I already host multiple services via caddy as my reverse proxy. Jellyfin, I am worried about authentication. How do you secure it?
You must log in or register to comment.
setup a WAF appliance and forward traffic through it to your current installation.
I’ve put it behind WireGuard since only my wife and I use it. Otherwise I’d just use Caddy or other such reverse proxy that does https and then keep Jellyfin and Caddy up to date.
Whats your setup? I just Ngnix Proxy Manager, Jellyfin etc in Docker. Modify ufw rules and also install this on the server (linux) https://github.com/friendly-bits/geoip-shell
I use good ol’ obscurity. My reverse proxy requires that the correct subdomain is used to access any service that I host and my domain has a wildcard entry. So if you access asdf.example.com you get an error, the same for directly accessing my ip, but going to jellyfin.example.com works. And since i don’t post my valid urls anywhere no web-scraper can find them. This filters out 99% of bots and the rest are handled using authelia and crowdsec
And since i don’t post my valid urls anywhere no web-scraper can find them
You would ah… be surprised. My urls aren’t published anywhere and I currently have 4 active decisions and over 300 alerts from crowdsec.
It’s true none of those threat actors know my valid subdomains, but that doesn’t mean they don’t know I’m there.
Of course i get a bunch of scanners hitting ports 80 and 443. But if they don’t use the correct domain they all end up on an Nginx server hosting a static error page. Not much they can do there
I am using tailscale but I went a little further to let my family log in with their Gmail( they will not make any account for 1 million dollars)
Tailscale funneled Jellyfin Keycloak (adminless)
Private Tailscale Keycloak admin Postgres dB
I hook up jellyfin to Keycloak (adminless) using the sso plugin. And hook Keycloak up (using the private instance) to use Google as an identity provider with a private app.
SSO plugin is good to know about. Does that address any of the issues with security that someone was previously talking about?
I’d say it’s nearly as secure as
basic authentication. If you restrict deletion to admin users and use role (or group) based auth to restrict that jellyfin admin ability to people with strong passwords in keycloak, i think you are good. Still the only risk is people could delete your media if an adminusers gmail is hacked.
Will say it’s not as secure as restricting access to vpn, you could be brute forced. Frankly it would be preferable to set up rate limiting, but that was a bridge too far for me
Tailscale is awesome. Alternatively if you’re more technically inclined you can make your own wireguard tailscale and all you need is to get a static IP for your home network. Wireguard will always be safer than each individual service.
Love tailscale. The only issue I had with it is making it play nice with my local, daily driver VPN. Got it worked out tho. So, now everything is jippity jippity.
Use a VPN like Tailscale
My setup: Locally (all in docker):
- JF for managing and local access
- JF with read only mounted volumes that uses the network of my Wireguard client container
- Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)
VPS (Oracle Cloud free tier, also everything in docker):
- Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
- fail2ban to block IPs that try to bruteforce credentials
- Wireguard server
Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can’t be changed by the user.
So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.
Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup
I am interested in your docker compose
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
This is honestly awesome! I was thinking about a similar setup for a long time but wasn’t sure how to do this exactly, this seems exactly like the setup I was looking for. Thank you!
You’re welcome, happy that I can help. I also just updated it a bit. In case you find any issues or have questions please let me know. It was mostly trial and error until it ran…
Will share this evening after work.
I’m more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?
It’s a separate container, currently in the process of writing everything up, will update once done
Thanks!
https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.
Thanks! I’ll read more through it when I have the chance!
deleted by creator
I use fail2ban to ban IPs that fall to login and also IPs that perform common scans in the reverse proxy
also have jellyfin disable the account after a number of failed logins.
I use Pangolin (https://github.com/fosrl/pangolin)
I was thinking of setting this up recntly after seeing it on Jim’s garage. Do you use it for all your external services or just jellyfin? How does it compare to a fairly robust WAF like bunkerweb?
I use it for all of my external services. It’s just wireguard and traefik under the hood. I have no familiarity with bunkerweb, but pangolin integrates with crowdsec. Specifically it comes out of the box with traefik bouncer, but it is relatively straightforward to add the crowdsec firewall bouncer on the host machine which I have found to be adequate for my needs.
OpenVPN
Or wireguard, depending where & how they want to implement it might be simpler or better/worse on hardware.
My setup is: Proxmox - restricted LXC running docker which runs jellyfin, tailscale funnel as reverse proxy and certificate provider. So so don’t care about jellyfin security, it can get hacked / broken , its an end road. If so i will delete the LXC and bring it up again using backups. Also i dont think someone will risk or use time to hack a jellyfin server. My strategy is, with webservices that don’t have critical personal data, i have them isolated in instances. I don’t rely on security on anything besides the firewall. And i try not to have services with personal sensitive data, and if i do, on my local lan with the needed protections. If i need access to it outside my local lan, vpn.
