I am in love with my Jellyfin server (running in a Docker container) - it feels so nice to take back control over my media consumption again, after more than a decade in the land of streaming. So much, that I want to share this with my family.

So I was thinking of setting up a reverse proxy (Nginx Proxy Manager is what I have used before) and expose my Jellyfin-instance through that. However, I’ve seen several people be skeptical about this solution, instead opting for access through a VPN (I don’t think that would be a good solution for some of my family members).

What are the potential pitfalls of setting it up this way, that makes people skeptical? Where could I go wrong, and what dangers would I expose myself to? As I understand it, this would only expose one port to the internet, direct all that traffic to the Nginx Proxy Manager, which then forwards traffic to specific ports internally on my home network, which sounds safe in my mind. Is it misconfiguration of the proxy manager I should be wary of? Or some exploits in the proxy manager?

  • cyberwolfieOP
    link
    fedilink
    English
    arrow-up
    1
    ·
    1 year ago

    I’ll take a look at ZeroTier, but what you say there does seem like a little hassle.

    What are the ways that the setup with Nginx is done poorly? You mention aggressive IP filtering - are you essentially just whitelisting traffic incoming IPs from the users? For DNS I was planning on using Cloudflare - I have no experience setting up anything of the kind myself.

    • corroded@lemmy.world
      link
      fedilink
      English
      arrow-up
      2
      arrow-down
      1
      ·
      edit-2
      1 year ago

      Nginx is good for isolating your internal services from the internet, and for routing HTTP over HTTPS, but you still have to make the assumption that your internal services are secure. What I do is block all incoming connections on my firewall that don’t match my whitelist. For a long time I blocked everything but my mobile provider, my work, and my partner’s work. Lately I have been whitelisting US addresses and blocking all other countries (certbot requires incoming connections to auto renew SSL certs). I also blacklist known bad ranges just in case, although few of these are in the US anyway.

      What you block and allow would depend largely on your use case, but my opinion is the more the better.

      Even if Jellyfin has an unknown exploit, and even if someone thought my little home LAN was worth targeting, chances are they wouldn’t make it past my firewall anyway.