A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
No spam posting.
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
No trolling.
Resources:
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
What’s your go too (secure) method for casting over the internet with a Jellyfin server.
I’m wondering what to use and I’m pretty beginner at this
Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban
I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale
Tailscale + Caddy (automatic certificates FTW).
OpenVPN into my router
Tailscale - funnel
Just that
Tailscale, with nginx for https.
Very easy, very simple, just works, and i can share my jellyfin server with my friends
This is the easiest way for sure.
OpenVPN into my own LAN. Stream from there to my device.
Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.
Being new to this I would look into how to set these things up in docker using docker-compose.
An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)
ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.
And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.
There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.
This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.
Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.
This is an interesting setup
I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.
If your reverse proxy only acknowledges jellyfin exists if the hostname is correct, you won't get discovered by an IP scanner.
Mine's on jellyfin.[domain].com and you get a completely different page if you hit it by IP address.
If it does get found, there's also a fail2ban to rate-limit someone brute-forcing a login.
I've always exposed my home IP to the internet. Haven't had an issue in the last 15 years. I'm running about 10 public-facing services including NTP and SMTP.
Please to see: https://github.com/jellyfin/jellyfin/issues/5415
Someone doesn't necessarily have to brute Force a login if they know about pre-existing vulnerabilities, that may be exploited in unexpected ways
Personally I use twingate, free for 5 users and relatively straightforward to set up.
I don't use jellyfin but my general approach is either:
There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.
for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router
and I have certbot for my domain on ec2 :)
SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)
Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.
For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.
I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.
Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.