Jellyfin over the internet

Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.
- I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
  
  fail2ban with endlessh and abuseipdb as actions
  Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
  
  They can try all they like, man. They're not gonna guess a username, key and password.
  
  Sorry, misunderstanding here, I'd never open SSH to the internet, I meant it as "don't block it via your server's firewall."
  
  So? Pubkey login only and fail2ban to take care of resource abuse.
  
  i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).
  
  Ssh has nothing to do with scanning. Your IP and everyone else up is being scanned constantly. In ipv4 space at least.
  
  Change the port it runs on to be stupid high and they won't bother.
- Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
  
  Take a look at Nginx Proxy Manager and how to set it up. But you'll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
- Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
  Maybe leave that behind some VPN access.
  
  I agree, but SSH is more secure than Jellyfin. it shouldn't be exposed like that, others in the comments already pointed out why
  
  https://lemmy.world/post/32059264/17905111
- Also run the reverse proxy on a dedicated box for it in the DMZ
  
  Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
  
  In a perfect world, yes. But not as a beginner, I guess?

Wireguard.
- and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
  its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.
  it can even be your laptop, without hdmi cables
  
  You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road
  
  How would you do this off network?
- lemm.ee :'''(

I just expose my local machine to the internet, unsecured
- Thanks stranger over the internet seems like the best option.
- This is absolutely unhinged but god damn it, I respect you.
- Yea same I don’t even care.
  It’s an old laptop, I have a backup. Go ahead, fuck it up.
  
  Do you at least have it on a VLAN?

I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
- What an absolute gigachad XD
- Clever, but very hands on
  
  VERY hands on, wouldn’t recommend it haha.
  But that’s the beauty of open source. You CAN do it

Jellyfin isn't secure and is full of holes.
That said, here's how to host it anyway.
Wireguard tunnel, be it tailscale, netbird, innernet, whatever
A vps with a proxy on it, I like Caddy
A PC at home with Jellyfin running on a port, sure, 8096
If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.
Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.
more...
Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.
More!
Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.
MORE!
SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.
I SAID MORE!
There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.
Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).
- Wow, a "for dummies" guide for doing all this would be great 😊 know of any?
  
  If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.
  Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.
  There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.
  
  I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart's content.
- show me those “holes” this is just fear mongering
  
  Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
  More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
  Do what you want. Idgaf about your install, just mine.
- I've recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.
  Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.

My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.
- Nobody is gonna bother wasting time hacking into your home server
  They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
  
  What a bunch of B's. Sure your up gets probed it's happening to every ipv4 address all the time. But that is not hacking.
  
  No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
  
  And this is the start of the longest crypto nerd fight I've seen on Lemmy. Well done, people!

I host it publicly accessible behind a proper firewall and reverse proxy setup.
If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.
I think one of these days I need to make a "myth-busting" post about this topic.
- Please do so, it'll be very useful
- Same for me. But according to everyone I should be destroyed.

I used to do all the things mentioned here. Now, I just use Wireguard. If a family member wants to use a service, they need Wireguard. If they don't want to install it, they dont get the service.
- Came here to say this. I use wireguard and it simply works.
- I started my homelab with a couple exposed services, but frankly the security upkeep and networking headaches weren't worth the effort when 99% of this server's usage is at home anyway.
  I've considered going the Pangolin route to expose a handful of things for family but even that's just way too much effort for very little added value (plus moving my reverse proxy to a VPS doesn't sound ideal in case the internet here goes down).
  Getting 2 or 3 extra folks on to wireguard as necessary is just much easier.
- Pangolin could be a solution

I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet. ~~It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.~~ (See Edit 2)
In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:
Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits
- Anyone wanna yell at me for being an idiot and doing everything wrong?
  Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
  Additionally, you might want to check if Shodan has your Jellyfin instance listed: https://www.shodan.io/
  
  Jellyfin is dropping HTTPS support with a future update[...]
  What's the source for this? I wasn't able to find anything with a quick google search
- It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
  If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
  Blocking IP segments based on geography of countries you don't expect connections from adds the cost of a VPN for malicious actors in those areas.
  Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
  
  Fail2ban isn't going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
- Nah, setting non-standard ports is sound advice in security circles.
  People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
  Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don't see the open ports, they move on. Won't stop a determined attacker, of course, but that's what other layers are for.
  As long as there's real security otherwise (TLS, good passwords, etc), it's fine.
  If anyone says "that's a false sense of security", ignore them. They've replaced thinking with a cliche.
  
