- cross-posted to:
- piracy@lemmy.dbzer0.com
- jellyfin@lemmy.ml
- jellyfin@lemmy.ml
- cross-posted to:
- piracy@lemmy.dbzer0.com
- jellyfin@lemmy.ml
- jellyfin@lemmy.ml
You must log in or # to comment.
Don’t expose jellyfin to the internet is a golden rule.
Kinda defeats the purpose of a media server built to be used by multiple people
Use a VPN, it’s not ideal but it’s secure.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Which again implies that you have a router that allows you to do so. It’s not always the case. For tech enthusiast people that’s the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.
Reverse proxy doesn’t really get you much security. If there is an application level issue a reverse proxy will not help
Hmmm, I’m a bit rusty on this but can’t one put an auth gate in front of the application, handled by the reverse proxy?
You can, that would actually give you security. Not sure how many people do that. I assumed a straight reverse proxy without any auth
I think that’s one of the major reasons to use pangolin over something like nginx - built in auth and support for oidc.
Of course, the native jellyfin apps don’t like the auth layer so idk if it helps if you’re trying to install it on your dad’s tv
I see thanks. I’ll think about it more.
well, at least you are not depending on the application to do TLS properly, and you may be able to set up some access restrictions that your clients may support
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
Reverse proxies like the one specifically mentioned, pangolin, have auth and user access rules.
Pangolin is based off of Traefik if I’m not mistaken, should be able to use Traefiks IPAllowlist middleware to blacklist all IP addresses and only whitelisting the known few, that way you can expose your application to the internet knowing you have that restriction in place for those who connect to your service.
If the people you want to have access have static, exclusive ip addresses. Which is pretty unusual, these days.
Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.
Actually, recently I’ve been using a fork of IPAllowList which accepts DDNS addresses, but that usually is for more technical folk who would probably rather use a VPN then purchase a domain and associate it with their network.
deleted by creator
This attitude is why Plex remains popular.
Easy for me but not my aunts, cousins or father in law to setup and use.
they are not setting up the Jellyfin server either, why would they need to bother with the VPN?
They’re connecting to it.
yeah, it’s the operator’s job to help setting that up
deleted by creator
I’d rather just not use it at that point
deleted by creator
The difference is that my friends get a lot of value out of my server, as they don’t need to use any technology they’re unfamiliar with.
you are better just closing up shop then, because it’s not like the other services you are hosting are much better. vulnerabilities being discovered don’t mean they don’t exist, it just means the software is not popular enough or too complex for someone to look into it
lol the whole internet better shut down right? Too vulnerable
much of the internet is run on simpler software or by full time employees tasked to deal with all this. but sure, ignorance is bliss, what you don’t see does not exist, etc etc, keep running your Jellyfin exposed to the internet. you wouldnt even get to know when your system is compromised. but you know what? you could even remove your password for extra convenience. who would want to log in to a random jellyfin account anyway! surely no one! just don’t recommend these practices to anyone, because you are putting them at risk.
I mean I do this stuff for a living but okay go off king
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
Examples dating back over six years https://github.com/jellyfin/jellyfin/issues/5415
I mean I’m sure they’d like to just ship safe code in the first place. But if that’s not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I’d rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
It’s not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I’ll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn’t already been exploited to compromise my server because we’re all “among friends” there.
Lol you shouldn’t make such assumptions when they so obviously place sefiroty last
there is just too much place in the codebase for vulnerabilities, and also, most projects like this are maintained by volunteers in their free time for free.
I guess if you set up an IP whitelist in the reverse proxy, or a client TLS certificate requirement, it’s fine to open it to the internet, but otherwise no.
If I say I custom rolled my own crypto and it’s designed to be deployed to the open web, and you inspect it and don’t see anything wrong, should you do it?
Jellyfin is young and still in heavy development. As time goes on, more eyes have seen it, and it’s been battle hardened, the security naturally gets stronger and the risk lower. I don’t agree that no one should ever host a public jellyfin server for all time, but for right now, it should be clear that you’re assuming obvious risk.
