I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?

  • dan@upvote.au
    link
    fedilink
    English
    arrow-up
    58
    arrow-down
    2
    ·
    edit-2
    7 months ago

    Is it just you that uses it, or do friends and family use it too?

    The best way to secure it is to use a VPN like Tailscale, which avoids having to expose it to the public internet.

    This is what I do for our security cameras. My wife installed Tailscale on her laptop and phone, created an account, and I added her to my Tailnet. I created a home screen icon for the Blue Iris web UI on her phone and mentioned to her, “if the cameras don’t load, open Tailscale and make sure it’s connected”. Works great - she hasn’t complained about anything at all.

    If you use Tailscale for everything, there’s no need to have a reverse proxy. If you use Unraid, version 7 added the ability to add individual Docker containers to the Tailnet, so each one can have a separate Tailscale IP and subdomain, and thus all of them can run on port 80.

    • paequ2@lemmy.today
      link
      fedilink
      English
      arrow-up
      17
      ·
      7 months ago

      if the cameras don’t load, open Tailscale and make sure it’s connected

      I’ve been using Tailscale for a few months now and this is my only complaint. On Android and macOS, the Tailscale client gets randomly killed. So it’s an extra thing you have to manage.

      It’s almost annoying enough to make me want to host my services on the actual internet… almost… but not yet.

      • Lem453@lemmy.ca
        link
        fedilink
        English
        arrow-up
        15
        ·
        7 months ago

        I use plain wireguard on me phone, always on essentially with no issues. I wonder why tailscale app can’t stay open.

        • beerclue@lemmy.world
          link
          fedilink
          English
          arrow-up
          10
          ·
          7 months ago

          Same, wireguard with the 'WG Tunnel" app, which adds conditional Auto-Connect. If not on home wifi, connect to the tunnel.

          • dan@upvote.au
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            edit-2
            7 months ago

            conditional Auto-Connect. If not on home wifi, connect to the tunnel.

            You don’t need this with Tailscale since it uses a separate IP range for the tunnel.

            Edit: Tailscale (and Wireguard) are peer-to-peer rather than client-server, so there’s no harm leaving it connected all the time, and hitting the VPN IPs while at home will just go over your local network.

            The one thing you probably wouldn’t do at home is use an exit node, unless you want all your traffic to go through another node on the Tailnet.

              • dan@upvote.au
                link
                fedilink
                English
                arrow-up
                1
                ·
                edit-2
                7 months ago

                If you have a separate subnet for it, then why do you only want it to be connected when you’re not on home wifi? You can just leave it connected all the time since it won’t interfere with accessing anything outside that subnet.

                One of the main benefits of Wireguard (and Tailscale) is that it’s peer-to-peer rather than client-server. You can use the VPN IPs at home too, and it’ll add barely any overhead.

                (leaving it connected is assuming you’re not routing all your traffic through one of the peers)

                • beerclue@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  7 months ago

                  My network is not publicly accessible. I can only access the internal services while connected to my VPN or when I’m physically at home. I connect to WG to use the local DNS (pihole) or to access the selfhosted stuff. I don’t need to be connected while I’m at home… In a way, I am always using the home DNS.

                  Maybe I’m misunderstanding what you’re saying…

          • Lem453@lemmy.ca
            link
            fedilink
            English
            arrow-up
            3
            arrow-down
            2
            ·
            7 months ago

            I just stay connected to wireguard even at home, only downside is the odd time I need to chromecast, it needs to be shut off.

            • bonsai@lemmy.dbzer0.com
              link
              fedilink
              English
              arrow-up
              2
              ·
              7 months ago

              Can you add a split tunnel for just the Chromecast app (I presume that’s how it works idk I don’t use Chromecast) so that just that specific app always ignores your VPN?

              • Lem453@lemmy.ca
                link
                fedilink
                English
                arrow-up
                1
                ·
                7 months ago

                I haven’t tried it, but the app has the ability to select which app it tunnels.

