When I see this sort of thing, and other people are trying to do it, a reverse proxy or VPN is always mentioned. Here's my question:
How dangerous is it to just open the port for it on my router and access it like that?
Let's say I want to access Jellyfin from Kodi on my Xbox or something outside my network; the VPN solution wouldn't work for this, I would think.
My issue with reverse proxies, and why I'm asking, is it seems less secure? I mean I'm well aware that an IP is easy to get, I guess. But how likely is someone to look for something on my network specifically? With reverse proxies it seems like I would be broadcasting my server to the internet in a way that's easier to happen across, than someone being interested in a random residential IP.
I run a Minecraft server for friends on my main computer anyway, and I know tons of people do that; theoretically that's the same level of danger as opening my network for Jellyfin specifically.
VPN isn't an option because of this Xbox stuff I mentioned and people in my family who have 0 chance of understanding it regardless.
So what is the better option, going through this reverse proxy (which I'm actually also unsure would work with Kodi) or rawdogging the server on my network? I guess leaving the server exposed? Or every device, even.
Not only is it likely, it's pretty much guaranteed that a bot will scrape your network if it's opened to the public.
Just put Jellyfin and Tailscale on an old Windows computer and it's set up in less than 10 minutes.
+1 on Tailscale. I used to push it through Cloudflare, but with Tailscale it has been much simpler and doesn't run afoul of Cloudflare's TOS.
Tailscale is a VPN, no? Don't think I would be able to connect to it from an Xbox, or that my family, who are even less technologically inclined than I am, would be able to figure it out on other devices.
I believe it can be done on Xbox, possibly through nodes, but it is very easy for family to set up on their devices!
Look into setting up mesh networks. Opening up a port will work, but it's insecure, while tools like NetBird or Tailscale still allow you to connect to it remotely, but only allow YOU and the people YOU want to allow to connect to it, not the entire world.
Maybe consider ZeroTier as well.
How dangerous is it to just open the port for it on my router and access it like that?
It would probably be fine.
Let's say I want to access Jellyfin from Kodi on my Xbox or something outside my network; the VPN solution wouldn't work for this, I would think.
Depending on how you set things up, it will. Connect your computer to your VPN and it will have access. Set up a router as a VPN gateway (basically it would connect to the public/untrusted network and make another network that routes its traffic through the VPN; as a bonus, this also prevents snooping on the part of the untrusted network operator). Something like this could also be done in a more permanent way on remote networks, a VPN gateway to an IP range elsewhere. The only issue there would likely be for family members when they travel.
My issue with reverse proxies, and why I'm asking, is it seems less secure? I mean I'm well aware that an IP is easy to get, I guess. But how likely is someone to look for something on my network specifically? With reverse proxies it seems like I would be broadcasting my server to the internet in a way that's easier to happen across, than someone being interested in a random residential IP.
You seem to not exactly understand what a reverse proxy is, and seem to be confusing it with a domain name or something, while also not fully understanding how those work either.
A reverse proxy is a piece of software designed to accept HTTP(s) requests and “proxy” that request to the proper server. Reverse proxies are usually hardened against attacks better than application servers, and it is usually a good idea to put one in front of any application you are exposing to the internet. There is no “broadcasting” involved, basically you would port forward to the proxy as a middle-man of sorts instead of to jellyfin directly. It is also easy to set up SSL on the reverse proxy, regardless of whether you choose to encrypt your internal traffic between the reverse proxy and backend service. Nginx, Traefik, and Caddy are all popular options for reverse proxies and relatively easy to get set up.
With a domain name you purchase some name and can have that point at your IP address so you can use a memorable name rather than some random numbers. It also lets you update where the domain points when your IP changes (which does happen on most residential connections, even if only after something like an extended power/router outage).
Domain names also don't involve announcing your IP anywhere other than to your DNS provider; instead, DNS is a convoluted system that basically lets someone querying for the IP address associated with, say, example.com figure out where your DNS server is and ask it what IP it should talk to. When combined with this, a reverse proxy can be used to decide what to do with traffic based on which domain name (example.com vs. jellyfin.example.com) someone is accessing, all on the same IP. You can do all sorts of neat things for every different domain your reverse proxy handles, like requiring authentication, using IP whitelists, and more.
I run a Minecraft server for friends on my main computer anyway, and I know tons of people do that; theoretically that's the same level of danger as opening my network for Jellyfin specifically.
Wouldn't it be nice to just be able to tell your friends to connect to minecraft.example.com, and not even have to worry about telling them a port or anything? That's another neat thing you can do when you have control over DNS. You can even make a page for your Minecraft server that works in a web browser with instructions, links to things (mod downloads, Discord, etc.), a community forum, or whatever else you want.
VPN isn't an option because of this Xbox stuff I mentioned and people in my family who have 0 chance of understanding it regardless.
So what is the better option, going through this reverse proxy (which I'm actually also unsure would work with Kodi) or rawdogging the server on my network? I guess leaving the server exposed? Or every device, even.
I would absolutely run a reverse proxy. I would suggest buying a domain name (usually like ~$15 a year or something, depending on the domain and registrar you go with. I am a fan of Cloudflare).
Regardless of what you go with, best of luck in your self-hosting journey! LMK if you have any questions about reverse proxies or domains/DNS.
Edited to add: Attackers are totally interested in random residential IPs. They are constantly running port scans to find vulnerable software/devices/whatever that they can attack. Sometimes it's just to add them to a botnet, other times it can be a vector to scan and decide to further exploit your network. Some of the biggest DDoS attacks ever have been via insecure cameras or other devices that people have just port forwarded to put them on the internet. In some cases a reverse proxy could have saved them. Also, "security through obscurity" can work (it just shouldn't be relied on). Unless someone specifically thinks to check whether your server responds to camera.example.com, they would never even know you are exposing a potentially vulnerable device.
So I have Jellyfin deployed to my Kubernetes home lab, with the router port forwarded to the ingress controller (essentially a reverse proxy) on the cluster. So it is exposed to the internet. Everything on it has authentication, either built in to the application or using an OAuth proxy. All applications also have valid SSL configurations thanks to the reverse proxy. I also use Cloudflare DNS with their proxy enabled to access it and have firewall rules to drop traffic that hits port 80/443 that doesn't originate from those Cloudflare proxy IPs (required some scripting to automate). It drops a lot of traffic every day. I have other security measures in place as well, but those are the big ones.
So yeah, if you expose your router to the internet, it's gonna get pinged a lot by bots and someone might try to get in. Using a VPN is a very simple way to do this securely without exposing yourself, and I'd suggest going that route unless you know what you're doing.
So the reason you’d want a reverse proxy is because it handles security and would do a much better job of it than an exposed jellyfin port.
Public FQDN -> your home IP -> your router allows 443/whatever to your reverse proxy -> it handles SSL and being hit by the internet (look into nginx security and even fail2ban) -> proxy serves up whatever insecure site/app you’d like.
A reverse proxy does not magically make an insecure app secure.
That’s where nginx security options and other tools like fail2ban come into play. I could’ve mentioned it better in my first sentence but a reverse proxy gives the capability to make it more secure than any options jellyfin will give you.
I’d rather put nginx with modsecurity in front of jellyfin than not.
Any suggestions on where to read more about properly securing my home network? Most of what I find Googling is just basics.
If you’re a beginner or just for most use cases, using cloudflare with proxied dns records along with Nginx Proxy Manager will provide a good amount of coverage for your homelab.
Thanks a bunch. I’ll dig into these.
Hey,
I have a very particular setup, I’m not sure if Nginx Proxy Manager might work for my setup so I figure I’d ask you in case you might have an idea if it’d work:
Basically, I am thinking of using Nginx Proxy Manager to help manage a reverse proxy for some self-hosted web apps like a lemmy instance, a mastodon instance, etc with a public VPS OpenVPN setup forwarding requests to my local server.
Right now, I have a setup with a rented public VPS running an OpenVPN server and a local seedbox server running in my basement which connects to the OpenVPN server as an OpenVPN client. On my public VPS, I have an iptables PREROUTING DNAT rule to forward inbound traffic on a specific port to my OpenVPN client (my local seedbox server), which allows my seedbox (with qbittorrent-nox listening on the tun0 interface) to be fully connectable via my public VPS IP. My setup works perfectly for me currently without exposing my home IP.
However, since I want to run web apps, I'd like to have Nginx in a Docker container, and then some other web apps like Lemmy and Mastodon each in its own Docker container, and have Nginx basically act as a reverse proxy. So when accessing the domain in my web browser, the traffic would go to my public VPS on port 80/443; iptables PREROUTING DNAT rules would then forward the traffic to my local server on whatever port Nginx is running on in its Docker container, and Nginx would forward the traffic to the appropriate Docker container for whatever web app the request is for.
Does it sound like this might be possible with Nginx Proxy Manager?
Thanks for reading this, sorry it’s a bit of a long post.
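The VPS-side forwarding this post describes, as an added example rather than the poster's own rules: a shell script that prints the iptables commands for handing a public port to a host that dials in over OpenVPN. The DNAT rule is the one the post already uses; the FORWARD and SNAT rules are what make it work end to end. Interface names, the 10.8.0.0/24 tunnel addresses and the ports are assumptions.

```shell
#!/bin/sh
# Added example, not the poster's configuration: print (or with APPLY=1 load)
# the iptables rules a VPS needs to hand inbound traffic on a public port to a
# host that connects in over OpenVPN. Interface names and tunnel addresses are
# ASSUMED placeholders; check `ip addr` on the VPS for the real ones.

PUBLIC_IF="eth0"       # assumed: VPS interface holding the public IP
VPN_IF="tun0"          # OpenVPN server interface on the VPS
VPN_GW="10.8.0.1"      # assumed: VPS's own tun0 address
HOME_HOST="10.8.0.2"   # assumed: tun0 address of the home server

# forward_rules PROTO PUBLIC_PORT TARGET_PORT -> four iptables commands:
# 1. DNAT the packet to the home host,
# 2. let the forwarded flow through the FORWARD chain,
# 3. let its replies back,
# 4. SNAT it to the VPS's tunnel address so the home host answers over tun0
#    instead of routing the reply out its own ISP link (which would leak the
#    home IP and break the connection, since the client expects the VPS IP).
forward_rules() {
    proto="$1"; pub="$2"; dst="$3"
    printf 'iptables -t nat -A PREROUTING -i %s -p %s --dport %s -j DNAT --to-destination %s:%s\n' \
        "$PUBLIC_IF" "$proto" "$pub" "$HOME_HOST" "$dst"
    printf 'iptables -A FORWARD -i %s -o %s -p %s -d %s --dport %s -m conntrack --ctstate NEW,ESTABLISHED,RELATED -j ACCEPT\n' \
        "$PUBLIC_IF" "$VPN_IF" "$proto" "$HOME_HOST" "$dst"
    printf 'iptables -A FORWARD -i %s -o %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' \
        "$VPN_IF" "$PUBLIC_IF"
    printf 'iptables -t nat -A POSTROUTING -o %s -d %s -p %s --dport %s -j SNAT --to-source %s\n' \
        "$VPN_IF" "$HOME_HOST" "$proto" "$dst" "$VPN_GW"
}

# all_rules -> the sysctl that enables forwarding, then rules for the two ports
# the post wants to reach the home reverse proxy (80 and 443).
all_rules() {
    printf 'sysctl -w net.ipv4.ip_forward=1\n'
    forward_rules tcp 80 80
    forward_rules tcp 443 443
}

if [ "${APPLY:-0}" = 1 ]; then
    all_rules | sh -e       # run as root on the VPS
else
    all_rules
fi
```

The SNAT rule has a cost worth knowing about before choosing it: the home-side Nginx then sees every client as 10.8.0.1, so per-IP rate limits or fail2ban on the home server cannot tell clients apart. The alternative is to leave SNAT out and add a policy route on the home host (an `ip rule` that sends traffic sourced from its tun0 address back through tun0), which preserves the real client IPs at the cost of a bit more routing configuration on the home side. Either way, the Nginx container on the home server has to publish its port on the tun0 address (or on all interfaces) for the DNAT target to be reachable.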
Depending on your routers you might be able to set up a "site-to-site" VPN, which means your Xbox could connect directly to your Jellyfin's local IP.
Strong suggestion for Tailscale here. It is incredibly easy to use and very easy to set up with multiple users. Opening ports directly to the internet is a thing of the past for me now, ever since I started.
I opted for ZeroTier - this way I can connect many devices outside home network to any device inside …
I use a reverse proxy so I can just use a hostname and not need a port. I run Jellyfin that way no problem, function-wise.
Additionally, not having a domain won’t necessarily protect you since you do have people out there scanning for ports and when they see 8096, they’re going to immediately know it’s a Jellyfin/Emby server and any vulnerabilities associated with those. If you use a reverse proxy, they only see 443 which is…pretty much every other site on the internet. That’s security through obscurity, I know, but it will help mitigate some of the easier attacks.
I’ll say that everything I have to have a port open for (mostly game servers) gets targeted by the internet at large despite the fact that I’ve published the address and port absolutely nowhere online and only shared it with close friends. I almost never get anyone trying to log in to my other services.
Okay, so can people just find that shit on Google? And also, what are the odds of certain companies and agencies being perturbed by me essentially broadcasting copyrighted content? Even if I own it. I shouldn't expect the FBI or, worse, Viacom hitmen, right? Especially if the content is behind a login?
Not even Google; they just go through every IP and port number and record if something responds.
Not only are people doing regular scans, there are companies with dedicated infrastructure to do the scans for them, making the results easily searchable.
Check out https://www.shodan.io . Put your (or any other) IP address in the search bar and I guarantee most of the services running there are already scraped, indexed and categorized. Sometimes it will even recognize a specific app or framework it's built upon.
Not only can you search for specific IPs, but you can easily look for, let's say, all Jellyfin instances in a certain country.
I used to search for open tvheadend instances to watch certain TV channels for free. There was a guy who not only published his tvheadend on the internet, but there was an active VNC server on his media center, running Kodi, controllable by anyone without a password.
I wouldn't say this is security through obscurity, as you don't hide how a system works, but what it is in general. On the forefront, IT security is a game about information retrieval, and you're making it easier than necessary for attackers if you give away details about what services you run for free. ;)
Someone may have commented this already but my recommendation is to set up an overlay network like tailscale or twingate.
Doesn't require you to open any ports on your firewall, and Tailscale at least is very performant since it uses WireGuard as its underlying protocol. (I have yet to test Twingate, but I've heard positive things.)
It will require a little more setup per device but it’s honestly incredibly simple and more than secure enough for a home network.
Tailscale also has something called a subnet router which you can use to get incompatible devices onto the tailnet.
I went about this in a pretty noob way. Synology + Jellyfin and I followed some online guides. Synology gives you a free DDNS hostname so you can access your NAS away from home. I don’t have to VPN or anything. I have to warn that using this method will result in having slow transfer speeds if you’re uploading large files. I use it to stream movies and shows so it seems to be fine for this purpose.
Just set up a Wireguard server, for example on Oracle’s Always Free tier, and have every server and client join the VPN and then let Jellyfin and whatever only listen on the VPN interface. No need to open your router and you get strongly encrypted traffic.
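A way to verify the last step of this suggestion, that Jellyfin and friends really do listen only on the VPN interface, as an added example that is not part of the post: a shell script that parses `ss -tlnH` output and lists every TCP listener bound to anything other than loopback or the WireGuard address. The VPN address 10.66.0.2 and the sample socket table are constructed; 8096 and 8920 are Jellyfin's default HTTP and HTTPS ports.

```shell
#!/bin/sh
# Added example, not from the thread: report TCP listeners reachable from
# outside the VPN, i.e. bound to something other than loopback or the
# WireGuard address. The sample `ss -tlnH` output is CONSTRUCTED and the VPN
# address is an assumption.

VPN_ADDR="10.66.0.2"

# Columns of `ss -tlnH`: State Recv-Q Send-Q Local:Port Peer:Port [Process]
SAMPLE_SS='LISTEN 0 4096 10.66.0.2:8096 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 4096 [::]:8920 [::]:*'

# list_wide_open SS_OUTPUT VPN_ADDR -> "port address" for every listener not
# confined to loopback or the VPN address. 0.0.0.0 and [::] are wildcards, so
# those sockets answer on every interface, LAN and (if forwarded) WAN included.
# The local address is split on its last ':' so bracketed IPv6 forms work.
list_wide_open() {
    printf '%s\n' "$1" | awk -v vpn="$2" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")
            port = parts[n]
            addr = substr($4, 1, length($4) - length(port) - 1)
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == vpn) next
            print port, addr
        }'
}

# count_wide_open SS_OUTPUT VPN_ADDR -> number of such listeners (0 is the goal).
count_wide_open() {
    list_wide_open "$1" "$2" | grep -c . || true
}

# LIVE=1 inspects the running host; otherwise the constructed sample is used.
if [ "${LIVE:-0}" = 1 ]; then
    INPUT=$(ss -tlnH)
else
    INPUT="$SAMPLE_SS"
fi
list_wide_open "$INPUT" "$VPN_ADDR"
```

On the sample the Jellyfin HTTP listener (bound to 10.66.0.2) and the loopback database are silent, while SSH on 0.0.0.0 and the Jellyfin HTTPS port on [::] are reported, the second being the classic miss: binding the IPv4 side to the tunnel address and leaving the IPv6 side on the wildcard. Run it with `LIVE=1` on each server after changing bind addresses, and again after upgrades, since a new service version can quietly add a listener.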