this post was submitted on 23 May 2026
182 points (96.9% liked)

Selfhosted


Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

(page 3) 50 comments
[–] 8j1obzlb@piefed.social 9 points 1 day ago (2 children)

I agree with the folks saying reverse proxy of some kind + WAF. That way end users don’t have to deal with the VPN, but your home system is not directly exposed.

I’ve been doing something similar with SSH local port forwarding and a $5/month VPS. Haven’t come anywhere close to my network quotas, and performance has not been an issue for home use with 2-5 concurrent users most of the time. I forward the local caddy ports to unprivileged ports/user on the VPS, then use the firewall on the VPS to forward that port to 443 and lock down the rest.
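A concrete version of that setup, as an added example rather than the commenter's own scripts: the home-side ssh command, an sshd drop-in that limits what the tunnel account can do, and the VPS nftables rules that redirect 443 to the tunnel port and drop everything else. It assumes the tunnel is opened from the home box toward the VPS with ssh -R, Caddy listens on 127.0.0.1:443 at home, and VPS_HOST, TUNNEL_USER and TUNNEL_PORT are placeholders.

```shell
#!/bin/sh
# Added example, not from the thread. Assumes: the home box runs Caddy on 127.0.0.1:443,
# the tunnel is opened from home toward the VPS with ssh -R, and the VPS uses nftables.
# VPS_HOST, TUNNEL_USER and TUNNEL_PORT are hypothetical placeholders.
set -eu
VPS_HOST="${VPS_HOST:-vps.example.org}"
TUNNEL_USER="${TUNNEL_USER:-tunnel}"
TUNNEL_PORT="${TUNNEL_PORT:-8443}"

# Home side: publish local :443 on an unprivileged VPS port. -N opens no shell;
# ExitOnForwardFailure lets a supervisor (systemd/autossh) restart a dead tunnel.
home_tunnel_cmd() {
  printf 'ssh -N -o ExitOnForwardFailure=yes -o ServerAliveInterval=30 -R 0.0.0.0:%s:127.0.0.1:443 %s@%s\n' \
    "$TUNNEL_PORT" "$TUNNEL_USER" "$VPS_HOST"
}

# VPS side, sshd_config.d drop-in: the tunnel user may only open this one remote
# listener, gets no shell, no local forwards, no X11 (nologin path varies per distro).
vps_sshd_match_block() {
  cat <<EOF
Match User $TUNNEL_USER
    AllowTcpForwarding remote
    PermitListen $TUNNEL_PORT
    GatewayPorts yes
    PermitTTY no
    X11Forwarding no
    ForceCommand /usr/sbin/nologin
EOF
}

# VPS side, nftables: redirect public 443 to the tunnel port and drop everything
# else except SSH, the tunnel port and already-established flows.
vps_nft_ruleset() {
  cat <<EOF
table inet tunnel {
  chain prerouting {
    type nat hook prerouting priority dstnat;
    tcp dport 443 redirect to :$TUNNEL_PORT
  }
  chain input {
    type filter hook input priority filter; policy drop;
    iif lo accept
    ct state established,related accept
    tcp dport { 22, $TUNNEL_PORT } accept
  }
}
EOF
}
```

Run `home_tunnel_cmd` under a supervisor on the home box, and load `vps_nft_ruleset` with `nft -f` on the VPS after placing the Match block in /etc/ssh/sshd_config.d/.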

[–] cupcakezealot@piefed.blahaj.zone 10 points 1 day ago (2 children)

if they're close, add them to your Tailscale; if not and you have a web server, use a reverse proxy.

for Tailscale, you'd probably have to walk them through setting it up, but then it's one and done

That’s basically the VPN solution but with a little more flexibility.

If you want to actually expose the service, you can use Tailscale to connect it to a VPS and then expose that port to the web with Nginx, but if you do that, be prepared on the security front because…you know…open internet be full of hazards.

[–] blah3166@piefed.social 7 points 1 day ago

Best practice states security through obscurity is not to be relied upon, but compare SSH logs after one year on the default port vs. a non-standard port and you'll immediately see why you want to use a non-standard HTTPS port for non-professional services. It cuts 99.9% of the noise/attempts.

[–] skeevy_scallops@feddit.online 8 points 1 day ago (1 children)

Call me crazy, but I just use a Cloudflare tunnel since my domain is already provided through them. They make it really easy to add subdomains attached to specific ports on the local machine and automatically add the proper DNS entries. Additionally, they have a ton of domain security/anti-bot measures you can set up.

[–] darcmage@lemmy.dbzer0.com 4 points 1 day ago (1 children)

I haven't had any issues like that. It's been pretty plug and play and I have it set up for some family that are accessing it from out of town. No problems except for the big cloudflare outage that happened a while ago.

Depends on what you mean by "secure." My personal setup is Jellyfin LXC on proxmox --> Wireguard to VPS -> Nginx reverse proxy on VPS.

This setup relies somewhat on Jellyfin's auth, but I'm comfortable with that risk. The LXC is blocked from sending local traffic on my network by firewall rules. Yes, someone could exploit a vulnerability in Jellyfin (though looking through the CVEs I'm not overly worried about that), then escape the LXC and fuck with my server. But that's a lot of work for no profit.

For more protection (in the sense of reducing traffic that even interacts with your server), I'd recommend getting a wildcard cert for the domain so that the actual subdomain Jellyfin is on is undisclosed to anyone not using your service.

Security isn't about making everything impregnable, it's about making attacks more trouble than they're worth. Otherwise, we'd all live in fortified bunkers surrounded by landmines. 🙃

[–] atzanteol@sh.itjust.works 5 points 1 day ago (1 children)

Your VPS isn't doing anything useful security-wise; it's just sending traffic directly to Jellyfin.

You'd get the same protection with just port forwarding to a local proxy in front of jellyfin. Or you could even leave out the proxy if you didn't need it.

I'm aware of this (that's why I described a potential breach as Jellyfin -> LXC escape). What it does provide me is a static IP to point my domain at that I don't have to worry about updating via whatever DDNS service and that isn't tied to my home address. That and the wireguard tunnel gives me plausible deniability should my ISP ever decide to enforce its rules against hosting servers. 😀

[–] njordomir@lemmy.world 2 points 1 day ago* (last edited 1 day ago)

I toyed with the idea of exposing ports and decided against it. I don't understand networking well enough yet. For me specifically, VPN access has been perfectly workable in the US with both speed and ease of access.

Can you use fail2ban on Jellyfin? That might be a wise step.

[–] AllYourSmurf@lemmy.world 8 points 1 day ago

I agree with reverse proxy + middleware. I’d also suggest something like Jellyswarm as the front end. That way I can connect to other friends’ servers too.

[–] INeedMana@piefed.zip 6 points 1 day ago

If they could be using the web UI (I'm not sure how a client would work with auth like that), then it kind of depends on how much hassle they can live with and how secure you want to be.

Simplest would be to use https://doc.traefik.io/traefik/reference/routing-configuration/http/middlewares/basicauth/
You set up a username and password and share those with the user. But it can be brute-forced.

Something more secure but also a bit more demanding would be some kind of email OTP:
https://docs.goauthentik.io/add-secure-apps/flows-stages/stages/authenticator_email/
Set up Authentik to send a time-limited link to their email that will let them through. But they would have to authenticate every time they access it.

[–] irotsoma@piefed.blahaj.zone 5 points 1 day ago

Reverse proxy with fail2ban or crowdsec. It's possible to set up things like Pangolin which ultimately use a VPN between external and internal access points but not at the client, though it takes more setup if you want to use apps over pangolin instead of just the browser.
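For njordomir's fail2ban question above and this comment's reverse proxy + fail2ban suggestion, an added example that is not from anyone in the thread: a fail2ban filter and jail for Jellyfin's auth-denied log line, plus the same per-IP counting run by hand over constructed sample lines. The log wording and the file paths are assumptions to confirm against your own install.

```shell
#!/bin/sh
# Added example, not from the thread. The regex is modelled on Jellyfin's log line
# 'Authentication request for "user" has been denied (IP: x.x.x.x).' (assumption:
# confirm the exact wording against your own Jellyfin log before relying on it).
# File paths below are the usual fail2ban locations but are hypothetical here.
set -eu

# /etc/fail2ban/filter.d/jellyfin.conf
jellyfin_filter_conf() {
  cat <<'EOF'
[Definition]
failregex = ^.*Authentication request for ".*" has been denied \(IP: "?<HOST>"?\)\.
ignoreregex =
EOF
}

# /etc/fail2ban/jail.d/jellyfin.local. Behind a reverse proxy, Jellyfin must be told
# to trust the proxy (Known Proxies) so the logged IP is the client, not the proxy.
jellyfin_jail_conf() {
  cat <<'EOF'
[jellyfin]
enabled  = true
filter   = jellyfin
logpath  = /var/log/jellyfin/log_*.log
maxretry = 5
findtime = 10m
bantime  = 1h
EOF
}

# Constructed sample lines in the same shape as the Jellyfin message above (line 4 is a
# constructed non-auth line that the filter must ignore).
SAMPLE_LOG='[2026-05-23 10:00:01.000 +00:00] [INF] [14] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "alice" has been denied (IP: 203.0.113.7).
[2026-05-23 10:00:02.000 +00:00] [INF] [14] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "admin" has been denied (IP: 198.51.100.9).
[2026-05-23 10:00:03.000 +00:00] [INF] [14] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "root" has been denied (IP: 203.0.113.7).
[2026-05-23 10:00:04.000 +00:00] [INF] [21] Emby.Server.Implementations.Session.SessionManager: Session playback start for "alice".
[2026-05-23 10:00:05.000 +00:00] [INF] [14] Jellyfin.Server.Implementations.Users.UserManager: Authentication request for "alice" has been denied (IP: 203.0.113.7).'

# The check fail2ban performs, done by hand: read log lines on stdin, extract the
# denied-auth source IP, count per IP and print "count ip" for every IP at or above $1.
denied_over_threshold() {
  sed -n 's/.*Authentication request for ".*" has been denied (IP: "\{0,1\}\([0-9.]\{7,15\}\)"\{0,1\}).*/\1/p' \
    | sort | uniq -c | awk -v t="$1" '$1 >= t { print $1, $2 }'
}

# Stand-alone run: list IPs with 3 or more denials in the sample.
printf '%s\n' "$SAMPLE_LOG" | denied_over_threshold 3
```

Check the live filter with `fail2ban-regex /var/log/jellyfin/log_*.log /etc/fail2ban/filter.d/jellyfin.conf` before enabling the jail.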

[–] FreedomAdvocate 0 points 20 hours ago

without a VPN

Also running all your pirated content traffic through the world's biggest internet traffic/service provider is certainly a choice lol

[–] androidul@lemmy.world 2 points 1 day ago (2 children)

AFAIK (but I'm not sure), Jellyfin lacks support for OIDC AuthN, which is a clear sign that you cannot expose this publicly.

[–] IratePirate@feddit.org 4 points 1 day ago* (last edited 1 day ago) (2 children)

~~There's a plugin for that.~~ Plugin is archived and will become outdated (and unsafe to use) over time. Don't use it.

[–] IratePirate@feddit.org 3 points 1 day ago* (last edited 1 day ago)

Oops. I tried it in the past and just linked it too quickly without taking a close look at the repo. I've updated the above posting. Thanks for pointing this out.

[–] Passerby6497@lemmy.world 1 points 1 day ago (1 children)

Plugin is arrived

*Archived, arrived just means it is here

[–] Decronym@lemmy.decronym.xyz 5 points 1 day ago* (last edited 12 minutes ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
ISP Internet Service Provider
LXC Linux Containers
NAS Network-Attached Storage
NAT Network Address Translation
NUC Next Unit of Computing brand of Intel small computers
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #311 for this comm, first seen 23rd May 2026, 22:30]
