Not only is it likely, it's pretty much guaranteed that a bot will scrape your network if it's opened to the public.
Look into setting up mesh networks. Opening up a port will work, but it's insecure, while tools like netbird or tailscale still allow you to connect to it remotely, but only allow YOU and the people YOU want to allow to connect to it, not the entire world.
Maybe consider Zerotier as well
So the reason you'd want a reverse proxy is because it handles security and would do a much better job of it than an exposed jellyfin port.
Public FQDN -> your home IP -> your router allows 443/whatever to your reverse proxy -> it handles SSL and being hit by the internet (look into nginx security and even fail2ban) -> proxy serves up whatever insecure site/app you'd like.
A reverse proxy does not magically make an insecure app secure.
That's where nginx security options and other tools like fail2ban come into play. I could've mentioned it better in my first sentence but a reverse proxy gives the capability to make it more secure than any options jellyfin will give you.
I'd rather put nginx with modsecurity in front of jellyfin than not.
I use a reverse proxy so I can just use a hostname and not need a port. I run Jellyfin that way no problem, function-wise.
Additionally, not having a domain won’t necessarily protect you since you do have people out there scanning for ports and when they see 8096, they’re going to immediately know it’s a Jellyfin/Emby server and any vulnerabilities associated with those. If you use a reverse proxy, they only see 443 which is…pretty much every other site on the internet. That’s security through obscurity, I know, but it will help mitigate some of the easier attacks.
I’ll say that everything I have to have a port open for (mostly game servers) gets targeted by the internet at large despite the fact that I’ve published the address and port absolutely nowhere online and only shared it with close friends. I almost never get anyone trying to log in to my other services.
Okay, so can people just find that shit on google? And also what are the odds of certain companies and agencies being perturbed by me essentially broadcasting copyrighted content? Even if I own it. I shouldn't expect FBI or worse, Viacom hitmen, right? Especially if the content is behind a login?
Not even Google, they just go through every IP and port number and record if something responds.
So I have jellyfin deployed to my kubernetes home lab, router port forwarded to the ingress controller (essentially a reverse proxy) on the cluster. So exposed to the internet. Everything on it has authentication, either built in to the application or using an oauth proxy. All applications also have valid SSL configurations thanks to the reverse proxy. I also use cloudflare DNS with their proxy enabled to access it and have firewall rules to drop traffic that hits port 80/443 that doesn't originate from those cloudflare proxy IPs (required some scripting to automate). It drops a lot of traffic every day. I have other security measures in place as well, but those are the big ones.
So yeah, if you expose your router to the internet, it's gonna get pinged a lot by bots and someone might try to get in. Using a VPN is a very simple way to do this securely without exposing yourself and I'd suggest going that route unless you know what you're doing.
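An added example, not part of the comment above and not the commenter's own script, of the kind of automation it describes: validating a downloaded list of proxy ranges and rendering an nftables allowlist for ports 80/443. The feed contents, the `edge_allow` table and the `proxy4`/`proxy6` set names are constructed, and it assumes the rules are loaded on the host that receives the 80/443 traffic and that the feed carries both IPv4 and IPv6 ranges.

```python
import ipaddress

# Constructed feed: documentation ranges standing in for the proxy's published
# list, plus junk lines a failed or tampered download could contain.
SAMPLE_FEED = """192.0.2.0/24
198.51.100.0/24
2001:db8::/32
0.0.0.0/0
<html>error</html>
198.51.100.7/24
"""
MIN_PREFIX = {4: 8, 6: 16}  # assumption: broader entries are rejected as bad data


def parse_ranges(feed):
    """Return (v4, v6) sorted lists of validated networks from the feed text."""
    nets = {4: set(), 6: set()}
    for line in feed.split():
        try:
            net = ipaddress.ip_network(line, strict=True)  # rejects host bits
        except ValueError:
            continue  # HTML error pages, typos, addresses with host bits set
        if net.prefixlen >= MIN_PREFIX[net.version]:  # 0.0.0.0/0 = allow-all
            nets[net.version].add(net)
    return sorted(nets[4]), sorted(nets[6])


def render_nft(v4, v6, ports=(80, 443)):
    """Render an nftables table; fail closed if either family list is empty."""
    if not v4 or not v6:
        raise ValueError("incomplete allowlist, keep the ruleset already loaded")
    dports = "{ " + ", ".join(map(str, ports)) + " }"
    out = ["table inet edge_allow {"]
    for name, typ, nets in (("proxy4", "ipv4_addr", v4), ("proxy6", "ipv6_addr", v6)):
        out += [f"  set {name} {{", f"    type {typ}", "    flags interval",
                "    elements = { " + ", ".join(map(str, nets)) + " }", "  }"]
    out += ["  chain input {",
            "    type filter hook input priority 0; policy accept;",
            f"    tcp dport {dports} ip saddr @proxy4 accept",
            f"    tcp dport {dports} ip6 saddr @proxy6 accept",
            f"    tcp dport {dports} drop",
            "  }", "}"]
    return "\n".join(out)


if __name__ == "__main__":
    print(render_nft(*parse_ranges(SAMPLE_FEED)))
```

Raising on an incomplete list matters for a scheduled job: a failed download should leave the previous rules in place rather than load a ruleset that drops or admits everything.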
Just put jellyfin and tailscale on an old windows computer and it's set up in less than 10 minutes.
+1 on tailscale. I used to push it through cloudflare but with tailscale it has been much simpler and doesn't run afoul of cloudflare's TOS.
Tailscale is a VPN, no? Don't think I would be able to connect to it from an xbox, or that my family, who is even less technologically inclined than I am, would be able to figure it out on other devices.
I believe it can be done on xbox possibly through nodes but it is very easy for family to set up on their devices!
Same idea, but I use Zerotier for providing access to services my remote users need to access at the office. It is idiot proof once set up. This will work fine for computers/tablets/phones but I do not know about an Xbox.
Depending on your routers you might be able to set up a “site-to-site” VPN which means your Xbox could connect directly to your Jellyfin's local IP.
I went about this in a pretty noob way. Synology + Jellyfin and I followed some online guides. Synology gives you a free DDNS hostname so you can access your NAS away from home. I don't have to VPN or anything. I have to warn that using this method will result in having slow transfer speeds if you're uploading large files. I use it to stream movies and shows so it seems to be fine for this purpose.