Hi y’all, thanks for the help with my question yesterday. I did a bit of homework, and I think I’ve got things figured out. Here’s my revised plan:
-
configure a cron job to update DuckDNS with my IP address every 5 minutes
-
use ufw to block all incoming traffic, except to ports 80 and 443, to allow incoming traffic to reach Caddy
-
configure the Caddyfile to direct traffic from my DuckDNS subdomain to Jellyfin’s port
Does this seem right this time? Am I missing anything, or unnecessarily adding steps? Thanks in advance, I’ll get the hang of all this someday!
Thanks for the tip! I’ll back the refresh rate off to be safe.
I’m not sure I entirely understand your concern about putting Jellyfin on the internet. A large part of my interest in selfhosting is being able host my own music library, my own cloud storage, etc, and access it as an alternative to Spotify or Google Drive. Doesn’t that inherently mean that they need to be on the internet, if I want to be able to access them when I’m away from home?
My goal has been to find a way to do that safely, but if that’s not possible, that’s good to know too, so I don’t keep trying to do the impossible.
Wireguard or tailscale are much better ways of accessing jellyfin from outside your network.
What if I want a bunch of people to be able to log into my library via Finamp?
Provide them with VPN access. If that’s too much for them, then they don’t get access. Tough. On the scale of security vs convenience, that’s nothing.
If you really really want, you should at least see if you can put a WAF in front, and put the server itself somewhere it doesn’t have access to the rest of your network (a DMZ) so that if and when it gets hacked, it doesn’t compromise the entire network.
You use plex instead, or you accept the massive security vulnerabilities.
What vulnerabilities? Sure there are some but nothing massive that I have seen. Care to post them.
web endpoints with zero authentication lol
I just finished refining my Jellyfin setup. I use caddy as reverse proxy and use authelia as authentication in front of Jellyfin. This way only users logged in to authelia can access my Jellyfin. And there is an SSO plugin for jellyfin to avoid double login. The tricky part was getting apps to work.