                When you make a new tunnel, it says “all applications” if you click on that you can select specific ones to include or exclude

        • paequ2@lemmy.today
          link
          fedilink
          English
          arrow-up
          3
          ·
          7 months ago

          I suspect that it goes down and stays down whenever there is an app update, but I haven’t confirmed it yet.

          Does the plain wireguard app stay up during updates?

          • Lem453@lemmy.ca
            link
            fedilink
            English
            arrow-up
            10
            ·
            edit-2
            7 months ago

            Android wireguard all hasn’t been updated in 18mo. Its extremely simple with a small code base. There basically isn’t anything to update. It uses wireguard kernel module which is itself is only like 700 lines of code. It so simple that it basically became stable very quickly and there is nothing left of update right now.

            https://git.zx2c4.com/wireguard-android/about/

            I personally get the from obtainium to bypass play store

      • Byter@lemmy.one
        link
        fedilink
        English
        arrow-up
        7
        ·
        7 months ago

        If you make Tailscale your VPN in Android it will never be killed. Mileage may vary depending on flavor of Android. I’ve used this on stock Pixel and GrapheneOS.

        Under Settings > Network and internet > VPN

        Tap the Cog icon next to Tailscale and select Always-on VPN.

        • ladfrombrad 🇬🇧@lemdro.id
          link
          fedilink
          English
          arrow-up
          3
          ·
          edit-2
          7 months ago

          It loses its foreground notification I’ve found that kills it for me

          even thou the Quick Toggle and the app itself, shows as running

          If I disconnect/reconnect the notification comes back, and I’ve found something even more weird on my device (A Xiaomi with its infamous OOM / background app killer…) is Tailscale still actually works fine most of the time without the foreground notification. I’m hazarding a 70% of the time for me?

          A lot of us a while back found v1.5.2 fugged around with the persistent notification going RIP

          https://github.com/tailscale/tailscale/issues/10104

          • LiveLM@lemmy.zip
            link
            fedilink
            English
            arrow-up
            2
            ·
            7 months ago

            Oh the Quick Toggle has never, ever worked correctly. I hoped they fixed it after the UI refresh update but unfortunately not yet.

            • ladfrombrad 🇬🇧@lemdro.id
              link
              fedilink
              English
              arrow-up
              2
              ·
              edit-2
              7 months ago

              What device/ROM are you using?

              It’s been very iffy for me on and off from Miui > HyperHyperOS, but just checking now?

              Works fine

              Like I say, the foreground notification seemed to be the lifeline to some of us using it and keeping it alive, even after IIRC some more restrictions came in with future versions of Android (forgive me, I’m very lazy these days and just skim Mishaal’s TG feed 😇)?

              e: also dupe comment ;)

                • ladfrombrad 🇬🇧@lemdro.id
                  link
                  fedilink
                  English
                  arrow-up
                  2
                  ·
                  edit-2
                  7 months ago

                  Huh. The nearest I have to an actual “AOSP” device is my King Kong Cubot phone that has probably the cleanest version of “stock Android” I’ve ever seen, and I’m going to presume you mean like a Google Pixel / Graphene etc?

                  Tailscale and the QS tile / notification was solid on that Cubot but to be honest, I’ve barely turned it on these days and is now one of those drawer phones.

                  Miui / HyperHyperOS though is a different kettle of fish and exempting Tailscale from its App lel Killer does seem to work. 70-80%ish…

                  But there is something that just fuggs up and turn it off/on like most thingys I own 🙈

                • dai@lemmy.world
                  link
                  fedilink
                  English
                  arrow-up
                  1
                  ·
                  7 months ago

                  Works great and has been for some time on my P7P.

                  Ensure you’ve allowed background usage and turn off manage app if unused.

                  Keep the notification on and allow notifications.

          • LiveLM@lemmy.zip
            link
            fedilink
            English
            arrow-up
            1
            ·
            7 months ago

            Oh the Quick Toggle has never, ever worked correctly. I hoped they fixed it after the UI refresh update but unfortunately not yet.

