I’m on your side. I don’t really see the difference hosting Jellyfin or Plex to the internet.
If you want max security and headache for jellyfin, set up a VPN like they say, otherwise keep it exposed, It’s very unlikely for your server to be targeted and It hasn’t been worth the hassle for me.
Edit: well not directly directly, do the minimum and put it behind a reverse proxy that adds HTTPS of course, but thats recommended in the docs so yah
I mean, the worst that could happen is they delete everything on the server and I have to spend time restoring from a backup. Not exactly the riskiest thing to do.
I am using a non-privileged user on jellyfin.
Admin stuff needs to be done with a hidden user.
I might should be bothering to do rootless docker at some point…
depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!
VPN. There is no safe direct option.
I’ve had my instance open to the internet for about two years with no issues.
I’m on your side. I don’t really see the difference hosting Jellyfin or Plex to the internet.
If you want max security and headache for jellyfin, set up a VPN like they say, otherwise keep it exposed, It’s very unlikely for your server to be targeted and It hasn’t been worth the hassle for me.
Edit: well not directly directly, do the minimum and put it behind a reverse proxy that adds HTTPS of course, but thats recommended in the docs so yah
So far. That you know of.
I mean, the worst that could happen is they delete everything on the server and I have to spend time restoring from a backup. Not exactly the riskiest thing to do.
Well, the worst that could happen is they start hosting CSAM out of your house and then the FBI knocks on your door.
Ok, fair enough. I don’t think that’s likely though.
No. More likely is an automated botnet mining cryptocurrency or running a DDoS. That’s usually what happens.
Don’t forget automated tools of rights holders like Sony scouring your server and finding that Spiderman.3.bluRay.MKV, suing you for infringement
I am using a non-privileged user on jellyfin.
Admin stuff needs to be done with a hidden user.
I might should be bothering to do rootless docker at some point…
depending what is on it, and your risk factor, theoretically an attacker can check known resource paths to confirm or deny whats on the server. That’s my main complaint currently on it is that the jellyfin team is aware of the fact that it doesn’t need authentication, but are looking for some miracle solution that won’t toss legacy clients out in order to fix, so therefore the issues are just perpetually open.
edit: it looks like some of these issues may be being worked on now that they moved the problemic protocal into a plugin. I hope that that means they will close them in the next few releases!