Don't expose jellyfin to the internet is a golden rule.
this post was submitted on 01 Apr 2026
461 points (98.7% liked)
Selfhosted
58609 readers
1120 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS
Kinda defeats the purpose of a media server built to be used by multiple people
Use a VPN, it's not ideal but it's secure.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Which again implies that you have a router that allows you to do so. It's not always the case. For tech enthusiast people that's the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.
Those ones?
Also putting a VPN in someone else's house so that all their Network traffic goes through your gateway is pretty damn extreme.
load more comments
(1 replies)
load more comments
(10 replies)
load more comments
(26 replies)
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
Examples dating back over six years https://github.com/jellyfin/jellyfin/issues/5415
I mean I'm sure they'd like to just ship safe code in the first place. But if that's not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I'd rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
It's not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I'll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access.
load more comments
(23 replies)
Y'all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won't protect you from.
load more comments
(3 replies)
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
The problem here - it's not me who requires access to my library, if someone isn't willing or able to do it, I'm sorry but that's just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I'm willing to help them if help is asked.
This. And for everyone you just can't figure it out on their own, there's RustDesk for remote assistance. It, too, can be self-hosted.
load more comments
(5 replies)
load more comments
(5 replies)
load more comments
(25 replies)
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfect. I got a new kernel in the same update : D
load more comments
(9 replies)
I forgot that it's April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Pretty flawless update from the apt repo on my end.
Server version 10.11.7
load more comments
(4 replies)
Wonder if it's the Axios one. Sounds like it isn't from their description though hmm
I don't think so, the previous release 10.11.6 is a few months old and the axios supply chain attack happened yesterday.
So lets hope this 10.11.7 is not subject to the axios one. :)
load more comments
(10 replies)
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn't go on the github of projects on my own unless I wanted to read the "read me" for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend younto read up on package repositories on Linux and package maintainers etc.
load more comments
(19 replies)
There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.
load more comments
(5 replies)
You can always tell who does real IT work in these threads lol
Thanks for this post, i would have updated mine next semester...
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:
| Fewer Letters | More Letters |
|---|---|
| Git | Popular version control system, primarily for code |
| HTTP | Hypertext Transfer Protocol, the Web |
| IP | Internet Protocol |
| NFS | Network File System, a Unix-based file-sharing protocol known for performance and efficiency |
| Plex | Brand of media server package |
| RPi | Raspberry Pi brand of SBC |
| SBC | Single-Board Computer |
| SMB | Server Message Block protocol for file and printer sharing; Windows-native |
| SSH | Secure Shell for remote terminal access |
| SSL | Secure Sockets Layer, for transparent encryption |
| TLS | Transport Layer Security, supersedes SSL |
| VPN | Virtual Private Network |
| VPS | Virtual Private Server (opposed to shared hosting) |
| nginx | Popular HTTP server |
12 acronyms in this thread; the most compressed thread commented on today has 17 acronyms.
[Thread #203 for this comm, first seen 1st Apr 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]
view more: next ›