🚀 Jellyfin Server 10.11.7
We are pleased to announce the latest stable release of Jellyfin, version 10.11.7! This minor release brings several bugfixes to improve your Jellyfin experience. As alway...
Which doesn’t work for The grand majority of devices that would be used to watch said media.
Tvs game consoles rokus so on so forth typically don’t support VPN clients.
The Jonathan clients for these devices also typically don’t support alternative authentication methods which would allow you to put jellyfin behind a proxy and have the proxy exposed to the internet. Gating all access to jellyfin apis behind a primary authentication layer thus mitigating effectively all security vulnerabilities that are currently open.
you are better just closing up shop then, because it’s not like the other services you are hosting are much better. vulnerabilities being discovered don’t mean they don’t exist, it just means the software is not popular enough or too complex for someone to look into it
much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don’t see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don’t recommend these practices to anyone, because you are putting them at risk.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.
And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
Kinda defeats the purpose of a media server built to be used by multiple people
No need to expose jellyfin to the internet if you selectively allow peers on your lan via wireguard.
Which doesn’t work for The grand majority of devices that would be used to watch said media.
Tvs game consoles rokus so on so forth typically don’t support VPN clients.
The Jonathan clients for these devices also typically don’t support alternative authentication methods which would allow you to put jellyfin behind a proxy and have the proxy exposed to the internet. Gating all access to jellyfin apis behind a primary authentication layer thus mitigating effectively all security vulnerabilities that are currently open.
Easy for me but not my aunts, cousins or father in law to setup and use.
they are not setting up the Jellyfin server either, why would they need to bother with the VPN?
They’re connecting to it.
yeah, it’s the operator’s job to help setting that up
Nor will the VPN work on things like their TV or Roku or game console. You know the things that people typically sit down and watch media on…
Wireguard and possibly openvpn work on Android TVs. I set it up for my mom. Not sure about other OSs.
This attitude is why Plex remains popular.
I’d rather just not use it at that point
you are better just closing up shop then, because it’s not like the other services you are hosting are much better. vulnerabilities being discovered don’t mean they don’t exist, it just means the software is not popular enough or too complex for someone to look into it
lol the whole internet better shut down right? Too vulnerable
much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don’t see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don’t recommend these practices to anyone, because you are putting them at risk.
I mean I do this stuff for a living but okay go off king
would not ever use your services in that case
Thank god
Fair, you do you, I get a lot of value out of it instead.
The difference is that my friends get a lot of value out of my server, as they don’t need to use any technology they’re unfamiliar with.
Use a VPN, it’s not ideal but it’s secure.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.
Those ones?
Also putting a VPN in someone else’s house so that all their Network traffic goes through your gateway is pretty damn extreme.
What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.
And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
Reverse proxy doesn’t really get you much security. If there is an application level issue a reverse proxy will not help
Hmmm, I’m a bit rusty on this but can’t one put an auth gate in front of the application, handled by the reverse proxy?
You can, that would actually give you security. Not sure how many people do that. I assumed a straight reverse proxy without any auth
I see thanks. I’ll think about it more.