• GraveyardOrbit@lemmy.zip
    18 hours ago

    My grandparents cannot access Jellyfin via VPN and it’s not safe to expose it to the web because the devs don’t take security seriously.

    • nibbler@discuss.tchncs.de
      14 hours ago

      I put mine behind a reverse proxy, like any sane person would. Configure an original SNI and you are basically invisible. (TLS 1.3, DoH/DoT make it even better, depending on your threat model, but most likely overkill.)

      • oneser@lemmy.zip
        10 hours ago

        While you are (probably?) correct, this is significantly beyond what is required to deploy Plex for a standard home server chump like me.

        I’m using Jellyfin and a few others, but am consciously putting off exposing these services to the web until I can learn enough about security to do so. Given life, this will probably take me the better part of a year…

        • nibbler@discuss.tchncs.de
          9 hours ago

          You are right to be careful here. But it certainly is also not a “requirement to deploy Jellyfin” either. It’s just a good practice to minimize attack surface, no matter what you expose. Unless it’s meant for the general public and advertised, then this makes little sense :-)

          Also, most self-hosters have at best one IP to use. This helps with the one-IP-multiple-webservices problem anyway.
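
The setup described in nibbler's two comments above (a reverse proxy that only answers for the right SNI hostname, which also lets one IP carry several web services), sketched as an nginx configuration. This is an added example, not part of the thread or any commenter's own config; the choice of nginx, the hostnames, the certificate paths and the second service are assumptions.

```nginx
# Added example. Goes inside the http {} block of nginx.conf.
# ssl_reject_handshake needs nginx 1.19.4 or newer.

# Catch-all for HTTPS: a handshake whose SNI is missing or matches no
# server_name below is aborted, so no certificate or page is returned.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_reject_handshake on;
}

# Catch-all for plain HTTP: 444 closes the connection without a response.
server {
    listen 80 default_server;
    listen [::]:80 default_server;
    return 444;
}

# Jellyfin, reachable only under its own hostname (constructed placeholder).
server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name media-7f3k.example.net;

    # Assumed paths. A wildcard certificate keeps the exact hostname out of
    # public Certificate Transparency logs.
    ssl_certificate     /etc/nginx/tls/wildcard.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.net.key;
    ssl_protocols       TLSv1.2 TLSv1.3;

    location / {
        proxy_pass http://127.0.0.1:8096;   # Jellyfin's default HTTP port
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;   # WebSocket support
        proxy_set_header Connection "upgrade";
    }
}

# A second service on the same IP and port, selected purely by hostname.
server {
    listen 443 ssl;
    server_name files-2qv9.example.net;      # constructed placeholder
    ssl_certificate     /etc/nginx/tls/wildcard.example.net.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.net.key;
    location / { proxy_pass http://127.0.0.1:8080; }   # hypothetical service
}
```

This narrows what answers on the public IP; the application's own authentication and patching still matter once a client knows the hostname.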

    • iocase@lemmy.zip
      15 hours ago

      I use Tailscale when I’m in these situations. It even works behind the most cursed CGNAT like Starlink where it’s impossible to even port forward.

      As long as your tunnel is running you just use the private IP address for your Jellyfin machine and your parents will access it like it’s local.