702
Don't expose jellyfin to the internet is a golden rule.
Kinda defeats the purpose of a media server built to be used by multiple people
Use a VPN, it's not ideal but it's secure.
Somehow difficult to install on a TV though.
That’s why you do it at your router or gateway and then set a route for the Jellyfin server through the VPN adapter. That way any device on your network will flow through the tunnel to the Jellyfin server including TVs
Which again implies that you have a router that allows you to do so. It's not always the case. For tech enthusiast people that's the case. But not for everyone.
I tried to do the same thing at first, but it was a pain, there were tons of issues.
Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.
Those ones?
Also putting a VPN in someone else's house so that all their Network traffic goes through your gateway is pretty damn extreme.
load more comments
(1 replies)
Don’t reverse proxies like pangolin just do the job? Does it have to be VPN in this particular concept? VPN isn’t like immune to vulnerabilities.
Reverse proxy doesn't really get you much security. If there is an application level issue a reverse proxy will not help
load more comments
(5 replies)
Reverse proxy will let anyone connect to it. VPN, you can create keys/logins for your intended users only. Having said that, from what I could see, nothing in the security fixes were to do with authentication. I think (just from a cursory look), they could only be exploited, if at all from an authenticated user session.
But personally, something like jellyfin where the number of people I want to be able to access it is very limited, stays behind a VPN. Better to limit your potential attack surface as much as you can.
load more comments
(1 replies)
load more comments
(3 replies)
load more comments
(1 replies)
That’s never made sense to me; why build an authn frontend instead of just clicking your user if the security is just an illusion anyways. “Use a VPN” is fine for a mainframe, but an active project in 2026 should aspire to be better.
Edit: or make note of that on their several pages with reverse proxy configuration.
Examples dating back over six years https://github.com/jellyfin/jellyfin/issues/5415
I mean I'm sure they'd like to just ship safe code in the first place. But if that's not their expertise and they demonstrate that repeatedly, we gotta take steps ourselves. Secure is obviously best, but I'd rather have insecure Jellyfin behind a VPN than no Jellyfin at all.
It's not this or that. Security comes in layers. So while I would assume that the Jellyfin developers do their best to secure their application, I acknowledge the fact that bugs do exist and that Jellyfin is developed in and for hobbyist contexts, and thus not scrutinised and pentested for vulnerabilities in the way software meant for professional environments would be. Therefore I'll add an extra layer of security by putting it behind a VPN that only whitelisted clients can access. If a vulnerability is detected, I can be sure it hasn't already been exploited to compromise my server because we're all "among friends" there.
load more comments
(1 replies)
load more comments
(25 replies)
Y'all are assuming the security issue is something exploitable without authentication or has something to do with auth.
But it it could be a supply chain issue which a VPN won't protect you from.
load more comments
(3 replies)
Yeah, i have my 30 docker containers behind Headscale (Tailscale).
load more comments
(4 replies)
The thing is, if you have non-technical users, you have to set up the VPN connection on the client site yourself, maybe on multiple machines and more than once, if they decide to upgrade or even just reset their devices.
The problem here - it's not me who requires access to my library, if someone isn't willing or able to do it, I'm sorry but that's just how it is. People should stop infantilize non-technical people, absolute majority of them is capable of navigating our world without much problems and I'm willing to help them if help is asked.
If my 60 y.o. mother with close to zero technical skills can do it with limited help (due to distance and other constraints) I'm pretty sure that majority of people with sound mind can.
Or you can not be arrogant towards your friends and family who have probably helped you on lots of occasions and will probably keep being there for you in the future.
Idk man, unconditional sharing feels pretty good, tbh. Making them jump through hoops isn't really my jam. To me this kinda all plays into making a stronger bond with people that are close to me, so maybe we have different reasons for why we are sharing our stuff.
Inb4 "we are not the same" meme
load more comments
(5 replies)
load more comments
(1 replies)
load more comments
(5 replies)
load more comments
(27 replies)
Thank you for posting this. I tend to get a lot of my opensource project info from Lemmy so people who take the time to post it are awesome.
Just updated my home instance. Can confirm that 10.11.7 is available in the Debian repos and the update went perfect. I got a new kernel in the same update : D
load more comments
(9 replies)
I forgot that it's April first, and was wondering what catasthropic event had happend in order that it had to be stated in the title that its not a joke
Wonder if it's the Axios one. Sounds like it isn't from their description though hmm
I don't think so, the previous release 10.11.6 is a few months old and the axios supply chain attack happened yesterday.
So lets hope this 10.11.7 is not subject to the axios one. :)
Diff agrees, not likely. Might be permisson related, elevation of privileges.
From a cursory look at just the security commits. Looks like the following:
- GHSA-j2hf-x4q5-47j3: Checks if a media shortcut is empty, and checks if it is remote and stores the remote protocol if so. Also prevent strm files (these are meant to contain links to a stream) from referencing local files. Indeed this might have been used to reference files jellyfin couldn't usually see?
- GHSA-8fw7-f233-ffr8: Seems to be similar, except for M3U file link validation and limiting allowed protocols. It also changes the default permissions for live TV management to false.
- GHSA-v2jv-54xj-h76w: When creating a structure there should be a limit of 200 characters for a string which was not enforced.
- GHSA-jh22-fw8w-2v9x: Not really completely sure here. They change regex to regexstr in a lot of places and it looks like some extra validation around choosing transcoding settings.
I'm not really sure how serious any of these are, or how they could be exploited however. Well aside from the local file in stream files one.
load more comments
(3 replies)
load more comments
(6 replies)
Pretty flawless update from the apt repo on my end.
Server version 10.11.7
load more comments
(4 replies)
There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.
Does it work with android and TV apps?
I tried long ago and failed.
No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won't work.
Edit: Client Certs need to be implemented per App. There is a feature request from 2022 https://features.jellyfin.org/posts/1461/capability-to-specify-client-certificate-for-android-client
load more comments
(1 replies)
load more comments
(2 replies)
Is it standard practice to release the security updates on GitHub?
I am a very amateur self hoster and wouldn't go on the github of projects on my own unless I wanted to read the "read me" for install instructions. I am realizing that I got aware I needed to update my Jellyfin container ASAP only thanks to this post. I would have never checked the GitHub.
Is it standard practice to release the security updates on GitHub?
Yes.
And then the maintainers of the package on the package repository you use will release the patch there. Completely standard operation.
I recommend younto read up on package repositories on Linux and package maintainers etc.
load more comments
(22 replies)
You can always tell who does real IT work in these threads lol
In the raspian repos, just updated, thanks.
load more comments
(1 replies)
Good thing my Jellyfin is behind Wireguard.
Consider doing the same if your usecase permits.
view more: next ›
this post was submitted on 01 Apr 2026
702 points (99.0% liked)
Selfhosted
58695 readers
283 users here now
A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.
Rules:
-
Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.
-
No spam posting.
-
Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.
-
Don't duplicate the full text of your blog or github here. Just post the link for folks to click.
-
Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).
-
No trolling.
-
No low-effort posts. This is subjective and will largely be determined by the community member reports.
Resources:
- selfh.st Newsletter and index of selfhosted software and apps
- awesome-selfhosted software
- awesome-sysadmin resources
- Self-Hosted Podcast from Jupiter Broadcasting
Any issues on the community? Report it using the report flag.
Questions? DM the mods!
founded 2 years ago
MODERATORS