  People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
  And this is what should be sung from the hills and mountaintops. There’s some old infosec advice that you should have two or three honeypots, buried successively deeper behind your security, and only start to worry when the second or third gets hit; The first one getting hit simply means they’re sniffing around with automated port scanners and bots. They’re just throwing common vulnerabilities at the wall to see if any of them stick. The first one is usually enough for them to go “ah shit I guess I hit a honeypot. They must be looking for me now. Never mind.” The second is when you know they’re actually targeting you specifically. And the third is when you need to start considering pulling plugs.
- It's difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won't touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they'd like for as long as they'd like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you're far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I'm not saying exposing jellyfin to the raw web is so risky it shouldn't be done, but don't buy into the misconception that it's even nearly as secure as running a vpn. They're entirely different classes of security posture and it should be acknowledged that if you don't have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.
- You remember when LastPass had a massive leak and it out of their production source code which demonstrated that their encryption security was horrible? That was a Plex vulnerability. All it takes is a zero day and one of the packages they're using and you're a prime target for ransomware.
  You can see from the number of unauthenticated processes in their security backlog that security really has been an afterthought.
  Unless you're running in a non-privileged container with read only media, I definitely would not put that out on the open network.
- I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don't want exposed. And then there's the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that's only because I'm comfortable with ensuring its secure.
  Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
- Jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.
  https://github.com/jellyfin/jellyfin/issues/5415
  
  And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
  If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That's more or less it.
  Good? No. But far from making it a poor choice exposing it.
- Imo that's perfectly fine and not idiotic if you have a static IP, no ISP blocked ports / don't care about using alt ports, and don't mind people who find your domain knowing your IP.
  I did basically that when I had a fiber line but then I added a local haproxy in front to handle additional subdomains. I feel like people gravitate towards recommending that because it works regardless of the answers to the other questions, even their security tolerance if recommending access only over VPN.
  I have CGNAT now so reverse proxy in the cloud is my only option, but at least I'm free to reconfigure my LAN or uproot everything and plant it on any other LAN and it'll all be fine.
- Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There's also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you're running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you're hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
- I don't disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
  The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.

for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.
- This is also what I do, however, each user creates their own tailnet, not an account on mine and I share the server to them.
  This way I keep my 3 free users for me, and other people still get to see jellyfin.
  Tailscale and jellyfin in docker, add server to tailnet and share it out to your users emails. They have to install tailscale client in a device, login, then connect to your jellyfin. My users use Walmart Onn $30 streaming boxes. They work great.
  I struggled for a few weeks to get it all working, there's a million people saying "I use this" but never "this is how to do it". YouTube is useless because it's filled with "jellyfin vs Plex SHOWDOWN DEATH FIGHT DE GOOGLE UR TOILET".
  
  For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
- This is what I do as well. Works super well

Tailscale

Tailscale with self hosted headscale
- Any helpful tips or links to tutorials for this method?
  
  Easiest method is Docker, but it heavily depends on your network and tech stacks.

Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity :) But good luck for the bots to figure all that out.
VPN is of course the actually secure option, I’d vote for Tailscale.
- I kept the main domain open, but redirected it to a rickroll
  
  Nice, but the bots may not understand the joke.
  And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
- Look pretty interesting. Do you have guide I could follow ?
  
  Not at hand no, but I’m sure any of the LLMs can guide you through the setup if googling does not give anything good.
  Nothing very special about all this, well maybe the subdir does require some extra spells to reverse proxy config.

I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..
- It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it
- This is the biggest weakness of Jellyfin. Native OIDC support would really be a no brainer at this point.
- Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
  
  Indeed a good recommendation. I've not set it up yet but I'm probably going to do so in the near future.

Wireguard vpn into my home router. Works on android so fire sticks etc can run the client.

I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
- I was just trying to get a setup like this going yesterday. I used standard Wiregaurd and got that working between the VPS and home server, but I was trying to set up Caddy as a reverse proxy to direct the incoming traffic through the WG VPN to my services. I wasnt able to figure it out yesterday. Everyone online says Caddy is so simple, but I'm such a noob I just have no idea what it's doing or how to troubleshoot.
  
  I havent tried with caddy but i might be able to help you get it working if you wanna chat some time. My contact info is on my website.
  
