Comment by tech234a

11 hours ago

Can anyone comment on the security of Jellyfin? When I had last looked into it, it seemed like Jellyfin had a somewhat weak security model that made me question switching family members to it from Plex.

Don't expose it to the internet unless you know what you're doing, or put it on a VPS you don't care about.

Ideally keep it behind a VPN and give your family members access to it that way, and let local devices on your LAN connect to it without a VPN.

  • TLS is a must-have. They don't bother doing any kind of password hashing on login. It's sent in cleartext.

  • I put mine behind caddy on a long random path prefix. So that acts as a sort of password that you need to know before you can access it. So far it's seemed to work great.

  • Those are fine ideas.

    But I'm not all about getting something like Tailscale to work with my elderly mother's Roku device, nor teaching her how to use it.

    • Get your elderly mother an Apple TV and infuse, then connect with Tailscale. It’s pretty friggin’ smooth in daily operation. Apple TV’s UI is no easier to get lost in than Roku, and actually has fewer pitfalls if you toggle one setting (the one that makes one home tap open the Apple TV app, and a second press while in that app actually go home, by default; switch that to always go home on any press of that button no matter what)

      I dunno if Tailscale works on Roku but otherwise that would indeed be entirely viable too, last I saw Jellyfin’s app on there is really good. Likely need a server powerful enough to transcode, though, lots of (all?) Roku devices don’t have hardware decoding for newer codecs like h.265. That’s one big benefit of an Apple TV, it can hardware decode damn near everything.


    • I use Jellyfin and when it works it’s great but a few small things make it totally unusable for a non-technical family member.

      One thing is when it can’t see the server it doesn’t just say it can’t see it, it acts like the issue is you’re not logged in and then when you log in (having to type your password manually each time, on a TV) it then fails.

      This is only really diagnosable if you can access both the client and server and is a complete failure and very tedious experience if you only have client access.

      Feels like I experience this at least once a month so couldn’t ever set this up for family members remotely.

    • I set my dad up with a Linux box as a daily driver for him - he keeps the desktop on, and the Roku Jellyfin app now has a clean proxy into Jellyfin over the Tailscale network. Giving him a desktop I can remote into was a great decision that paid dividends for him :)

    • You can point Tailscale toward a $5 exit-node VPS and Caddy/nginx through a cheapo-but-memorable-domain to get a Jellyfin Dashboard up in a browser. I assume running the domain and port through the Jellyfin Roku app would work fine (can't be sure as I've never used a Roku).

      Just mind your ACLs
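As an added example (constructed for this thread, not posted by any commenter), here is what the two suggestions above look like in one Caddyfile: TLS terminated by Caddy so the cleartext login never crosses the network unencrypted, and Jellyfin served only under a long random path prefix. The hostname `media.example.com`, the Jellyfin address `127.0.0.1:8096`, the prefix value and the assumption that Jellyfin's own Base URL setting has been set to the same prefix are all assumptions, not anything the commenters stated.

```caddyfile
# Constructed example, not from any commenter. Assumes:
#   - Jellyfin listens on 127.0.0.1:8096 on the same host as Caddy
#   - Jellyfin's "Base URL" (Dashboard > Networking) is set to /CHANGE-ME-long-random-prefix
#   - media.example.com resolves to this host, so Caddy can obtain a certificate automatically
media.example.com {
    # Caddy terminates TLS and provisions/renews the certificate itself, and redirects
    # plain HTTP to HTTPS by default; Jellyfin's login form sends the password in the
    # clear, so it must only ever be reachable through this listener.
    header {
        Strict-Transport-Security "max-age=31536000"
        -Server
    }

    # Only requests that carry the secret prefix reach Jellyfin. Because Jellyfin's
    # Base URL matches, it generates its own links under the same prefix, so the
    # prefix is passed through unchanged (handle, not handle_path).
    handle /CHANGE-ME-long-random-prefix/* {
        reverse_proxy 127.0.0.1:8096
    }

    # Everything else gets a bare 404, so a scanner that finds the hostname sees
    # nothing that identifies Jellyfin.
    handle {
        respond 404
    }
}
```

Generate the prefix from a real random source (for example `openssl rand -hex 16`) rather than a word, and treat it as a bearer secret: it is recorded wherever the URL is, including Caddy's own access log, browser history and any link a family member forwards. It raises the cost of discovery; it does not replace authentication, and Jellyfin's own login is still the only check once the prefix is known.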

Yea, it's pretty bad, there are pages of non-fixed confirmed exploits, you really shouldn't let it face the net.

VPN is one solution, and actually the only real solution for app-based jellyfin (TV, phone apps) I found so far.

Another is to host Jellyfin behind a reverse proxy, and have a completely independent auth gate in front of it (authentik, authelia). Jellyfin even supports LDAP (through a plugin), so you don't have to log in twice per visit. The downside is only the web interface can be hidden this way, as apps will break expecting the Jellyfin auth page and finding something else.

To alleviate your concerns, I have a public facing Jellyfin instance hosted on a subdomain for almost a year now. So far zero pwns or bot activity.

For whatever reason people here and on Reddit will tell you that you need to have Jellyfin pass through five VPNs, otherwise nasty things will happen. Meanwhile the actual devs suggest simply setting up a reverse proxy, which you can do in two lines with Caddy: https://jellyfin.org/docs/general/post-install/networking/re...

  • A reverse proxy by itself will do barely any defense, what you need in combination is an auth gate (authentik, authelia), and here we are moving from "simple reverse proxy" to fun weekend activity and then some getting it to work as expected. Plus it kills the app auth flow, so only the web interface is suitable for this.

    • You can use a reverse proxy and still have working app auth, I have set this up via Authelia with the OIDC Jellyfin plugin.

      However:

      - This is EVEN MORE complex than "just" a reverse proxy.

      - I'm not really sure it wins much security, because...

      - at least I'm not relying on Jellyfin's built-in auth but I'm now relying on its/the plugin's OIDC implementation to not be completely broken.

      - attackers can still access unauthenticated endpoints.

      Overall I really wish I could just do dumb proxy auth which would solve all these issues. But I dunno how that would work with authing from random clients like Wii (and more importantly for me, WebOS).
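To make the difference between the "two lines" reverse proxy and the auth-gate setup concrete, here is an added Caddyfile example (constructed for this thread; it is not from any commenter, nor copied from the Jellyfin or Authelia documentation). It assumes Jellyfin on `127.0.0.1:8096`, Authelia on `127.0.0.1:9091` on the same host, the hostnames `jellyfin.example.com`, `auth.example.com` and `media.example.com`, and that Authelia already has an access-control rule covering the gated host. The Authelia forward-auth endpoint path is version-specific and is an assumption to check against your release's docs.

```caddyfile
# Constructed example, not from any commenter. Assumes:
#   - Jellyfin on 127.0.0.1:8096 and Authelia on 127.0.0.1:9091, both on the Caddy host
#   - Authelia has an access-control rule for media.example.com and its portal is served at auth.example.com
#   - /api/authz/forward-auth is the forward-auth endpoint for current Authelia releases;
#     older releases used /api/verify?rd=https://auth.example.com/ (check your version's docs)

# 1. The bare reverse proxy from the Jellyfin networking docs. TLS is automatic, but every
#    Jellyfin endpoint, authenticated or not, is reachable by anyone who learns the hostname;
#    Jellyfin's own login is the only gate.
jellyfin.example.com {
    reverse_proxy 127.0.0.1:8096
}

# 2. The same service with an independent auth gate in front. Caddy sends each request to
#    Authelia first and only forwards it to Jellyfin if Authelia answers 200, so Jellyfin's
#    unauthenticated endpoints are no longer exposed to the internet.
#    Trade-off (as the thread notes): the Jellyfin TV and mobile apps expect Jellyfin's own
#    login API on these paths; they receive Authelia's redirect instead and fail, so this
#    protects the browser UI only. Clients on a VPN or the LAN can keep using Jellyfin
#    directly on port 8096.
auth.example.com {
    reverse_proxy 127.0.0.1:9091
}

media.example.com {
    forward_auth 127.0.0.1:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }
    reverse_proxy 127.0.0.1:8096
}
```

Caddy's `forward_auth` adds the `X-Forwarded-*` headers Authelia needs to know which host and URI are being requested, and a non-2xx answer from Authelia is returned to the client instead of being proxied on. The `copy_headers` line only matters if something behind the proxy (for example the LDAP or OIDC plugin mentioned upthread) consumes the identity headers; Jellyfin itself ignores them. With this in place, the attack surface that remains from the internet is Caddy plus Authelia's own login page, which is the point of the setup: Jellyfin's endpoints are only reachable by already-authenticated sessions.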