Technically there’s no real problem here. Just like with any vulnerability in any service that’s exposed in some way, as long as you update right now you’re (probably) fine. I just don’t want staying on top of it to be a full time job, so I limit my attack surface by using a VPN.
Young.
The original ticket is 2019. That’s 7 years ago.
Technically there’s no real problem here.
It responds to and serves content to unauthenticated requests. That’s sorta table stakes if you’re creating an authenticated web service and providing guides to set it up with a reverse proxy.
Ok, I misread what you were linking to. Yeah, that’s pretty bad to allow actual streaming of content to unauthed users. I agree they should not be encouraging anyone to set this up to be publicly accessible until those are fixed. Or at least add a warning.
Unfortunately, not everyone is tech-literate enough nowadays to understand how a VPN works, nor do they want to
Isn’t it easier to set up a VPN than expose it to the internet?
and then you are giving access to your lan to people whose computer you don’t control and might be full of malware.
Tbh I forgot about giving access to others, my homelab is for me only lol
Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
It’s just not convenient enough
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
I know way too many people who won’t remember to toggle it on, or just won’t deal with it
they need a VPN app that toggles automatically. turn off when they happen to connect to your network, otherwise on, and only forward jellyfin and such apps through it.
They’ve stated that they have no intention of ever fixing some of the biggest “anyone can access your media without a login” vulnerabilities, because it would require completely divesting from the Kodi branch that they initially used to start the entire project. And they never plan on rebuilding that from scratch, so those vulnerabilities will never be fixed.
Y’all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won’t protect you from.
to be fair, Jellyfin had multiple unauthenticated vulnerabilities in the past so it makes sense to talk about it
The design of Jellyfin is really insecure
It isn’t a supply chain attack. If it was they would’ve disclosed it mmediately instead of waiting.
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
NetBird is coming for you
I have been planning to check out Netbird for couple of days. Is it a good alternative for headscale and pangolin?
It depends if you’re using Pangolin for private access or public exposure.
NetBird is a clean replacement for headscale/tailscale, but if your using pangolin specifically for its public tunnel feature then you’d need to keep pangolin.
Mainly use pangolin for public access, I’m looking for something/somehow add authentication for pangolin while trying to access endpoint in apps where it’s not exactly possible to directly authenticate in pangolin
So don’t use it outside your house? Pass
Nothing stops you from using it outside of your house.
I just love it when people post one sentence rebuttals without actually including any usable information what they are talking about.
The solution is mentioned already - use vpn, it will solve 90% of the problems that you can encounter. Also you can serve multiple other services this way without exposing them.
Tailscale is a super easy vpn that gives you access to your home network from anywhere. And it’s free.
the usable information is information that’s so widely talked about in this community that they probably expected anyone who is reading this to know what they’re talking about.
clearly there are still people who have no experience self-hosting whatsoever that we should be considerate of.
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
The problem here - it’s not me who requires access to my library, if someone isn’t willing or able to do it, I’m sorry but that’s just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I’m willing to help them if help is asked.
If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I’m pretty sure that majority of people with sound mind can.
Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn’t really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.Inb4 “we are not the same” meme
I’m not arrogant, just don’t assume that people are dumb and inept. If they can’t or don’t want to give a bit of time to setup it, well how can someone be forced to use free service that causes momentarily inconvenience once to use. 😔
Idk man, unconditional sharing feels pretty good
Pass. Users cause complexities. Complexities cause issues.
Users cause issues. Programs cause issues. Connecting it to the internet causes issues. Having a computer causes issues. Better turn your laptop off and throw it on the garbage.
The difference being, I can control computers, laptops, servers, etc. I cannot control users.
idk man, I wont keep my front gate unlocked just so my friends can come in without keys. either they accept having to carry an additional key, or they won’t have access without me, but I’m not going to compromise on reasonable security. oh the burden I know.
I’ll help them set it up if they want it, they are not on their own. but zero effort won’t work.
This. And for everyone you just can’t figure it out on their own, there’s RustDesk for remote assistance. It, too, can be self-hosted.
So use a reverse proxy with authentiacation before access to Jellyfin is allowed. I use Caddy forward_auth with Authelia for this. Unless you also want to use the apps without VPN, this works great.
