Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
The biggest problem with that Jellyfin to this day is that you can’t.
Seems like every new open source selfhosted app implements OIDC compatibility, but for some reason, I can only assume is technical debt, Jellyfin hasn’t.
Jellyfin had a third party plugin for OIDC. It was archived recently, but I heard Jellyfin has plans to implement it directly into the software. 🤞
The plugin was neat, but if the clients don’t support it, it’s pretty much useless.
Mobile clients should use QuickConnect for it (statement by the sso plugin maintainer). Else it should work with everything that uses the WebUI.
Quick connect is not SSO. Because the topic is about non-technical end user friendly solutions, this isn’t a great one because this requires your user to login using a web browser on a different device and then use that for the quick connect and it’s just more clunky than it should really be.
It’s honestly easier in this situation to just configure your end users device with a mesh VPN like Tailscale or Netbird and then all they ever have to do is login with whatever password you gave them.
What exactly about jellyfin makes this oidc style access more difficult to manage?
Jellyfin just doesn’t have it, period. There’s a third party plugin that will kind of tack it on to the Webui, but none of the Jellyfin apps will work with it.
Which plugin?
To be totally honest I’m not sure you can harden jellyfin enough for public Internet exposure without also breaking basic functionality of the platform.
This is why everyone is always pushing so hard for a VPN/Tailnet of some kind. The public internet is a bit to much of a wild west to be exposing arbitrary services to it unless you really know what you’re doing.
You can do a reverse proxy + authelia (or other auth service). It’s still more risky than a VPN IMO, buts wayyyy better than some of the other options in this thread
I’m kinda disappointed with this thread, I’m in a similar position to OP, but all the responses are just like “use a reverse proxy and make your URL hard to guess” and other measures which are not very secure. \
It seems like that’s about as good as you can get at the moment, because the mobile apps barf if you try to add in auth in front of the reverse proxy, but a lot of people seem to be providing this advice like it’s good enough rather than as good as you can get.
Well yeah, the “good as you can get” answers are “use a VPN” or “don’t”.
So every answer is as good as you can get?
I suppose it depends on what you mean by “good as you can get”.
Im confused as to what people think the security issue is? Do they think someone will brute force their username and password with a billion queries?
That’s assuming an attacker will play nice with URL forming and discovering edge cases in POSTing shaped data to the service. Just encrypting is still weak security if the whole front-end web and API surface isn’t hardened.
Afraid people will use known vulnerabilities in common self-hosted software.
Sorry but are you guy not using Linux as your servers? Windows? Now I understand.
Did you just suggest Linux has no vulnerabilities in any of its distros, and neither does any of the self-hosted services?
Put Jellyfin and a reverse proxy in an isolated vlan or DMZ, with no ability to reach into your lan at all and everyone connects in the same way. Its just movies, thats all you lose if it gets hacked. Set up some monitoring too in case it becomes a botnet node so you can destroy it and start over.
Are the majority of you running jellyfin on windows? All of this reverse proxy stuff sounds incredibly paranoid to me and 99% of zero day exploits would be very unlikely to fully compromise up to date linux servers.
@KneeTitts @Jason2357 Recently there are a lot of zero-day kernel exploits (local privilege escalation), so I would make sure “up to date” includes regular reboots into new kernels. As opposed to just relying on something like unattended-upgrades.
For the past few weeks we’ve been averaging one LPE per week, and it’s probably going to continue like that for a bit.
The reverse proxy is just to give it TLS with a let’s encrypt cert. If you are running an internet facing web application without TLS, Windows is the least of your concerns.
My use cases are:
- Connect from multiple devices on the same home network (with the application)
- Connect from a phone device on the internet (with the application)
- Connect from some PC’s and devices on the internet (with the application and from web browser)
For home networked devices, I don’t care about security that much. I try to lock it down on the router level and by using VLANs for less secure devices. I connect via IP directly (or .local domain).
Jellyfin runs under its own user with read access to a media library.
For devices on the internet, I have jellyfin exposed on a specific url path of my domain - through a reverse proxy all through 443. A bit of security through obscurity here. I’m proxied through cloudflare on the DNS side with very restrictive IP rules.
