After 14 years with Plex, I finally moved my video library to Jellyfin. Why rising costs, feature restrictions and digital ownership pushed me towards FOSS.
You shouldn’t even have Jellyfin on a reverse proxy, because it shouldn’t be externally available. There are several known security vulnerabilities (all marked as “closed” due to inactivity on git) that the devs have said will likely never be patched. Because patching them requires breaking away from the Emby fork that the entire project is built on.
It should only be externally available via a private VPN. And that alone excludes a lot of “I want to share my library with friends/family” scenarios, because step 0 will be getting their devices connected to your VPN.
At the very least, set up some form of access control/username+PW directly on your reverse proxy as a secondary security measure. Because if you can reach the JF landing page, you can exploit those vulnerabilities without needing a valid JF login. So you should configure your reverse proxy to act as a gatekeeper, and ensure attackers can’t even reach JF at all without having a valid login to your reverse proxy. But this will break most JF apps (except for browsers) because they likely won’t have any way to give an initial user+pass to the reverse proxy before they hit the JF server.
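A check for the gatekeeper setup described in the comment above, as an added example that is not part of the original thread: it requests paths through the proxy with no credentials and reports any that answer instead of being refused. It assumes the proxy refuses unauthenticated requests with 401 or 403; the function names, the sample paths and the localhost stand-in proxy are constructed for illustration.

```python
import threading
import urllib.error
import urllib.request
from http.server import BaseHTTPRequestHandler, ThreadingHTTPServer

GATE_STATUSES = {401, 403}  # answers that mean the proxy refused the request itself
# Ignore any system-wide HTTP proxy so the check talks to the target directly.
_OPENER = urllib.request.build_opener(urllib.request.ProxyHandler({}))


def ungated_paths(base_url, paths, timeout=5):
    """Return (path, status) for every path that answers without proxy credentials."""
    leaks = []
    for path in paths:
        try:
            with _OPENER.open(base_url.rstrip("/") + path, timeout=timeout) as resp:
                status = resp.status
        except urllib.error.HTTPError as err:
            status = err.code
        if status not in GATE_STATUSES:
            leaks.append((path, status))
    return leaks


def start_demo_proxy(exempt_prefixes=()):
    """Constructed stand-in for a gated reverse proxy on a free localhost port.

    Requests without an Authorization header get 401, except under
    exempt_prefixes, which models a location that was left outside the auth rule.
    """
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            gated = not self.path.startswith(tuple(exempt_prefixes))
            if gated and "Authorization" not in self.headers:
                self.send_response(401)
                self.send_header("WWW-Authenticate", 'Basic realm="proxy"')
                self.send_header("Content-Length", "0")
                self.end_headers()
                return
            body = b"backend content"  # what a request that got past the gate sees
            self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):  # keep the demo quiet
            pass

    server = ThreadingHTTPServer(("127.0.0.1", 0), Handler)
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server, f"http://127.0.0.1:{server.server_port}"
```

An empty result from `ungated_paths` means every probed path was stopped at the proxy; any entry is a route that reaches the backend without the proxy login.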
That seems like a rather arrogant tone to take. Reverse proxies are complicated. Easy to set up, but challenging to configure depending on what your needs are. Not everyone wants a homelab.
Everyone’s journey starts somewhere and sometimes people’s needs just don’t extend beyond the easier choices available.
Don’t selfhost if you think a reverse proxy is tricky.