- cross-posted to:
- jellyfin@lemmy.ml
- jellyfin@lemmy.ml
- cross-posted to:
- jellyfin@lemmy.ml
- jellyfin@lemmy.ml
You must log in or register to comment.
The update rolled out perfectly for my Kubernetes setup (using the Docker image). 👍
You can always tell who does real IT work in these threads lol
There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.
Does it work with android and TV apps?
I tried long ago and failed.
No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won’t work.
Edit: Client Certs need to be implemented per App. There is a feature request from 2022 https://features.jellyfin.org/posts/1461/capability-to-specify-client-certificate-for-android-client
Also interested how this works for mobile apps. I self host a number of services through caddy as my reverse proxy but each application is just dependent on it’s own authentication. If I exposed all my services to the internet, that’s a huge attack vector. If anyone else has some ideas I’d be happy to listen.
If you are the only user and don’t need to use those apps in devices you don’t own a vpn is the way to go.
If not. Depending the number of users you could do some heavy ip geoblocking to at least reduce the exposed surface.
There are a few services I have just like 3 IPs allowed to get a response from caddy, any other ip gets 403 error.
Don’t expose jellyfin to the internet is a golden rule.
So don’t use it outside your house? Pass
Nothing stops you from using it outside of your house.
It kind of does. Whatever and yes I’m aware of the list people keep posting and I’ve looked at it.
I just love it when people post one sentence rebuttals without actually including any usable information what they are talking about.
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
Tailscale is a super easy vpn that gives you access to your home network from anywhere. And it’s free.
the usable information is information that’s so widely talked about in this community that they probably expected anyone who is reading this to know what they’re talking about.
clearly there are still people who have no experience self-hosting whatsoever that we should be considerate of.
Kinda defeats the purpose of a media server built to be used by multiple people
No need to expose jellyfin to the internet if you selectively allow peers on your lan via wireguard.
Which doesn’t work for The grand majority of devices that would be used to watch said media.
Tvs game consoles rokus so on so forth typically don’t support VPN clients.
The Jonathan clients for these devices also typically don’t support alternative authentication methods which would allow you to put jellyfin behind a proxy and have the proxy exposed to the internet. Gating all access to jellyfin apis behind a primary authentication layer thus mitigating effectively all security vulnerabilities that are currently open.
Tvs game consoles rokus so on so forth typically don’t support VPN clients.
and that’s why you set up a VPN client box on the location, set it up as a regular VPN client, and install a reverse proxy on it that the dumb clients can connect to.
the VPN box could be as simple as an old android phone no one uses, and termux
I’d rather just not use it at that point
Fair, you do you, I get a lot of value out of it instead.
The difference is that my friends get a lot of value out of my server, as they don’t need to use any technology they’re unfamiliar with.
you are better just closing up shop then, because it’s not like the other services you are hosting are much better. vulnerabilities being discovered don’t mean they don’t exist, it just means the software is not popular enough or too complex for someone to look into it
lol the whole internet better shut down right? Too vulnerable
much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don’t see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don’t recommend these practices to anyone, because you are putting them at risk.
I mean I do this stuff for a living but okay go off king
Easy for me but not my aunts, cousins or father in law to setup and use.
Nor will the VPN work on things like their TV or Roku or game console. You know the things that people typically sit down and watch media on…
Wireguard and possibly openvpn work on Android TVs. I set it up for my mom. Not sure about other OSs.
they are not setting up the Jellyfin server either, why would they need to bother with the VPN?
They’re connecting to it.
yeah, it’s the operator’s job to help setting that up
This attitude is why Plex remains popular.
Use a VPN, it’s not ideal but it’s secure.
Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.
Reverse proxy doesn’t really get you much security. If there is an application level issue a reverse proxy will not help
Hmmm, I’m a bit rusty on this but can’t one put an auth gate in front of the application, handled by the reverse proxy?
You can, that would actually give you security. Not sure how many people do that. I assumed a straight reverse proxy without any auth
I think that’s one of the major reasons to use pangolin over something like nginx - built in auth and support for oidc.
Of course, the native jellyfin apps don’t like the auth layer so idk if it helps if you’re trying to install it on your dad’s tv
I see thanks. I’ll think about it more.
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.
Those ones?
Also putting a VPN in someone else’s house so that all their Network traffic goes through your gateway is pretty damn extreme.
What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.
