Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I’ll need something that “just works”.

How are people solving this problem? I’ve thought about a few solutions, like whitelisting ips (which can change of course), or setting up VPN or tail scale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.

Wondering what others have thought about for this problem

  • cantankerous_cashew@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    5 days ago

    Unethical life pro tip, but I use the free tier of Cloudflare tunnels and Cloudflare access to gate access to my jellyfin instance. This is technically against their TOS but I don’t cache anything and my bandwidth usage is low so it’s probably not too noticeable. I’ll update this post if I get banned at some point 🤡

  • Darkassassin07@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    7 days ago

    I’m so tired of seeing this overblown reaction to ancient non-news.

    Yes, there are some minor vulnerabilities in Jellyfin; but they really really aren’t concerning.

    Unauthenticated, a random person could potentially (with some prior knowledge of this specific issue, and some significant effort randomly generating media UUIDS to tryout) retrieve/playback some media unauthorized. THATS IT. That’s the ONLY real concern. And it’s one you could mitigate with a fail2ban filter if you were that worried about it.

    The other ‘issues’ here, are the potential for your already authenticated users to attack each others settings. Who do you share your server with that you’re concerned about them attacking each other???

    Put this to bed and stop fussing over it. It’s genuinely not worth your time or attention. Exposing Jellyfin to the net is fine.

    Dev comment on the situation: (4 days ago) https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290

  • Getting6409@lemm.ee
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    8 days ago

    I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.

  • daniskarma@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    You can share jellyfin over the net.

    The security issues that tend to be quoted are less important than some people claim them to be.

    For instance the unauthorized streaming bug, often quoted as one of the worst jellyfin security issues, in order to work the attacker need to know the exact id of the item they want to stream, which is virtually impossible unless they are or have been an authorized client at some point.

    Just set it up with the typical bruteforce protections abd you’ll be fine.

    • Possibly linux@lemmy.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      Fine is a relative term

      You probably are fine but the company who is getting attacked by your compromised machine isn’t

      • daniskarma@lemmy.dbzer0.com
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        8 days ago

        I don’t think jellyfin vulnerabilities could lead to a zombified machine. At least I’ve not read about something like that happening.

        Most Jellyfin issues I know are related to unauthorized API calls of the backend.

        • Possibly linux@lemmy.zip
          link
          fedilink
          English
          arrow-up
          0
          ·
          7 days ago

          I think it is a matter of time honestly.

          Jellyfin has grown enough in popularity that it is likely a target for a state actor looking to create some minions. Just because there isn’t any known remote code execution vulnerabilities doesn’t mean there couldn’t be one in the future.

          Maybe I’m being paranoid but it seems way safer to just not expose Jellyfin.

    • MaggiWuerze@feddit.org
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      It’s not impossible, Far from it. The ids are not random uuids but hashes derived from the path. Since most people have a similar setup to organize their media, this gets trivial very fast

      • Synestine@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        If you’re worried about it, make sure to not use a default path. Then legit clients are fine but these theoretical attackers get stymied.

        • MaggiWuerze@feddit.org
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          What? Why would I have to make my library harder to manage just because Jellyfin devs can’t get their act together? They should just start a api/v2 and secure it properly while allowing to disable the old one

          • Synestine@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            0
            ·
            5 days ago

            Ah, so you’re the kind who loves bitching about things online, but won’t lift a finger to defend themself, gotcha.

            What I mentioned prior doesn’t change anything about library management in the slightest, you just wanted an excuse.

          • blitzen@lemmy.ca
            link
            fedilink
            English
            arrow-up
            0
            ·
            7 days ago

            I’m with you that you shouldn’t have to, but putting your media directory one level up in a randomly generated directory name isn’t too bad. ~/[random uuid]/media/… may not be a terrible idea in any case.

  • skankhunt42@lemmy.ca
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    Hang on, why not open the port to jellyfin to the internet?

