When I see this sort of thing, and other people are trying to do it, a reverse proxy or vpn is always mentioned. Heres my question:
How Dangerous is it to just open the port for it on my router and access it like that?
Lets say i want to access jellyfin from Kodi on my xbox or something outside my network, the vpn solution wouldnt work for this i would think.
My issue with reverse proxies, and why im asking, is it seems less secure? I mean Im well aware that an IP is easy to get, i guess. But how likely is someone to look for something on my network specifically? With reverse proxies it seems like i would be broadcasting my server to the internet in a way its easier to happen across, than someone being interested in a random residential IP.
I run a minecraft server for friends on my main computer anyway, and i know tons of people do that, theoretically thats the same level of danger as opening my network for jellyfin specifically.
VPN isnt an option because of this xbox stuff i mentioned and people in my family who have 0 chance of understanding it regardless.
So what is the better option, going through this reverse proxy ( which im actually also unsure would work with kodi) or rawdog the server on my network. I guess leaving the server exposed? or every device even.
Strong suggestion for Tailscale here. It is incredibly easy to use and very easy to set up with multiple users. Opening ports directly to the internet is a thing of the past for me now, ever since I started.
I opted for ZeroTier - this way I can connect many devices outside home network to any device inside …
Someone may have commented this already but my recommendation is to set up an overlay network like tailscale or twingate.
Doesn’t require you to open any ports on your firewall, and Tailscale at least is very performant since it uses Wireguard as it’s underlying protocol. (I have yet to test Twingate but I’ve heard positive things.)
It will require a little more setup per device but it’s honestly incredibly simple and more than secure enough for a home network.
Tailscale also has something called a subnet router which you can use to get incompatible devices onto the tailnet.
So the reason you’d want a reverse proxy is because it handles security and would do a much better job of it than an exposed jellyfin port.
Public FQDN -> your home IP -> your router allows 443/whatever to your reverse proxy -> it handles SSL and being hit by the internet (look into nginx security and even fail2ban) -> proxy serves up whatever insecure site/app you’d like.
A reverse proxy does not magically make an insecure app secure.
I use a reverse proxy so I can just use a hostname and not need a port. I run Jellyfin that way no problem, function-wise.
Additionally, not having a domain won’t necessarily protect you since you do have people out there scanning for ports and when they see 8096, they’re going to immediately know it’s a Jellyfin/Emby server and any vulnerabilities associated with those. If you use a reverse proxy, they only see 443 which is…pretty much every other site on the internet. That’s security through obscurity, I know, but it will help mitigate some of the easier attacks.
I’ll say that everything I have to have a port open for (mostly game servers) gets targeted by the internet at large despite the fact that I’ve published the address and port absolutely nowhere online and only shared it with close friends. I almost never get anyone trying to log in to my other services.
Okay, so can people just find that shit on google? And also what are the odds of certain companies and agencies being perturbed by me essentially broadcasting copyrighted content? Even if i own it. I shpuldnt expect FBI or worse, Viacom hitmen right? Especially of the content is behond a log in?
Take a look at shodan to see just how much everyone knows about what’s open on the internet.
As for DMCA they don’t know what you have behind your login. Make sure you reverse proxy over SSL and you’ll be ok…ish.