this post was submitted on 23 May 2026
190 points (97.0% liked)

Selfhosted

56958 readers
1396 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
190
How would you expose Jellyfin securely without a vpn? (discuss.online)
submitted 2 days ago by kiol@discuss.online to c/selfhosted@lemmy.world
182 comments fedilink hide all child comments
 

Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?

(page 4) 33 comments
sorted by: hot top controversial new old
[–] Decronym@lemmy.decronym.xyz 5 points 2 days ago* (last edited 38 minutes ago) (1 children)

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I've seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
IP Internet Protocol
ISP Internet Service Provider
LXC Linux Containers
NAS Network-Attached Storage
NAT Network Address Translation
NUC Next Unit of Computing brand of Intel small computers
Plex Brand of media server package
SSH Secure Shell for remote terminal access
SSL Secure Sockets Layer, for transparent encryption
SSO Single Sign-On
TLS Transport Layer Security, supersedes SSL
VPN Virtual Private Network
VPS Virtual Private Server (opposed to shared hosting)
nginx Popular HTTP server

[Thread #311 for this comm, first seen 23rd May 2026, 22:30] [FAQ] [Full list] [Contact] [Source code]

load more comments (1 replies)
[–] androidul@lemmy.world 2 points 1 day ago (6 children)

afaik but I’m not sure, Jellyfin lacks support for OIDC AuthN which is a clear sign that you cannot expose this publicly.

[–] Appoxo@lemmy.dbzer0.com 1 points 1 day ago

If that is the same as oAuth, that can be done with a plugin.
But yes, that's not native.

load more comments (5 replies)
[–] Konraddo@lemmy.world 2 points 2 days ago* (last edited 2 days ago)

Ask them to use the Jellyfin web, and you expose it to the public via Netbird / Pangolin locked behind SSO

[–] KarnaSubarna@lemmy.ml -3 points 1 day ago (2 children)

Tailscale

load more comments (2 replies)
[–] Nomecks@lemmy.ca 2 points 2 days ago

How much access do you have to their system? I would set up a script on their end to poll https://ipv4.icanhazip.com/ and send you their IP. I would then trigger a firewall rule change on your end to that information. This keeps the access to only their IP, with maybe a few minutes between polls where it might be different.

[–] brickfrog@lemmy.dbzer0.com 1 points 2 days ago* (last edited 2 days ago) (1 children)

Adding onto the other comments, if you have admin access to your network router/firewall you can configure the incoming port forward itself to only allow specific IP addresses while dropping traffic from any other internet WAN IPs. It's a bit like using the Jellyfin whitelist/blacklist but doing it at the network level. This drops all unwanted internet traffic to that port at the firewall before ever reaching the Jellyfin software. Downside is having to occasionally update the firewall whenever there are IP address changes.

This is probably only feasible if you only have some specific Jellyfin clients in mind to accept connections from, not any random person from any random WAN IP address.

load more comments (1 replies)
[–] BartyDeCanter@piefed.social 1 points 2 days ago (1 children)

Does Tailscale count as a VPN for you? It’s how I roll. Well, I run my own headscale server, but the free Tailscale tier is going to be fine for any reasonably sized personal project.

load more comments (1 replies)
[–] frongt@lemmy.zip 1 points 2 days ago

See if there are any apps that will handle the VPN tunneling transparently, then provide the web interface, all in one.

If you can't find any that work like you want, I would put an authenticating reverse proxy in front of jellyfin. But last time I tried that, it only half worked. I don't know if that's changed.

Worst case, a reverse proxy that only exposes the necessary endpoints. Or a WAF that can block known attacks.

In any case, you should have a firewall rule as narrow as possible to only limit access to them. Static IP address if possible, then subnet, then ASN. Whatever is the most restrictive but still works.

[–] GreenKnight23@lemmy.world -2 points 2 days ago* (last edited 1 day ago)

you don't.

if you're intent on "spreading your legs" to the world, get a WAF.

edit: don't get mad about the analogy, it's apt.

when you open your local network to public access without protection, you're bound to have a couple "accidents" and "infections".

protect your local network with at least a proper firewall and segmented network.

a properly configured WAF is better than any reverse proxy you could use.

load more comments
view more: ‹ prev next ›