I am in love with my Jellyfin server (running in a Docker container) - it feels so nice to take back control over my media consumption again, after more than a decade in the land of streaming. So much so that I want to share this with my family.

So I was thinking of setting up a reverse proxy (Nginx Proxy Manager is what I have used before) and exposing my Jellyfin instance through that. However, I've seen several people be skeptical about this solution, instead opting for access through a VPN (I don't think that would be a good solution for some of my family members).

What are the potential pitfalls of setting it up this way that make people skeptical? Where could I go wrong, and what dangers would I expose myself to? As I understand it, this would only expose one port to the internet, direct all that traffic to the Nginx Proxy Manager, which then forwards traffic to specific ports internally on my home network, which sounds safe in my mind. Is it misconfiguration of the proxy manager I should be wary of? Or some exploits in the proxy manager?

  • ThetaDev@lemm.ee
    ·
    8 months ago

    Web applications may have vulnerabilities that allow an attacker to run code on the host system (Remote Code Execution). A famous example would be the log4shell vulnerability.

    If you want to expose your server to the internet, you have to make sure you are not suffering damage if an attack like this occurs.

    1. Give the server application minimum privileges on your system. Use either containerization, sandboxing or systemd hardening to prevent the app from running commands on your system or accessing important data. Jellyfin for example only needs to read your media library, so if you are using Docker, mount it read-only.
    2. Keep both the reverse proxy and the application up to date. For a Docker setup you can use watchtower.
    3. Make backups of both your media collection and the Jellyfin database in case you need to restore your system. You should also have a script or at least some written notes on how you set up everything.
    4. Ideally isolate the media server from the rest of your network. If someone manages to put malware on your server, they should not be able to access the rest of your network (PCs, smart home devices, cameras, etc). This requires a more advanced firewall than most consumer routers have, so I currently do not do it on my home setup.
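An added example (not part of the comment above or of the Jellyfin project) of how points 1 and 4 translate into a docker-compose layout: the media library is mounted read-only, the Jellyfin container runs unprivileged with all capabilities dropped, and it sits on an internal-only Docker network so that only the proxy can reach it and nothing but ports 80/443 is published. The host paths and the 1000:1000 uid/gid are assumptions for illustration.

```yaml
# Added example, not from the thread. Images are the public jellyfin/jellyfin
# and jc21/nginx-proxy-manager images; paths and uid/gid are assumed.
services:
  proxy:
    image: jc21/nginx-proxy-manager:latest
    restart: unless-stopped
    ports:
      - "80:80"      # HTTP, for the ACME challenge and redirect to HTTPS
      - "443:443"    # HTTPS, the only service port facing the internet
      # Port 81 (the NPM admin UI) is deliberately not published; reach it
      # from the LAN (e.g. "127.0.0.1:81:81" plus an SSH tunnel) instead.
    volumes:
      - ./npm/data:/data
      - ./npm/letsencrypt:/etc/letsencrypt
    networks:
      - edge      # reachable from the router's forwarded ports
      - backend   # internal link to Jellyfin

  jellyfin:
    image: jellyfin/jellyfin:latest
    restart: unless-stopped
    user: "1000:1000"                  # unprivileged uid/gid owning the media files
    security_opt:
      - no-new-privileges:true         # setuid binaries cannot escalate
    cap_drop:
      - ALL                            # Jellyfin needs no Linux capabilities
    volumes:
      - ./jellyfin/config:/config      # writable: database and settings (back this up)
      - ./jellyfin/cache:/cache        # writable: transcodes and thumbnails
      - /srv/media:/media:ro           # media library mounted read-only
    networks:
      - backend                        # no published ports: only the proxy reaches it
    # In NPM, create a proxy host forwarding to http://jellyfin:8096.

networks:
  edge:
  backend:
    internal: true                     # no route from here to the internet or the LAN
```

Because `backend` is internal, Jellyfin itself cannot reach the internet, so metadata providers will not resolve; drop `internal: true` if you need that, accepting that a compromised container then has outbound access. This isolates the container, not the host, so it complements rather than replaces the network-level firewall mentioned in point 4.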
  • Appoxo@lemmy.dbzer0.com
    ·
    8 months ago

    If you run something like Authelia or something like that, it may break the access between Client apps and server.
    Web-UI will most likely work

    • cyberwolfie@lemmy.ml
      ·
      8 months ago

      I was not planning on it. I would prefer them to use clients that can stream directly, so my poor server wouldn't need to do much transcoding, so I will keep that in mind.

  • CCMan1701A@startrek.website
    ·
    8 months ago

    I use tailscale for this. On my phone, I set up the work profile and use it in there with my work profile Jellyfin app. So when I'm remote I can hit my media using that.

    • CCMan1701A@startrek.website
      ·
      8 months ago

      If you are opening it up for others I would still recommend a VPN-like solution. Yeah, it's more work, but worth it for the safety of your NAS and home network.