this post was submitted on 23 May 2026
154 points (97.0% liked)

Selfhosted

60409 readers
263 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

you are viewing a single comment's thread
view the rest of the comments
[–] BakedCatboy@lemmy.ml 14 points 1 month ago (4 children)

How do you get apps through something like that? Do you have to open your browser and hit the URL periodically to handle auth there and it just remembers your IP?

[–] halcyoncmdr@piefed.social 2 points 1 month ago (2 children)

You can set pangolin to allow access to an entire resource or just certain paths without the front auth, instead relying on the built in auth.

Your random plex/emby/jellyfin server isn't going to be a huge target and the built in auth is good enough for the limited access your media system should have.

[–] BakedCatboy@lemmy.ml 16 points 1 month ago

Wait so if you're gonna allow access without authentication then why bother putting pangolin in front of jellyfin? Does it help in some other kind of way? I don't really get how it helps without interfering with apps accessing jellyfin.

[–] prenatal_confusion@feddit.org 1 points 1 month ago

I am really not comfortable with that. Limited or not.

[–] clb92@feddit.dk 2 points 1 month ago* (last edited 1 month ago)

If there was a Jellyfin app that supported adding a custom header to the server connection, you could set your reverse proxy to just let the connections with that secret key header through, and make everything else go through the extra auth middleware. But as far as I know, none of the Jellyfin apps have that feature, even though it has been requested. Lots of other selfhosted apps do have the feature though, and I use it in a few places as well.

[–] prenatal_confusion@feddit.org 1 points 1 month ago (1 children)
[–] BakedCatboy@lemmy.ml 2 points 1 month ago (1 children)

Gotcha I see, just checking if I missed something since that was the issue last time I tried doing something like that. These days I just yolo it and expose jellyfin to the public Internet.

[–] prenatal_confusion@feddit.org 1 points 1 month ago

i might have spoken to soon.

https://www.reddit.com/r/PangolinReverseProxy/comments/1ouk4u6/phone_app_access/

i havent tried it though, but sounds interesting.

[–] anon_8675309@lemmy.world 1 points 1 month ago (1 children)

Would you need to? Are apps a viable vector in? Basic auth in front of web ui does make sense though.

[–] BakedCatboy@lemmy.ml 2 points 1 month ago* (last edited 1 month ago) (1 children)

What do you mean viable? The web UI is just an app that is delivered to your browser, it makes more or less the same API requests as an app would make, so IDK why the risk would be lower with an app?

If an attacker can access the login endpoint for example to brute force or dictionary attack, it doesn't matter if the web UI is or isn't accessible if the login endpoint it uses is exposed for an app. The attacker could serve their own copy of the web UI and proxy requests to the API your app connects to. Blocking the html from being served doesn't make a difference.

[–] anon_8675309@lemmy.world 1 points 1 month ago (2 children)
[–] BakedCatboy@lemmy.ml 2 points 1 month ago (1 children)

That's exactly the point I'm getting at. Putting an auth wall doesn't work with many apps, and if you add exceptions to the API then you're not really protecting anything.

[–] pushpull@fosstodon.org 1 points 1 month ago* (last edited 1 month ago) (1 children)

@BakedCatboy @anon_8675309
I think that could be fixed with authentication through headers (netbird reverse proxy supports that, no idea about pangolin though) but apps should also support adding custom headers on requests

[–] BakedCatboy@lemmy.ml 3 points 1 month ago

Yes that's what I would like to advocate for. I did something similar with LunaSea, but often people suggest doing that with Jellyfin and are not aware that almost no apps support it, and that adding exceptions for the API makes you basically as secure as not having it. But people tend to get very defensive when you try to tell them that something won't work, so I try to phrase it as a question to see if I can get them to understand what the limitations are in a way that's less confrontational.