide and large are mostly moot points, where the attacker needs to already have access to the jellyfin itself to have any surface.

Its FUD and I am convinced spread by Plex people in an effort to cover up their fuckup and enshittyfication.

[–] possiblylinux127@lemmy.zip 8 points 1 day ago (2 children)

That's a bad idea for so many reasons

The internet is full of bots pounding at your machines to get in. It is only a matter of time until the breach Jellyfin. At the very least you want a reverse proxy with proper security.

I don't see why you would put something like Jellyfin in the internet. Use a VPN solution.

[–] daniskarma@lemmy.dbzer0.com 7 points 1 day ago (2 children)

I have had jellyfin exposed to the net for multiple years now.

Countless bots probing everyday, some banned by my security measures some don't. There have never been a breach. Not even close.

To begin with, of you look at what this bots are doing most of them try to target vulnerabilities from older software. I have never even seen a bot targeting jellyfin at all. It's vulnerabilities are not worth attacking, too complex to get it right and very little reward as what can mostly be done is to stream some content or messing around with someo database. No monetary gain. AFAIK there's not a jellyfin vulnerability that would allow running anything on the host. Most vulnerabilities are related to unauthorized actions of the jellyfin API.

Most bots, if not all, target other systems, mostly in search of outdated software with very bad vulnerabilities where they could really get some profit.

load more comments (2 replies)
[–] dogs0n@sh.itjust.works 3 points 1 day ago (1 children)

The internet is full of bots pounding at your machines to get in. It is only a matter of time until the breach Jellyfin.

If you are talking about brute force attacks for your password, then use a good password.. and something like fail2ban to block ips that are spamming you.

This point doesn't exactly match, but: public services like google auth don't require users use vpns. They have a lot more money to keep stuff secure, but you may see my point.. auth isn't too trivial of a feature to keep secure nowadays. They implement similar protections, something to block spammers and make users have good passwords (if you dont use a good password, you are still vulnerable on any service).

[–] possiblylinux127@lemmy.zip 4 points 1 day ago

The password is totally irrelevant for the most part. The worst case is that they get access to the dashboard

The problem is when major security vulnerabilities are found like remote code execution

[–] sugar_in_your_tea@sh.itjust.works 9 points 1 day ago

I love Jellyfin and use it. I also think the security issues are very serious and it's irresponsible to not fix them. At the very least they can make a new API and give users the option to enable or disable the insecure one until clients get updated. But they don't.

I've decided to remove public access to my Jellyfin server until it's resolved, though it's still accessible behind my VPN.

load more comments (8 replies)
[–] possiblylinux127@lemmy.zip 5 points 1 day ago* (last edited 1 day ago)

Netbird/Tailscale

You also could use Wireguard as it is a p2p protocol by default.

If you have IPv6 access you could put in on a IPv6 address

[–] Chocrates@lemmy.world 13 points 2 days ago (7 children)

When I did this I set up a VPN on my network and forced anyone that wanted to use it to get on my network.

load more comments (7 replies)
[–] ch8zer@lemmy.ca 13 points 2 days ago (7 children)

AppleTV + Tailscale in and it’s been a flawless experience.

load more comments (7 replies)
[–] Xanza@lemm.ee 9 points 2 days ago (1 children)

There are two routes. VPN and VPS.

VPN; setup wireguard and offer services to your wireguard network.

VPS; setup a VPS to act as a reverse proxy for your jellyfin instance.

Each have their own perks. Each have their own caveats.

[–] possiblylinux127@lemmy.zip 3 points 1 day ago (1 children)

The VPS would still involve exposing it

[–] Xanza@lemm.ee 4 points 1 day ago

You're exposing your jellyfin instance to a single IP, your VPS. That's what a reverse proxy is.

You block all communication from any IP but local, and your VPS IP from jellyfin, and forward web traffic from your VPS to your jellyfin instance. It's not the same as exposing your jellyfin instance directly. Not sure why I have to explain that...but here we are, I guess.

[–] majestictechie@lemmy.fosshost.com 8 points 2 days ago (2 children)

I do. I run it behind a caddy service so it's secured with an SSL. The port is running on a high non standard one. I do keep checking access logs but haven't had a peep apart from the 1 person I shared it with

load more comments (2 replies)
[–] fishynoob@infosec.pub 6 points 2 days ago (1 children)

I don't do this, but I would set up oAuth like Authelia or something behind a reverse-proxy and authenticate Jellyfin clients through that.

[–] scrubbles@poptalk.scrubbles.tech 9 points 2 days ago (1 children)

that's what I'd like personally, but I don't think the clients would play nice with that

load more comments (1 replies)
load more comments
view more: next ›