Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I’ll need something that “just works”.
How are people solving this problem? I’ve thought about a few solutions, like whitelisting ips (which can change of course), or setting up VPN or tail scale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.
Wondering what others have thought about for this problem
AppleTV + Tailscale in and it’s been a flawless experience.
How do you do a tailscale with apple tv?
You can install it right on the TV, they have a first party app.
Right the jellyfin side, but how do you get it to go through tailscale? I’m not as familiar with tailscale, I only use openvpn
tvOS supports VPN connections directly on the Apple TV. Haven’t tried it myself but I assume you just download the Tailscale app, set it up, and then it should just work.
Thanks! Interesting they support them now!
Tailscale has an AppleTV app, just download it and add it to your talent.
Ohhh okay! Interesting, and thank you!
Hang on, why not open the port to jellyfin to the internet?
I have a lifetime Plex pass so its not urgent but I have a containers running emby and jellyfin to check them out. When I decide which one I planned to open it up and give people logins.
See this issue on their github repo: here
Basically from what I understand there’s loads of unauthenticated api calls, so someone can very easily exploit that.
If they just supported mTLS in their clients it wouldn’t be an issue but oh well :(
The main unauthenticated action is video streaming, but an attacker would need to guess the correct id by chance.
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
It’s not chance if the I’d is based on the path to your media. There’s but that much variation in the path to a certain movie and its trivial to build a rainbow table to try them out. This way unauthenticated users can not only stream from your server but effectively map your library
That wouldn’t even be using TLS
Bad idea
I do. I run it behind a caddy service so it’s secured with an SSL. The port is running on a high non standard one. I do keep checking access logs but haven’t had a peep apart from the 1 person I shared it with
That port changing stuff is way outdated and hasn’t been effective for a long time.
A quick scan will show it ofcourse. But it stops bots and stuff just hitting “known” ports. I’ve not had any issues in the months it’s been active compared to the previous month’s I just used the standard port
Oof, a lot of vitriol in this thread.
In the end, security is less about tooling and config, and more about understanding the risks and acting accordingly.
I expose jellyfin to the internet, but only to a specific public IP. That reduced my risk considerably.
I use a VPS and a Wiregusrd tunnel together with geoblocking and fail2ban. I’ve written my setup down, maybe this will help you https://codeberg.org/skjalli/jellyfin-vps-setup
Reverse proxy with CrowdSec, which has setups specifically for Jellyfin. Docker for everything.
Now that’s interesting, what is the purpose of the reverse proxy, don’t you still need something exposed then?
The reverse proxy is the part that’s exposed. CrowdSec watches the logs for intrusion attempts like fail2ban would.
A reverse proxy saves you from having to expose your services directly and acts as a go-between.
Internet <--> Reverse Proxy <--> ServiceRight, but what exactly does the reverse proxy do to stop intrusion?
Think of it as more modular.
I personally used Traefik, but only because I’m a masochist and it would be useful to know in IT workplace.
Traefik + CrowdSec + CowdSec Traefik Bouncer.
Traefik handles the traffic, and said traffic has to get a green light from CrowdSec + Bouncer before it can go anywhere.
The concept of CrowdSec is honestly super awesome.
Is Taefik really that good? It seems crazy complex
It’s designed to scale. Plus it’s nifty to be able to add ~3 tags to a docker container and then it’s instantly online and ready to be used.
Depending on how you setup your reverse proxy it can reduce random scanning/login attempts to basically zero. The point of a reverse proxy is to act as a proxy, as a sort of web router, and to validate that the http requests are correctly formatted.
For the routing depending on what DNS name/path the request comes in with it can route to different backends. So you can say that app1.yourdomain.com is routed to the internal IP address of your app1, and app2.yourdomain.com goes to app2. You can also do this with paths if the applications can handle it. Like yourdomain.com/app1.
When your client makes a request the reverse proxy uses the “Host” header or the SNI string that is part of the TLS connection to determine what certificate to use and what application to route to.
