What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
For now just Tailscale but I’m working on setting up a reverse proxy and SSO through Authentik
Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
Sad that mTLS support is non existent because it solves this problem.
I just expose my local machine to the internet, unsecured
Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
This is absolutely unhinged but god damn it, I respect you.
Thanks stranger over the internet seems like the best option.
Tailscale with self hosted headscale
Any helpful tips or links to tutorials for this method?
Easiest method is Docker, but it heavily depends on your network and tech stacks.
“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.
I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.
Reverse proxy is Traefik.
Cloudflare. No public exposure to the internet.
Are we not worried about their terms of service? I’ve been using pangolin
I run multiple enterprise companies through it who are transferring significantly more sensitive data than me. I’m not as strict as some people here, so no, I don’t really care. I think it’s the best service, especially for free, so until things change, that’s what I’m using.
We are, Batman, we are.
I VPN to my network for it.
I expose jellyfin and keycloak to the internet with pangolin, jellyfin user only has read access. Using the sso 🔌 jellyfin listens to my keycloak which has Google as an identity provider(admin disabled), restricting access to my users, but letting people use their google identity. Learned my family doesn’t use anything that isn’t sso head-to-toe.
It’s what we do in the shadows that makes us heroes, kalpol.
First time I hear someone using keycloak for local hosting.
If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh vpn like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use. Tailscale would be the easiest to do this with, but if you want to go full self-hosted you can do it with WireGuard if you’re willing to put in a little extra leg work.
What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.
My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.
Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
And this is the start of the longest crypto nerd fight I’ve seen on Lemmy. Well done, people!
What a bunch of B’s. Sure your up gets probed it’s happening to every ipv4 address all the time. But that is not hacking.
Anything you expose to the internet publicly will be attacked, just about constantly. Brute force attempts, exploit attempts, the whole nine. It is a ubiquitous and fundamental truth I’m afraid. If you think it’s not happening to you, you just don’t know enough about what you’re doing to realize.
You can mitigate it, but you can’t stop it. There’s a reason you’ll hear terms like “attack surface” used when discussing this stuff. There’s no “if” factor when it comes to being attacked. If you have an attack surface, it is being attacked.
Yup, the sad reality is that you don’t need to worry about the attacks you expect; You need to worry about the ones you don’t know anything about. Honeypots exist specifically to alert you that something has been breached.
Couple questions here.
What is a honeypot? I’ve only heard it in terms of piracy.
Also, what steps can someone take to reinforce this attack layer? You have an infograph or something people can google search their way through?
@EncryptKeeper That’s my experience. Zombied home computers are big business. The networks are thousands of computers. I had a hacker zombie my printer(!) maybe via an online fax connection and it/they then proceeded to attack everything else on my network. One older machine succumbed before I could lock everything down.
No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it. They’re actively trying to exploit vulnerabilities that exist in whatever outwardly accessible software you’re exposing is, and in many cases also in software you’re not even using in scattershot fashion. Cloudflare is blocking a lot of the well known CVEs for sure, so you won’t see those hit your server logs. If you look at your Authelia logs you’ll see the login attempts though. If you connect via SSH you’ll see those in your server logs.
You’re mitigating it, sure. But they are absolutely 100% trying to get into your server right now, same as everyone else. There is no consideration to whether you are a self hosted or a Fortune 500 company.
No, they are actively trying to get in right now. If you have Authelia exposed they’re brute forcing it.
No, they aren’t. Just to be sure, I just checked it, and out of the over 2k requests made to the Authelia login page in the last 24 hours, none have made it to the login page itself. You don’t know jack shit about what’s going on in another persons network, so I’m not sure why you’re acting like some kind of expert.
Yes they are. The idea that they’re not would be a statistical wonder.
2k requests made to the Authelia login page in the last 24 hours
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
You don’t know jack shit about what’s going on in another persons network
It’s the internet, not your network. And I’m well aware of how the internet works. What you’re trying to argue here is like arguing that there’s no possible way that I know your part of the earth revolves around the sun. Unless you’re on a different internet from the rest of us, you’re subject to the same behavior. I mean I guess I didn’t ask if you were hosting your server in North Korea but since you’re posting here, I doubt it.
