Hi folks. So, I know due to a myriad of reasons I should not allow Jellyfin access to the open internet. However, in trying to switch family over from Plex, I’ll need something that “just works”.
How are people solving this problem? I’ve thought about a few solutions, like whitelisting ips (which can change of course), or setting up VPN or tail scale (but then that is more work than they will be willing to do on their side). I can even add some level of auth into my reverse proxy, but that would break Jellyfin clients.
Wondering what others have thought about for this problem
I expose jellyfin to the internet, and some precautions I have taken that I don’t see mentioned in these answers are: 1) run jellyfin as a rootless container, and 2) use read-only storage where ever possible. If you have other tools managing things like subtitles and metadata files before jellyfin there’s no reason for jellyfin to have write access to the media it hosts. While this doesn’t directly address the documented security flaws with jellyfin, you may as well treat it like a diseased plague rat if you’re going to expose it. To me, that means worst case scenario is the thing is breached and the only thing for an attacker to do is exfiltrate things limited to jellyfin.