Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
I’m not smart, can you tell me if having it behind a reverse proxy with certs and everything fixes any of these flaws?
Many of the issues are related to unauthenticated requests. Even though your reverse proxy provides SSL, Jellyfin still won’t know the difference between you and a random internet user. So, no, your setup doesn’t mitigate the security risks much at all.
I’m also an absolute dumbfuck. And I can confidently tell you, as a matter of fact, that I don’t know.
I’m running SWAG reverse proxy, my DNS is not tunneled, I share my Jellyfin with others outside my network.
My primary concern is my server gets hacked, or I get charged with distributing ‘public domain movies’
Hacking, even on an insecure system, would be illegal. Any copyright troll trying to sue a single user for having a private jellyfin instance which they hacked to find out about would probably have a hard time actually making a case.
“Yeah, this one guy was distributing films to himself and a few friends. I know because I hacked him” doesn’t seem like a good case.
Nothing about this is hacking. They’re not defeating any authentication mechanism to scan your system. That’s the whole problem here. Nothing illegal about running a crawler/scanner service.
The fact that you have their content publicly accessible is not a “bad case” at all. Open FTP sites were sued plenty. It may be a bit harder to prove distribution intentions… but wouldn’t be hard to make a case that you violated copyright for the content they could enumerate.
It’s not publicly accessible, though. An account is clearly needed.
No… that’s the point of this thread. There is no requirement to login in order to manually access endpoints. Up to and including pulling video data.
Not unless the reverse proxy adds some layer of authentication as well. Something like HTTP basic auth, or mTLS (AKA 2-way TLS AKA client certificates)
For nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
so if I add a user ”john” with password “mypassword” to video.example.com, you can try adding the login as: “https://john:mypassword@video.example.com”/
Most HTTP clients (e.g. browsers) support adding login like that. I don’t know what other jellyfin clients do that.
The other option is to set up a VPN (I recommend wireguard)
You can’t do that with jellyfin.
Basic auth doesn’t work with jellyfin. Its a bug. Enable it on your reverse proxy, and jellyfin breaks. Devs closed it as wontfix
That sucks, good to know.
Looks like creating a VPN is the only option for securing jellyfin.
This is correct. However I’d want to add, that this will break EVERY app-based access of jellyfin which defeats the purpose for a lot of people. Adding auth in front of jellyfin will work and allow you to use the web client only.
You kind of touched on it… I wanted to make it clear.
VPN would be a better more interoperable answer for most cases, you’ll still be stuck on devices like WebOS on LG tvs, or roku devices, or others that don’t have the ability to install vpn clients.
This is misinformation. It breaks the web app too.
You can’t use basic auth with jellyfin at all. Its a bug. Jellyfin closed the bug as won’t fix because, it seems, they dont care about security.
Oh, sure enough. Basic auth breaks the login function. I didn’t test it myself and didn’t think that it wouldn’t work for basic auth. I’ve put other auths in front of it and it works. So It’s not completely “misinformation”. Just annoying that the easiest most basic form of auth won’t work.
What other auths can you put in front of it?
The problem is that they’re (ab)using the Auth header, which causes a colission and you can’t load many required assets.
I was testing a 2fa based one the other weak and jellyfin was the service I decided to test with. Ultimately didnt like it so I rolled ot back.I’d have to go look it up to get you a name.