  I've also really struggled with Caddy despite everyone saying its so simple. I'm pretty new to all this, but I had better luck with Traefik - I now actually have a reverse proxy up and running correctly, which I haven't been able replicate with Caddy.
  Traefik labels make sense to me in a way Caddy does not.
  
  You should try pangolin. It uses Traefik instead of Caddy under the hood but it automates approximately 80 % of setup. It's what I use for my setup.
  https://fossorial.io/
- Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
  
  My goal was to have no ports exposed on my home network so the proxy is on the VPS. My home server connects over wireguad to the vps, then all the traffic is routed over wireguard to the home server which only listens on wireguard.
  
  I also would like to know
- This is 99% my setup, just with a traefik container attached to my wifeguard container.
  Can recommend especially because I can move apartments any time, not care about CGNAT (my current situation which I predicted would be the case), and easily switch to any backup by sticking my boxes on any network with DHCP that can reach the Internet (like a 4G hotspot or a nanobeam pointed at a public wifi down the road) in a pinch without reconfiguring anything.

If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh vpn like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use. Tailscale would be the easiest to do this with, but if you want to go full self-hosted you can do it with WireGuard if you’re willing to put in a little extra leg work.
What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.

If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.

We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
- This is the easiest way for sure.

I'm just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.

Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.

Cloudflare. No public exposure to the internet.
- Are we not worried about their terms of service? I've been using pangolin
  
  I run multiple enterprise companies through it who are transferring significantly more sensitive data than me. I'm not as strict as some people here, so no, I don't really care. I think it's the best service, especially for free, so until things change, that's what I'm using.
  
  We are, Batman, we are.
  I VPN to my network for it.

I just install tailscale at family houses. The limit is 100 machines.

I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.
- I tried really hard to get a named CloudFlare tunnel working with a domain name I registered (I share my personal home videos with a non technical family member in Italy) but couldn't get it working no matter what I tried.
  
  I'm not sure whay the OS you use is, but on linux (debian based) they have a Curl installer that installs their Systemd service preconfigured for your account and the specific tunnel you're using.
  Once that is installed, configuration is pretty easy. Inside their ZeroTrust portal, you will find the options to configure ports.
  Always point your tunnel to https://localhost:port or http://localhost:port. You can get a TLS cert from lets-encrypt for your first one. New certifications are issued by cloudflare's partners regularly to prevent expiration. I think I have like 3 for my domain now? 1 from Lets-Encrypt and a couple from Google.
  This could be totally unrelated, but when I first configured my domain, I used DuckDNS as my DNS registrar so I could do everything over wireguard. That's is still set up and in Cloudflare I still have duckdns included in my DNS registry. Could he worth a shot to set that up and add it to your DNS registry on cloudflare.

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS
I followed this video and modified some things like ports

Tailscale - funnel
Just that

Personally I use twingate, free for 5 users and relatively straightforward to set up.
- I’m fidgeting with Tailscale right now, only to stream on a AppleTV at a friend house. So far no luck but that’s not me that set up Infuse, so could be an operator error on my friend part
  
  The way I do it for a family member with Tailscale is them having a couple of boxes down there (n100 with their Jellyfin server, and a RPI4 with a TVHServer) with my Tailnet signed in, and those boxes running both a "subnet router" and an "exit node"that both me and said fam member can use.
  This means she has permissions to use the exit node wherever like I do to my own local LAN, to connect to her LAN and access things locally since you can assign them via the ACL's / device perms.
  I know reading docs can suck sometimes but honest to god the ones that Tailscale put up are pretty awesome.
  https://tailscale.com/kb
  Along with all the YT videos about it I didn't even have to go nagging on forums to get it to work, and that's a general first for me.
  
  I tried tailscale first but to be honest wasn't a fan. I moved to Twingate and found it much simpler to set up

For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik
- Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
  
  I'm trying to move away from needing a VPN to connect to make it simpler for less technically inclined family members

“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.
I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.
Reverse proxy is Traefik.

I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
- If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won't get discovered by an IP scanner.
  Mine's on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
  If it does get found, there's also a fail2ban to rate-limit someone brute-forcing a login.
  I've always exposed my home IP to the internet. Haven't had an issue in the last 15 years. I'm running about 10 public-facing services including NTP and SMTP.
  
  Please to see: https://github.com/jellyfin/jellyfin/issues/5415
  Someone doesn't necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways

An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
- This is an interesting setup

Wireguard VPN to my fritzbox lets me access my jellyfin.

