Here’s my proposed configuration:

  • OrangePi Zero 3 running DietPi
  • Jellyfin with media libraries on an external hard drive
  • Dynamic DNS from DuckDNS to access server remotely via Finamp

Is there anything I’m missing? Do I need Let’s Encrypt or fail2ban?

  • Possibly linux
    112 days ago

    Don’t expose Jellyfin to the internet

    Instead, add some sort of additional security layer like a Mesh VPN

    • @[email protected]OP
      52 days ago

      Thank you! What is the most beginner-friendly way to do that?

      I’ve been trying to figure this all out for so long, but it feels like every time I overturn one stone I discover there’s another setting or program I need to configure that I didn’t know about

      • @[email protected]
        2 days ago

        Install Caddy. Check that it works. Get to know what a firewall is. How it works. Forward your ports from router to the machine. (I use Cockpit (preinstalled on Fedora) to configure my firewall.)

        Use a Caddyfile with the content:

        sub.domain.com {
            reverse_proxy 192.168.178.192:8080
        }
        

        Replace 192.168.178.192 with the IP, 8080 with the port, and the domain with yours, obviously.

        That’s it.

          • BentiGorlich
            52 days ago

            Well I do not have to touch any configuration files with npm and it has a relatively fancy UI

            • @[email protected]
              42 days ago

              Being able to manage it through a gui web interface is definitely nice. I love how simple it is to work with.

            • Possibly linux
              12 days ago

              Caddy is much faster though. I don’t like trying to navigate a UI when you can just write 3 lines in a config.

  • @[email protected]
    132 days ago

    If it’s on the Internet, yes.

    Given the state of the Internet, you should keep a healthy level of paranoia. I always recommend exposing as little as possible, and that means using only a VPN and not putting Jellyfin itself on the Internet.

    • @[email protected]OP
      2 days ago

      Oh, the healthy paranoia isn’t the issue haha

      I just want to be able to figure out how to configure my system to be able to safely expose a single service for my use away from home. Because I’d like to eventually expand from Jellyfin to Nextcloud and Vaultwarden as well, but I know I’m not there yet

  • Mordikan
    92 days ago

    I would only expose a port to the Internet if users other than myself would be needing access to it. Otherwise, I just keep everything inside a Tailscale network so I can access remotely. Usually, I believe, people put a reverse proxy in front of the Jellyfin server and configure your certificates from there. So Jellyfin to proxy is insecure and then proxy to internet is secure. Let’s Encrypt is an easy way to do that. And if you are going to expose a port you definitely want fail2ban monitoring that port.

    If using Tailscale funnels, you can technically skip the certificate part as that’s done for you, but that would take away from the learning experience of setting up a proxy.
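
What the fail2ban suggestion above amounts to, shown as an added Python example (not from the thread and not fail2ban's own code): count failed Jellyfin logins per source IP inside a sliding time window and flag the addresses that cross a threshold. The log line shape and all sample lines are assumptions constructed for the example; the parameter names mirror fail2ban's `maxretry`, `findtime` and `ignoreip` jail options.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Assumed line shape for a failed Jellyfin login; check it against your own log.
DENIED = re.compile(
    r'^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\.\d+ [+-]\d{2}:\d{2}\] \[\w+\] '
    r'.*Authentication request for .* has been denied \(IP: "(?P<ip>[^"]+)"\)'
)

# Constructed sample log. 203.0.113.0/24 and 198.51.100.0/24 are documentation
# ranges; 192.168.1.10 stands in for a reverse proxy on the LAN.
SAMPLE_LOG = """\
[2024-05-01 20:00:01.120 +00:00] [INF] Authentication request for "admin" has been denied (IP: "203.0.113.7").
[2024-05-01 20:00:04.530 +00:00] [INF] Authentication request for "root" has been denied (IP: "203.0.113.7").
[2024-05-01 20:00:09.002 +00:00] [INF] Authentication request for "jellyfin" has been denied (IP: "203.0.113.7").
[2024-05-01 20:03:00.000 +00:00] [INF] Authentication request for "sam" has been denied (IP: "198.51.100.20").
[2024-05-01 20:05:10.000 +00:00] [INF] Authentication request for "a" has been denied (IP: "192.168.1.10").
[2024-05-01 20:05:11.000 +00:00] [INF] Authentication request for "b" has been denied (IP: "192.168.1.10").
[2024-05-01 20:05:12.000 +00:00] [INF] Authentication request for "c" has been denied (IP: "192.168.1.10").
[2024-05-01 20:30:00.000 +00:00] [INF] Authentication request for "sam" has been denied (IP: "198.51.100.20").
[2024-05-01 20:31:00.000 +00:00] [INF] Authentication request for "sam" has been denied (IP: "198.51.100.20").
""".splitlines()


def find_bans(lines, maxretry=3, findtime=timedelta(minutes=10), ignoreip=()):
    """Return {ip: timestamp of the failure that reached maxretry within findtime}."""
    recent = defaultdict(deque)   # ip -> timestamps of failures still inside the window
    bans = {}
    for line in lines:
        m = DENIED.match(line)
        if not m or m["ip"] in ignoreip or m["ip"] in bans:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        window = recent[m["ip"]]
        window.append(ts)
        while ts - window[0] > findtime:   # drop failures older than the window
            window.popleft()
        if len(window) >= maxretry:
            bans[m["ip"]] = ts
    return bans


if __name__ == "__main__":
    # Without ignoreip the proxy address itself would be banned, because every
    # proxied request reaches the backend from the proxy's IP.
    for ip, when in find_bans(SAMPLE_LOG, ignoreip={"192.168.1.10"}).items():
        print(f"ban {ip} (threshold reached at {when})")
```

The second external address fails three times but never three times within ten minutes, so only the first one is flagged.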

    • @[email protected]
      12 days ago

      To add to the idea of using Tailscale: I’ve been using tsdproxy for a while now and it’s outrageously easy to set up.

      The reason I’ve gone this route is that I feel like it gives me a bit more control over who is in my network and what they can get to.

      Each service gets a funny name address and I get to share that specific service with other people who also have tailscale. Then if they get on my nerves or something, I can stop sharing that specific service and they can figure it out on their own.