230

I don't know who needs to hear this, but DO NOT EVER expose Jellyfin to the internet (github.com)

submitted 2 days ago by Scary_le_Poo@beehaw.org to c/technology@beehaw.org

170 comments fedilink hide all child comments

Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla...

you are viewing a single comment's thread
view the rest of the comments

[-] Saik0Shinigami@lemmy.saik0.com 2 points 1 day ago

Not unless the reverse proxy adds some layer of authentication as well.

This is correct. However I'd want to add, that this will break EVERY app-based access of jellyfin which defeats the purpose for a lot of people. Adding auth in front of jellyfin will work and allow you to use the web client only.

You kind of touched on it... I wanted to make it clear.

VPN would be a better more interoperable answer for most cases, you'll still be stuck on devices like WebOS on LG tvs, or roku devices, or others that don't have the ability to install vpn clients.

[-] jagged_circle@feddit.nl 1 points 1 day ago

This is misinformation. It breaks the web app too.

You can't use basic auth with jellyfin at all. Its a bug. Jellyfin closed the bug as won't fix because, it seems, they dont care about security.

[-] Saik0Shinigami@lemmy.saik0.com 1 points 1 day ago

Oh, sure enough. Basic auth breaks the login function. I didn't test it myself and didn't think that it wouldn't work for basic auth. I've put other auths in front of it and it works. So It's not completely "misinformation". Just annoying that the easiest most basic form of auth won't work.

[-] jagged_circle@feddit.nl 1 points 1 day ago* (last edited 1 day ago)

What other auths can you put in front of it?

The problem is that they're (ab)using the Auth header, which causes a colission and you can't load many required assets.

[-] Saik0Shinigami@lemmy.saik0.com 1 points 18 hours ago

I was testing a 2fa based one the other weak and jellyfin was the service I decided to test with. Ultimately didnt like it so I rolled ot back.I'd have to go look it up to get you a name.

this post was submitted on 02 Apr 2025

230 points (100.0% liked)

Technology

38453 readers

527 users here now

A nice place to discuss rumors, happenings, innovations, and challenges in the technology sphere. We also welcome discussions on the intersections of technology and society. If it’s technological news or discussion of technology, it probably belongs here.

Remember the overriding ethos on Beehaw: Be(e) Nice. Each user you encounter here is a person, and should be treated with kindness (even if they’re wrong, or use a Linux distro you don’t like). Personal attacks will not be tolerated.

Subcommunities on Beehaw:

This community's icon was made by Aaron Schneider, under the CC-BY-NC-SA 4.0 license.

founded 3 years ago

MODERATORS

alyaza@beehaw.org

TheRtRevKaiser@beehaw.org

gyrfalcon@beehaw.org

rs5th@beehaw.org

coldredlight@beehaw.org

SemioticStandard@beehaw.org

TheRtRevKaiser@kbin.social

remington@beehaw.org