I think this is enough for the security flaws jellyfin does have. I’d sleep better at night if it had client certificate support, but Its not a big deal imo. If security flaws allowing remote code execution are found, I’ll shut it down and allow access through wireguard only and lose access from some devices on the internet where I cant use VPNs. Not a bit deal either.deleted by creator
If client certificates and basic auth is not supported by jellyfin:
- reverse proxy
- strong random subdomain
- wildcard certificate
- tls1.3 only
- doh/dot only
1-3 make random scanners unable to find your service, 4&5 even hide it from your ISP. Dot/doh service will still know your subdomain, so be your own dot/doh ! :D
I’m no expert, but an unguessible URL path is similar but not visible to DNS. Could do both.
If jellyfin Clients can do URLs, sure
Throw in port knocking for good measure.
You telling me jellyfin Clients can’t handle client certs but can port knock?
My proposal is for maxing ux on the client side while being properly hidden.
No you port knock first to open the ports. Then connect the client.
usually port knocking opens the relevant port to the client IP that is knocking. So it makes a lot of sense to have the knocking done by the requesting client. In many situations knocking from your mobile while behind the same NAT as your jellyfin client will do the trick, but if you have different IPv6 on those devices etc, it won’t.
Also: if you assume your DNS lookups are sniffed - so are your port knocks. If you don’t, spare the extra work. But then, if you like port knocking - keep knocking, nothing wrong about it :D
Could always get super complicated and rotate your port knocking so no replay attacks. But now we’re just getting silly :)
As others have mentioned, a reverse proxy, like nginx or caddy. These are web servers, so you need to configure it or an app that runs in it. May I shill: Nginx Proxy Manager (NPM).
Cloudflare. Just make sure to disable caching
How do you get the mobile app to connect?
I just type the URL
I have Cloudflare set up without Auth. Just region locked to my country
So it’s just a solid reverse proxy with a bunch of features and an added layer with white listing.
I know whitelisting isn’t security per say but it’s good enough
Idk if geo whitelisting is really good enough. I can’t speak for OP, but I’m in the same position and I don’t. I had high hopes for the post but everyone seems to just brush over the “secure” part
What are you afraid of?
My jellyfin runs in a a rootless podman container
I’m afraid of security bugs in the software I’m using, so that containers don’t contain, read-only doesn’t prevent writing, mounting directories doesn’t restrict access to those directories, etc.
I’m a nobody, I can’t imagine anyone targeting me or my random domain, but I can imagine getting swept up in a net of attacks of opportunities targeting hosted software with known vulnerabilities, or injected supply chain vulnerabilities, so I want to reduce my attack surface as much as I can (while still actually letting the people I want to access it actually access it)
Then don’t expose anything on the internet
At the very minimum stick a reverse proxy in front like caddy, nginx, or Traefik. Then have some middleware like crowdsec to inspect what’s going on. Then whitelist the IP or the country IP block.
There is much more but those would be the bare minimum.
I too would like to know more. Jellyfin has been something that I am still hesitating to expose online without a VPN.
I have Plex behind a reverse proxy (HAproxy) with Crowdsec and firewall rules all behind Cloudflare. My firewall rules in HAproxy block access a few different ways, like if request are higher then 60 requests a second, or if there is strange path traversal. Used the following guide as a start.
https://www.archy.net/building-a-native-fail2ban-with-haproxy-stick-tables/
Reverse proxy with auth in front of the actual jellyfin login. Like pangolin.
How do you get apps through something like that? Do you have to open your browser and hit the URL periodically to handle auth there and it just remembers your IP?
You can set pangolin to allow access to an entire resource or just certain paths without the front auth, instead relying on the built in auth.
Your random plex/emby/jellyfin server isn’t going to be a huge target and the built in auth is good enough for the limited access your media system should have.
Wait so if you’re gonna allow access without authentication then why bother putting pangolin in front of jellyfin? Does it help in some other kind of way? I don’t really get how it helps without interfering with apps accessing jellyfin.
I am really not comfortable with that. Limited or not.