Does that work for the Android and Android TV apps?
No. As I said, apps don’t work. I cobbled together an API key service that let’s you have an API key (password) in the server URL in Rust for myself. This works with Apps, but it is a bit too messy and single purpose for me to open source it right now. Maybe one day.
Got instructions or a site to point to on setting something like that up?
Honestly, I may have to write one at some point. I just used the documentation of those two tools to set it up.
Don’t ever shit in your own house, either.
Just in case they’re watching.
I shit in my toilet
Just did a cursory read of the commits related to security for this release, and my assumpion based solely on the changes, is that it’s not a remote-access vulnerability, but a supply-chain-esque vulnerability where a video you downloaded from a questionable source might trigger code embedded in the metadata to be run by jellyfin.
If only they would fix the htaccess bug
or use the ldap auth plugin with your source of truth, put it behind a reverse proxy, protect it with fail2ban and anubis. there are ways of exposing it safely.
I still wouldn’t do it personally
deleted by creator
you totally can use ldap or oidc it just requires more setup. you just ensure jellyfin and your source of truth talk on their own subnet, docker can manage it all for you. ldap can be setup to be ldaps with ssl and never even leave the docker subnet anyways.
and yes I suppose you could rely on whitelists, but you’d have to manually add to the whitelist for every user, and god forbid if someone is traveling.
that’s nonsense. I do it myself and it works flawlessly, including on TVs.
Utilize authelia perhaps?
Doesn’t work with TVs
ldap auth will work on tvs
But that’s basically using the same built-in auth. If there’s an auth bypass I don’t think it makes a difference.
not really. you can disable the default jellyfin login and force it to use ONLY ldap.
…which still uses Jellyfin for authentication. The only difference is that instead of checking your password locally it is sent over the network via LDAP
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfect. I got a new kernel in the same update : D
Hi!
So I installed jellyfin on Bazzite as per this video.
But he didn’t explain how to update the server. Could you maybe tell me how you did it with your server? Maybe it could help me figure out how to update mine as well.
The video uses quadlets, which afaik, is just using systemd units to run containers via podman. Therefore, you can just run
podman stop jellyfin (podman ps to get the actual name of the jellyfin container)
podman rm jellyfin
podman pull docker.io/jellyfin/jellyfin:latest
systemctl restart jellyfin.container (or whatever you called your unit when you set it up)
Quick google says you can setup auto updates if you want: https://major.io/p/podman-quadlet-automatic-updates/
Caveat: I am a docker compose user, I may have missed something due to lack of familiarity with quadlets/podman
You’re correct.
The only time I can think of that this approach wouldn’t work is if the quadlet config file specified a tag/version on the
imagesetting besideslatest. That is, if the quadlet file specified something likeImage=docker.io/jellyfin/jellyfin:a_old_version. I usually stick withlateston mine.EG:
Image=docker.io/jellyfin/jellyfin:latestIt worked! Thanks so much!
I suppose I’ll start looking into docker/containers/quadlets etc, so I actually understand what I am using lol
You can always tell who does real IT work in these threads lol
I forgot that it’s April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Good thing my Jellyfin is behind Wireguard.
Consider doing the same if your usecase permits.
Just a reminder that you should never expose Jellyfin to the internet
yeah okay let me just connect grandma’s tv to a vpn.
edit: gas is $5/gal ya’ll, I’m not driving to a different state each time a new family member wants to watch something from my server!
There are plenty of ways around this
A cheap thin client minipc is only like 20-40 USD and would solve the problem overnight
I can set it up, and you can set it up, but for the average user?
The average user isn’t using Jellyfin
All you need is a little Linux knowledge in order to setup Netbird with Caddy
I’m talking average enough to see an article, or hear about it from a friend/coworker, then follow the insanely easy setup directions for Windows. I know plenty of people who aren’t really “computer people” but know enough to open a port because they had to to get a game working at some point or another. Those people probably wouldnt notice “hey this thing is going to http maybe i should rethink this…”
These are going to be the people who think it’s smart to just open up RDP and SSH to the wide web though…they shouldn’t be forwarding ports…they should use a VPN.
