this post was submitted on 23 May 2026
206 points (97.2% liked)

Selfhosted

60664 readers
960 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details. Tags [CBH] or [AIP] are required, see the links in Rule 8 for details.

  8. AI-related discussions and AI-involved promotional posts have additional requirements for tagging, as noted in Rule 7 and the AI & Promotional Post Expanded Rules post, and find example disclosures here.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

(page 2) 50 comments
sorted by: hot top controversial new old
[–] irotsoma@piefed.blahaj.zone 5 points 1 month ago

Reverse proxy with fail2ban or crowdsec. It's possible to set up things like Pangolin which ultimately use a VPN between external and internal access points but not at the client, though it takes more setup if you want to use apps over pangolin instead of just the browser.

[–] Decronym@lemmy.decronym.xyz 5 points 1 month ago* (last edited 1 month ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CA (SSL) Certificate Authority
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
ISP Internet Service Provider
LXC Linux Containers
NAS Network-Attached Storage
NAT Network Address Translation
NUC Next Unit of Computing brand of Intel small computers
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

16 acronyms in this thread; the most compressed thread commented on today has 14 acronyms.

[Thread #311 for this comm, first seen 23rd May 2026, 22:30] [FAQ] [Full list] [Contact] [Source code]

load more comments (1 replies)
[–] Jason2357@lemmy.ca 4 points 1 month ago (3 children)

Put Jellyfin and a reverse proxy in an isolated vlan or DMZ, with no ability to reach into your lan at all and everyone connects in the same way. Its just movies, thats all you lose if it gets hacked. Set up some monitoring too in case it becomes a botnet node so you can destroy it and start over.

load more comments (3 replies)
[–] PieMePlenty@lemmy.world 3 points 1 month ago

My use cases are:

  • Connect from multiple devices on the same home network (with the application)
  • Connect from a phone device on the internet (with the application)
  • Connect from some PC's and devices on the internet (with the application and from web browser)

For home networked devices, I don't care about security that much. I try to lock it down on the router level and by using VLANs for less secure devices. I connect via IP directly (or .local domain).

Jellyfin runs under its own user with read access to a media library.

For devices on the internet, I have jellyfin exposed on a specific url path of my domain - through a reverse proxy all through 443. A bit of security through obscurity here. I'm proxied through cloudflare on the DNS side with very restrictive IP rules.
I think this is enough for the security flaws jellyfin does have. I'd sleep better at night if it had client certificate support, but Its not a big deal imo. If security flaws allowing remote code execution are found, I'll shut it down and allow access through wireguard only and lose access from some devices on the internet where I cant use VPNs. Not a bit deal either.

[–] azureskypirate@lemmy.zip 3 points 1 month ago

As others have mentioned, a reverse proxy, like nginx or caddy. These are web servers, so you need to configure it or an app that runs in it. May I shill: Nginx Proxy Manager (NPM).

[–] njordomir@lemmy.world 2 points 1 month ago* (last edited 1 month ago)

I toyed with the idea of exposing ports and decided against it. I don't understand networking well enough yet. For me specifically, VPN access has been perfectly workable in the US with both speed and ease of access.

Can you use fail2ban on Jellyfin? That might be a wise step.

[–] Nomecks@lemmy.ca 2 points 1 month ago

How much access do you have to their system? I would set up a script on their end to poll https://ipv4.icanhazip.com/ and send you their IP. I would then trigger a firewall rule change on your end to that information. This keeps the access to only their IP, with maybe a few minutes between polls where it might be different.

[–] skoell13@feddit.org 2 points 1 month ago

I use a Wireguard tunnel to a VPS and fail2ban with geoblocking: https://codeberg.org/skjalli/jellyfin-vps-setup

[–] androidul@lemmy.world 2 points 1 month ago (2 children)

afaik but I’m not sure, Jellyfin lacks support for OIDC AuthN which is a clear sign that you cannot expose this publicly.

[–] IratePirate@feddit.org 4 points 1 month ago* (last edited 1 month ago) (3 children)

~~There's a plugin for that.~~ Plugin is archived and will become outdated (and unsafe to use) over time. Don't use it.

[–] androidul@lemmy.world 4 points 1 month ago (1 children)
[–] IratePirate@feddit.org 3 points 1 month ago* (last edited 1 month ago)

Oops. I tried it in the past and just linked to quickly without taking a close look at the repo. I've updated the above posting. Thanks for pointing this out.

load more comments (2 replies)
load more comments (1 replies)
load more comments
view more: ‹ prev next ›