If there was a Jellyfin app that supported adding a custom header to the server connection, you could set your reverse proxy to just let the connections with that secret key header through, and make everything else go through the extra auth middleware. But as far as I know, none of the Jellyfin apps have that feature, even though it has been requested. Lots of other selfhosted apps do have the feature though, and I use it in a few places as well.
Gotcha yeah, I did this for LunaSea with traefik forward auth for the arrs, but I the lack of support in jellyfin clients is annoying. Though personally I’ve been waiting 5 years for Findroid to support transcoded streams / adjusting video quality so personally that’s higher on my list of priorities.
Would you need to? Are apps a viable vector in? Basic auth in front of web ui does make sense though.
What do you mean viable? The web UI is just an app that is delivered to your browser, it makes more or less the same API requests as an app would make, so IDK why the risk would be lower with an app?
If an attacker can access the login endpoint for example to brute force or dictionary attack, it doesn’t matter if the web UI is or isn’t accessible if the login endpoint it uses is exposed for an app. The attacker could serve their own copy of the web UI and proxy requests to the API your app connects to. Blocking the html from being served doesn’t make a difference.
Okay then use a vpn.
That’s exactly the point I’m getting at. Putting an auth wall doesn’t work with many apps, and if you add exceptions to the API then you’re not really protecting anything.
@BakedCatboy @anon_8675309
I think that could be fixed with authentication through headers (netbird reverse proxy supports that, no idea about pangolin though) but apps should also support adding custom headers on requestsYes that’s what I would like to advocate for. I did something similar with LunaSea, but often people suggest doing that with Jellyfin and are not aware that almost no apps support it, and that adding exceptions for the API makes you basically as secure as not having it. But people tend to get very defensive when you try to tell them that something won’t work, so I try to phrase it as a question to see if I can get them to understand what the limitations are in a way that’s less confrontational.
deleted by creator
You don’t.
Gotcha I see, just checking if I missed something since that was the issue last time I tried doing something like that. These days I just yolo it and expose jellyfin to the public Internet.
i might have spoken to soon.
https://www.reddit.com/r/PangolinReverseProxy/comments/1ouk4u6/phone_app_access/
i havent tried it though, but sounds interesting.
Possibly mTLS, which you’d configure in your reverse proxy. You could email them the certificate and instructions on installing it. I believe for Chromium browsers on Windows you basically just double click the cert and click through the wizard. Firefox I know has a thing in the settings for importing the cert. Android you just tap on the cert and make sure it opens with ‘Certificate Installer’ if it gives you the option.
I recently did exactly this. Only works with the web UI, no apps support it, but working well and those without the cert just get a 400 error. Not sure if non technical tbh, since you will get warnings when adding your root certificates to any device, and that might scare some who don’t understand what it does.
Also set it up through wireguard, so can punch out of double NAT.
Only works with the web UI, no apps support it
Yeah that’s true.
you will get warnings when adding your root certificates to any device
It’s not a root certificate, and I’ve never seen any warnings.
You need the web site to use a certificate from the same root authority as your client certificate. Otherwise browsers won’t present the certificate to the server. That means either warnings on connect or adding the root cert.
I do think if you are doing it with them in person it is doable to add it.
You need the web site to use a certificate from the same root authority as your client certificate.
I’m not sure if I’ve misunderstood you, but I use Lets Encrypt for the server’s TLS, and then my own CA cert (which is only present on the webserver) for the client’s mTLS and everything works fine, since it’s the client that validates the server’s cert and the server that validates the client’s cert.
This should be at the top
Not a terrible idea but im not sure rokus or fire sticks or whatever even have this capability.
Secure is relative, you should be aware that jellyfin itself has security issues https://github.com/jellyfin/jellyfin/issues/5415 most of which are harmless, but at least one is fairly serious and allows people to watch your media without authentication, and adding an extra layer of authentication on the proxy would likely cause issues with clients.
That being said, if you’re okay with those security issues what I would do is have a cheap VPS, connect both machines to tailscale, and have something like Caddy on the VPS to do the forwarding.