I had to explain to one of them why RDP is a bad idea lol. Thats kind of my point - average people tend to only know enough to be dangerous, not to do things safely. Or as Shakespeare said - "The fool doth think he is wise, but the wise man knows himself to be a fool.”
Setup a VPN gateway at Grandma’s house. Works fine for me.
I think you’re missing the point - that’s neither simple nor easy for most people. I’m a network engineer and I don’t wanna deal with setting up and (being responsible for troubleshooting) a bunch of VPNs! Nevermind the additional power/CPU usage from the tunnels. My parents just got fiber and they don’t even have a public address (ipv4 or v6) which just adds another layer of headache. thanks west virginia…
I’d much rather deal with setting up a few VPN gateways which is trivial at most…than securing a public web service. I deal with that crap enough at work.
There are a lot less variables to contend with with a single VPN endpoint which undergoes considerably more security auditing than N public web services. Many of which I don’t have the time to review myself and mitigate if they decide to suck at coding.
Edit: I share my services with less than 5 households though.
Edit2: I’m not sure what public ipv4 or ipv6 has to do with this. My remote sites use starlink ipv4. I haven’t setup ipv6 on those internally at all. They all tunnel via wireguard to my homesite.
When I set up wireguard it was just more complicated when one side didn’t have a public IP. Whyyyy can’t we adopt ipv6 already.
also fyi starlink has public ipv6 available if you DO wan’t to set it up. been hosting a minecraft server off a starlink connection lol.
At my remote site it has little value. At my home I have IPv6 setup on Starlink as my secondary backup internet. I use Fiber as the primary that has a public IPv4 and IPv6.
Could just use a VPS though I guess if you want.
If you have the skills to setup a Jellyfin server you also have the skills to setup wireguard.
My parents just got fiber and they don’t even have a public address (ipv4 or v6) which just adds another layer of headache. thanks west virginia…
That’s a very specific use case.
If you have the skills to setup a Jellyfin server you also have the skills to setup wireguard.
They appear to offer a guided installation for windows users.
The worst part of enthusiast threads are the “I am very smart” takes like this
You objectively shouldn’t expose Jellyfin to the internet. It has a rather large attack surface and isn’t designed with security in mind.
Pretending everything is fine won’t solve the problem
Sounds like a great reason to use Plex instead!
edit: to add something constructive to my snarky comment, what kind of attack surface are we talkin here? Multiple ports? Lots of separate services running? No authentication?
There has been a known “anyone can access your media without authentication” vulnerability for seven years and counting, and the Jellyfin devs have openly stated that they have no intentions of fixing it. Because fixing it would require completely divesting from the Enby branch that the entire program is built upon. And they never plan on refactoring that entire thing, so they never plan on fixing the vulnerabilities.
The “don’t expose it to the internet” people aren’t just screaming at clouds. Jellyfin is objectively insecure, and shouldn’t be exposed.
Jeez, so it’s meant to be a literal home media server. Able, but not designed, to be used for sharing.
Exactly. And that’s honestly why I doubt it will ever truly contend with Plex. It’s fine for sharing with friends who can figure out how to connect via VPN, but it’ll never be robust enough to share with your tech-illiterate grandparents on the open internet. Plex wins handily in that regard, because their sign in process is basically the same as Netflix, HBO, Hulu, etc…
Plex has problems of its own, but (at least as of me writing this) it doesn’t have any major known security vulnerabilities. They had some level 10.0 vulnerability last year, but they followed standard CVE protocols and patched it before the vulnerability was actually released.
Ahh bummer. It works so well as a home media server… kind of calls out for sharing.
Plex has its own set of problems
Sure, but being mostly secure by default isn’t one of them. One advantage of running a service that offers optional subscription services is that they can offer security features like built-in SSL and AAA that just work. Any average user can install it and have a reasonably secure service running. Hell, until a few months ago you didn’t even need to open a port to have remote access to your content, whether you paid or not. Now they’ve made that a paid feature though.
Perhaps “behind” pangolin?
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn’t go on the github of projects on my own unless I wanted to read the “read me” for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend younto read up on package repositories on Linux and package maintainers etc.
