Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
view the rest of the comments
I am once again recommending that you not expose any services to the internet except a VPN
Good as a general recommendation.
I also feel like the risk levels are very different. If it's something that performs a function but doesn't save/serve any custom data (e.g. bentopdf), that's a lot easier to decide to do than something complicate like Jellyfin.
I do have public addresses for Matrix, overleaf, AppFlowy, immich because they would be much less useful otherwise. Haven't had any problems yet, but wouldn't necessarily recommend it to others.
I'd never host any stuff with "Linux ISOs" on a public adress, that seems like it'd be looking for trouble.
Doesn't matter. Any exposure risks compromise. From there, an attacker could pivot to read your data, mine cryptocurrency on your device(s), serve objectionable material, or other unsavory activities.
Even if you have authentication enabled, not all APIs require authentication. Jellyfin in particular is not designed to be internet-facing. And even if it does require authentication, authentication bypass attacks are a thing.
If you really want to secure your computer, encase that puppy in concrete (after disconnecting it from power),
What do you mean JellyFin is not designed to be Internet facing??? https://jellyfin.org/docs/general/post-install/networking/
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825369811
Designed meaning in that case intended to be exposed.
More of an internal thing.
VPNs on the other hand are designed to be exposed. Same with some ssh servers or reverse proxies like traefik, nginx etc.
So you mean the JellyFin ports should not be directlly exposed, but self hosting and exposing nginx to forward the traffic locally to jellyfin is fine?
Better rather than worse, yes.
Just need to be aware if what you expose and how and where.
So its also not designed to be exposed via nginx?
Please stop nitpicking.
It's as insecure as every other software exposed to the internet.
It's just that some softwares (like Jellyfin) is more prone to be a risk than others (like nginx).
Juat be aware of what you do.
... sure. Nothing here is wrong, but there's ways to try and mitigate that. And then it's kinda an arms race, and vigilance.
I'm not sure that's gonna work with my Jellyfin 🤔🫤
I mean it WOULD work you would just need a von on every device you wanted to use.
The REAL answer is never host them DIRECTLY, always use a reverse proxy like nginx. Many projects (i believe jellyfin is one of them) explicitly recommend this for better security. Which it looks like you did so congrats
For extra bonus points you can setup nginx to run as a non privileged user and use iptables to forward the lower ports (80/443). A pain but closes out a large chunk of nginx as a risk.
Throw in fail2ban as well.
Eh, i just use pubkey only Auth config (so password entirely disabled as an option) and put ssh on a non standard port to reduce script kid noise. (and no 2222 is not non-standard it may as well be the default)
Fail2ban triggers false too often for my taste in a high traffic environment.
Did you learn that about my jellyfin by looking at my post history or connecting to my server? 😀
It'd struggle a bit on some setups, like when I'm using the Jellyfin app on my GFs smart TV.. Or explaining to a friend in Europe how to setup a VPN without breaking anything else on his network... It is a risk for sure.
I'm too tired right now to parse what you mean about the port forwarding. I guess the idea is to reduce the impact if Jellyfin were breached or exploited. If you're up for it, can you explain more about why that relates to port forwarding?
If you ran nginx as a non privileged user it wouldn't be able to bind to 80/443 as those are privileged ports. So you would need to use iptables to forward them to an unprivlaged port
Ah, gotcha! Thanks.
I feel like that information could have multiple implications in future. Thank you!