I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
My setup: Locally (all in docker):
- JF for managing and local access
- JF with read only mounted volumes that uses the network of my Wireguard client container
- Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)
VPS (Oracle Cloud free tier, also everything in docker):
- Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
- fail2ban to block IPs that try to bruteforce credentials
- Wireguard server
Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can’t be changed by the user.
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.
Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup
I am interested in your docker compose
Will share this evening after work.
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
This is honestly awesome! I was thinking about a similar setup for a long time but wasn’t sure how to do this exactly, this seems exactly like the setup I was looking for. Thank you!
You’re welcome, happy that I can help. I also just updated it a bit. In case you find any issues or have questions please let me know. It was mostly trial and error until it ran…
This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?
I am currently in the ptocess to document my docker fioes and upload them to codeberg with a readme, it takes a bit, will let you know once I am done
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
Thank you! Impressive documentation work, looks like I have to learn docker first.
It’s a steep learning curve for sure but once you get the basics it’s straight forward until you hit very specific problems.
Are you a Windows or Linux user? They often want to push their Docker UI application but in my opinion docker engine with docker compose is enough. There are probably a lot of great tutorials out there and I can recommend https://www.linuxserver.io/ for images.
I’m more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?
It’s a separate container, currently in the process of writing everything up, will update once done
Thanks!
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
Thanks! I’ll read more through it when I have the chance!
OpenVPN
Or wireguard, depending where & how they want to implement it might be simpler or better/worse on hardware.
CloudFlare tunnel with Zero Trust, plus their bot and abuse blocking. Users can get in with the right oauth, plus only allowed from the countries I know they’re in. Then just their username and password on jellyfin.
I hate the cloudflare stuff making me do captchas or outright denying me with a burning passion. My fault for committing the heinous crime of using a VPN!
Skill issue
Doesn’t streaming media over a cloudflare tunnel/proxy violate their ToS
No, they removed that clause some 2 or 3 years back.
They prohibit large amounts of media being streamed, and they reserve the right to suspend or terminate accounts for it. Multiple years in, that has not happened.
Edit: here, you can read https://blog.cloudflare.com/updated-tos/
Cloudflare is known for being unreliable with how and when it enforces the ToS (especially for paying customers!). Just because they haven’t cracked down on everyone doesn’t mean they won’t arbitrarily pick out your account from thousands of others just to slap a ban on. There’s inherent risk to it
🤫
Using cloudflare tunnels means nothing is encrypted and cloudflare sees all.
Oh no they’ll see I’m watching TNG
Wireguard (or tailscale) would be best here.
setup a WAF appliance and forward traffic through it to your current installation.
WAF??
web application firewall.
think of it like an intelligent firewall proxy that can take action against perceived threats like injection attacks or timed attacks. some can also help fight against DDOS when integrated with an actual firewall upstream.
What I used to do was: I put jellyfin behind an nginx reverse proxy, on a separate vhost (so on a unique domain). Then I added basic authentication (a htpasswd file) with an unguessable password on the whole domain. Then I added geoip firewall rules so that port 443 was only reachable from the country I was in. I live in small country, so this significantly limits exposure.
Downside of this approach: basic auth is annoying. The jellyfin client doesn’t like it … so I had to use a browser to stream.
Nowadays, I put all my services behind a wireguard VPN and I expose nothing else. Only issue I’ve had is when I was on vacation in a bnb and they used the same IP range as my home network :-|
Mostly via empty threats, but occaisonally I have had to whip out the soccer ball
Whats your setup? I just Ngnix Proxy Manager, Jellyfin etc in Docker. Modify ufw rules and also install this on the server (linux) https://github.com/friendly-bits/geoip-shell
I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)
Tailscale funneled Jellyfin Keycloak (adminless)
Private Tailscale Keycloak admin Postgres dB
I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.
SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?
I’d say it’s nearly as secure as
basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.
Will say it’s not as secure as restricting access to vpn, you could be brute forced. Frankly it would be preferable to set up rate limiting, but that was a bridge too far for me
I set mine up with Authelia 2FA and restricted media deletion to one user: The administrator.
All others arent allowed to delete. Not even me.
Jellyfin is secure by default, as long as you have https. Just chose a secure passwordNo, it isn’t.
EDIT: I quickly want to add that Jellyfin is still great software. Just please don’t expose it to the public web, use a VPN (Wireguard, Tailscale, Nebula, …) instead.
Oh boy. Nope. My friends gonna have to fiddle with a VPN, forget exposing JF to the outside…
Some of these are bonkers. The argument not to fix them because of backwards compatibility is even wilder. Which normal client would need the ability to get data for any other account that it hasn’t the Auth token for.
Just make a different API prefix that’s secure and subject to change, and once the official clients are updated, deprecate the insecure API (off by default).
That way you preserve backwards compatibility without forcing everyone to be insecure.
Even just basic API versioning would be sufficient. .NET offers a bunch of ways to handle breaking changes in APIs
Wtf. Thank you
You could put authentik in front of it too
So i’ve been trying to set this up this exact thing for the past few weeks - tried all manner of different Nginx/Tailscale/VPS/Traefik/Wireguard/Authelia combos, but to no avail
I was lost in the maze
However, I realised that it was literally as simple as setting up a CloudFlare Tunnel on my particular local network I wanted exposed (in my case, the Docker network that runs the JellyFin container) and then linking that domain/ip:port within CloudFlare’s Zero Trust dashboard
Cloudflare then proxies all requests to your public domain/route to your locally hosted service, all without exposing your private IP, all without exposing any ports on your router, and everything is encrypted with HTTPS by default
And you can even set up what looks like pretty robust authentication (2FA, limited to only certain emails, etc) for your tunnel
Not sure what your use case is, but as mine is shared with only me and my partner, this worked like a charm
I’m pretty sure that using Jellyfin over Cloudflare tunnels is against their TOS, just FYI. I’m trying to figure out an alternative myself right now because of that.
I just moved from that. I now have Traefik on aVPS with a Wireguard server that my home router connects to (Immich IP forwarded in the config of WG).
Thanks for mentioning. I ended up using a Tailscale funnel and everything is running swimmingly so far.
Pay attention to your email, when cloudflare decides to warn you for this (they will, it’s very very much against TOS) they’ll send you an email, if you don’t remove the tunnel ASAP, your entire account will be terminated.
Why would Cloudflare warn me against a service they themselves offer? The email authentication is all managed by them
You’re not allowed to tunnel video traffic.
I use Pangolin (https://github.com/fosrl/pangolin)
I was thinking of setting this up recntly after seeing it on Jim’s garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
I use it for all of my external services. It’s just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
URL is 404
remove the brace at the end
It’s not, though?
Uhh, interesting! Thanks for sharing.
For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.
For full access including native clients, set up a VPN.
I use Tailscale right now. Which, in fairness, I didn’t state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.
Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn’t look like it will be implemented any time soon. As with many OSS projects it is probably a case of “you want it, you build it” - but nobody has actually stepped up.
My setup is: Proxmox - restricted LXC running docker which runs jellyfin, tailscale funnel as reverse proxy and certificate provider. So so don’t care about jellyfin security, it can get hacked / broken , its an end road. If so i will delete the LXC and bring it up again using backups. Also i dont think someone will risk or use time to hack a jellyfin server. My strategy is, with webservices that don’t have critical personal data, i have them isolated in instances. I don’t rely on security on anything besides the firewall. And i try not to have services with personal sensitive data, and if i do, on my local lan with the needed protections. If i need access to it outside my local lan, vpn.