And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
NetBird is coming for you
I have been planning to check out Netbird for couple of days. Is it a good alternative for headscale and pangolin?
It depends if you’re using Pangolin for private access or public exposure.
NetBird is a clean replacement for headscale/tailscale, but if your using pangolin specifically for its public tunnel feature then you’d need to keep pangolin.
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
If I say I custom rolled my own crypto and it’s designed to be deployed to the open web, and you inspect it and don’t see anything wrong, should you do it?
Jellyfin is young and still in heavy development. As time goes on, more eyes have seen it, and it’s been battle hardened, the security naturally gets stronger and the risk lower. I don’t agree that no one should ever host a public jellyfin server for all time, but for right now, it should be clear that you’re assuming obvious risk.
Technically there’s no real problem here. Just like with any vulnerability in any service that’s exposed in some way, as long as you update right now you’re (probably) fine. I just don’t want staying on top of it to be a full time job, so I limit my attack surface by using a VPN.
Young.
The original ticket is 2019. That’s 7 years ago.
Technically there’s no real problem here.
It responds to and serves content to unauthenticated requests. That’s sorta table stakes if you’re creating an authenticated web service and providing guides to set it up with a reverse proxy.
Ok, I misread what you were linking to. Yeah, that’s pretty bad to allow actual streaming of content to unauthed users. I agree they should not be encouraging anyone to set this up to be publicly accessible until those are fixed. Or at least add a warning.
I don’t care if someone finds my instance and manages to guess a random number to stream some random movie. Good for them I guess it would be easier to just download it themselves.
Biggest worry is someone finding an uncaught RCE.
Of course plugins also have surface area.
We know they can anon pull video. You can sandbox it to limit exposure.
But if they modify the web client with an RCE, then you hit your own server as a trusted site and that delivers a payload…
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
It’s not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I’ll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn’t already been exploited to compromise my server because we’re all “among friends” there.
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
However, a community member of the selfhosted community is perfectly capable of reading a manual and learning the software.
That’s how you become tech literate in the first place, and you’re already on that path if you’re commenting/reading here.
Yes, not everyone. My grandmother would struggle setting up a VPN, for example.
that’s a weird take. your grandmother doesn’t need to set up a VPN. It’s not like this is where they would get stuck, they would have problems much sooner with running their own Jellyfin. that’s why you are hosting it for them, and why you go there and set the VPN up yourself.
Agreed, was more so referring to others. I apologize if it seemed like I was referring to myself
I’m already well and truly deep into this, myself. Two Proxmox nodes running the *Arr stack and Jellyfin in LXC containers. Bare metal TrueNAS, with scheduled LTO backups every two weeks. A few other bits and bobs, like some game servers and home automation for family.
Will need to re-map everything eventually, it’s kind of grown out of hand
Isn’t it easier to set up a VPN than expose it to the internet?
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
It’s just not convenient enough
and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.
Tbh I forgot about giving access to others, my homelab is for me only lol
You only have to give them access to a specific port on a specific machine, not your entire LAN.
My VPN has a ‘media’ usergroup who can only access the, read-only, NFS exports of my media library.
If you’re just installing Wireguard and enabling IP forwarding, yeah it would not be secure. But using a mesh VPN, like Tailscale/Headscale, gives you A LOT more tools to control access.
yeah but even with plain wireguard the peers can be limited. you just have to figure out the firewall rules, or use opnsense as your wireguard server because it figures the harder part out for you.
it’s not that it cannot be done. the issue is that something as simple as acceding a service should not require to configure wire guard and routing rules. plenty of FOSS projects are safe to expose through a simple reverse proxy
there is just too much place in the codebase for vulnerabilities, and also, most projects like this are maintained by volunteers in their free time for free.
I guess if you set up an IP whitelist in the reverse proxy, or a client TLS certificate requirement, it’s fine to open it to the internet, but otherwise no.
They’ve stated that they have no intention of ever fixing some of the biggest “anyone can access your media without a login” vulnerabilities, because it would require completely divesting from the Kodi branch that they initially used to start the entire project. And they never plan on rebuilding that from scratch, so those vulnerabilities will never be fixed.
They didn’t start the project from Kodi. It is a fork of Emby.
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
So use a reverse proxy with authentiacation before access to Jellyfin is allowed. I use Caddy forward_auth with Authelia for this. Unless you also want to use the apps without VPN, this works great.
