• 0 Posts
  • 202 Comments
Joined 11 months ago
cake
Cake day: May 28th, 2024

help-circle

















  • kitnaht@lemmy.worldBannedtoSelfhosted@lemmy.worldHow do I securely host Jellyfin? (Part 2)
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    1
    ·
    edit-2
    13 days ago

    And again - if you put those behind a fail2ban; and you 404 5x in an hour, which is likely - you’ve solved that issue. Had my jellyfin instance publicly available for 2 years on its own VM with passthrough GPU, and haven’t had any issues. People poke around quite often, and get blackholed via the firewall for 30d.

    It wouldn’t stop a dedicated attacker, but I doubt anyone’s threat model here is that intense. Most compromised servers happen from automated attacks probing for vulnerabilities in order to get RCE; not probing for what movies you have – Because having movies on a media server doesn’t prove that you didn’t rip them all off of blu-ray…it just means you have movies.

    You’re not going to have 100% privacy when you put up ANY service on your network. Everything leaves a trace somehow; but I’m starting to think half of you are Chinese spies or something with the amount of paranoia people here show sometimes. :P



  • kitnaht@lemmy.worldBannedtoSelfhosted@lemmy.worldHow do I securely host Jellyfin? (Part 2)
    link
    fedilink
    English
    arrow-up
    1
    arrow-down
    2
    ·
    edit-2
    13 days ago

    If they need SSL certs, they’ve got to. Jellyfin doesn’t accept self-signed certs, which means DNS entries in a domain, and access from the internet.

    Really, honestly - what they need to do is just install Jellyfin on the Raspberry Pi and ditch the encryption requirement altogether. There’s no reason to have it on a LAN-only environment. They aren’t going to need it, nobody is going to MITM their lan environment, and VPNs will regularly allow LAN passthrough.

    If ProntonVPNs own client doesn’t allow LAN connections, they either need to swap to the Wireguard vanilla client (if that’s allowed on free tier), or upgrade their VPN service.

    OR switch VPNs altogether.

    There isn’t a way to do this without breaking one of their requirements

    Only options here are to publicly host with real SSL certs, on a domain and tunnel out – Or swap VPN providers/software so that you can achieve LAN access and forego HTTPS altogether.

    Edit: And sorry – the previous post is gone regarding their only needing access within the home, there’s no way I could have known that.

    There’s a bit of paranoia going on here to begin with - There’s no reason they need this level of “security” within their home network on the LAN side anyhow. They could possibly buy a managed switch and make the jellyfin server only visible to a specific vlan that didn’t include the router, but that doesn’t quite match up with what it sounds like they’re needing.