this post was submitted on 18 Jul 2025
93 points (86.6% liked)

Selfhosted

49699 readers
330 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
93
Just created my own zero trust network! (lemmy.world)
submitted 4 days ago* (last edited 4 days ago) by HurlingDurling@lemmy.world to c/selfhosted@lemmy.world
56 comments fedilink hide all child comments
 

No awards are needed, just wanted to share my excitement that while my Jellyfin server still keeps loosing my entire library every 24 hours at least now it has a domain and ssl cert!

That is all. Happy Friday everyone

you are viewing a single comment's thread
view the rest of the comments
[–] possiblylinux127@lemmy.zip 0 points 4 days ago (31 children)

You didn't expose it to the internet right?

If you want remote access setup client certs

[–] BaroqueInMind@piefed.social 3 points 4 days ago (2 children)

How?

[–] tux7350@lemmy.world 0 points 4 days ago (2 children)

Ya got three options.

Option A is to create your own certificate that is self-signed. You will then have to load the certificate into any client you want to use. Easier than people realize, just a couple terminal commands. Give this a go if you want to learn how they work.

Option B is to generate a certificate with Let's Encrypt via an application like certbot. I suggest you use a DNS challenge to create a wildcard certificate.

Option C is to buy a certificate from your DNS provider aka something like cloudflare.

IMO the best is Option B. Takes a bit to figure it out but its free and rotates automatically which I like.

I like helping and fixing stuff, if you'd like to know anything just ask :D

[–] RunningInRVA@lemmy.world 7 points 4 days ago (2 children)

None of these are client certificates btw. These are just ways to have your server use TLS encryption with any client that connects but it offers no authorization. If you want authorization with client certificates you need to implement mTLS (Mutual TLS).

[–] tux7350@lemmy.world 3 points 4 days ago (2 children)

Oooo ya know I actually don't know about these. I've done both A and B for my homelab and C for work.

Any good resources / insight into mTLS? I appreciate the response btw!

[–] possiblylinux127@lemmy.zip 2 points 4 days ago (1 children)

https://www.youtube.com/watch?v=YhuWay9XJyw

You really should not expose stuff to the internet willy nilly. If you must you need to have extensive monitoring and security controls plus you should understand the application at a deep level.

[–] tux7350@lemmy.world 2 points 3 days ago

Ahhh interesting video! I appreciate the post. I see the mTLS is more about authenticating who the client is outside the application.

Don't worry, Im not just exposing thing willy nilly 🤣 For client-side authentication I use Authentik combined with 2FA, Duo, and fail2ban. Authentik provides identity management through LDAP to jellyfin and any sign in request goes to MFA and you get a Duo notification to approve. You can do other MFA, i just havent set it up.

Ive got a lot of family who use my server. Asking them to install a TSL cert on every machine would be impossible. My method also monitors all sign in requests. Setting up Authentik was a hugggeee game changer for me.

[–] RunningInRVA@lemmy.world -4 points 4 days ago (1 children)

Google?

[–] tux7350@lemmy.world 6 points 4 days ago (1 children)

Well ya know this is a forum and I was trying to engage in a friendly conversation to learn about something you brought up.

But yeah I know how to fucking Google lol

[–] RunningInRVA@lemmy.world -4 points 4 days ago (1 children)

Yes it’s a forum. But just because I corrected your error doesn’t mean I am obligated to do a whole fucking write up for you or go to google myself for you. Grow up.

[–] CybranM@feddit.nu 4 points 3 days ago (1 children)

Then why reply at all? Zero effort is to avoid commenting, maximum effort is trying to answer, "Google?" is wasted effort

[–] RunningInRVA@lemmy.world -2 points 3 days ago (1 children)

Not really. This person should learn to do their own research. They apparently need it.

[–] Confused_Emus@lemmy.dbzer0.com 2 points 3 days ago (1 children)

Who pissed in your cornflakes?

[–] RunningInRVA@lemmy.world -1 points 3 days ago (1 children)

tux7350

[–] Confused_Emus@lemmy.dbzer0.com 2 points 3 days ago* (last edited 3 days ago)

I get the impression you're the type of person who encounters assholes everywhere you go.

[–] SheeEttin@lemmy.zip 2 points 4 days ago (1 children)

Nor is it authentication.

[–] possiblylinux127@lemmy.zip 2 points 4 days ago

That is for server side certs not client side. I'm talking about Mutual TLS.

Setting up https is not going to stop bots. All it does is prevent man in the middle attacks. You want to limit who and what can access Jellyfin so that you don't end up being a victim of an automated exploit.

[–] archy@lemmy.world -1 points 4 days ago (1 children)

Kleopatra

[–] possiblylinux127@lemmy.zip 2 points 4 days ago

That isn't mutualTLS

It just is a frontend for gpg. You need OpenSSL for mutual certs.

load more comments (28 replies)