    I have a lifetime Plex pass so its not urgent but I have a containers running emby and jellyfin to check them out. When I decide which one I planned to open it up and give people logins.

    • Selfhoster1728@infosec.pub
      link
      fedilink
      English
      arrow-up
      0
      ·
      edit-2
      9 days ago

      See this issue on their github repo: here

      Basically from what I understand there’s loads of unauthenticated api calls, so someone can very easily exploit that.

      If they just supported mTLS in their clients it wouldn’t be an issue but oh well :(

  • Chris@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    When I did this I set up a VPN on my network and forced anyone that wanted to use it to get on my network.

      • Chris@lemmy.world
        link
        fedilink
        English
        arrow-up
        0
        ·
        9 days ago

        Probably doesn’t. Might need to use the router to get the whole network on th vpn

      • sugar_in_your_tea@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        edit-2
        8 days ago

        I have my smart TV access it over my local network. If you’re using a friend’s instance, you could set up a WiFi SSID that tunnels everything over your VPN.

        If that’s onerous, you can make it publicly accessible, but only for whitelisted client IPs.

        • Blue_Morpho@lemmy.world
          link
          fedilink
          English
          arrow-up
          0
          ·
          8 days ago

          Yeah I want to completely switch off of Plex but neither is a good solution for my non tech family members. Mother in law is in a retirement center where they use wifi provided for the condos so I can’t access her router. And I would expect her ip to occasionally change on reboots etc. I might try IP ranges or narrow geo blocking.

          • sugar_in_your_tea@sh.itjust.works
            link
            fedilink
            English
            arrow-up
            0
            ·
            8 days ago

            Yeah, an IP range totally works. Figure out the subnet info and add that to a whitelist. It’s a pain, but it should keep the script kiddies at bay.

  • Possibly linux@lemmy.zip
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    8 days ago

    Netbird/Tailscale

    You also could use Wireguard as it is a p2p protocol by default.

    If you have IPv6 access you could put in on a IPv6 address

      • Synestine@sh.itjust.works
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        The reverse proxy is the part that’s exposed. CrowdSec watches the logs for intrusion attempts like fail2ban would.

      • airgapped@piefed.social
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        A reverse proxy saves you from having to expose your services directly and acts as a go-between.

        Internet <--> Reverse Proxy <--> Service

  • Appoxo@lemmy.dbzer0.com
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    I share Jellyfin.

    Behind a Reverse Proxy with 2FA that breaks client support.
    So only web browser :)

  • RonnyZittledong@lemmy.world
    link
    fedilink
    English
    arrow-up
    0
    ·
    9 days ago

    You could probably set up a cloudflare tunnel. I forget what they call it. I think technically sending video through it is against their TOS but if just a few friends and family are using it I doubt you will hit their naughty list.

    • Censed@lemmy.zip
      link
      fedilink
      English
      arrow-up
      0
      ·
      8 days ago

      I’ve heard mixed responses about how sensitive they are about routing video through their service. I’ve heard some people are just fine running jellyfin/Plex while others get shut down from routing a security system through it.

      • Clusterfck@lemmy.sdf.org
        link
        fedilink
        English
        arrow-up
        0
        ·
        8 days ago

        I’ve used it about 2 years now. I have both Jellyfin and even had Invidious for a while. I don’t even know it was against any terms until right now.

  • merthyr1831@lemmy.ml
    link
    fedilink
    English
    arrow-up
    0
    ·
    edit-2
    8 days ago

    I have it as an unprivileged container behind a reverse proxy and HTTPS/HSTS. I know it’s not perfect but I keep backups of important shit and monitor things regularly.

    I agree that Jellyfin needs to improve its API security, though. Their excuse that “it would break clients on old APIs” is moot when C# comes with API versioning features out of the box.

  • fishynoob@infosec.pub
    link
    fedilink
    English
    arrow-up
    0
    ·
    8 days ago

    I don’t do this, but I would set up oAuth like Authelia or something behind a reverse-proxy and authenticate Jellyfin clients through that.