      • fmstrat@lemmy.nowsci.com
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        Try WG Tunnel instead. It will reconnect on loss, but you lose the Tailscale features (no big deal with dynamic DNS)

        • dan@upvote.au
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          Headscale is a replacement for the coordination servers, which are only used to distribute configs and help nodes find each other. It won’t change client-side behaviour.

  • skoell13@feddit.org
    link
    fedilink
    English
    arrow-up
    35
    ·
    edit-2
    7 months ago

    My setup: Locally (all in docker):

    • JF for managing and local access
    • JF with read only mounted volumes that uses the network of my Wireguard client container
    • Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)

    VPS (Oracle Cloud free tier, also everything in docker):

    • Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
    • fail2ban to block IPs that try to bruteforce credentials
    • Wireguard server

    Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can’t be changed by the user.

    So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.

    Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup

  • Rookeh@startrek.website
    link
    fedilink
    English
    arrow-up
    29
    ·
    edit-2
    7 months ago

    For web access, stick it behind a reverse proxy and use something like Authentik/Authelia/SSO provider of your choice to secure it.

    For full access including native clients, set up a VPN.

    • λλλ@programming.devOP
      link
      fedilink
      English
      arrow-up
      7
      arrow-down
      1
      ·
      7 months ago

      I use Tailscale right now. Which, in fairness, I didn’t state in the post. However, I was hoping to share it more similarly to how I used to with Plex. But, it would appear, I would have to share it through Tailscale only at this point.

      • Rookeh@startrek.website
        link
        fedilink
        English
        arrow-up
        3
        ·
        7 months ago

        Right now none of the native clients support SSO. It is a frequently requested feature but, unfortunately, it doesn’t look like it will be implemented any time soon. As with many OSS projects it is probably a case of “you want it, you build it” - but nobody has actually stepped up.

  • borax7385@lemmy.world
    link
    fedilink
    English
    arrow-up
    21
    arrow-down
    1
    ·
    7 months ago

    I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy

  • Dr. Moose@lemmy.world
    link
    fedilink
    English
    arrow-up
    15
    ·
    7 months ago

    Tailscale is awesome. Alternatively if you’re more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.

  • DefederateLemmyMl@feddit.nl
    link
    fedilink
    English
    arrow-up
    7
    ·
    7 months ago

    What I used to do was: I put jellyfin behind an nginx reverse proxy, on a separate vhost (so on a unique domain). Then I added basic authentication (a htpasswd file) with an unguessable password on the whole domain. Then I added geoip firewall rules so that port 443 was only reachable from the country I was in. I live in small country, so this significantly limits exposure.

    Downside of this approach: basic auth is annoying. The jellyfin client doesn’t like it … so I had to use a browser to stream.

    Nowadays, I put all my services behind a wireguard VPN and I expose nothing else. Only issue I’ve had is when I was on vacation in a bnb and they used the same IP range as my home network :-|

  • Gagootron@feddit.org
    link
    fedilink
    English
    arrow-up
    7
    ·
    7 months ago

    I use good ol’ obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works. And since i don’t post my valid urls anywhere no web-scraper can find them. This filters out 99% of bots and the rest are handled using authelia and crowdsec

    • andreluis034@bookwormstory.social
      link
      fedilink
      English
      arrow-up
      8
      ·
      7 months ago

      Are you using HTTPS? It’s highly likely that your domains/certificates are being logged for certificate transparency. Unless you’re using wildcard domains, it’s very easy to enumerate your sub-domains.

    • sludge@lemmy.ml
      link
      fedilink
      English
      arrow-up
      6
      ·
      edit-2
      7 months ago

      And since i don’t post my valid urls anywhere no web-scraper can find them

      You would ah… be surprised. My urls aren’t published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.

      It’s true none of those threat actors know my valid subdomains, but that doesn’t mean they don’t know I’m there.