I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale

This is my setup.
Read more, here.
- good article! thanks for that

I use a VPS and a wiregusrd tunnel.
https://codeberg.org/skjalli/jellyfin-vps-setup
- I'm currently using CF Tunnels and I'm thinking about this (I have pretty good offers for VPS as low as $4 a month)
  Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.
  BTW I'm testing Pangolin which looks AWESOME so far.
  
  I am using the free Oracle VPS offer until they block me, so far I have no issue. Alzernatively I wanted to check out IONOS, since you dont have a bandwidth limit there.

Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban

I don't use jellyfin but my general approach is either:
Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
- That’s my feeling too
  
  I would look into Tailscale based on your responses here. I don’t know what your use case is exactly but you set TS up on your server and then again on your phone/laptop and you can connect them through the vpn directly. No extra exposed ports or making a domain or whatnot.
  If you want other people to access the server they will need to make a TS account and you can authorize them.

for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
and I have certbot for my domain on ec2 :)
- Who are you using for your domain? I was told if I used cloudfair they would ban me for having streaming traffic over their DNS.
  
  You can use cloudflares DNS and not use their WAF (the proxy bit) just fine. I have been for almost a decade.
  
  That would only be if you use their cloudflare tunnel feature
  
  for me I just registered through route 53 its a subdomain of my personal domain.

Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
- Is the funnel URL accessible by everyone who knows it? I.e what are the chances someone finds the URL and gets access to it?
  
  Yep, a Tailscale funnel URL is publicly accessible to anyone who knows it. And while it doesn’t expose your machine’s IP, Jellyfin is exposed publicly. Only the port you configure is reachable, but that doesn’t make it secure in itself - you definitely need more security. I don't have anything critical on my server so I'm not overly concerned but I still use CSF to block traffic from most every other country and limit abuse.
- I’m looking into it but I find that starting (or keeping open) Tailscale for music is not the best system.
  I’m looking into building a shared Jellyfin library between friends

Sad that mTLS support is non existent because it solves this problem.
- It would cover all phones, pcs and maybe Android TVs.
  The barrier to entry would be having to replace the cert every year since we now made that a thing. Maybe spin up a self-sign shirt server and start issuing people 10 years certs

For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.

SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
- What's the point of authentik when Jellyfin already has authentication?
  
  While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
  Edit: There are also alternatives like authelia that may be easier to implement. I don't really trust most web apps to be ultra secure with internet-facing sign-in pages so it just feels like "good practice" to hide behind an auth service whose sole purpose is to be written and built securely. Plus once you learn how to set up fail2ban with an auth service, there will be no need to re-learn or re-implement it if you add a 2nd app/service. Very modular and makes testing and adding new things much easier.
  Another benefit is that it has a nice GUI. I can look at logins, add services, stuff like that without touching config files which will be nice for those who don't like wading through text files to change config.
- That’s probably this type of setup I would want but I miss the technical know how, so if you have a cool beginner guide
  
  I used several separate guides plus help from a friend. Check out space invader one's YouTube channel. I'm not at my pc right now but I can gather some of the tutorials I used when I get back.
  
  Here is the video I followed for SWAG. Note that this (and most of IBRACORP's guides, which are all fantastic) uses Unraid as the OS, which automates a lot of the processes.
  https://youtu.be/N7FlsvhpVGE
  And here is a written guide by the same group to go with or replace the video if this is more your speed: https://docs.ibracorp.io/swag-2/
  I'll be honest, even for "beginners" (which I was when I started this) this is still a lot to take in. Let me know if you run into any specific questions and I can try to help you.

OpenVPN into my router

Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you're ready to rock and roll
- Didn’t they patch their things now that your stuck in their bubble/environment now or something like that ?
  
  Not sure what what you mean. Plex has a bubble you can get stuck in. Jellyfin is free and open source

Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?

Unifi teleport. A zero configuration VPN to my home network.
- I’m fidgeting with Tailscale but I find this solution some what lacking
  
  Tailscale is great for not opening your ports to the internet. Having it playable on a friend's appletv adds some extra complexity. Reverse proxy on a subdomain with something like fail2ban would work, but it does leave you more vulnerable.

I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.

Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.
- How are you geoblocking?
  
  Sadly, it may not be an option for a lot of people, but on the fortinet firewall you can make policies and set up geoblocking.

I'm using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that's it.

VPN or Tailscale

Headscale server on cheap vps with tailscale clients.