Hello. I have just recently started with self hosting my media with Jellyfin… and I am LOVING it! I had been carrying around media players for decades, with everyone looking at me like an insane crank for not giving up on my hundreds of gigs of media for SAS things like spotify… now they’re jealous! We’ve come full circle!
Annnyway. Obviously, I want to access the server anywhere, and don’t want to just raw-dog an open port to the internet- yikes!
There are SO MANY ways and guides and thoughts on this, I’m a bit overwhelmed and looking for your thoughts on the best way to start off… it doesn’t have to be ‘fort knox’ and I am sure I’ll adjust and pivot as I learn more… but here are the options I know of (did I miss any?):
-
Tailscale VPN connection
-
Reverse Proxy with Caddy or similar (this is recommended as easy in the jellyfin official guides and thus is my current leading contender!)
-
Docker/VM ‘containerized’ server with permissions/access control
What are your thoughts on the beginner-friendly-ness and ease of setup/management of these? This is exclusively for use by me and my family, so I don’t need something that’s easy for anyone to access with credentials… just our handful of devices.
Please don’t laugh, but I’m currently hosting on a Raspberry Pi5 with a big-ass harddrive attached (using CasaOS on a headless Ubuntu Server). I know this is JANK as far as self-hosting goes, and plan to upgrade to something like NAS in the future, but I’m still researching and learning, and aside from shitty video transcoding, it’s working fine for now… Thank you in advance for your advice, help and thoughts!
I’ve tested the worst of these endpoints and they were already secured, just the issues haven’t been updated.
For instance, from the security split-out issue list: https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825369811
I took the only one that could lead to admin/system infiltration (LDAP config escalation, others are about media access), and found it to have already been secured: https://github.com/jellyfin/jellyfin/issues/13989
Yup, and these are the biggest risks IMO. I find the well organized, big media companies with deep pockets and a few basic scripts that we know to work to be the biggest vector of liability.
https://github.com/jellyfin/jellyfin/issues/1501
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2071798575 (and the following comments)
https://github.com/jellyfin/jellyfin/issues/13984
A person’s biggest threat running Jellyfin is going to be the media companies themselves. Sony (the company known for installing rootkits on people’s computers) can pre-hash a list of their movies with commonly config’d locations/name schemas for their content and enumerate your system for if you have their content. Since you don’t have any authentication on the endpoint, they’re likely not violating any law through circumvention. The “random UUID” is just the MD5 hash of the path/filename. So it’s actually highly guessable… especially for people using default docker configs and *arr stacks and you normalize names using these tools.
Their response was “this attack isn’t in the wild”(as if they actually know… running a script and checking a few hundred thousand requests to go through a list of movies isn’t all that taxing and users won’t even notice it to report it… let alone have enough logging to notice it to begin with) and “it breaks compatability, so we don’t want to do it”. Which I find laughable. It turned me off from Jellyfin all together.
Edit: And because every time I bring up the issue I get downvoted for “fear mongering”… There are answers to resolve it… you need to use non-standard naming schemes in your files/folder structure and fail2ban. But that expects users to do that… And I could do that… but it’s a security risk non-the-less and the developers response to the risk being what it is is what’s scary to me.
Edit2: The LDAP one… I should clarify I don’t care about that one since well… requires you to additionally config stuff that most users won’t. But the media exposure issues are default and universal and require setting things “non-standard” to have any protection from, which users generally WON’T do.
Well, I wouldn’t say the media issues are worse than a full domain access issue, but despite my comment above, I agree with you.
The security split-issue feels reminiscent of when Plex didn’t use SSL and wouldn’t implement it until a white-hat POC token exploit was produced and provided to them (of which I was the author). If JF was my project, these would be top of my list.