this post was submitted on 09 Apr 2025
46 points (77.4% liked)


Please take this discussion to this post: https://lemmy.ml/post/28376589

Selfhosting is always a dilemma in terms of security for a lot of reasons. Nevertheless, I have one simple goal: selfhost a Jellyfin instance in the most secure way possible. I don't plan to access it anywhere but home.

TL;DR

I want the highest degree of security possible, but my hard limits are:

  • No custom DNS
  • Always-on VPN
  • No self-signed certificates (unless there is no risk of MITM)
  • No external server

Full explanation

I want to be able to access it from multiple devices, so it can't be a local-only instance.

I have a Raspberry Pi 5 that I want to host it on. That means I will not be hosting it on an external server, and I will only be able to run something light like securecore rather than something heavy like Qubes OS. Eventually I would like to use GrapheneOS to host it, once Android's virtual machine management app becomes more stable.

It's still crazy to me that 2TB microSDXC cards are a real thing.

I would like to avoid subscription costs such as the cost of buying a domain or the cost of paying for a VPN, however I prioritize security over cost. It is truly annoying that Jellyfin clients seldom support self-signed certificates, meaning the only way to get proper E2EE is by buying a domain and using a certificate authority. I wouldn't want to use a self-signed certificate anyways, due to the risk of MITM attacks. I am a penetration tester, so I have tested attacks by injecting malicious certificates before. It is possible to add self-signed certificates as trusted certificates for each system, but I haven't been able to get that to work since it seems clients don't trust them anyways.

Buying a domain also runs many privacy risks, since it's difficult to buy domains without handing over personal information. I do not want to change my DNS, since that risks browser fingerprinting if it differs from the VPN provider. I always use a VPN (currently ProtonVPN) for my devices.

If I pay for ProtonVPN (or other providers) it is possible to allow LAN connections, which would help significantly, but the issue of self-signed certificates still lingers.

With that said, it seems my options are very limited.

50 comments
[–] helios@social.ggbox.fr 2 points 5 days ago (1 children)

You're overthinking. Just host it on any server with a domain name and use let's encrypt certs if you want to access it from anywhere. TLS offers good encryption, I don't get how you need a VPN on top of that.

For local access only, I'd just host it on a machine over the LAN, self-signed certs for TLS, hell I would even settle with HTTP in this case. As for your VPN app preventing you from accessing a local resource on your LAN, if true, you should get rid of that nonsense.

[–] lefixxx@lemmy.world 1 points 5 days ago

You can also add a second network interface to the computer that needs to access the jellyfin server over LAN.

[–] LainTrain@lemmy.dbzer0.com 2 points 5 days ago* (last edited 5 days ago)

If you're running externally, use a cloudflare tunnel.

No ports exposed = no attack surface. This is 99% of security.

HTTPS is provided by CF, although it only secures comms between your devices and CF, not CF to your Pi, meaning CF can technically see clear text.

If that's not good enough then use a VPN server like PiVPN and put it on your pi and OpenVPN on your devices. *This has nothing to do with paid VPN client subscriptions like Tunnelbear or Proton or whatever.*

You will be running a VPN server on your pi to which you will connect from your devices on which you want to watch JF by downloading a device profile to your devices and opening it in the OpenVPN app.

You do not need to pay for anything at all anywhere ever (other than something for DDNS and a domain name), use a strong password and make sure your JF is updated if there's any CVE. Expose nothing else to the internet.

You don't even need HTTPS at that point or any certs, a VPN will encrypt your traffic anyway. The only cleartext you'll have is between your VPN and your JF, and if both are on the pi then the only MITM vector is literally inside your Pi which is unlikely to have any issues.

[–] CmdrShepard42@lemm.ee 2 points 5 days ago (1 children)

I can't answer your question as I rely on Plex rather than fooling around with my own security, but I'd suggest reconsidering the Pi and a microSD to host Jellyfin. Neither one of these is a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files. Beyond that, SD cards are terrible for this kind of task and you'd be much better served with an SSD as your boot/data drive for robustness. I can't even count the number of failed SD cards I've had over the years.

[–] Charger8232@lemmy.ml 2 points 5 days ago (1 children)

but I’d suggest reconsidering the Pi

It's what I have on hand at the moment. I don't have proper server hardware yet.

and a microSD to host Jellyfin.

Beyond that, SD cards are terrible for this kind of task and you’d be much better served with an SSD as your boot/data drive for robustness. I can’t even count the number of failed SD cards I’ve had over the years.

I will keep this in mind, thank you!

Neither one of these are a good fit unless you plan on sticking to very specific audio and video codecs to avoid all transcoding and your upload speeds are capable of serving the full bitrate of your files.

I haven't tried playing videos from my Raspberry Pi, but I've been able to run extremely modern video codecs on some pretty old hardware without any issues. Since I've never had issues with video codecs, I'm not experienced in what hardware can and can't handle it.

[–] beerclue@lemmy.world 1 points 5 days ago (2 children)

A micro-sized PC with an i5 and 8 GB of RAM can cost under 100€, and it's way more powerful compared to a Pi. Power efficient too. That's what I used for a long time for my Jellyfin server.

[–] Charger8232@lemmy.ml 2 points 5 days ago

Thank you! I'd like to avoid extra costs, since I already have the Pi on hand, but when I have the money I will switch to a proper server.

[–] AtariDump@lemmy.world 1 points 5 days ago (1 children)
[–] beerclue@lemmy.world 0 points 5 days ago (1 children)

I don't think so, but don't quote me on that. My machines come with a 65w charger.

[–] AtariDump@lemmy.world 1 points 5 days ago (1 children)

It cannot.

While used equipment is more powerful than a Pi, it doesn't always fit everyone's use case and I hate it when people have a "one size fits all" solution.

[–] beerclue@lemmy.world 0 points 4 days ago

I agree with you, but this was specifically about jellyfin.

Your options are only as limited as your imagination and complexity of your requirements.

If you're only using it on your network, just use HTTP with mdns (or have static routes from your router or something, but you said you don't want that) so you don't have to remember IP addresses. If you want TLS, you can borrow someone else's domain with a service like FreeDNS.afraid.org (5 free subdomains). Or if you control the devices completely, you can make a root CA and add that to each device's trusted CA list, and then sign your own certs and eliminate MITM attacks.

You have options, and most are overkill. The simplest, secure solution is HTTP on your local network or over a VPN you trust (if you have a publicly accessible IP, just host your own WireGuard server on/via your router).

[–] Mouette@jlai.lu 1 points 5 days ago* (last edited 5 days ago)

How I do it:

  • Wireguard for VPN endpoint on the pi and device that I have root on, secure, fast to setup and doesn't add a lot of overhead

  • For access outside of VPN:

You might have to pay for a domain name if you don't have a static IP, which is relatively cheap.

You can manually allow trusted IPs to access the service in your firewall, which nullifies the attack surface if done perfectly but is really a hassle to set up and maintain. I'm looking to set up Keycloak for a strong pre-auth that I can share between services and that is also lightweight (Authentik is not lightweight, Authelia seems to be, I'd like to try it as well). This coupled with firewall rules and/or a fail2ban-like service should be more than enough for a private server I think.

[–] dbbljack@lemmy.world 0 points 5 days ago

So you want a self-hosted Jellyfin instance that you only plan to access at home, as securely and simply as possible?

Buy an HDMI splitter.
