What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

  • Vanilla_PuddinFudge@infosec.pubEnglish
    325·
    12 hours ago

    Jellyfin isn’t secure and is full of holes.

    That said, here’s how to host it anyway.

    1. Wireguard tunnel, be it tailscale, netbird, innernet, whatever
    2. A vps with a proxy on it, I like Caddy
    3. A PC at home with Jellyfin running on a port, sure, 8096

    If you aren’t using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

    Since Jellyfin isn’t exactly secure, secure it. Give it its own user and make sure your media isn’t writable by the user. Inconvenient for deleting movies in the app, but better for security.

    more…

    Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin’s host for failures and block ips automatically.

    More!

    Use Anubis and yes, I can confirm Anubis doesn’t intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

    MORE!

    SELinux. Lock Jellyfin down. Lock the system down. It’s work but it’s worth it.

    I SAID MORE!

    There’s a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin’s access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone’s IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

    Again, don’t do any of this and just use Jellyfin over wireguard like everyone else does(they don’t).

    • oyzmo@lemmy.worldEnglish
      8·
      10 hours ago

      Wow, a “for dummies” guide for doing all this would be great 😊 know of any?

      • Vanilla_PuddinFudge@infosec.pubEnglish
        2·
        5 hours ago

        I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart’s content.

      • ohshit604@sh.itjust.worksEnglish
        4·
        8 hours ago

        If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.

        Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.

        There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.

      • ddawg@lemmynsfw.comEnglish
        2·
        4 hours ago

        I’ve recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.

        Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.