Comment by notpushkin
15 hours ago
> Reverse proxy itself will do barely any defense, what you need in combination is an authgate
What’s your threat model?
15 hours ago
> Reverse proxy itself will do barely any defense, what you need in combination is an authgate
What’s your threat model?
Same as anyones: random bots scanning IP/ports to find established services and trying exploits from the book.
If you expose Jellyfin on 443, have HTTPS properly set up (which Caddy handles automatically), your admin password is not pswd1234 (or you straight up disable remote admin logins), and use a cheap .com domain rather than your IP--what is the actual attack surface in that case?
As far as I can remember that is more or less what is usually suggested by Jellyfin's devs, and I have yet to see something that convinces me about its inadequacy.
He claims there are known exploits. Though I also want to know if this is really true.
2 replies →
With a reverse proxy, I don't see how this would work. The whole way the reverse proxy works is you use a subdomain name ("jellyfin.yourdomain.org") to access Jellyfin, rather than some other service on your server. The reverse proxy sees the subdomain name that was used in the HTTP request, and routes the traffic based on that. Scanning only the IP address and port won't get attackers to Jellyfin; they need to know the subdomain name as well.
The only tricky part here would be to make sure you’re doing a wildcard certificate, so that your subdomain doesn’t appear in Certificate Transparency logs.