A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
I agree, but SSH is more secure than Jellyfin. it shouldn't be exposed like that, others in the comments already pointed out why
I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet. It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.
In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.
Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.
Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don't see the open ports, they move on. Won't stop a determined attacker, of course, but that's what other layers are for.
As long as there's real security otherwise (TLS, good passwords, etc), it's fine.
If anyone says "that's a false sense of security", ignore them. They've replaced thinking with a cliche.
I don't disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don't want exposed. And then there's the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that's only because I'm comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.
Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.
If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.
So security through obscurity :) But good luck for the bots to figure all that out.
VPN is of course the actually secure option, I’d vote for Tailscale.
I kept the main domain open, but redirected it to a rickroll
Nice, but the bots may not understand the joke.
And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
Yeah that's a good point. The joke is mostly for my own enjoyment or any random user who happens to forget the jellyfin. subdomain.
I have had a few hits to /wp-admin, but cloudflare actually blocks those for me (I don't use a tunnel but I do use them for the domain name which helps a bit). I might just shut down the main page then.
Tailscale - funnel
Just that
I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
I don't use jellyfin but my general approach is either:
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won't get discovered by an IP scanner.
Mine's on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there's also a fail2ban to rate-limit someone brute-forcing a login.
I've always exposed my home IP to the internet. Haven't had an issue in the last 15 years. I'm running about 10 public-facing services including NTP and SMTP.
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
Personally I use twingate, free for 5 users and relatively straightforward to set up.
Headscale server on cheap vps with tailscale clients.
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
What's the point of authentik when Jellyfin already has authentication?
While technically not strictly necessary, it adds more robust authentication methods, and makes it easier to build out other apps if you want to in the future without having to re-do the sign-in process for all of your users. You can have things like 2fa and other things that make it harder for bots to get in and easier for users to stay in. It also makes it easier to keep track of login attempts and notice compromised accounts.
Edit: There are also alternatives like authelia that may be easier to implement. I don't really trust most web apps to be ultra secure with internet-facing sign-in pages so it just feels like "good practice" to hide behind an auth service whose sole purpose is to be written and built securely. Plus once you learn how to set up fail2ban with an auth service, there will be no need to re-learn or re-implement it if you add a 2nd app/service. Very modular and makes testing and adding new things much easier.
Another benefit is that it has a nice GUI. I can look at logins, add services, stuff like that without touching config files which will be nice for those who don't like wading through text files to change config.
Can authentik pass through the authentication to Jellyfin, or do you just log in twice?
It can pass through. There is even an official Authentik guide on the various methods specifically for Jellyfin: https://integrations.goauthentik.io/integrations/services/jellyfin/
Same with Authelia, though I don't have a link for that on hand.
Cheers!
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.
I'm trying to self host navidrome in docker with a cloudflare domain and reverse proxy on the same network. Still fiddling myself since I keep getting a 403 cloudflare no access error.
Essentially, using cert provided by cloudflare where they proxy to my ip. From there the reverse proxy routes to my service. If I'm understanding it right, anyone with my domain would only see cloudflare ip instead of my own. Someone correct me if I'm wrong. I'm still learning this stuff as well.
Prior to this, I was using tailscale which worked fine but I'd have to connect via tailscale everytime and some instances, it wouldn't connect properly at all.
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
and I have certbot for my domain on ec2 :)