this post was submitted on 23 Oct 2023
29 points (100.0% liked)
Jellyfin: The Free Software Media System
5779 readers
21 users here now
Current stable release: 10.10.3
Matrix (General Information & Help)
Matrix (Off-Topic) - Come get to know the team and blow off steam!
Matrix Space - List of all the available rooms on Matrix.
Discord - Bridged to our Matrix rooms
founded 4 years ago
MODERATORS
you are viewing a single comment's thread
view the rest of the comments
view the rest of the comments
You could setup zerotier and expose jellyfin in that network instead. Will allow access to clients you allow without needing to widely expose it
I tried that before and was never able to get it working properly. Clients had to have server addresses changed each time they used ZeroTier instead of my LAN; ZT DNS didn't work for me either.
Ultimately, I just shared Jellyfin through Nginix, set up aggressive IP filtering on my WAN, and handled the DNS configuration on my own hardware at home. This is essentially what OP is suggesting, and I found it much easier than ZeroTier, just "technically" less secure, but not by much if you do it right.
I'll take a look at ZeroTier, but what you say there does seem like a little hassle.
What are the ways that the setup with Nginx is done poorly? You mention aggressive IP filtering - are you essentially just whitelisting traffic incoming IPs from the users? For DNS I was planning on using Cloudflare - I have no experience setting up anything of the kind myself.
Nginx is good for isolating your internal services from the internet, and for routing HTTP over HTTPS, but you still have to make the assumption that your internal services are secure. What I do is block all incoming connections on my firewall that don't match my whitelist. For a long time I blocked everything but my mobile provider, my work, and my partner's work. Lately I have been whitelisting US addresses and blocking all other countries (certbot requires incoming connections to auto renew SSL certs). I also blacklist known bad ranges just in case, although few of these are in the US anyway.
What you block and allow would depend largely on your use case, but my opinion is the more the better.
Even if Jellyfin has an unknown exploit, and even if someone thought my little home LAN was worth targeting, chances are they wouldn't make it past my firewall anyway.