Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I’ll need something that “just works”.

How are people solving this problem? I’ve thought about a few solutions, like whitelisting IPs (which can change, of course), or setting up a VPN or Tailscale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.

Wondering what others have thought about for this problem.

  • cantankerous_cashew@lemmy.world · 7 days ago

    Unethical life pro tip, but I use the free tier of Cloudflare tunnels and Cloudflare access to gate access to my jellyfin instance. This is technically against their TOS but I don’t cache anything and my bandwidth usage is low so it’s probably not too noticeable. I’ll update this post if I get banned at some point 🤡

  • skankhunt42@lemmy.ca · 10 days ago

    Hang on, why not open the port to jellyfin to the internet?

    I have a lifetime Plex pass so it’s not urgent, but I have containers running Emby and Jellyfin to check them out. When I decide which one, I plan to open it up and give people logins.

    • Selfhoster1728@infosec.pub · edited · 10 days ago

      See this issue on their GitHub repo: here

      Basically from what I understand there’s loads of unauthenticated api calls, so someone can very easily exploit that.

      If they just supported mTLS in their clients it wouldn’t be an issue but oh well :(

  • Xanza@lemm.ee · 10 days ago

    There are two routes. VPN and VPS.

    VPN; setup wireguard and offer services to your wireguard network.

    VPS; setup a VPS to act as a reverse proxy for your jellyfin instance.

    Each have their own perks. Each have their own caveats.

      • Xanza@lemm.ee · 10 days ago

        You’re exposing your jellyfin instance to a single IP, your VPS. That’s what a reverse proxy is.

        You block all communication from any IP but local, and your VPS IP from jellyfin, and forward web traffic from your VPS to your jellyfin instance. It’s not the same as exposing your jellyfin instance directly. Not sure why I have to explain that…but here we are, I guess.

  • daniskarma@lemmy.dbzer0.com · 10 days ago

    You can share jellyfin over the net.

    The security issues that tend to be quoted are less important than some people claim them to be.

    For instance the unauthorized streaming bug, often quoted as one of the worst jellyfin security issues, in order to work the attacker need to know the exact id of the item they want to stream, which is virtually impossible unless they are or have been an authorized client at some point.

    Just set it up with the typical bruteforce protections and you’ll be fine.

    • Possibly linux@lemmy.zip · 10 days ago

      Fine is a relative term

      You probably are fine but the company who is getting attacked by your compromised machine isn’t

      • daniskarma@lemmy.dbzer0.com · edited · 10 days ago

        I don’t think jellyfin vulnerabilities could lead to a zombified machine. At least I’ve not read about something like that happening.

        Most Jellyfin issues I know of are related to unauthorized API calls of the backend.

        • Possibly linux@lemmy.zip · 9 days ago

          I think it is a matter of time honestly.

          Jellyfin has grown enough in popularity that it is likely a target for a state actor looking to create some minions. Just because there aren’t any known remote code execution vulnerabilities doesn’t mean there couldn’t be one in the future.

          Maybe I’m being paranoid but it seems way safer to just not expose Jellyfin.

    • MaggiWuerze@feddit.org · 10 days ago

      It’s not impossible, far from it. The ids are not random UUIDs but hashes derived from the path. Since most people have a similar setup to organize their media, this gets trivial very fast.

      • Synestine@sh.itjust.works · 10 days ago

        If you’re worried about it, make sure to not use a default path. Then legit clients are fine but these theoretical attackers get stymied.

        • MaggiWuerze@feddit.org · 10 days ago

          What? Why would I have to make my library harder to manage just because the Jellyfin devs can’t get their act together? They should just start an api/v2 and secure it properly while allowing users to disable the old one.

          • Synestine@sh.itjust.works · 7 days ago

            Ah, so you’re the kind who loves bitching about things online, but won’t lift a finger to defend themselves, gotcha.

            What I mentioned prior doesn’t change anything about library management in the slightest, you just wanted an excuse.

          • blitzen@lemmy.ca · 9 days ago

            I’m with you that you shouldn’t have to, but putting your media directory one level up in a randomly generated directory name isn’t too bad. ~/[random uuid]/media/… may not be a terrible idea in any case.

  • Shimitar@downonthestreet.eu · 10 days ago

    You can share jellyfin on the net. I do.

    The issues shared far and wide are mostly moot points, where the attacker needs to already have access to Jellyfin itself to have any surface.

    It’s FUD, and I am convinced it is spread by Plex people in an effort to cover up their fuckup and enshittification.

    • MaggiWuerze@feddit.org · 10 days ago

      Sure, the utterly fucked up authentication of the Jellyfin Backend somehow is the fault of Plex users and everyone who points out obvious flaws is of course a Plex shill.

      Maybe you should take a look at what you are defending here. The fact that the devs openly refuse to fix this to maintain backwards compatibility, thus endangering their users, says a lot about the quality of the project.

    • sugar_in_your_tea@sh.itjust.works · 10 days ago

      I love Jellyfin and use it. I also think the security issues are very serious and it’s irresponsible to not fix them. At the very least they can make a new API and give users the option to enable or disable the insecure one until clients get updated. But they don’t.

      I’ve decided to remove public access to my Jellyfin server until it’s resolved, though it’s still accessible behind my VPN.

    • Possibly linux@lemmy.zip · 10 days ago

      That’s a bad idea for so many reasons.

      The internet is full of bots pounding at your machines to get in. It is only a matter of time until they breach Jellyfin. At the very least you want a reverse proxy with proper security.

      I don’t see why you would put something like Jellyfin in the internet. Use a VPN solution.

      • dogs0n@sh.itjust.works · 10 days ago

        > The internet is full of bots pounding at your machines to get in. It is only a matter of time until they breach Jellyfin.

        If you are talking about brute force attacks on your password, then use a good password… and something like fail2ban to block IPs that are spamming you.

        This point doesn’t exactly match, but: public services like Google auth don’t require users to use VPNs. They have a lot more money to keep stuff secure, but you may see my point… auth isn’t too trivial of a feature to keep secure nowadays. They implement similar protections, something to block spammers and make users have good passwords (if you don’t use a good password, you are still vulnerable on any service).
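        The brute-force protection mentioned above (fail2ban-style banning) reduces to a small sliding-window rule. This added example is not from the post and not fail2ban's or Jellyfin's own code; it spells the rule out over constructed log lines so the thresholds are visible. A source IP is banned once it produces `maxretry` denied logins within `findtime` seconds (5 and 600 s, which are fail2ban's usual defaults), and LAN addresses in `ignore` are never banned. The log lines only loosely imitate Jellyfin's server log; the exact message wording is an assumption, so check your own log before writing a real filter regex.

```python
# Added example (not fail2ban itself and not Jellyfin code): the ban decision
# fail2ban makes on an auth log, written out so maxretry / findtime / ignoreip
# are visible. Log lines below are constructed and only loosely imitate
# Jellyfin's server log format; the message wording is an assumption.
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

SAMPLE_LOG = """\
[2024-05-01 20:00:00.010 +00:00] [INF] Authentication request for "dad" has been denied (IP: 198.51.100.4).
[2024-05-01 20:00:01.120 +00:00] [INF] Authentication request for "dad" has been denied (IP: 203.0.113.9).
[2024-05-01 20:00:03.551 +00:00] [INF] Authentication request for "admin" has been denied (IP: 203.0.113.9).
[2024-05-01 20:00:04.200 +00:00] [INF] Jellyfin server started, listening on port 8096.
[2024-05-01 20:00:05.002 +00:00] [INF] Authentication request for "root" has been denied (IP: 203.0.113.9).
[2024-05-01 20:00:06.880 +00:00] [INF] Authentication request for "test" has been denied (IP: 203.0.113.9).
[2024-05-01 20:00:08.413 +00:00] [INF] Authentication request for "dad" has been denied (IP: 203.0.113.9).
[2024-05-01 20:00:09.000 +00:00] [INF] Authentication request for "mum" has been denied (IP: 192.168.1.20).
[2024-05-01 20:00:10.000 +00:00] [INF] Authentication request for "mum" has been denied (IP: 192.168.1.20).
[2024-05-01 20:00:11.000 +00:00] [INF] Authentication request for "mum" has been denied (IP: 192.168.1.20).
[2024-05-01 20:00:12.000 +00:00] [INF] Authentication request for "mum" has been denied (IP: 192.168.1.20).
[2024-05-01 20:00:13.000 +00:00] [INF] Authentication request for "mum" has been denied (IP: 192.168.1.20).
[2024-05-01 20:10:30.000 +00:00] [INF] Authentication request for "dad" has been denied (IP: 198.51.100.4).
[2024-05-01 20:21:00.000 +00:00] [INF] Authentication request for "dad" has been denied (IP: 198.51.100.4).
"""

# Matches only denied logins; successes and unrelated lines never count.
FAIL_RE = re.compile(
    r'^\[(?P<ts>[^\]]+)\] \[\w+\] Authentication request for "(?P<user>[^"]*)" '
    r'has been denied \(IP: (?P<ip>[^)]+)\)\.?$'
)
TS_FMT = "%Y-%m-%d %H:%M:%S.%f %z"
# Never ban the LAN: a family member typing a wrong password on the couch
# should not lock the whole house out.
LAN = ("127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "::1/128")


def find_bans(log_text, maxretry=5, findtime=600, ignore=LAN):
    """Return {ip: time_of_ban} for every source that hit maxretry failures
    inside a findtime-second sliding window."""
    ignore_nets = [ipaddress.ip_network(n) for n in ignore]
    recent = defaultdict(deque)   # ip -> timestamps of failures still in the window
    bans = {}                     # ip (str) -> timestamp that triggered the ban
    for line in log_text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ip = ipaddress.ip_address(m["ip"])
        if any(ip in net for net in ignore_nets) or str(ip) in bans:
            continue
        ts = datetime.strptime(m["ts"], TS_FMT)
        window = recent[ip]
        window.append(ts)
        # Drop failures older than findtime; the newest entry (ts) always stays.
        while ts - window[0] > timedelta(seconds=findtime):
            window.popleft()
        if len(window) >= maxretry:
            bans[str(ip)] = ts
            window.clear()
    return bans


if __name__ == "__main__":
    for ip, when in find_bans(SAMPLE_LOG).items():
        print(f"ban {ip} (triggered at {when.isoformat()})")
```

        With the defaults, the fast guesser at 203.0.113.9 is banned on its fifth failure, the LAN address is ignored, and the slow prober at 198.51.100.4 (one attempt every ten minutes) stays under the window; lowering `maxretry` and widening `findtime` catches it, which is the trade-off a real filter tunes.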

        • Possibly linux@lemmy.zip · 9 days ago

          The password is totally irrelevant for the most part. The worst case is that they get access to the dashboard.

          The problem is when major security vulnerabilities are found like remote code execution

      • daniskarma@lemmy.dbzer0.com · 10 days ago

        I have had jellyfin exposed to the net for multiple years now.

        Countless bots probing every day, some banned by my security measures, some not. There has never been a breach. Not even close.

        To begin with, if you look at what these bots are doing, most of them try to target vulnerabilities in older software. I have never even seen a bot targeting Jellyfin at all. Its vulnerabilities are not worth attacking: too complex to get right and very little reward, as what can mostly be done is stream some content or mess around with some database. No monetary gain. AFAIK there’s not a Jellyfin vulnerability that would allow running anything on the host. Most vulnerabilities are related to unauthorized actions of the Jellyfin API.

        Most bots, if not all, target other systems, mostly in search of outdated software with very bad vulnerabilities where they could really get some profit.

        • Possibly linux@lemmy.zip · edited · 9 days ago

          Your IP address is what they are after.

          They quietly compromise your system and then your IP gets used as a proxy for attacks against larger targets like government institutions.

          How would you know that you were compromised?

          I know this sounds far-fetched, but if you remember, there was a LastPass breach due to Plex. You need to be very careful with the public internet.

          • daniskarma@lemmy.dbzer0.com · edited · 9 days ago

            IP addresses are fairly public.

            In order to get that kind of infection there needs to be a serious vulnerability. None of the services I expose have those kinds of vulnerabilities, and I keep them updated.

            A zero-day may be possible, but it can happen with any software.

            Anyway, even if some of my services got infected that way, I have them all in Docker containers. If they managed somehow to insert any malicious software it would have disappeared at the next restart of the container.

            And in order to have software that breaks out of the container it would need to also have some sort of zero-day Docker exploit. Two zero-days needed to accomplish that…

            Every exposed piece of software I have is running behind a Caddy reverse proxy. And Caddy is the only authorized author on my firewall, so it gets more difficult to try to run unexpected malicious software through it.

    • yeehaw@lemmy.ca · 10 days ago

      I also think Plex probably has open vulns and it’s also a more known target. The nail that sticks out furthest gets nailed down.

  • Possibly linux@lemmy.zip · edited · 10 days ago

    Netbird/Tailscale

    You also could use WireGuard, as it is a p2p protocol by default.

    If you have IPv6 access you could put it on an IPv6 address.

  • Appoxo@lemmy.dbzer0.com · 10 days ago

    I share Jellyfin.

    Behind a Reverse Proxy with 2FA that breaks client support.
    So only web browser :)

      • Synestine@sh.itjust.works · 10 days ago

        The reverse proxy is the part that’s exposed. CrowdSec watches the logs for intrusion attempts like fail2ban would.

      • airgapped@piefed.social · 10 days ago

        A reverse proxy saves you from having to expose your services directly and acts as a go-between.

        Internet <--> Reverse Proxy <--> Service

          • Codilingus@sh.itjust.works · 10 days ago

            Think of it as more modular.

            I personally used Traefik, but only because I’m a masochist and it would be useful to know in an IT workplace.

            Traefik + CrowdSec + CrowdSec Traefik Bouncer.

            Traefik handles the traffic, and said traffic has to get a green light from CrowdSec + Bouncer before it can go anywhere.

            The concept of CrowdSec is honestly super awesome.

  • merthyr1831@lemmy.ml · edited · 10 days ago

    I have it as an unprivileged container behind a reverse proxy and HTTPS/HSTS. I know it’s not perfect but I keep backups of important shit and monitor things regularly.

    I agree that Jellyfin needs to improve its API security, though. Their excuse that “it would break clients on old APIs” is moot when C# comes with API versioning features out of the box.

  • Chris@lemmy.world · 10 days ago

    When I did this I set up a VPN on my network and forced anyone that wanted to use it to get on my network.

      • sugar_in_your_tea@sh.itjust.works · edited · 10 days ago

        I have my smart TV access it over my local network. If you’re using a friend’s instance, you could set up a WiFi SSID that tunnels everything over your VPN.

        If that’s onerous, you can make it publicly accessible, but only for whitelisted client IPs.

        • Blue_Morpho@lemmy.world · 10 days ago

          Yeah, I want to completely switch off of Plex, but neither is a good solution for my non-tech family members. My mother-in-law is in a retirement center where they use WiFi provided for the condos, so I can’t access her router. And I would expect her IP to occasionally change on reboots etc. I might try IP ranges or narrow geo blocking.

          • sugar_in_your_tea@sh.itjust.works · 10 days ago

            Yeah, an IP range totally works. Figure out the subnet info and add that to a whitelist. It’s a pain, but it should keep the script kiddies at bay.
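            The subnet allowlist suggested here, and the two-hop layout Xanza describes further up (home firewall admits only the LAN and the VPS; the VPS reverse proxy forwards to Jellyfin), both come down to one decision the reverse proxy makes per request. The following is an added example, not code from this thread, from Traefik, from nginx or from Jellyfin; the trusted-proxy address and the family subnets are constructed documentation ranges. It shows the two steps a proxy's IP allowlist middleware performs: working out which address counts as the client (X-Forwarded-For is believed only when the TCP peer is the trusted VPS, and even then only the last hop it appended), then matching that address against CIDR ranges, which is what keeps a relative's occasionally changing address working as long as it stays within the ISP's block.

```python
# Added example (not code from the thread, Traefik, nginx or Jellyfin): the
# access decision a reverse proxy fronting Jellyfin makes before forwarding.
#   1. Decide which address is "the client". X-Forwarded-For is believed only
#      when the TCP peer is a trusted upstream proxy (the VPS in the two-hop
#      design); a direct client could forge it. Even then, only the last entry,
#      the one the trusted proxy itself appended, is used.
#   2. Match that address against the allowlist of CIDR ranges.
# All addresses are documentation ranges constructed for this example.
import ipaddress
from typing import Iterable, Optional


def parse_ranges(ranges: Iterable[str]) -> list:
    """Turn CIDR strings (or bare addresses) into network objects.
    strict=False lets "203.0.113.77/24" mean "the /24 containing that host"."""
    return [ipaddress.ip_network(r, strict=False) for r in ranges]


def normalize(addr):
    """Dual-stack listeners report IPv4 peers as ::ffff:a.b.c.d; unwrap them so
    they match IPv4 ranges instead of silently failing every IPv6 range."""
    if addr.version == 6 and addr.ipv4_mapped is not None:
        return addr.ipv4_mapped
    return addr


def client_ip(remote_addr: str, x_forwarded_for: Optional[str], trusted_proxies: list):
    """Return the address the allowlist must be checked against.
    Raises ValueError on a malformed address; the caller treats that as deny."""
    remote = normalize(ipaddress.ip_address(remote_addr))
    if x_forwarded_for and any(remote in net for net in trusted_proxies):
        # Proxies append the peer they saw, so only the last entry is vouched
        # for by the trusted hop; earlier entries may be client-supplied.
        last_hop = x_forwarded_for.split(",")[-1].strip()
        return normalize(ipaddress.ip_address(last_hop))
    # Direct connection: the header is untrusted and ignored entirely.
    return remote


def is_allowed(addr, allowlist: list) -> bool:
    return any(addr in net for net in allowlist)


def decide(remote_addr: str, xff: Optional[str], trusted_proxies: list, allowlist: list) -> bool:
    """True if the request may be forwarded to Jellyfin; fails closed on garbage."""
    try:
        addr = client_ip(remote_addr, xff, trusted_proxies)
    except ValueError:
        return False
    return is_allowed(addr, allowlist)


# Constructed configuration: the VPS that fronts the home server, plus two
# family subnets (an IPv4 /24 the ISP hands out and an IPv6 /48).
TRUSTED_PROXIES = parse_ranges(["198.51.100.10"])
FAMILY_ALLOWLIST = parse_ranges(["203.0.113.0/24", "2001:db8:abcd::/48"])

if __name__ == "__main__":
    cases = [
        ("203.0.113.77", None),                        # direct peer inside the /24
        ("192.0.2.9", "203.0.113.77"),                 # forged header from a direct peer
        ("198.51.100.10", "203.0.113.77"),             # family member via the VPS
        ("198.51.100.10", "203.0.113.77, 192.0.2.9"),  # VPS actually saw 192.0.2.9
        ("::ffff:203.0.113.5", None),                  # IPv4-mapped peer on dual stack
    ]
    for remote, xff in cases:
        verdict = "allow" if decide(remote, xff, TRUSTED_PROXIES, FAMILY_ALLOWLIST) else "deny"
        print(f"{remote!s:22} xff={xff!s:28} -> {verdict}")
```

            The forged-header case is the one that matters when the proxy is reachable directly: without the trusted-proxy check, anyone could put a family address in X-Forwarded-For and walk through the allowlist. Real proxies implement the same rule (Traefik's ipAllowList/ipWhiteList `depth` and nginx's `set_real_ip_from` exist for this), so configure which upstream is trusted explicitly rather than trusting the header by default.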

      • Chris@lemmy.world · 10 days ago

        Probably doesn’t. Might need to use the router to get the whole network on the VPN.

  • jonesboyz@lemmy.world · 9 days ago

    I use a reverse proxy via NGINX Proxy Manager to expose to the web but allow easy access for my users. I pay $10 a year for a domain name to make access easier.

      • zenpocalypse@lemm.ee · edited · 8 days ago

        Reading over that list, I don’t really see anything that isn’t “maybe gets read privileges for non-critical data”. Hardly useful enough to be worth attempting access to a single personal Jellyfin server.

        I’d be mildly surprised if anyone has ever bothered.

        You do you, but in my view the effort outweighs the benefits.

        • NicestDicerest@lemmy.world · edited · 8 days ago

          Sure, and it’s your own choice, but you should still be aware of what could/can happen, so that you can make these decisions informed. Maybe I worded it a bit too harshly; I’m sorry, English is not my first language.

      • jonesboyz@lemmy.world · 9 days ago

        Thanks. I’ve heard about these issues before and I am not really concerned.

        To OP’s point, I want something that just works for my users, and I’m not really concerned about those risks.

  • TheButtonJustSpins@infosec.pub · 10 days ago

    I’ve been making people use a VPN, but that’s been a huge barrier to entry. I’m in the process of switching to an IP allow list in Traefik.

    • doodledup@lemmy.world · 10 days ago

      I have it behind a proxy and IPS. I force my users to have strong passwords. I don’t see why this would be a problem.

      • Possibly linux@lemmy.zip · 10 days ago

        It’s a major problem.

        It is only a matter of time before it gets compromised. Chances are you will have no idea it happened and your home internet will join the botnet of some nation state. The Jellyfin devs take security seriously, but there will always be flaws.