Got instructions or a site to point to on setting something like that up?
Does that work for the Android and Android TV apps?
No. As I said, apps don’t work. I cobbled together an API key service that let’s you have an API key (password) in the server URL in Rust for myself. This works with Apps, but it is a bit too messy and single purpose for me to open source it right now. Maybe one day.
The problem here - it’s not me who requires access to my library, if someone isn’t willing or able to do it, I’m sorry but that’s just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I’m willing to help them if help is asked.
If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I’m pretty sure that majority of people with sound mind can.
Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn’t really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.Inb4 “we are not the same” meme
I’m not arrogant, just don’t assume that people are dumb and inept. If they can’t or don’t want to give a bit of time to setup it, well how can someone be forced to use free service that causes momentarily inconvenience once to use. 😔
Idk man, unconditional sharing feels pretty good
Pass. Users cause complexities. Complexities cause issues.
Users cause issues. Programs cause issues. Connecting it to the internet causes issues. Having a computer causes issues. Better turn your laptop off and throw it on the garbage.
This. And for everyone you just can’t figure it out on their own, there’s RustDesk for remote assistance. It, too, can be self-hosted.
Y’all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it sounds like a supply chain issue which a VPN won’t protect you from.
It isn’t a supply chain attack. If it was they would’ve disclosed it mmediately instead of waiting.
to be fair, Jellyfin had multiple unauthenticated vulnerabilities in the past so it makes sense to talk about it
The design of Jellyfin is really insecure
Utilize authelia perhaps?
Doesn’t work with TVs
ldap auth will work on tvs
But that’s basically using the same built-in auth. If there’s an auth bypass I don’t think it makes a difference.
not really. you can disable the default jellyfin login and force it to use ONLY ldap.
…which still uses Jellyfin for authentication. The only difference is that instead of checking your password locally it is sent over the network via LDAP
If only they would fix the htaccess bug
You’ve piqued my interest. Where can I read about it?
I did a quick search on their github and came up empty. Maybe no one mentioned “htaccess” in the issue.
Search for “basic auth”
Its the only software project I know of that you can’t put behind http basic auth. They mark this bug as “wontfix” every time someone points it out to them
Basic auth? The insecure authentication method?
Ok, I’ll look it up anyway. Under the jellyfin repository, there were eight results, none of which seemed to describe what you meant, and under the jellyfin-web repository, there were none. Using a web crawler search, I was able to find Issue #123 for jellyfin-android
Is that it?
Basic auth is very secure.
Unlike custom implemented logins. So it’s common to use basic auth in front of custom auth implementations. So even when the app has a login vuln, you’re safe.
Yes that ticket is one of many.
Try searching the repo. Make sure to backspace out the prefix that ignores closed tickets.
Don’t ever shit in your own house, either.
Just in case they’re watching.
I shit in my toilet
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
Do not rely on an OIDC/LDAP provider with Jellyfin, you cannot run these in front of your proxy otherwise Jellyfin applications will not be able to communicate with the server.
Blacklist all IP address and whitelist the known few, no need for Fail2Ban or a WAF.
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
that’s nonsense. I do it myself and it works flawlessly, including on TVs.
I still wouldn’t do it personally
samba vlc solved… you are welcome
I know you’re gatekeeping from Turd Mountain, but just for completeness, the reason I use Jellyfin besides the “pretty for my wife” reason is that it keeps track of her progress between clients. She sometimes watches things on her laptop, sometimes her phone, sometimes her tablet, and sometimes the TV, and no matter which one she uses it’ll remember which episode of her show is the next episode. It also highlights when a new episode of something has been added and cues her to watch the new episode that just came out.
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
But yeah, if I was alone and only had a pile of anime I’d already seen before, which I only watched from my Linux devices, Samba and VLC would do me fine 😛
Use NFS for your sanity. Linux samba/CIFS is annoying to deal with.
Also, mpv
Honestly, I’m not a big fan if Microsoft generally, but I found NFS to be surprisingly not great for non-permanent infrastructure, whereas SMB took a few minutes and works great, at least in my use cases. Maybe I’m just a loser, though.
Nah, if it works for you then use it. There are no rules here!
Nope? how about fancy stuff GUI and plot?
IMDB on your phone I guess…Am I having a stroke?
Do you smell burning fish?
At the time off writing you made a few more comments, so either “no” or “yes but your life is Lemmy”.
