I am in love with my Jellyfin server (running in a Docker container) - it feels so nice to take back control over my media consumption again, after more than a decade in the land of streaming. So much, that I want to share this with my family.
So I was thinking of setting up a reverse proxy (Nginx Proxy Manager is what I have used before) and expose my Jellyfin-instance through that. However, I’ve seen several people be skeptical about this solution, instead opting for access through a VPN (I don’t think that would be a good solution for some of my family members).
What are the potential pitfalls of setting it up this way, that makes people skeptical? Where could I go wrong, and what dangers would I expose myself to? As I understand it, this would only expose one port to the internet, direct all that traffic to the Nginx Proxy Manager, which then forwards traffic to specific ports internally on my home network, which sounds safe in my mind. Is it misconfiguration of the proxy manager I should be wary of? Or some exploits in the proxy manager?
Denial-of-service attacks or risk of someone compromising your server and therefore network via a vulnerability. Possibility of an attacker using your server for other malicious activities if they manage to compromise it.
Don’t get me wrong, your server would be a teeny tiny fish in the sea of internet connected services and probably of little interest to most hackers. But, if you expose the door, it’s gonna at least get knocked on.
Security issues aside, you will now be ‘tech support’ for this service and they’re going to complain at you any time it doesn’t do what they want it to. Just make sure you’re ok with that.
Are denial-of-serivce attacks something anyone would waste resources on for a random Jellyfin-server, though? Do people do that kind of thing just for the lulz? I have no reason to believe anyone would actively target me for anything like this.
I also wonder that, since the URL to access the server would not be posted anywhere, I guess the only way someone finds the server is by trying random IPs? This presumably would be part of some larger automated crawling, where they attempt to SSH in or something similar to gain access - I’ve seen this on my Nextcloud server which I host on a VPS. Lots of attempts to login with “root” or “admin” or regular usernames to the server itself, not seen any attempts to login to my Nextcloud server (or maybe I have been looking in the wrong places). Since Nginx listens only on one port, anything that could compromise the server would have to be either in Nginx itself, or Jellyfin? And if there was a vulnerability in Jellyfin or Nginx, is it likely that exploits of this kind would be incorporated into this crawling?
On the tech support side, I’m am aware of the potential consequences, and I am fine with this. :)
Do people do that kind of thing just for the lulz? I have no reason to believe anyone would actively target me for anything like this.
They most definitely do. Some people get some sort of sick joy out to of being a PITA. I’ve had it happen to me. You’re very unlikely to become the target of a DDOS (distributed DOS) attack since that takes a lot more effort to execute successfully and there’s no payoff in this situation. But, isolated DOS attacks are more common than you might think. Whether you can defend against one depends on how much bandwidth you have but probably more on the firewall you’re running. If you have a WAN facing firewall capable of detecting and dropping connection attempts that follow a malicious pattern without choking, you’re probably not gonna have a lot of issues if any.
The level of obscurity also helps minimize your likelihood of becoming a target. Just keep your servers and any device firmware up to date.
These are just some risks you might run into. I wouldn’t necessarily consider them showstoppers. Just things to be aware of what could happen, not necessarily will and try to take preventative measures. To be honest, you’re probably going to get more trouble from your relatives than you will from a malicious actor.
I think I equated denial-of-service with DDOS, and didn’t consider isolated DOS attacks. Makes sense that there are people who would do that for kicks and giggles. I’ll look into what protection options I have on my router firewall. There were some suggestions below on keeping a strict IP whitelist policy, which if implemented successfully would lower the risk of any such attack at least. I am just imagining that it might be quite a hassle maintaining such a policy, at least in the beginning.
To be honest, you’re probably going to get more trouble from your relatives than you will from a malicious actor.
Hehe, it is hopefully too many I will share this with, so I hope the burden won’t be too big.
Web applications may have vulnerabilities that allow an attacker to run code on the host system (Remote Code Execution). Famous example would be the log4shell vulnerability.
If you want to expose your server to the internet, you have to make sure you are not suffering damage if an attack like this occurs.
- Give the server application minimum privileges on your system. Use either containerization, sandboxing or systemd hardening to prevent the app from running commands on your system or access important data. Jellyfin for example only needs to read your media library, so if you are using docker, mount it read-only.
- Keep both the reverse proxy and the application up-to-date. For a docker setup you can use watchtower.
- Make backups of both your media collection and the Jellyfin database in case you need to restore your system. You should also have a script or at least some written notes on how you set up everything.
- Ideally isolate the media server from the rest of your network. If someone manages to put malware on your server, they should not be able to access the rest of your network (PCs, smart home devices, cameras, etc). This requires a more advanced firewall than most consumer routers have, so I currently do not do it on my home setup.
You could setup zerotier and expose jellyfin in that network instead. Will allow access to clients you allow without needing to widely expose it
I tried that before and was never able to get it working properly. Clients had to have server addresses changed each time they used ZeroTier instead of my LAN; ZT DNS didn’t work for me either.
Ultimately, I just shared Jellyfin through Nginix, set up aggressive IP filtering on my WAN, and handled the DNS configuration on my own hardware at home. This is essentially what OP is suggesting, and I found it much easier than ZeroTier, just “technically” less secure, but not by much if you do it right.
I’ll take a look at ZeroTier, but what you say there does seem like a little hassle.
What are the ways that the setup with Nginx is done poorly? You mention aggressive IP filtering - are you essentially just whitelisting traffic incoming IPs from the users? For DNS I was planning on using Cloudflare - I have no experience setting up anything of the kind myself.
Nginx is good for isolating your internal services from the internet, and for routing HTTP over HTTPS, but you still have to make the assumption that your internal services are secure. What I do is block all incoming connections on my firewall that don’t match my whitelist. For a long time I blocked everything but my mobile provider, my work, and my partner’s work. Lately I have been whitelisting US addresses and blocking all other countries (certbot requires incoming connections to auto renew SSL certs). I also blacklist known bad ranges just in case, although few of these are in the US anyway.
What you block and allow would depend largely on your use case, but my opinion is the more the better.
Even if Jellyfin has an unknown exploit, and even if someone thought my little home LAN was worth targeting, chances are they wouldn’t make it past my firewall anyway.
deleted by creator
If you run something like Authelia or something like that, it may break the access between Client apps and server.
Web-UI will most likely workI was not planning on it. I would prefer them to use clients that can stream directly, so my poor server wouldn’t need to do much transcoding, so I will keep that in mind.
I use tailscale for this. On my phone, I setup the work profile and use it in there with my work profile jellyfin app. So when I’m remote I can hit my media using that.
If you are opening it up for others I would still recommend a VPN like solution. Yeah it’s more work, but worth it for the safety of your NAS and home network.
I just use ssh.
I can access my jellyfin outside my network no problem after forwarding a couple ports. Am I missing something here?
is the URL you use to access it secured by https? that’s generally the recommended route to take
No, but its not worth it for me to setup a signing server. If someone cares enough to do the work to hack my jellyfin and wants access to my random TV shows and movies they can enjoy them lol, its not like it opens them up to the rest of my computer or anything
ah, well I found it pretty accessible with Let’s Encrypt + DuckDNS. I use HomeAssistant addons to handle updating the cert, DNS and just point it to my Jellyfin server with nginx
Those are a lot of words I would need to research to know what you mean lol
