How to secure Jellyfin hosted over the internet?

λλλ · 3 days ago

How to secure Jellyfin hosted over the internet?

@skoell13@feddit.org · edit-2 2 days ago

My setup: Locally (all in docker):

JF for managing and local access
JF with read only mounted volumes that uses the network of my Wireguard client container
Wireguard client opening a tunnel to Wireguard server on VPS ** Ping container regularly doing pings to Wireguard Server so the connection stays up (didn’t manage it otherwise)

VPS (Oracle Cloud free tier, also everything in docker):

Caddy as a reverse proxy with https enabled and geolocking (only certain countries are allowed to connect to)
fail2ban to block IPs that try to bruteforce credentials
Wireguard server

Usernames are not shown in the frontend and have to be entered. Passwords are generated by a password manager and can’t be changed by the user.

So my clients just get the URL of my reverse proxy and can access the read only JF through my Wireguard tunnel. Didn’t have to open any ports on my side. If someone is interested I can share the docker compose files later.

Edit: Here the link to the setup description. Please tell me if something is not clear or you find an error. https://codeberg.org/skjalli/jellyfin-vps-setup

Escalation · 3 days ago

I am interested in your docker compose

@skoell13@feddit.org · 3 days ago

Will share this evening after work.

@skoell13@feddit.org · 2 days ago

https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.

@shaserlark@sh.itjust.works · 1 day ago

This is honestly awesome! I was thinking about a similar setup for a long time but wasn’t sure how to do this exactly, this seems exactly like the setup I was looking for. Thank you!

@skoell13@feddit.org · 1 day ago

You’re welcome, happy that I can help. I also just updated it a bit. In case you find any issues or have questions please let me know. It was mostly trial and error until it ran…

λλλ · 3 days ago

I’m more interested in the fail2ban setup. How did you do that for Jellyfin? Is it through a plugin?

@skoell13@feddit.org · 3 days ago

It’s a separate container, currently in the process of writing everything up, will update once done

λλλ · 3 days ago

Thanks!

@skoell13@feddit.org · 2 days ago

https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.

λλλ · 2 days ago

Thanks! I’ll read more through it when I have the chance!

@Enceladus@lemmy.ca · 3 days ago

This seems like a developer/infrastructure level job, any dumb down step by step procedure to recommend?

@skoell13@feddit.org · 2 days ago

https://codeberg.org/skjalli/jellyfin-vps-setup here you go, took me longer than expected and I hope it’s helpful, might contain a few errors since I had to remove some settings but I guess this should work.

@Enceladus@lemmy.ca · 2 days ago

Thank you! Impressive documentation work, looks like I have to learn docker first.

@skoell13@feddit.org · 2 days ago

It’s a steep learning curve for sure but once you get the basics it’s straight forward until you hit very specific problems.

Are you a Windows or Linux user? They often want to push their Docker UI application but in my opinion docker engine with docker compose is enough. There are probably a lot of great tutorials out there and I can recommend https://www.linuxserver.io/ for images.

@skoell13@feddit.org · 3 days ago

I am currently in the ptocess to document my docker fioes and upload them to codeberg with a readme, it takes a bit, will let you know once I am done