this post was submitted on 20 Oct 2023
1 points (100.0% liked)


I'm using Cloudflare Tunnel to access my movie collection on self-hosted Jellyfin. Jellyfin accounts are behind a strong password.

Considering it's on the web, how bad is it? I'm not thinking about attacks, can I be flagged for piracy or things? Where does the ISP stand?

all 21 comments
[–] [email protected] 2 points 1 year ago (2 children)

why not have nothing exposed and just use tailscale

[–] [email protected] 1 points 1 year ago

why is this downvoted? tailscale works amazingly well..

[–] [email protected] 1 points 1 year ago (4 children)

I would suggest putting it behind an SSO service like a self-hosted Authelia or Authentik. So even if someone finds your website they will only see your authentication page and not what’s behind it.

[–] [email protected] 1 points 1 year ago (1 children)

Why would that be a benefit? Jellyfin already provides a login screen (allegedly with strong passwords)

[–] [email protected] 1 points 1 year ago (1 children)

Like I said. So even if someone finds the domain of your Jellyfin server they would only see Authentik.

And if you start with authentik you could use it for much more self hosted services so you have one big login page in front of your services.

[–] [email protected] 1 points 1 year ago

Ooh, I like the sound of that.

[–] [email protected] 1 points 1 year ago

I really gotta find a straight forward install guide for Authelia.

[–] [email protected] 1 points 1 year ago

Cloudflare offers an authentication service like that already. Really easy to set up in front of a tunnel.

[–] [email protected] 1 points 1 year ago (1 children)

How would that work with a Jellyfin client running on a device like a Chromecast dongle? The code on the dongle doesn't (IMHO) know how to log into an SSO service.

[–] [email protected] 1 points 1 year ago

You would have to exclude the */api/ path in the Authentik provider settings, so that if something wants to call the Jellyfin API (like Swiftfin) it can go around the SSO. It’s not the best practice for security but the only working way I have found.
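
The path exclusion described in the comment above can be audited before it goes live. This Python check is an added example, not part of the thread and not Authentik's own matching logic: it compares an unanchored `*/api/`-style rule with an anchored rule applied to the normalised path. The regexes, function names and request targets are constructed for illustration and are not real Jellyfin routes.

```python
import posixpath
import re
from urllib.parse import unquote, urlsplit

# Hypothetical exclusion rules modelled on the "*/api/" exclusion above.
LOOSE_RULE = re.compile(r".*/api/")   # unanchored, matched against the raw target
STRICT_RULE = re.compile(r"^/api/")   # anchored, matched against the normalised path

# Constructed request targets (not taken from a real server).
SAMPLE_TARGETS = [
    "/api/Items?limit=10",            # intended client API call
    "/web/index.html",                # UI page that should stay behind SSO
    "/web/index.html?next=/api/",     # "/api/" only appears in the query string
    "/api/%2e%2e/web/index.html",     # encoded dot segments resolve to /web/
    "/dashboard/api/keys",            # "/api/" below another prefix
]


def normalise(target: str) -> str:
    """Drop the query, percent-decode, and resolve dot segments."""
    path = unquote(urlsplit(target).path)
    trailing = "/" if path.endswith("/") else ""
    clean = posixpath.normpath("/" + path.lstrip("/"))
    # normpath strips a trailing slash; restore it so "/api/" stays a prefix.
    return clean if clean == "/" else clean + trailing


def bypasses_sso(target: str, rule: re.Pattern, normalised: bool) -> bool:
    """True if the rule would let this request skip the SSO check."""
    subject = normalise(target) if normalised else target
    return rule.match(subject) is not None


def audit(targets):
    """Map each target to (bypass under loose rule, bypass under strict rule)."""
    return {
        t: (bypasses_sso(t, LOOSE_RULE, False), bypasses_sso(t, STRICT_RULE, True))
        for t in targets
    }


def unintended(targets):
    """Targets the loose rule lets through that the strict rule keeps behind SSO."""
    return [t for t, (loose, strict) in audit(targets).items() if loose and not strict]


if __name__ == "__main__":
    for target, (loose, strict) in audit(SAMPLE_TARGETS).items():
        print(f"{target:32} loose={loose!s:5} strict={strict}")
```

Whatever exclusion is configured, the paths it lets through rely only on Jellyfin's own authentication, so they are the ones worth watching in the proxy logs.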

[–] [email protected] 1 points 1 year ago

I can't imagine an anti-piracy organisation hacking into your server for the purpose of suing you.

[–] [email protected] 1 points 1 year ago

I'm using Plex with 2FA.

[–] [email protected] 1 points 1 year ago (2 children)

My Jellyfin and Jellyseerr servers are both open to the web. Because so many people are using them, I can't sacrifice accessibility. But I have hardcore monitoring, an alert system and emergency shutdown systems in place.

[–] [email protected] 1 points 1 year ago

As long as passwords are strong it's usually fine, I use ldap through jellyfin on authentik and everyone gets a passphrase.

[–] [email protected] 1 points 1 year ago

Same situation here but my users are all just friends and family so what I did was whitelist access from my own country and blacklist everything else. Not bulletproof of course but it did cut down on unintended traffic by nearly 100%

[–] [email protected] 1 points 1 year ago (2 children)

Are Jellyfin servers behind a reverse proxy really such a big security risk?

[–] [email protected] 1 points 1 year ago

I would like to know as well, because that is my case.

Jellyfin behind NPM listening on a non-standard HTTPS port (4443) with a Let's Encrypt SSL certificate.

I serve plenty of family members with Chromecasts, smart TVs, laptops, smartphones... that may not be compatible with SSO.

[–] [email protected] 1 points 1 year ago

It's really not that bad, especially if you set up access lists. That simple configuration alone eliminates most problems from even accessing the server.

[–] [email protected] 1 points 1 year ago

And you will be banned. Cloudflare does not permit non-html traffic over their tunnels.

[–] [email protected] 1 points 1 year ago

Jellyfin is a media player. Its built-in security is more than enough for most. A lot use it for access to their own personal collections. You’re using it for your own use, you’re not distributing so doubtful anybody would care. There’s no way to know what’s there so not worth anybody’s time. Now if you were selling logins to that server and advertising the content then things would be different in the same way that if you seed pirated content they will care more than if you just leech it. For all they know you could have your personal home videos behind it or legitimate backups of physical disks you own. Hide it behind a subdomain and random path then unless somebody is looking for it they won’t stumble on it in the first place. This should be enough really. Jellyfin is designed to keep your content secure. The only way somebody official would come knocking is if they suspect there’s something to hide. Unless you tell people they have no reason to suspect. They have much bigger fish to fry.

I don’t think you have anything to worry about but you can ofc secure things further if you want to jump through a few mostly unrequired hoops.

That’s just my personal opinion. If you don’t feel safe exposing it then you shouldn’t and should set up a VPN or similar and hide it all behind that. My Jellyfin has been exposed for years. Just me and my family using it. I’ve never had anybody try to access it. Nothing exciting behind it other than family videos but nobody knows that.