There is usually a “default” backend for any request that doesn’t match any of the names for your backend services (like a scanner blindly trying to access your IP). If you disable the default backend or redirect default requests to something that you know is secure any attacker scanning your IP for vulnerabilities would get their requests rejected. The only way they can even try to hit your service is to know the correct DNS name of your service.
Some reverse proxies (Traefik, HAproxy) have options to reject the requests before the TLS negation has even completed. If the SNI string doesn’t match the connection just drops it doesn’t even bother to send a 404/5xx error. This can prevent an attacker from doing information gathering about the reverse proxy itself that might be helpful in attacking it.
This is security by obscurity which isn’t really security, but it does reduce your risk because it significantly reduces the chances of an attacker being able to find your applications.
Reverse proxies also have a much narrower scope than most applications as well. Your services are running a web server with your application, but is Jellyfin’s built in webserver secure? Could an attacker send invalid data in headers/requests to trigger a buffer overflow? A reverse proxy often does a much better job of preventing those kinds of attacks, rejecting invalid requests before they ever get to your application.
It protects against vulnerabilities in layer 3 of the OSI model. It is the thing that gets hit from the outside while the back end is hidden away. This makes some attacks much harder.
Crowdsec is what stops the intrusion.
Crowdsec won’t protect against a security vulnerability
It will if it detects the requests and blocks them
Only if it is from a known bad IP
Also the vulnerability may be in something needed for client functionality.
Netbird/Tailscale
You also could use Wireguard as it is a p2p protocol by default.
If you have IPv6 access you could put in on a IPv6 address
Making a note so I can find this again - also I have been loving JellyFin over Plex.
Jellyfin over Plex?
Yup, I like jelly more - not that I have one running over the other lol
I thought there was some way to use Jelly on the backend with a Plex client!
Unethical life pro tip, but I use the free tier of Cloudflare tunnels and Cloudflare access to gate access to my jellyfin instance. This is technically against their TOS but I don’t cache anything and my bandwidth usage is low so it’s probably not too noticeable. I’ll update this post if I get banned at some point 🤡
I don’t do this, but I would set up oAuth like Authelia or something behind a reverse-proxy and authenticate Jellyfin clients through that.
that’s what I’d like personally, but I don’t think the clients would play nice with that
They are out of luck if using the Android TV client but web browser should be fine
There are two routes. VPN and VPS.
VPN; setup wireguard and offer services to your wireguard network.
VPS; setup a VPS to act as a reverse proxy for your jellyfin instance.
Each have their own perks. Each have their own caveats.
The VPS would still involve exposing it
You’re exposing your jellyfin instance to a single IP, your VPS. That’s what a reverse proxy is.
You block all communication from any IP but local, and your VPS IP from jellyfin, and forward web traffic from your VPS to your jellyfin instance. It’s not the same as exposing your jellyfin instance directly. Not sure why I have to explain that…but here we are, I guess.
I have it as an unprivileged container behind a reverse proxy and HTTPS/HSTS. I know it’s not perfect but I keep backups of important shit and monitor things regularly.
I agree that Jellyfin needs to improve its API security, though. Their excuse that “it would break clients on old APIs” is moot when C# comes with API versioning features out of the box.
I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.
I just expose it to the internet.
I have it behind a proxy and IPS. I force my users to have strong passwords. I don’t see why this would be a problem.
Its a major problem
It is only a matter of time before it gets compromised. Chances are you will have no idea it happened and you home internet will join the bot net of some nation state. The Jellyfin devs take security seriously but there will always be flaws.
There will always be flaws
You said it.
deleted by creator
deleted by creator
You should maybe reconsider this for security reasons. You should implement a Whitelist or a VPN. Jellyfin is notoriously insecure software, check here:
Reading over that list, I don’t really see anything that isn’t “maybe gets read privileges for non-critical data”. Hardly useful enough to be worth attempting access to a single personal Jellyfin server.
I’d be mildly surprised if anyone has ever bothered.
You do you, but in my view the effort outweighs the benefits.
Sure, and its your own choice - But you should still be aware of what could/can happen, so that you can make this decisions informed. Maybe I worded it a bit too harshly, i’m sorry English is not my first language.
deleted by creator
