this post was submitted on 26 Jun 2025
382 points (98.2% liked)

Selfhosted

48689 readers
1815 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
382
Jellyfin over the internet (startrek.website)
submitted 1 day ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
222 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

you are viewing a single comment's thread
view the rest of the comments
[–] Vanilla_PuddinFudge@infosec.pub 34 points 17 hours ago* (last edited 17 hours ago) (3 children)

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

  1. Wireguard tunnel, be it tailscale, netbird, innernet, whatever
  2. A vps with a proxy on it, I like Caddy
  3. A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

[–] lostbit 1 points 50 minutes ago

show me those “holes” this is just fear mongering

[–] oyzmo@lemmy.world 10 points 15 hours ago (2 children)

Wow, a "for dummies" guide for doing all this would be great 😊 know of any?

[–] Vanilla_PuddinFudge@infosec.pub 3 points 9 hours ago

I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart's content.

[–] ohshit604@sh.itjust.works 4 points 13 hours ago* (last edited 13 hours ago) (1 children)

If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.

Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.

There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.

[–] oyzmo@lemmy.world 1 points 6 hours ago

Thnx :]

[–] umbrella@lemmy.ml 2 points 13 hours ago (1 children)

i would also love more details about accomplishing some of that stuff

[–] ddawg@lemmynsfw.com 2 points 9 hours ago

I've recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.

Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.