Just leaving this here
Now, let’s address this clearly once and for all. What is possible is unauthenticated streaming. Each item in a Jellyfin library has a UUID generated which is based on a checksum of the file path. So, theoretically, if someone knows your exact media paths, they could calculate the item IDs, and then use that ItemID to initiate an unauthenticated stream of the media. As far as we know this has never actually been seen in the wild. This does not affect anything else - all other configuration/management endpoints are behind user authentication. Is this suboptimal? Yes. Is this a massive red-flag security risk that actively exposes your data to the Internet? No.
https://github.com/jellyfin/jellyfin/issues/5415#issuecomment-2825240290
Reminds me of
It really seems overblown of an issue…
Except most people have almost the same structure because of media organizers like radarr/sonarr. At the very least they should hide that behind a setting to not require auth (since the header should be there for most clients) so only people running an old client would be affected. They could also add an extra salt to that hash or something similar.
I agree, it’s not critical, but it shouldn’t be hand waved either. And like I said, security is relative, I would argue for most people this is fine, but I still think this should be taken more seriously.
Yeah not only would a lot of people have the same media name, because of docker mounts, probably a lot of people have the same path to the media inside of the docker container even if the external location is different. I bet you could make a rainbow table of sorts of the most popular movie/TV torrents combined with the most common place in the container for media to be mounted, then use shodan to get a list of hundreds of instances that you could scan for the common hashes.
I’m just seeing the issue for the first time and noticed it was raised 5 years ago - surely that was enough time to at least put forward a changeover date and give clients time to update.
Jokes on them, my paths are a shitshow and I can’t be bothered to organize them properly
Do you not do any renaming? That probably would make it even easier as you can just brute force with a database of filenames scraped from torrents. I already have a proof of concept that generates valid jellyfin IDs from any given file path, it only takes a few more steps before you can plug in a shodan scan of jellyfin instances and just shotgun a bunch of IDs generated from torrents.csv at them and find stuff you can stream without authentication.
People not bothering to rename, using the default radarr naming scheme, or everyone using the same naming pattern from trash guides just makes it easier.
Probably the only way to guarantee nobody can probe your media and stream it without authentication is to make sure to rename everything using a format that only you use or mount all your media under a path inside docker that contains a long randomly generated folder prefix.
I was mostly making the comment in jest. I do rename, but my folder structures, as someone who downloads everything manually based on what I want to watch rather than doing the automated *arr stuff leaves it in directories only I consider sensible.
I have Jellyfin behind a reverse proxy that lives in a DMZ and a WAF to go with it. I’m sure there’s still room for watching an unauthenticated stream because I forgot to rename a folder somewhere, but it’s not exactly an attack vector I care about. I’m more concerned about DDoS or impersonation attacks, which I also attempt to mitigate via an LDAP implementation behind the scenes.
It’s not perfect, but it’s the best effort I can make at the moment.
Yeah that’s fair and I think that’s a good move, my point is just that people are acting like this is not feasible to exploit. I’m at the point in my exploit testing excursion where I have a script that can generate a stream of potential IDs based on real torrent names being parsed and reformatted using radarr’s default naming pattern as well as the commonly used trash guides ones permuted with some common library paths used in the default docker compose examples, and it’s turning up actual ID matches with my jellyfin instance. All I have left to do is make it create API requests to test the IDs against the unauthenticated API instead of checking an exported list and there’s a proof of concept. 5 years is a long time for someone to figure that out.
Run the jellyfin in a container that only has read privileges to the videos ( make sure you can’t get out to your whole NAS from there), put that behind a Cloudflaired tunnel.
It’s not technically secure, but if they can’t get a foothold in your network and the only thing they can access is your video catalog, that’s a reasonable amount of risk.
Just make sure you disable caching or it can be a bit slow
Gotta be careful with cloudflared and media. They can block you if they detect copyrighted materials, even if it’s your own DVDs. You can setup TLS certs so the traffic is at least encrypted
If your American, ripping your own DVD’s still isn’t legal.
Right. Which is why Cloudflared would block you if it’s detected. But regardless, if for whatever reason, you ended up in court for the content you copied, the judge would probably give you a low fine. Obviously not legal advice, but the US justice system doesn’t have time to care about people making digital copies of DVDs they’ve purchased.
It’s irrelevant anyway, since none of us are just copying our own DVDs… But for legal reasons /s