Not really.
Depending on how you install things, the package maintainers usually deal with this, so your next
apt update/pacman -Syuvor … whatever Fedora does… would capture it.If you’ve installed this as a container… dunno… whatever the container update process is (I don’t use them)
Unattended upgrades set to security only and never worry
It’s difficult to do security-only updates when the fix is contained within a package update.
Even Microsoft’s security updates are a mix with secuirity updates containing feature changes and vice versa.
I usually do an update on 1 random device / VM and if that was ok (inc. watching for any
.pacnewfiles) and then kick Ansible into action for the rest.Why does unattended upgrades with security only setting not fix this?
This is literally why Debian has distinct repos for security updates.
Let me know which repo this update appears in.
The jellyfin repo
I indeed use a container. Wasn’t familiar with the update process for containers but now know how to do it.
There’s a lot of good container management solutions out there that are worth investigating. They do things like monitor availability, resource management, as well as altering on versioning.
If you haven’t already, I recommend Watchtower (nickfedor fork—the original is unmaintained) which automatically pulls updates to Docker containers and restarts them. Make sure to track latest, although for security updates, these should be backported to any supported versions so it’s fine to track an older supported version too.
Thank you. Will look into it.
Lol it’s already insecure then. Don’t bother.
Implying you have access to some major Docker 0-day exploit, or just talking out of your ass? Because a container is no more or less secure than the machine it runs on. At least if a container gets compromised, it only has access to the volumes you have specifically given it access to. It can’t just run rampant on your entire system, because you haven’t (or at least shouldn’t have) given it access to your entire system.
Docker is known insecure. It doesn’t verify any layers it pulls cryptography. The devs are aware. The tickets remain open.
I don’t know if I remember correctly but I could not install Jellyfin on the latest Ubuntu server version. I had to use docker to get Jellyfin running.
Jellyfin has a Debian repo. Worked fine on Debian 12 and 13.
If that is indeed true it would only mean that the docker container is vulnerable to a supply chain attack. You are not any more vulnerable to a vulnerability in the codebase.
If you’re using the ghcr image, to post malicious code there, the attack would have already had to compromise their github infra … which would likely result in the attacker being able to push malicious code to git or publish malicious releases. Their linux distro packages are self published via a ppa/install script, which I would assume just pull from their github releases, so a bad github release would immediately be pulled as an update by users just as fast as a container.
No, it’s also vulnerable to a targeted mitm attack. Github can be unaffected and you can get a malicious version on your server.
Insane way of thinking.
The Jellyfin has an official Telegram channel which I use as the newsletter.
Besides that, the selfh.st newsletter usually highlights the more popular projects if such an issue arises.I am realizing that I got aware
I don’t run the arr stack, but this is key. You really should do your due diligence before you update anything. Personally, I wait unless it’s a security issue, and use all the early adopters as beta testers.
Wait a minute, best security practice is to use the latest version -1?
Wonder if it’s the Axios one. Sounds like it isn’t from their description though hmm
I don’t think so, the previous release 10.11.6 is a few months old and the axios supply chain attack happened yesterday.
So lets hope this 10.11.7 is not subject to the axios one. :)
Diff agrees, not likely. Might be permisson related, elevation of privileges.
From a cursory look at just the security commits. Looks like the following:
- GHSA-j2hf-x4q5-47j3: Checks if a media shortcut is empty, and checks if it is remote and stores the remote protocol if so. Also prevent strm files (these are meant to contain links to a stream) from referencing local files. Indeed this might have been used to reference files jellyfin couldn’t usually see?
- GHSA-8fw7-f233-ffr8: Seems to be similar, except for M3U file link validation and limiting allowed protocols. It also changes the default permissions for live TV management to false.
- GHSA-v2jv-54xj-h76w: When creating a structure there should be a limit of 200 characters for a string which was not enforced.
- GHSA-jh22-fw8w-2v9x: Not really completely sure here. They change regex to regexstr in a lot of places and it looks like some extra validation around choosing transcoding settings.
I’m not really sure how serious any of these are, or how they could be exploited however. Well aside from the local file in stream files one.
