this post was submitted on 26 Jun 2025
384 points (98.2% liked)

Selfhosted

48689 readers
1815 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
384
Jellyfin over the internet (startrek.website)
submitted 1 day ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
223 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

(page 2) 50 comments
sorted by: hot top controversial new old
[–] PieMePlenty@lemmy.world 11 points 12 hours ago (1 children)

I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..

[–] FlembleFabber@sh.itjust.works 3 points 11 hours ago

It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it

[–] smiletolerantly@awful.systems 18 points 14 hours ago (2 children)

I host it publicly accessible behind a proper firewall and reverse proxy setup.

If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.

I think one of these days I need to make a "myth-busting" post about this topic.

[–] greywolf0x1@lemmy.ml 8 points 13 hours ago

Please do so, it'll be very useful

load more comments (1 replies)
[–] skoell13@feddit.org 4 points 10 hours ago (1 children)

I use a VPS and a wiregusrd tunnel.

https://codeberg.org/skjalli/jellyfin-vps-setup

[–] EpicFailGuy@lemmy.world 1 points 7 hours ago (2 children)

I'm currently using CF Tunnels and I'm thinking about this (I have pretty good offers for VPS as low as $4 a month)

Can you comment on bandwidth expectations? My concern is that I also tunnel Nextcloud and my offsite backups and I may exceed the VPS bandwidth restrictions.

BTW I'm testing Pangolin which looks AWESOME so far.

load more comments (2 replies)
[–] Vanilla_PuddinFudge@infosec.pub 34 points 17 hours ago* (last edited 17 hours ago) (4 children)

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

  1. Wireguard tunnel, be it tailscale, netbird, innernet, whatever
  2. A vps with a proxy on it, I like Caddy
  3. A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

[–] oyzmo@lemmy.world 10 points 15 hours ago (2 children)

Wow, a "for dummies" guide for doing all this would be great 😊 know of any?

[–] Vanilla_PuddinFudge@infosec.pub 3 points 9 hours ago

I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart's content.

[–] ohshit604@sh.itjust.works 4 points 13 hours ago* (last edited 13 hours ago) (1 children)

If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.

Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.

There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.

[–] oyzmo@lemmy.world 1 points 6 hours ago

Thnx :]

[–] umbrella@lemmy.ml 2 points 13 hours ago (1 children)

i would also love more details about accomplishing some of that stuff

[–] ddawg@lemmynsfw.com 2 points 9 hours ago

I've recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.

Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.

load more comments (2 replies)
[–] Takios@discuss.tchncs.de 6 points 12 hours ago

Wireguard VPN to my fritzbox lets me access my jellyfin.

[–] WhatThaFudge@lemmy.sdf.org 7 points 13 hours ago

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS

I followed this video and modified some things like ports

[–] circledot@feddit.org 7 points 13 hours ago

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

[–] captainastronaut@seattlelunarsociety.org 8 points 14 hours ago

If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.

[–] Evil_Shrubbery@lemm.ee 52 points 22 hours ago (5 children)

Wireguard.

[–] WhyJiffie@sh.itjust.works 9 points 19 hours ago* (last edited 19 hours ago) (2 children)

and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.

its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.

it can even be your laptop, without hdmi cables

[–] phx@lemmy.ca 6 points 14 hours ago

You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road

load more comments (1 replies)
load more comments (4 replies)
[–] potentiallynotfelix@lemmy.fish 3 points 13 hours ago

VPN or Tailscale

[–] oong3Eepa1ae1tahJozoosuu@lemmy.world 64 points 1 day ago (14 children)

Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.

[–] Novi@sh.itjust.works 58 points 1 day ago (32 children)

I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.

[–] 30p87@feddit.org 45 points 1 day ago (1 children)

fail2ban with endlessh and abuseipdb as actions

Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.

[–] mosiacmango@lemm.ee 24 points 18 hours ago* (last edited 18 hours ago) (1 children)

Youve minimized login risk, but not any 0 days or newly discovered vulnerabilites in your ssh server software. Its still best to not directly expose any ports you dont need to regularly interact with to the internet.

Also, Look into crowdsec as a fail2ban replacement. Its uses automatically crowdsourced info to pre block IPs. A bit more proactive compared to abuseipdb manual reporting.

load more comments (1 replies)
load more comments (31 replies)
load more comments (13 replies)
[–] xnx@slrpnk.net 15 points 20 hours ago

Tailscale

[–] nutbutter@discuss.tchncs.de 6 points 17 hours ago (1 children)

This is my setup.

Read more, here.

load more comments (1 replies)
[–] This2ShallPass@lemmy.world 8 points 18 hours ago (1 children)

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

[–] bitwolf@sh.itjust.works 4 points 16 hours ago

Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?

[–] Merlin@discuss.tchncs.de 7 points 18 hours ago

I just install tailscale at family houses. The limit is 100 machines.

load more comments
view more: ‹ prev next ›