      • Gagootron@feddit.org
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        Of course i get a bunch of scanners hitting ports 80 and 443. But if they don’t use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there

        • DefederateLemmyMl@feddit.nl
          link
          fedilink
          English
          arrow-up
          5
          ·
          7 months ago

          This is how I found out Google harvests the URLs I visit through Chrome.

          Got google bots trying to crawl deep links into a domain that I hadn’t published anywhere.

          • zod000@lemmy.ml
            link
            fedilink
            English
            arrow-up
            1
            ·
            edit-2
            7 months ago

            This is true, and is why I annoyingly have to keep robots.txt on my unpublished domains. Google does honor them for the most part, for now.

      • Gagootron@feddit.org
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        It seems to that it works. I don’t get any web-scrapers hitting anything but my main domain. I can’t find any of my subdomains on google.

        Please tell me how you believe that it works. Maybe i overlooked something…

        • ocean@lemmy.selfhostcat.com
          link
          fedilink
          English
          arrow-up
          1
          arrow-down
          1
          ·
          7 months ago

          My understanding is that scrappers check every domain and subdomain. You’re making it harder but not impossible. Everything gets scrapped

          It would be better if you also did IP whitelisting, rate limiting to prevent bots, bot detection via cloudflare or something similar, etc.

    • Nibodhika@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      ·
      7 months ago

      If you’re using jellyfin as the url, that’s an easily guessable name, however if you use random words not related to what’s being hosted chances are less, e.g. salmon.example.com . Also ideally your server should reply with a 200 to * subdomains so scrappers can’t tell valid from invalid domains. Also also, ideally it also sends some random data on each of those so they don’t look exactly the same. But that’s approaching paranoid levels of security.

  • Batman@lemmy.world
    link
    fedilink
    English
    arrow-up
    7
    ·
    7 months ago

    I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)

    Tailscale funneled Jellyfin Keycloak (adminless)

    Private Tailscale Keycloak admin Postgres dB

    I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.

    • λλλ@programming.devOP
      link
      fedilink
      English
      arrow-up
      3
      ·
      7 months ago

      SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?

      • Batman@lemmy.world
        link
        fedilink
        English
        arrow-up
        2
        ·
        edit-2
        7 months ago

        I’d say it’s nearly as secure as

        basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.

        Will say it’s not as secure as restricting access to vpn, you could be brute forced. Frankly it would be preferable to set up rate limiting, but that was a bridge too far for me

        • Appoxo@lemmy.dbzer0.com
          link
          fedilink
          English
          arrow-up
          2
          ·
          7 months ago

          I set mine up with Authelia 2FA and restricted media deletion to one user: The administrator.
          All others arent allowed to delete. Not even me.

    • darkknight@discuss.online
      link
      fedilink
      English
      arrow-up
      1
      ·
      7 months ago

      I was thinking of setting this up recntly after seeing it on Jim’s garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?

      • sludge@lemmy.ml
        link
        fedilink
        English
        arrow-up
        1
        ·
        7 months ago

        I use it for all of my external services. It’s just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.

  • Kusimulkku@lemm.ee
    link
    fedilink
    English
    arrow-up
    6
    ·
    7 months ago

    I’ve put it behind WireGuard since only my wife and I use it. Otherwise I’d just use Caddy or other such reverse proxy that does https and then keep Jellyfin and Caddy up to date.

  • jagged_circle@feddit.nl
    link
    fedilink
    English
    arrow-up
    6
    ·
    7 months ago

    I have another site on a different port that sits behind basic auth and adds the IP to a short ipset whitelist.

    So first I have to auth into that site with basic auth, then I load jellyfin on the other port.

        • λλλ@programming.devOP
          link
          fedilink
          English
          arrow-up
          5
          ·
          7 months ago

          Clients are built to speak directly to the Jellyfin API. if you put an auth service in front it won’t even ask you to try and authenticate with that.

      • Svinhufvud@sopuli.xyz
        link
        fedilink
        English
        arrow-up
        2
        ·
        7 months ago

        Yes, it breaks native login, but you can authenticate with Authentik on your phone for example, and use Quick connect to authorize non-browser sessions with it.