I just use tailscale. I am thinking about external share options but for me and my closests just plain simple tailscale

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.

Being new to this I would look into how to set these things up in docker using docker-compose.

Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?

Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban

I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.

Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you're ready to rock and roll

An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)

ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.

And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.

There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.

This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.

Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.

VPN or Tailscale

Personally I use twingate, free for 5 users and relatively straightforward to set up.

OpenVPN into my router

I don't use jellyfin but my general approach is either:

1. Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
2. Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own

There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.

for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router

and I have certbot for my domain on ec2 :)

Tailscale + Caddy (automatic certificates FTW).

SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)

Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.

For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.

OpenVPN into my own LAN. Stream from there to my device.