If it's for your personal use and no one else is going to connect, why don't you just configure a wireguard tunnel to remotely connect to your server as if you were in LAN without exposing anything?
I’d like to be able to share it with friends and family
Tailscale has the Funnel feature too, which puts the endpoint on Tailscale's servers.
You could do both - Funnel for people who you don't want to walk through setting up a client, and use the client for those who you're willing to put the effort into.
I second this for the funnel feature
It made my whole issue with ports easy since it forwards only one open port
I still don't recommend putting jellyfin on the Internet. It's not designed for it. There are some API endpoints you can access without authentication, not to mention potential authentication bypass vulnerabilities.
5 minutes is also probably too frequent. Leases are usually significantly longer. You might hit a rate limit and get blocked.
Thanks for the tip! I’ll back the refresh rate off to be safe.
I’m not sure I entirely understand your concern about putting Jellyfin on the internet. A large part of my interest in selfhosting is being able host my own music library, my own cloud storage, etc, and access it as an alternative to Spotify or Google Drive. Doesn’t that inherently mean that they need to be on the internet, if I want to be able to access them when I’m away from home?
My goal has been to find a way to do that safely, but if that’s not possible, that’s good to know too, so I don’t keep trying to do the impossible.
Wireguard or tailscale are much better ways of accessing jellyfin from outside your network.
What if I want a bunch of people to be able to log into my library via Finamp?
Provide them with VPN access. If that's too much for them, then they don't get access. Tough. On the scale of security vs convenience, that's nothing.
If you really really want, you should at least see if you can put a WAF in front, and put the server itself somewhere it doesn't have access to the rest of your network (a DMZ) so that if and when it gets hacked, it doesn't compromise the entire network.
I highly recommend Tailscale, you can share machines/services with unlimited friends on the free tier, and all of the actual auth stuff is handled by someone who isn't me.
You use plex instead, or you accept the massive security vulnerabilities.
What vulnerabilities? Sure there are some but nothing massive that I have seen. Care to post them.
web endpoints with zero authentication lol
It's honestly just a matter of how much risk you are comfortable with for using jellyfin on the open internet.
(If i remember correctly:) The unauthenticated routes thing can only be used for streaming your content without a login (if you can guess the contents ids on your server I believe).
In my opinion, it's not worth the hassle of using a vpn because I don't think this risk is worth mitigating with one.
But everyone has their own personal risk assesment of course.
P.s. Easier than a VPN, at least for logging in other users, would be to use some type of proxy authentication like Authelia. I believe jellyfin has a plugin you can use. It can be complicated to setup, but it's an option. I believe it should protect all routes exposed by jellyfin so that solves the unauthenticated streaming issue. (I still dont think this is necessary but more choice for the risk-adverse!).
It’s not designed for it
Yet everyone in here tells everyone to switch from Plex, which is designed for it, to jellyfin lol
I prefer security vulnerabilities I can manage to privacy ones I cannot.
What privacy vulnerabilities are you talking about exactly?
Only one of these software has lead to someone hacking into someone's computer.
You have no idea how many breaches jellyfin has been the cause of lol
It's perfectly fine to host jellyfin online. Use a proxy server to enable TLS and do not use default ports 80/443. Use letsencrypt for free certificates. No need for VPN to access here either. Do not expose any other ports such as SSH on default ports. Lock down your jellyfin server and any other related services behind a VPN service and block access to Internet through other interfaces (except for port forwards on your ISP for jelly). Go high on port ranges since they typically aren't scanned or blocked. Go dual stack for best results and don't use your router address for IPv6 more than likely you have your own /64 choose a different address for port forwards. Do not assign this address to your internal servers. Use a reserved unrouted IPv6 range internally and do NAT6. Do not allow any raw IPv6 internet access
do not use default ports 80/443.
In my opinion, you'd be fine using default ports. Guess there's no harm in using other ports though, other than the pain of having the remember which port to use if you ever forget when adding a new device, etc.
You don't need to hard update your IP every 5 minutes. The typical DNS updaters (just use ddclient) can simply check if your IP is up to date and only update if it isn't.
I forgot duckdns still exists to be fair
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!