I’m not sure why you’re acting like some kind of expert
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Yes they are. The idea that they’re not would be a statistical wonder.
Guess I’m a wonder then. I’ve always thought of myself as pretty wonderful, I’m glad to hear you agree.
Are you logging into your Authelia login page 2k times a day? If not, I suspect that some (most) of those are malicious lol.
That’s 2k requests made. None of them were served. Try to keep up.
Well I am an expert with over a decade of experience in cybersecurity, but I’m not acting like an expert here, I’m acting like somebody with at least a rudimentary understanding of how these things work.
Then I guess I should get a career in cybersecurity, because I obviously know more than someone with over a decade of supposed experience. If you were worth whatever your company is paying you in wages, you would know that a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services. Such a rule doesn’t work for a public site, but for a selfhosted setup it’s absolutely an easy option to reduce your bandwidth usage and make your setup far more secure.
a rule blocking connections from other countries, and also requiring the request for the login page come from one of the services on your domain, will block virtually all malicious attempts to access your services.
Whoa whoa whoa. What malicious attempts?
You just told me you were the statistical wonder that nobody is bothering attack?
That’s 2k requests made. None of them were served.
So those 2k requests were not you then? They were hostile actors attempting to gain unauthorized access to your services?
Well there we have it folks lmao
I used to do all the things mentioned here. Now, I just use Wireguard. If a family member wants to use a service, they need Wireguard. If they don’t want to install it, they dont get the service.
Came here to say this. I use wireguard and it simply works.
Pangolin could be a solution
I started my homelab with a couple exposed services, but frankly the security upkeep and networking headaches weren’t worth the effort when 99% of this server’s usage is at home anyway.
I’ve considered going the Pangolin route to expose a handful of things for family but even that’s just way too much effort for very little added value (plus moving my reverse proxy to a VPS doesn’t sound ideal in case the internet here goes down).
Getting 2 or 3 extra folks on to wireguard as necessary is just much easier.
We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place
I use a VPS and a wiregusrd tunnel.
I’m currently using CF Tunnels and I’m thinking about this (I have pretty good offers for VPS as low as $4 a month)
Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.
BTW I’m testing Pangolin which looks AWESOME so far.
I am using the free Oracle VPS offer until they block me, so far I have no issue. Alzernatively I wanted to check out IONOS, since you dont have a bandwidth limit there.
WOW! That’s one hell of a deal. You’ve convinced me XD I’m installing pangolin Right now. The hell with Cloudflare and their evil ways
for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
This is also what I do, however, each user creates their own tailnet, not an account on mine and I share the server to them.
This way I keep my 3 free users for me, and other people still get to see jellyfin.
Tailscale and jellyfin in docker, add server to tailnet and share it out to your users emails. They have to install tailscale client in a device, login, then connect to your jellyfin. My users use Walmart Onn $30 streaming boxes. They work great.
I struggled for a few weeks to get it all working, there’s a million people saying “I use this” but never “this is how to do it”. YouTube is useless because it’s filled with “jellyfin vs Plex SHOWDOWN DEATH FIGHT DE GOOGLE UR TOILET”.
For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
The onn boxes run android so it’s just installed as an app from play store. The users connect with their own tailscale account. My server is shared so they see it. Then they install jellyfin on the device, punch in the hostname of the server given by tailscale and the port and then it connects.
I could not get my reverse proxy to let them use my local domain… I’m not smart enough and couldn’t figure it out but they are only using jellyfin so typing one address was fine.
This is what I do as well. Works super well
Wireguard VPN to my fritzbox lets me access my jellyfin.
I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I’ve restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there…
This is the biggest weakness of Jellyfin. Native OIDC support would really be a no brainer at this point.
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
Indeed a good recommendation. I’ve not set it up yet but I’m probably going to do so in the near future.
It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it
VPN or Tailscale
