this post was submitted on 01 Apr 2026
709 points (99.0% liked)

Selfhosted

59999 readers
802 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
709
Jellyfin critical security update - This is not a joke (github.com)
submitted 2 months ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world
260 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] Infernal_pizza@lemmy.dbzer0.com 3 points 2 months ago (2 children)

Isn't it easier to set up a VPN than expose it to the internet?

[–] sanzky@lemmy.world 6 points 2 months ago (2 children)

and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.

[–] Infernal_pizza@lemmy.dbzer0.com 5 points 2 months ago

Tbh I forgot about giving access to others, my homelab is for me only lol

[–] FauxLiving@lemmy.world 2 points 2 months ago (1 children)

You only have to give them access to a specific port on a specific machine, not your entire LAN.

My VPN has a 'media' usergroup who can only access the, read-only, NFS exports of my media library.

If you're just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.

[–] WhyJiffie@sh.itjust.works 2 points 2 months ago (1 children)

yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.

[–] sanzky@lemmy.world 1 points 2 months ago* (last edited 2 months ago) (1 children)

it’s not that it cannot be done. the issue is that something as simple as acceding a service should not require to configure wire guard and routing rules. plenty of FOSS projects are safe to expose through a simple reverse proxy

[–] WhyJiffie@sh.itjust.works 1 points 2 months ago

plenty of FOSS projects are safe to expose through a simple reverse proxy

I have my doubts about that. Personally I would never do that.

[–] Hammersamatom@lemmy.dbzer0.com 3 points 2 months ago* (last edited 2 months ago) (2 children)

Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN

I know way too many people who won't remember to toggle it on, or just won't deal with it

It's just not convenient enough

[–] WhyJiffie@sh.itjust.works 1 points 2 months ago

I know way too many people who won't remember to toggle it on, or just won't deal with it

they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.

[–] WhyJiffie@sh.itjust.works 1 points 2 months ago

I know way too many people who won't remember to toggle it on, or just won't deal with it

they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.