this post was submitted on 26 Jun 2025
262 points (98.9% liked)

Selfhosted

46672 readers
1004 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 2 years ago
MODERATORS
ruud@lemmy.world
CannaVet@lemmy.world
Loki@lemmy.world
HybridSarcasm@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
262
Jellyfin over the internet (startrek.website)
submitted 12 hours ago by TribblesBestFriend@startrek.website to c/selfhosted@lemmy.world
162 comments fedilink hide all child comments
 

What’s your go too (secure) method for casting over the internet with a Jellyfin server.

I’m wondering what to use and I’m pretty beginner at this

top 50 comments
sorted by: hot top controversial new old
[–] FrostyCaveman@lemm.ee 6 points 46 minutes ago* (last edited 44 minutes ago)

I think my approach is probably the most insane one, reading this thread…

So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.

My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.

So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.

Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.

[–] circledot@feddit.org 2 points 37 minutes ago

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

[–] potentiallynotfelix@lemmy.fish 1 points 31 minutes ago

VPN or Tailscale

[–] WhatThaFudge@lemmy.sdf.org 1 points 32 minutes ago

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS

I followed this video and modified some things like ports

[–] captainastronaut@seattlelunarsociety.org 6 points 1 hour ago

If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.

[–] smiletolerantly@awful.systems 4 points 1 hour ago (1 children)

I host it publicly accessible behind a proper firewall and reverse proxy setup.

If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.

I think one of these days I need to make a "myth-busting" post about this topic.

[–] greywolf0x1@lemmy.ml 3 points 1 hour ago

Please do so, it'll be very useful

[–] Vanilla_PuddinFudge@infosec.pub 21 points 4 hours ago* (last edited 4 hours ago) (2 children)

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

  1. Wireguard tunnel, be it tailscale, netbird, innernet, whatever
  2. A vps with a proxy on it, I like Caddy
  3. A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

[–] umbrella@lemmy.ml 2 points 58 minutes ago

i would also love more details about accomplishing some of that stuff

[–] oyzmo@lemmy.world 6 points 2 hours ago (1 children)

Wow, a "for dummies" guide for doing all this would be great 😊 know of any?

[–] ohshit604@sh.itjust.works 1 points 54 minutes ago* (last edited 50 minutes ago)

If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.

Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.

There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.

[–] bitwolf@sh.itjust.works 3 points 3 hours ago

Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?

[–] RememberTheApollo_@lemmy.world 2 points 3 hours ago

OpenVPN into my own LAN. Stream from there to my device.

[–] somewa@suppo.fi 3 points 4 hours ago

Tailscale + Caddy (automatic certificates FTW).

[–] Sgt_choke_n_stroke@lemmy.world 4 points 4 hours ago (1 children)

Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you're ready to rock and roll

load more comments (1 replies)
[–] nutbutter@discuss.tchncs.de 3 points 4 hours ago (1 children)

This is my setup.

Read more, here.

[–] blah3166@piefed.social 1 points 1 hour ago

good article! thanks for that

[–] Merlin@discuss.tchncs.de 7 points 6 hours ago

I just install tailscale at family houses. The limit is 100 machines.

[–] This2ShallPass@lemmy.world 5 points 5 hours ago (1 children)

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

[–] swearengen@sopuli.xyz 6 points 6 hours ago

I'm just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.

[–] xnx@slrpnk.net 14 points 8 hours ago

Tailscale

[–] Evil_Shrubbery@lemm.ee 36 points 9 hours ago (4 children)

Wireguard.

[–] WhyJiffie@sh.itjust.works 6 points 6 hours ago* (last edited 6 hours ago) (1 children)

and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.

its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.

it can even be your laptop, without hdmi cables

[–] phx@lemmy.ca 3 points 2 hours ago

You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road

load more comments (3 replies)
load more comments
view more: next ›