this post was submitted on 31 Mar 2025
214 points (98.2% liked)

Selfhosted

59955 readers
308 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam.

  3. Posts here are to be centered around self-hosting. Please ensure it is clear in your post how it relates to self-hosting.

  4. Don't duplicate the full text of your blog or git here. Just post the link for folks to click.

  5. Submission headline should match the article title.

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
214
How to secure Jellyfin hosted over the internet? (programming.dev)
submitted 1 year ago by lambda@programming.dev to c/selfhosted@lemmy.world
137 comments fedilink hide all child comments
 

I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

you are viewing a single comment's thread
view the rest of the comments
[–] sludge@lemmy.ml 6 points 1 year ago* (last edited 1 year ago) (1 children)

And since i don't post my valid urls anywhere no web-scraper can find them

You would ah... be surprised. My urls aren't published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.

It's true none of those threat actors know my valid subdomains, but that doesn't mean they don't know I'm there.

[–] gagootron@feddit.org 2 points 1 year ago (1 children)

Of course i get a bunch of scanners hitting ports 80 and 443. But if they don't use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there

[–] SpaceCadet@feddit.nl 5 points 1 year ago (1 children)

This is how I found out Google harvests the URLs I visit through Chrome.

Got google bots trying to crawl deep links into a domain that I hadn't published anywhere.

[–] zod000@lemmy.ml 1 points 1 year ago* (last edited 1 year ago) (1 children)

This is true, and is why I annoyingly have to keep robots.txt on my unpublished domains. Google does honor them for the most part, for now.

[–] SpaceCadet@feddit.nl 4 points 1 year ago* (last edited 1 year ago) (2 children)

That reminds me ... another annoying thing Google did was list my private jellyfin instance as a "deceptive site", after it had uninvitedly crawled it.

A common issue it seems.

[–] zod000@lemmy.ml 2 points 1 year ago

Unsurprising, but still shitty. Par for the course for the company these days.

[–] Nibodhika@lemmy.world 2 points 1 year ago

They did that with most of my subdomains