
Comment by tech234a

7 hours ago

Can anyone comment on the security of Jellyfin? When I had last looked into it, it seemed like Jellyfin had a somewhat weak security model that made me question switching family members to it from Plex.

Don't expose it to the internet unless you know what you're doing, or put it on a VPS you don't care about.

Ideally keep it behind a VPN and give your family members access to it that way, and let local devices on your LAN connect to it without a VPN.

  • Those are fine ideas.

    But I'm not all about getting something like Tailscale to work with my elderly mother's Roku device, nor teaching her how to use it.

    • Get your elderly mother an Apple TV and Infuse, then connect with Tailscale. It’s pretty friggin’ smooth in daily operation. Apple TV’s UI is no easier to get lost in than Roku, and actually has fewer pitfalls if you toggle one setting (the one that makes one home tap open the Apple TV app, and a second press while in that app actually go home, by default; switch that to always go home on any press of that button no matter what).

      I dunno if Tailscale works on Roku but otherwise that would indeed be entirely viable too; last I saw, Jellyfin’s app on there is really good. Likely need a server powerful enough to transcode, though, lots of (all?) Roku devices don’t have hardware decoding for newer codecs like H.265. That’s one big benefit of an Apple TV, it can hardware decode damn near everything.


    • I set my dad up with a Linux box as a daily driver for him - he keeps the desktop on, and the Roku Jellyfin app now has a clean proxy into Jellyfin over the Tailscale network. Giving him a desktop I can remote into was a great decision that paid dividends for him :)

    • You can point Tailscale toward a $5 exit-node VPS and Caddy/nginx through a cheapo-but-memorable-domain to get a Jellyfin Dashboard up in a browser. I assume running the domain and port through the Jellyfin Roku app would work fine (can't be sure as I've never used a Roku).

      Just mind your ACLs

Yea, it's pretty bad: there are pages of non-fixed confirmed exploits; you really shouldn't let it face the net.

VPN is one solution, and actually the only real solution for app-based Jellyfin (TV, phone apps) I have found so far.

Another is to host Jellyfin behind a reverse proxy, and have a completely independent authgate in front of it (Authentik, Authelia). Jellyfin even supports LDAP (through a plugin), so you don't have to log in twice per visit. The downside is that only the web interface can be hidden this way, as apps will break expecting the Jellyfin auth page and finding something else.

For whatever reason people here and on Reddit will tell you that you need to have Jellyfin pass through five VPNs, otherwise nasty things will happen. Meanwhile the actual devs suggest simply setting up a reverse proxy, which you can do in two lines with Caddy: https://jellyfin.org/docs/general/post-install/networking/re...

  • A reverse proxy by itself will provide barely any defense; what you need in combination is an authgate (Authentik, Authelia), and here we move from "simple reverse proxy" to a fun weekend activity, and then some, getting it to work as expected. Plus, it kills the app auth flow, so only the web interface is suitable for this.
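To make the two setups being compared in this thread concrete, here is an added Caddyfile (not from the thread, the Jellyfin docs, or the Authelia project). It shows the plain "two line" reverse proxy that the Jellyfin networking docs describe next to the same proxy with Authelia's forward-auth in front of it, as the authgate comments describe. Assumptions: hostnames under example.com are placeholders, Jellyfin listens on its default localhost:8096, Authelia runs on its default localhost:9091 and is configured separately, and Caddy is 2.5 or newer (the version that introduced the forward_auth directive).

```caddyfile
# Variant 1: the minimal reverse proxy from the Jellyfin docs.
# Caddy terminates TLS and forwards everything to Jellyfin. The
# only thing between the internet and Jellyfin is Jellyfin's own
# login page and API, which is the exposure the thread warns about.
jellyfin.example.com {
    reverse_proxy localhost:8096
}

# Variant 2: an independent authgate in front of Jellyfin.
# Every request is first checked against Authelia; unauthenticated
# browsers are redirected to the Authelia portal before Jellyfin
# ever sees the request. The forward-auth URI below is the one
# Authelia's recent versions document; older releases used /api/verify.
media.example.com {
    forward_auth localhost:9091 {
        uri /api/authz/forward-auth
    }
    reverse_proxy localhost:8096
}

# The Authelia portal itself, published on its own hostname so the
# redirect from forward_auth has somewhere to land.
auth.example.com {
    reverse_proxy localhost:9091
}
```

Variant 2 has exactly the trade-off described above: a browser follows the redirect to auth.example.com, logs in, and then reaches Jellyfin's web UI, but a native Jellyfin client (Roku, phone, TV app) speaks Jellyfin's API directly and has no way to complete the Authelia login, so it fails against media.example.com. Keep app-based clients on the VPN path instead, and treat the forward-auth host as web-only.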