this post was submitted on 13 Nov 2023
2 points (100.0% liked)

Self-Hosted Main

511 readers
1 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

For Example

We welcome posts that include suggestions for good self-hosted alternatives to popular online services, how they are better, or how they give back control of your data. Also include hints and tips for less technical readers.

Useful Lists

founded 1 year ago
MODERATORS
 

This seems too straightforward, what's the catch?

Like how secure is it? Should I be turning it off (and disabling the port forwarding) when not using it?

Do I need any additional security? Mainly just want to use it for Jellyfin

Thanks

you are viewing a single comment's thread
view the rest of the comments
[–] [email protected] 2 points 11 months ago

I would not directly expose Jellyfin to the Internet (including reverse proxy) because of security issues they've had. And no, a reverse proxy (like Caddy) doesn't usually add much insecurity or security^.

The thing I currently do is use forward_auth w/ Authelia (from anywhere, you could also use basic_auth though the UX sucks) but bypass it for the app in private IP ranges (aka at home or in VPN):

jellyfin.example {
        @notapp {
                not {
                        header User-Agent *Jellyfin*
                        client_ip private_ranges
                }
        }

        forward_auth @notapp localhost:8080 {
                uri /api/verify?rd=https://authelia.example/
        }
        reverse_proxy 192.168.1.44:8080
}

Apps get to continue working, and I can access it from my phone without a VPN setup (because it's annoying and I only look at metadata on my phone anyway).

You can also do a simpler config (which I used to do) where you just give an HTTP Unauthorized for anything outside of private ranges (this lets you do the HTTP challenge for a certificate while still not exposing Jellyfin to the general internet).

^You can configure more security by doing authentication in the reverse proxy so that anyone trying to attack services behind it must first authenticate with the reverse proxy, but this is not the default. Security-wise this ends up similar to forcing all access through a VPN first, if a little harder to setup.