Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
Collection of potential security issues in Jellyfin This is a non exhaustive list of potential security issues found in Jellyfin. Some of these might cause controversy. Some of these are design fla…
I’m not smart, can you tell me if having it behind a reverse proxy with certs and everything fixes any of these flaws?
Not unless the reverse proxy adds some layer of authentication as well. Something like HTTP basic auth, or mTLS (AKA 2-way TLS AKA client certificates)
For nginx: https://docs.nginx.com/nginx/admin-guide/security-controls/configuring-http-basic-authentication/
so if I add a user ”john” with password “mypassword” to video.example.com, you can try adding the login as: “https://john:[email protected]”/
Most HTTP clients (e.g. browsers) support adding login like that. I don’t know what other jellyfin clients do that.
The other option is to set up a VPN (I recommend wireguard)
You can’t do that with jellyfin.
Basic auth doesn’t work with jellyfin. Its a bug. Enable it on your reverse proxy, and jellyfin breaks. Devs closed it as wontfix
That sucks, good to know.
Looks like creating a VPN is the only option for securing jellyfin.