First things first, the setup is currently up and running. but i would like to modify it to use a reverse proxy through my personal domain.
Currently, i’m using an old pc with Truenas and a jail with jellyfin in it. i’m connecting to it with the free Fritz!Box VPN service.
but that’s stupid and slow. so i’ve bought a domain at godaddy.com. but i don’t understand the principle of whatever is managing the domain knowing the public IP-adress of my server. i’ve heard of Caddy, but it’s also running locally, so i don’t understand how i connect the pc to the domain.
if anyone could simplify this down for me, it’d be very helpful.
i don’t understand how i connect the pc to the domain.
Yeah, that’s the part where I think there’s some misunderstanding. You don’t “connect” the server to your domain. Instead, there is a Nameserver (most run by your registrar, GoDaddy) that hosts a list of DNS records, that you can edit, which point to IPs. So you need to edit those to point to your public IP (or set up stuff like DynDNS if your IP isn’t static) and once that’s doneand the port forwarding is also set up properly in the Fritz!Box you should be able to connect.
That said, what’s wrong with VPN? Particularly if you’re using Wireguard VPN, which was recently added to Fritz!Box, there shouldn’t be any performance differences. Plus, it would be safer than exposing services to the whole internet, doubly so if you’re not a networking expert.
I‘m trying to set it up so i don‘t have to switch VPNs on my phone all the time. Also my Company IPad doesn‘t allow me to set up my own VPN connection.
I am not sure you should be connecting from a Company ipad to a Jellyfin server anyway. Well, unless its your own company I guess. Company IT may monitor what you are doing on it.
IT here. Confirming this is a bad idea, and we don’t like it.
Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:
Fewer Letters More Letters CGNAT Carrier-Grade NAT DNS Domain Name Service/System HTTP Hypertext Transfer Protocol, the Web HTTPS HTTP over SSL IP Internet Protocol NAT Network Address Translation SSL Secure Sockets Layer, for transparent encryption VPN Virtual Private Network nginx Popular HTTP server
[Thread #241 for this sub, first seen 25th Oct 2023, 10:45] [FAQ] [Full list] [Contact] [Source code]
There’s plenty of reasons why you would not want to have a Jellyfin server be publicly available (even behind authentication). It’s simply not a well-secured system at this point (and may not get there for a long time, because it’s not a focus).
I strongly suggest keeping it accessed via VPN.
But note that VPN access is not necessarily any slower than “publicly” serving the HTTPs directly, at least not by much.
If you don’t already use Wireguard as the protocol, then maybe consider running a wireguard VPN instead, that tends to be quicker than classic OpenVPN.
And last but not least: a major restricting factor in performance of media servers from afar is the upload speed of your ISP connection, which is very often much lower than your download (100Mbit/10Mbit are common here, for example, so only 10% of the speed up than down).
There’s a nice explanation of how caddy reverse proxies work here. https://caddy.community/t/using-caddy-as-a-reverse-proxy-in-a-home-network/9427
Essentially you setup your router to port forward any new incoming connections to Caddy, which then decides what to do with them according to the configuration (Caddyfile).
Even simpler: Your local network is like a castle, inside is a safe and secure place where your devices communicate freely. Your router is a firewall around the castle, by default it blocks incoming connections. This is good because the internet is scary. By port forwarding you allow a door in the firewall which leads to Caddy, which is like a guard. Caddy asks them what they want, and if they say e.g. jellyfin.example.com, then it sets up an encrypted connection with https to your local jellyfin server. If they want anything else they aren’t allowed in.
To connect your domain to your IP use godaddy website, it should have a section where you can configure a dns entry, you can specify an IP address (your public IP) and, after a while, every device on the internet connecting to YOURDOMAIN.COM will be send to your home. If godaddy doesn’t offer a dns service you have to buy it somewhere else like on cloudflare, here I think you will need to prove that you own YOURDOMAIN.COM and then setup your IP in the dns. If you don’t have a static IP you need a DDNS (Dynamic DNS). After that you open the port number 443 on your home router so that https requests will be send to a device of your choice, this device will host your reverse proxy, the reverse proxy binds a domain name (the one you brought) or a sub domain to a service of you choice on your local network, doing this you don’t expose the local server directly and you need to open a single port only.
I bought a domain on namecheap.com and it has a configurable dns built in so I hope that godaddy has one too. I use Caddy as a reverse proxy for my jellyfin instance instead of Nginex, I think that they are both valid, another thing other people said in the comment is to access jellyfin via wireguard tunnel and I confirm that is the best choice if you don’t have specific needs, let me explain. The reverse proxy automatically generates ssl certificates using let’s encrypt allowing you to cast from an android phone to a Google chromecast (this seems to be the only way to do it and works very well for me). I also configured other services on caddy, in my setup I block every request to the reverse proxy that doesn’t arrive from inside my local network (except jellyfin so I can use it remotely), I know that it’s not the intended use of a reverse proxy but it makes some things possible that otherwise will need more configuration:
- I have two separate networks in my home, my reverse proxy has a double interface so I can easily access all services from devices on the main network.