Pretty flawless update from the apt repo on my end.
Server version 10.11.7Yeah, I think what went wrong and now everything is installed through Docker.
Docker feels like a huge security problem to me.
Why?
Docker makes everything so much easier
I know, but your security then depends on the package maintainer to keep the image up to date
I forgot that it’s April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Im on fedora and I have installed through dnf, no updates with the dnf update… should I wait?
I depends a bit on your threat model. If you have Jellyfin exposed to the internet I would shut it down immediately. If you are running locally and rely on it, let it run maybe? If behind a tailnet or some other VPN, I would deactivate it as well. If it is an Axios like vulnerability it may be possible your secrets are in danger, dependent on how well they are secured. Not a security expert, but I would handle this a little more conservative…
It’s on my home, which is not 24/7 open. Will see check later.
No need to shut it down if it’s not exposed to the internet. Tailnet/VPN is fine.
If it’s a supply chain compromise shutting it down wouldn’t matter. The damage is already done.
I don’t believe it a supply chain compromise
If only 10.11 were usable for me at all.
What’s the issue?
In addition to the other comment, it currently has some pretty rough performance issues with big libraries.
There was a regression that caused Jellyfin to be a LOT more restrictive regarding the structured filesystem format. But this could be something else
It’s probably database performance related. There’s a massive PR undergoing round after round of reviews that, when merged, will be a change to 10.12 and will resolve all of the new database performance issues experienced in certain edge cases (book libraries, large music libraries, large collections, etc)
I don’t have books, moved music to navidrome, and have a relatively small library and it just will not play nice. Library scans lasting for days kind of nasty. RAM and CPU domination.
Yeah this is unfortunate news for me as well. I have a primary container I use for videos, and then a 10.10 server for music. 10.11 is borderline unusable for music for me, and I’ve tried everything for rescanning to completely redoing the server set up (rip accidentally deleting all my music playlists).
But i shall kill off the 10.10 container and hope a performance fix is in the works.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters HTTP Hypertext Transfer Protocol, the Web VPN Virtual Private Network nginx Popular HTTP server
[Thread #203 for this comm, first seen 1st Apr 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]
thanks for posting this!
Thanks for this post, i would have updated mine next semester…
That changelog just screams AI lol. All the emojis
Three. Three emojis, used in headings as a bullet point.
It is perfectly plausable for someone whos job is to write technical documentation and promotional material would punch it up with a couple 'mojis.
https://github.com/jellyfin/jellyfin/releases
Every single release uses the same format with the same 3 emojis. You’d know that if you’d clicked “releases” and had even a modicum of curiosity.
It isn’t, not that I would care anyways
No worries. We’ve been communicating with pictures since ancient cave men scrawled pictographs on cave walls with a piece of burnt firewood.
Just updated, thanks for the info <3
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn’t go on the github of projects on my own unless I wanted to read the “read me” for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
I am realizing that I got aware
I don’t run the arr stack, but this is key. You really should do your due diligence before you update anything. Personally, I wait unless it’s a security issue, and use all the early adopters as beta testers.
Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend younto read up on package repositories on Linux and package maintainers etc.
Not really.
Depending on how you install things, the package maintainers usually deal with this, so your next
apt update/pacman -Syuvor … whatever Fedora does… would capture it.If you’ve installed this as a container… dunno… whatever the container update process is (I don’t use them)
Unattended upgrades set to security only and never worry
It’s difficult to do security-only updates when the fix is contained within a package update.
Even Microsoft’s security updates are a mix with secuirity updates containing feature changes and vice versa.
I usually do an update on 1 random device / VM and if that was ok (inc. watching for any
.pacnewfiles) and then kick Ansible into action for the rest.Why does unattended upgrades with security only setting not fix this?
This is literally why Debian has distinct repos for security updates.
Let me know which repo this update appears in.
I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.
Lol it’s already insecure then. Don’t bother.
Insane way of thinking.
Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.
Docker is known insecure. It doesn’t verify any layers it pulls cryptography. The devs are aware. The tickets remain open.
If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.
If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.
I don’t know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.
There’s a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as altering on versioning.
If you haven’t already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it’s fine to track an older supported version too.
The Jellyfin has an official Telegram channel which I use as the newsletter.
Besides that, the selfh.st newsletter usually highlights the more popular projects if such an issue arises.
