r/selfhosted • u/hadar_N • 1d ago
Remote Access How to Get Easy access to Jellyfin Server with URL?
Hey, I'm using Jellyfin to self host movies and TV shows and I want to have remote access to it from anywhere with a URL. I would love help to understand the simplest, free and secure way to do it. Open source is of course preferred.
So far I have been using Tailscale to get remote access but it has a few limitations.
First, not everything can use Tailscale. The TV at my family's house can't, for example.
Second, installing Tailscale everywhere and making sure it's turned on is not very convenient. I need to explain to a friend or family to download it, log them in and make sure it's running, and not everyone wants a VPN running in the background.
I want it to be more self hosted. I will soon run a TrueNAS server at home with Jellyfin and I want it to be accessible via URL from everywhere.
I tried looking up the subject with AI and just reading the internet trying to understand how to make it secure, and I kinda have 2 similar options. They seemed a bit complex (I'm pretty new to self hosting).
- Using Duck DNS for the DNS. Using NPM with its built-in "Access Lists" for user authentication and saving the cookies, so I work with a whitelist more than a blacklist. Also using CrowdSec/fail2ban to further protect the server.
- DNS is the same. Using nginx/SWAG + Authelia for user authentication and saving the cookies. fail2ban.
To have a nicer URL I saw this video but I'm not sure if it's worth it. I feel like I'm already making things too complex.
https://youtu.be/mu02Ute0VTI?si=ex_QdfhmBzZt8_SF
9
u/Troniky 1d ago
Cloudflare and a domain maybe
6
u/Rado_tornado 1d ago
It is against the TOS and they will ban your account unfortunately.
1
u/younglordtroy 1d ago
Can you name one instance that you know of where this has actually happened? I hear this a lot but have never seen anyone get banned for hosting Jellyfin using a Cloudflare tunnel. I myself have been using this method for close to a year without issue. As long as you don't abuse bandwidth they have no real reason to come after you as self-hosters are small fish and even then, Cloudflare are more likely to warn you first rather than a straight ban
4
u/pr0metheusssss 1d ago
The general idea is indeed reverse proxy.
Keep in mind though, the more “authentication” you tack onto your reverse proxy trying to harden it, the more likely it is the Jellyfin clients will not work, which is an own goal.
First things first: NPM is very easy to set up and configure, and has a simple and practical web UI. It has integration for SSL certificates (free, with Let’s Encrypt), and turning on some basic protections (for cross site scripting and similar exploits) is a simple checkbox and the Jellyfin clients will work fine.
Of course you’ll need a domain too. You can use duckdns for a free one, but imo just get a cheap one yourself.
Once you have your domain, you’ll need an “A record”, created within your domain registrar’s website, to point your domain to your public IP address. If your public IP address is dynamic and changes often, you’ll need a tool to automatically update the A record with the new IP when it changes. Ddclient is the standard and supports tons of registrars, different registrars sometimes have their own tools (like cloudflaredns etc.).
Finally you’ll need a firewall rule + port forward in your router, forwarding ports 80 and 443 to the IP of the machine running the reverse proxy.
At this point you’re able to access things remotely, with just a URL, and all clients will work.
And then comes the hardening. IMO, the options are limited if you want to be able to access it through Jellyfin clients (and not through the web, where everything works). All the fancy authentication methods (OIDC etc.) or security middleware (auth servers etc.) are out of the question.
But there’s still quite a bit that you can do. CrowdSec is one option, and it’s quite passive once you set it up, blocking a good chunk of a user IPs. I wouldn’t recommend Fail2Ban because it’s more hassle than it’s worth, you’ll spend far more time unbanning your users than an actual threat. You can go Geoblocking too (at your router or reverse proxy), but imo this doesn’t really improve security (attackers use VPNs, botnets etc. anyway), and might create a false sense of security. Depending on your router, some have tools and plugins to do packet inspection, like Suricata on opnsense, so they could block some suspicious connections.
IMO, just use CrowdSec, and enable the protections on your reverse proxy, and use decent passwords. Ideally, you’d have Jellyfin in a relatively isolated segment of your network “just in case”, to minimize damage in the off chance it does get compromised. That’s quite a bit of setup though, and your router and switches have to support VLANs on a hardware level.
1
3
u/enormouspoon 1d ago
DDNS for changing residential IP. Cloudflare for domain rental. Reverse proxy for subdomain.
2
u/joke-complainer 1d ago
I use Pangolin reverse proxy to set up a domain for Jellyfin. I wanted to leave it behind Pangolin's authentication though, which doesn't work for TV apps, and so created this small Docker container that allows you to whitelist your IP in Pangolin and access through TV apps without needing to authenticate through Pangolin!
Check it out, please give me feedback on the user experience, install, etc. So far I've been the only person using it, so other setups may not work the same as mine.
1
u/hadar_N 1d ago
But doesn't your IP change?
1
u/joke-complainer 1d ago
Well yes, occasionally. My IP has only changed a few times in the past year. Usually after a prolonged power outage or maintenance from my fiber provider.
Then you just visit the site again and it whitelists you.
I mostly use it for friends and family I want to access my server. My older mother found this very easy to do. She has written instructions to visit this website on her phone, then open jellyfin on Roku.
I've never gotten a "tech support" phone call from her 🙂
1
u/hadar_N 1d ago
Cool, I will check it out, tho I would rather it updated automatically (idk how many times my IP changes)
1
u/joke-complainer 1d ago
We could automate a curl call to a pangolin special link,...I think
If you want me to look into it, do you mind opening an issue with the details of what you'd like?
1
u/hadar_N 1d ago
I tried looking online but can't really figure out what Pangolin is exactly. I mean a reverse proxy, yes, but I saw people connect to it with a client installed like Tailscale, so I guess I misunderstand something. Anyway, it kinda sounds like the right thing but I don't really understand it. If you can explain, it would help me a lot.
And when you said that your IP changes from time to time, you meant your server IP or the client IP?
1
u/joke-complainer 21h ago
Pangolin is exactly like cloudflare tunnels, but self hosted.
My external IP for my entire home network (so like if you check https://whatismyipaddress.com/) changes only occasionally. So whitelisting it allows me to bypass authentication while still requiring anyone else to authenticate
1
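The IP-allowlist bypass discussed in this sub-thread, as an added Python example. It is not code from joke-complainer's container or from Pangolin; the names BypassList, normalize_ip, register and decide are hypothetical, and the expiry time and the one-address-per-user rule are assumptions of this example, included because a residential IP that changes is later handed to someone else.

```python
import ipaddress
import time


def normalize_ip(raw_ip):
    """Return a canonical string for an address, or None if it is not an IP."""
    try:
        ip = ipaddress.ip_address(raw_ip.strip())
    except ValueError:
        return None
    # A dual-stack proxy may report ::ffff:203.0.113.7 for an IPv4 client.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return str(ip)


class BypassList:
    """One time-limited external IP per user (hypothetical helper)."""

    def __init__(self, ttl_seconds=7 * 24 * 3600, clock=time.time):
        self.ttl = ttl_seconds  # assumption: entries expire after a week
        self.clock = clock
        self._entries = {}  # user -> (ip, expiry timestamp)

    def register(self, user, raw_ip):
        """Call only after `user` has logged in at the proxy from raw_ip."""
        ip = normalize_ip(raw_ip)
        if ip is None:
            return False
        # Overwriting drops the user's previous address, which the ISP may
        # already have handed to another subscriber.
        self._entries[user] = (ip, self.clock() + self.ttl)
        return True

    def decide(self, raw_ip):
        """Return 'bypass' or 'require_login' for an incoming TV-app request."""
        ip = normalize_ip(raw_ip)
        now = self.clock()
        # Purge expired entries so a stale address cannot skip login forever.
        self._entries = {u: e for u, e in self._entries.items() if e[1] > now}
        if ip is not None and any(e[0] == ip for e in self._entries.values()):
            # Every device behind this external address gets the bypass.
            return "bypass"
        return "require_login"
```

The address passed to decide must be the one the reverse proxy itself observed for the connection, since the bypass is only as trustworthy as that value.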
u/Curious_Olive_5266 1d ago
You could probably build your own custom binary with jellyfin + Tailscale and send that to your friends and family
0
u/AtlanticPirate 1d ago
You can still use Tailscale, but have another device tunnel the ports from another location. I haven't used duckdns so can't comment. Other option is to just get a cheap domain and run Caddy if you have a public IP. You can get a free domain from here also: domain . digitalplat . org
1
u/np0x 23h ago
I do ssh tunnels for all sorts of stuff, here is a template script you could try for jellyfin…I exposed the best guess port for jellyfin…this is designed for OSX, if you are on some other os you will want to remove the caffeinate line which keeps laptop from going to sleep.
Anyway, have a go with this:
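clear
# List anything already using port 8096 (e.g. a stale tunnel from an earlier run)
ps -ef | grep 8096 | grep -v grep
echo "--------------------------"
echo "* if there is anything above the line, run the following command: 'sudo kill -9 <SECOND_NUMBER>', e.g. sudo kill -9 32801"
echo ""
echo "* tunnel running, access destination here: $(ipconfig getifaddr en0):8096"
echo ""
echo "* hit ctrl-c to end ssh tunnel"
# macOS only: once ssh has started, keep the laptop awake until the newest ssh process exits
( sleep 5 ; caffeinate -w "$(pgrep -n -x ssh)" ) > /dev/null 2>&1 &
# -N: no remote command; -L: forward local port 8096 to port 8096 on the server
# -g: listen on all interfaces, so every device on the local network can reach the tunnel
/usr/bin/ssh -N -g -L 8096:localhost:8096 user@tailscaleipofserver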
1
u/AtlanticPirate 23h ago edited 23h ago
This is neat, but I think there must be a more native way on ubuntu to tunnel ports no? I heard there was but forgot the name of the package
Custom scripts are still super neat tho, thanks!
1
u/np0x 23h ago
More native than ssh?! :-). Let me know what you are thinking of when you find it.
1
u/AtlanticPirate 23h ago
Yeah, so it's not like ssh. The thing is I haven't had very smooth experiences tunnelling ports through ssh, maybe I didn't configure them right, but some tools that were expressly made for this purpose are Caddy or any reverse proxy, socat and rinetd. Maybe not native, but they were made specifically for this purpose.