this post was submitted on 09 Oct 2023
28 points (88.9% liked)

Selfhosted

40765 readers
973 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
 

Kind of a quick off the cuff question.... but is it difficult to get a docker hosted jellyfin server accessible outside of lan safely?

I have tailscale and a VPN I can use for my own devices but would like to be able to access it safely without needing those.

top 19 comments
sorted by: hot top controversial new old
[–] SheeEttin 18 points 1 year ago (1 children)

Stick with the VPN. No point in exposing more services with possible security vulnerabilities.

[–] [email protected] 18 points 1 year ago (3 children)

I love Jellyfin but I would absolutely not make it accessible over the public internet. A VPN is the way to go.

[–] [email protected] 5 points 1 year ago (2 children)

Yeah I'm thinking maybe just have family sign up for tailscale.

[–] manwichmakesameal 3 points 1 year ago (3 children)

Why not just run your own WireGuard instance? I have a pivpn vm for it and it works great. You could also just put jellyfin behind a TLS terminating reverse proxy.

[–] dinosaurdynasty 2 points 1 year ago

Sounds like a pain to get non technical family members to use. If you're willing to break the non web app you could always put it behind an authenticating proxy (which is what I do for myself outside of VPN, setting up a VPN on a phone is obnoxious and I only look at metadata anyway on my phone)

[–] [email protected] 1 points 1 year ago

Or headscale, works like a charm

[–] [email protected] 1 points 1 year ago

Why not just run your own WireGuard instance?

CGNAT is a big reason.

[–] SuddenlyBlowGreen 1 points 1 year ago* (last edited 1 year ago)

Yep, that way you can set ACLs, you they can only access the jellyfin ports + the ports you allow them to.

Also, tailacale DNS.

The fact that tailscale has google/apple/etc logon integration will also help.

[–] [email protected] 1 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (1 children)
[–] [email protected] 2 points 1 year ago (1 children)

Oh, sorry, sorry, sorry, i didn't think this is a link 😅😅😅

[–] [email protected] 1 points 1 year ago

Haha, no problem!

[–] [email protected] 0 points 1 year ago (1 children)

Oof, that's bad... And lazy

[–] [email protected] 5 points 1 year ago

Unfortunately a lot of these issues are architectural issues inherited from Emby

[–] darkan15 11 points 1 year ago

If you are not behind a CGNAT, it should be as easy as opening the necessary ports.

I have a reverse proxy running in ports 80, 443 and can safely access Jellyfin on a subdomain without issues from outside my LAN.

[–] [email protected] 4 points 1 year ago

To get it outside the LAN, you just need to forward the port it uses in your router. Example 8096 for regular http requests. I would highly recommend getting at least a reverse proxy with an SSL cert.

[–] [email protected] 4 points 1 year ago* (last edited 1 year ago)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network

5 acronyms in this thread; the most compressed thread commented on today has 8 acronyms.

[Thread #204 for this sub, first seen 9th Oct 2023, 21:05] [FAQ] [Full list] [Contact] [Source code]

[–] [email protected] 2 points 1 year ago

Depends on your definition of safe.

If you do a public port forward and set up basic security and proper SSL its safe from the majority of people.

[–] [email protected] 1 points 1 year ago

You can but it will cause security issues. You will need to buy a domain and setup a SSL proxy with https to proxy traffic in. After than I would lock down you firewall rules and make sure that a compromise can't escape the isolated environment.

Also make sure you docker container is hardened against excaping as it will improve security when a security hole is discovered in jellyfin