- I don’t need to configure local dns rewrites to my services neither I have to add exceptions for dns rebind inside my router, I simply add a new rule to caddy and it just work.
- I have https for every service on my network without annoying messages on the browser.
If you think this lazy use of the reverse proxy could be a problem please tell me your thoughts!
It depends on what all you want to proxy in, if it’s just that one thing then it’s pretty simple to point a port inbound to a secure interface and call it a day.
For a more complete thing, an inbound proxy will take the requested domain coming into your front door and translate it to an IP/port combo on the inside. That way you can have several services behind the single IP. If you have a full gateway server setup in frontt of things something like HAProxy or squid can work and do SSL offloading for you. For a single server setup you might look at ‘nginx proxy manager’ (NPM) which gives an easy way to set up an inbound proxy plus it’ll manage getting certificates from let’s encrypt automatically.
I could help more fully but need a good bit more details to give some specific ideas.
If I wanted to access my Jellyfin at home from a smart TV elsewhere, is that possible (securely)? Or would I need something that can run a vpn?
With the caveat that I’m presuming Jellyfin has a HTTPS interface, or you have a proxy in front of it to make one for it (I use Emby myself but I believe Jellyfin was a fork of it at some point) then yes, if the TV has an app for it you should be fine. HTTPS is as good on your server as anywhere else so long as it doesn’t have some implementation flaw. In fact it’s probably better to not have a VPN when streaming video just to avoid the extra overhead bandwidth a VPN tends to add on.
My only thought against having it on the public web would be the potential for brute force attempts on the login page. If it has a 2 factor option then great, or even if there’s some kind of lockout/throttling after too many wrong guesses. Even barring that though, a decent long pass should be good enough to dissuade anyone from wasting too much time trying to remotely get into a video box, not exactly a crown jewel target after all.
I just recently set up a reverse proxy with Nginx Reverse Proxy, and Cloudflare. I pointed my domain to my home address with Cloudflare (they have dynamic DNS capability), then set up NRP, to forward traffic by subdomain. The nice thing about the reverse proxy it is I can bind a subdomain to an ip:port on my local network. Like “music.!MYIP!.com” goes to my Navidrome instance “LOCALIP:4553”. This allows me to close unnecessary outbound ports.
i may have figured something out, godaddy doesn’t support ddns, but you can change the ip of an A record via the API. and i have found a program that runs under linux as a service that does exactly that. problem is, where in my nas do i run it? do i try to install it in truenas? or jellyfin? or do i create a new jail with the sole purpose of running said program?
Definitely ditch godaddy asap they are one of the worst companies to deal with.
I suggest https://njal.la/
It should work from just about anywhere in your network. Most of those DDNS clients end up using an external IP lookup service to get their public address and then send that reply to home base to update the record.
I suspect you can have GoDaddy use a CNAME record which points to a DDNS entry (which has an A record). I have done that with different services before.
Depending on how many people you want connected, could try something like tailscale or zerotier. I been using tailscale and I think it is easier.
I assume you have a dynamic ip. what I did for that scenario: setup a dyndns hostname somewhere, configure a subdomain (e.g. jellyfin.example.com) with a cname dns record pointing to the dyndns hostname. you will have to setup updating of the dyndns hostname, this can be done in the fritz box and port forwarding to your jellyfin pc.
IPv6 may also “just work” nowadays, too, especially if the aim is to connect from mobile or other consumer networks. Corporate environments are still hit & mostly miss.
you mean without a dynamic hostname in between? but then you would still need to know about a changed prefix, wouldn’t you?
Dynamic DNS is probably still required, unless his ISP issues dedicated or very long term IPv6 leases.
is the free vpn service the wireguard one? if yes and it is slow, than it won’t be any faster when using your own domain and exposing the server directly to the internet, because wireguard should be as fast as any direct connection. if it is not the wireguard vpn from the fritz box i’d recommend switching to it. this can be done by tge server jellyfin is running on if your box does not support wireguard.
Your basic requirements are:
- Some kind of domain / subdomain payed or free;
- Home ISP that has provides public IP addresses - No CGNAT BS;
- A dynamic DNS service such as https://freedns.afraid.org/;
- Configure your router to forward your jellyfin port to the server.
The working principle is: your home has a dynamic IP address that might change at any time. You’re going to use a dynamic DNS service do to have a domain name that always points to the correct IP. To accomplish this you’ll be required to install a small tool in your server that monitors your public IP and whenever it changes calls the dynamic DNS service with the update. The best part is that you don’t even need to own a domain for that.