I’m using a Cloudflare tunnel to access my movie collection on self-hosted Jellyfin. Jellyfin accounts are behind a strong password.

Considering it’s on the web, how bad is it? I’m not thinking about attacks, can I be flagged for piracy or things? Where does the ISP stand?

  • TheRealAdreaner@alien.topB
    1 year ago

    I would suggest putting it behind an SSO service like a self-hosted Authelia or authentik. So even if someone finds your website they will only see your authentication page and not what’s behind it.

    • excelite_x@alien.topB
      1 year ago

      Why would that be a benefit? Jellyfin already provides a login screen (allegedly with strong passwords)

      • TheRealAdreaner@alien.topB
        1 year ago

        Like I said. So even if someone finds your domain to your Jellyfin server they would only see authentik.

        And if you start with authentik you could use it for many more self-hosted services, so you have one big login page in front of your services.

    • Ben4425@alien.topB
      1 year ago

      How would that work with a Jellyfin client running on a device like a Chromecast dongle? The code on the dongle doesn’t (IMHO) know how to log into an SSO service.

      • TheRealAdreaner@alien.topB
        1 year ago

        You would have to exclude the */api/ path in the authentik provider settings, so that if something wants to call the Jellyfin API (like Swiftfin) it can go around the SSO. It’s not the best practice for security but the only working way I have found.
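
An added example, not from the thread and not authentik or Jellyfin code: a small audit that reads reverse-proxy access logs and reports which paths reached the app without SSO under a bypass rule, plus source IPs with repeated auth failures on those paths. The rule semantics (regex searched against the path), the log lines and the paths are constructed assumptions.

```python
import re
from collections import Counter

# Hypothetical bypass rule, modelled on the "exclude the */api/ path" advice.
# Assumption: the SSO proxy treats each rule as a regex searched against the
# request path; check how your proxy actually matches before relying on this.
BYPASS_RULES = [r"/api/"]

# Constructed access log lines (common log format); paths are made up, not Jellyfin routes.
SAMPLE_LOG = """\
203.0.113.7 - - [01/Jan/2024:10:00:01 +0000] "GET /web/index.html HTTP/1.1" 302 0
203.0.113.7 - - [01/Jan/2024:10:00:02 +0000] "POST /api/login HTTP/1.1" 401 52
203.0.113.7 - - [01/Jan/2024:10:00:03 +0000] "POST /api/login HTTP/1.1" 401 52
203.0.113.7 - - [01/Jan/2024:10:00:04 +0000] "POST /api/login HTTP/1.1" 401 52
198.51.100.4 - - [01/Jan/2024:10:05:00 +0000] "GET /api/items?limit=5 HTTP/1.1" 200 913
198.51.100.4 - - [01/Jan/2024:10:05:09 +0000] "GET /admin/api/keys HTTP/1.1" 200 120
"""

LINE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*" (\d{3}) ')

def skips_sso(path, rules=BYPASS_RULES):
    """True if any bypass rule matches the path (query string removed)."""
    path = path.split("?", 1)[0]
    return any(re.search(rule, path) for rule in rules)

def audit(log_text, rules=BYPASS_RULES, threshold=3):
    """Return (bypassed paths, IPs with >= threshold auth failures on them)."""
    bypassed, failures = set(), Counter()
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # ignore lines that are not in the expected format
        ip, _method, target, status = m.groups()
        if skips_sso(target, rules):
            bypassed.add(target.split("?", 1)[0])
            if status in ("401", "403"):
                failures[ip] += 1
    noisy = sorted(ip for ip, n in failures.items() if n >= threshold)
    return sorted(bypassed), noisy

if __name__ == "__main__":
    paths, noisy = audit(SAMPLE_LOG)
    print("reached the app without SSO:", paths)
    print("repeated auth failures from:", noisy)
    print("with an anchored rule:", audit(SAMPLE_LOG, rules=[r"^/api/"])[0])
```

With the unanchored rule the constructed `/admin/api/keys` request also skips SSO; anchoring the rule at the start of the path leaves only the intended prefix relying on the app's own login.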

  • MoooNsc@alien.topB
    1 year ago

    I can’t imagine an anti-piracy organisation hacking into your server for the purpose of suing you.

  • JiggySnoop@alien.topB
    1 year ago

    My Jellyfin and Jellyseerr servers are both open to the web. Because so many people are using it, I can’t sacrifice accessibility. But I have hardcore monitoring, an alert system and emergency shutdown systems in place.

    • mrpink57@alien.topB
      1 year ago

      As long as passwords are strong it’s usually fine. I use LDAP through Jellyfin on authentik and everyone gets a passphrase.

    • jfromeo@alien.topB
      1 year ago

      I would like to know as well, because that is my case.

      Jellyfin behind NPM listening on a non-standard HTTPS port (4443) with a Let’s Encrypt SSL certificate.

      I serve plenty of family members with Chromecasts, smart TVs, laptops, smartphones… that may not be compatible with SSO.

    • nyrosis@alien.topB
      1 year ago

      It’s really not that bad, especially if you set up access lists. That simple configuration alone eliminates most problems from even accessing the server.