Yeah, the key seems to be in the comments from one of the changes: https://github.com/jellyfin/jellyfin/commit/0581cd661021752e5063e338c718f211c8929310#diff-bcc2125e56d5738b4778802ac650ca47719845aeee582f3b5c9b46af82ea9979R1176-R1180
It seems there was the potential risk that insufficient validation could allow reading arbitrary server files, which indeed poses a security risk.
However, my understanding is that this could be exploited only by authenticated users with permission to add new media. Not like that’s a risk to ignore, but it’s not like it could be exploited by anyone on the Internet.
However, my understanding is that this could be exploited only by authenticated users with permission to add new media. Not like that’s a risk to ignore, but it’s not like it could be exploited by anyone on the Internet.
I wonder if that’s the reason for setting the default live TV management permission to false. Since that permission might well the the route to adding your own malicious m3u link for that second change.
deleted by creator
Axios is a Javascript library and Jellyfin is written in C#.
True, but there is a web frontend. Possible it could be using npm and axios somewhere in there.
I still doubt it. But it could happen.
The web server is in C#. It’s open source lol, I’m looking at the code and there’s no JavaScript.
Look better https://github.com/jellyfin/jellyfin-web
That’s awkward. I didn’t know that was in a separate repo.
deleted by creator
Pretty flawless update from the apt repo on my end.
Server version 10.11.7Yeah, I think what went wrong and now everything is installed through Docker.
Docker feels like a huge security problem to me.
Why?
Docker makes everything so much easier
I know, but your security then depends on the package maintainer to keep the image up to date
Am officially maintained Docker image is no less a security concern than an officially maintained apt repo. Depending on how you set up a container stack it can even be more secure. An attacker gaining root access to a container that you’ve given extremely selective access to the host machine is far better than them gaining root access to your actual system.
There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.
Does it work with android and TV apps?
I tried long ago and failed.
No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won’t work.
Edit: Client Certs need to be implemented per App. There is a feature request from 2022 https://features.jellyfin.org/posts/1461/capability-to-specify-client-certificate-for-android-client
Also interested how this works for mobile apps. I self host a number of services through caddy as my reverse proxy but each application is just dependent on it’s own authentication. If I exposed all my services to the internet, that’s a huge attack vector. If anyone else has some ideas I’d be happy to listen.
If you are the only user and don’t need to use those apps in devices you don’t own a vpn is the way to go.
If not. Depending the number of users you could do some heavy ip geoblocking to at least reduce the exposed surface.
There are a few services I have just like 3 IPs allowed to get a response from caddy, any other ip gets 403 error.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters Git Popular version control system, primarily for code HTTP Hypertext Transfer Protocol, the Web IP Internet Protocol NFS Network File System, a Unix-based file-sharing protocol known for performance and efficiency Plex Brand of media server package RPi Raspberry Pi brand of SBC SBC Single-Board Computer SMB Server Message Block protocol for file and printer sharing; Windows-native SSH Secure Shell for remote terminal access SSL Secure Sockets Layer, for transparent encryption TLS Transport Layer Security, supersedes SSL VPN Virtual Private Network VPS Virtual Private Server (opposed to shared hosting) nginx Popular HTTP server
12 acronyms in this thread; the most compressed thread commented on today has 7 acronyms.
[Thread #203 for this comm, first seen 1st Apr 2026, 09:50] [FAQ] [Full list] [Contact] [Source code]
In the raspian repos, just updated, thanks.
also in the docker repository.
Thanks for this post, i would have updated mine next semester…
That changelog just screams AI lol. All the emojis
Three. Three emojis, used in headings as a bullet point.
It is perfectly plausable for someone whos job is to write technical documentation and promotional material would punch it up with a couple 'mojis.
https://github.com/jellyfin/jellyfin/releases
Every single release uses the same format with the same 3 emojis. You’d know that if you’d clicked “releases” and had even a modicum of curiosity.
No worries. We’ve been communicating with pictures since ancient cave men scrawled pictographs on cave walls with a piece of burnt firewood.
It isn’t, not that I would care anyways
please tell me it doesn’t expose itself onto public web by default
