this post was submitted on 23 May 2026
154 points (97.0% liked)

Selfhosted

60451 readers
799 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

you are viewing a single comment's thread
view the rest of the comments
[–] kcweller@feddit.nl 6 points 1 month ago (3 children)

Set up a reverse proxy with https always on. And get a good (physical) firewall, preferably something akin to opnsense, pfsense, openwrt. Exposing is always a risk, and if you do want it, you have to bear the responsibility for your own security. Keep things up to date, set up monitoring and a good logging system (Wazuh) comes to mind.

Exposure means a security risk. How you deal with that security risk is your choice.

Cloudflare and the likes forbid usage of their stuff for these things.

[–] syaochan@feddit.it 4 points 1 month ago (2 children)

How does a reverse proxy helps for security? I mean, the problem here is that exposing Jellyfin on the internet is dangerous: the only way to improve security via a reverse proxy would be mTLS, but I'm not sure how it would work client side.

[–] kcweller@feddit.nl 4 points 1 month ago (1 children)

By setting up a reverse proxy you redirect the traffic through that specific proxy which means less open ports (basically just 80/443), less monitoring, the ability to easily put a WAF inbetween, etc.

[–] nibbler@discuss.tchncs.de 1 points 1 month ago

Ports are closed by firewalls, and if you need to port forward on your home router this is a non-issue anyway

[–] Flatfire@lemmy.ca 2 points 1 month ago* (last edited 1 month ago)

You've got a couple benefits. If you have a domain name, and aren't advertising it publicly, then you can use the reverse proxy to point that domain to a non-standard port that Jellyfin runs on.

Security through obscurity is not good security, but it does prevent the majority of port scanning attacks. You can also use fail2ban on the reverse proxy side to try and mitigate some attacks.

[–] rumba@lemmy.zip 1 points 1 month ago* (last edited 1 month ago) (1 children)

Cf used to have it against the rules, but it's fine now.

edit: you can in fact do video, but they have added lines about ~piracy

[–] kcweller@feddit.nl 1 points 1 month ago (1 children)
[–] rumba@lemmy.zip 1 points 1 month ago

Just re-read to make sure, they def changes the non-html to allow it, but they do def have non-pirate terms in there

end to end encryption with your own key on their tunnel might be a good idea (which is allowed)

[–] Agent641@lemmy.world 1 points 1 month ago

Cloudflare and the likes forbid usage of their stuff for these things.

😬