Selfhosted
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Are you singling out Jellyfin for a particular reason? Or are you also going to advise just never opening ports in general?
Jellyfin people just always spout this advice as some sort of copium and I don't even know why. ALL software will have security issues at some point or another. Just update and move on with your life.
Definitely.
But I think more than copium it's them understanding their users. It's advice for people that will figure out how to run Jellyfin but won't stay on top of updates, set up a WAF, use a firewall/reverse proxy to limit access, etc. There are surely a lot of those that just one-clicked an installer etc. and for them it's good advice.
That's fair, does it not have any kind of encryption by default?
Standard TLS, I think, but what else would you need?
None really, just wondering what the issue with opening it up is if it has TLS? In 10+ years I've never had my Plex server compromised and it just uses TLS. I do change the default port but that's it.
Plex logins go through their login server so you'll also have login throttling and probably other bot protections.
They also do some SSL shenanigans to get every user a unique, valid public certificate created during setup. https://words.filippo.io/how-plex-is-doing-https-for-all-its-users/
That's kinda my perspective on it too. I mean, how do they think websites work? Gotta expose ports to make all the internet things happen. Sure, commercial stuff will have more devices to protect it, but there are things you can do to mitigate issues at home too.
There is a new story every week in Steve Gibson's "Security Now" podcast about why you should virtually never open ports. And if you do, you'd better IP restrict. Even, or especially, in commercial products. Cisco has a new CVSS 10.0 every other week just about.
I run pretty much all my stuff through NPMplus. Then I have a firewall between my public and private networks in case something does get compromised. But I've had Plex exposed (on a non-default port) for literally years and nothing ever happens.
Why NPMplus and not the default NPM?
Primarily for the CrowdSec integration (one less thing to set up manually)
https://www.virtualizationhowto.com/2025/09/nginx-proxy-manager-vs-npmplus-which-one-is-better-for-your-home-lab/
Why link the fork of a fork in your original response?
Uhhh, did I? https://github.com/ZoeyVid/NPMplus is the link I meant to post for NPMplus. It's a fork of NPM.
For the vast majority of users? Yes. They shouldn't forward ports.
Set up a VPN gateway at Grandma's house.
Jellyfin is particularly bad compared to other things. You still should avoid exposing stuff to the internet.