cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this someone in my household who watches our server. That's it folks. I've been a hold out for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I'll say it. As of today, I say Plex is dead. Luckily I've been setting up Jellyfin, I guess it's time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I'm unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don't understand what plex pass is, and they shouldn't have to, that's why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality. I don't care that "People should pay their fair share". If Plex wants to put every new feature behind a paywall, that's completely okay. They are removing functionality.
- "But they have cloud costs". Remote streaming is negligible to them. It's a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That's it.
- "Good luck finding another remote streaming" - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that's a separate conversation). All "remote streaming" is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported "free" content that they're probably losing money on.
In short, I don't care how you justify it. Plex is doing something shitty. They're removing functionality that has been free for years. I'm not responding to any more of your comments repeating the same arguments over and over.
You have a plex pass though, so nothing changed for you - you just got all angry because you didn't read the email properly.
Your users are going to be much worse off now than they were, and you will absolutely lose a bunch of them who don't want to (or can't) have to connect to a VPN every time they want to stream from your library.
Why would they need to connect to a VPN every time they connect to Jellyfin?
Jellyfin has some security issues that, depending on who you ask, are either critical vulnerabilities that make it completely unsafe to expose to the Internet or largely unconcerning for regular users.
I'm not overly concerned about my instance running behind a reverse proxy. Perhaps I am just naive...
Honestly yeah. The Jellyfin Backend is basically unauthenticated for a large part, allowing anyone to map and stream your content as soon as they guessed the ids, which isn't that hard, since they are based on the paths on your device. So if your movie sits in /mnt/media/movies/the_bee_movie that is pretty esay to guess and calculate the id from, allowing anyone to stream that content from your server
if you reverse proxy (w/ proper headers etc.) into a VPN this isn't an issue
The magic bullet in that sentence is VPN not reverse proxy
im aware, but the inconvenience of all users connecting to the VPN was mentioned. that's unnecessary this way
And apart from an undesirable bandwidth usage resulting from someone guessing their way to my file structure, how can this be used to compromise my server?
They can stream content from your server or map out what you have on there by using a rainbow table. Depending on the country you live in they can and will use that combined with your IP to start litigating you
My question is, where are you posting the address to your jellyfin server that someone who finds it will go through the trouble of even doing this?
Also how could they start litigating you based on the content you have? If I had illegal content on my server, I would be really dumb to expose it on the internet on a public jellyfin server. Otherwise my movies, tv, etc are my paid for content..
You don't need to post it. Bots are scanning every ip, 24/7, looking for servers to infect, endpoints to abuse and data to extract.
Go set up a ssh tarpit on your server and watch the flies drown in it. I will not expose anything on my server that has so many known vulnerabilities
Your content might be legitimate, but the vast majority use Plex and Jellyfin as a media Server for pirated content and still want to share it with their friends or family. And just FYI, most blurays and DVDs also forbid this kind of sharing in their license
I find it hard to believe that there are bots scanning for jellyfin exploits, since as far as I'm aware, the exploit is for viewing content without auth. 99% of bots are scanning for old instances of wordpress or other outdated software to exploit.
If my content on Jellyfin was illegitimate, the person scanning for my files would have to prove that before they can sue, no? I don't think this makes sense for anyone to do.
p.s. I won't argue that YOU should setup software that you dont want to, just that this particular reason not to may be a bit farfetched.
You are very, very naive and uneducated on what bad actors do on the internet then. Basically any popular service that exposes a port to the internet WILL have bots scanning for that port specifically.
Yes, you are right, but I think my point was missed.
Theres not much reward for hackers to hack private jellyfin hosts (unless there is some big exploit that gives remote code execution that im unaware of), sure the bots will scan and try exploits on open ports, but are they specifically targetting jellyfin?
There is always a risk, but in my opinion, the chances of being hacked through jellyfin are way too low to bother with over-bearing measures, like a required vpn connection.
Running jellyfin in a secure manner (without root, only access to your content, etc) reduces the risk of much harm too.
And this has actually happened before?
I always see this and I have to ask: why do you care?
They likely aren't paid customers of yours, if they don't follow your rules and the software you like to use, then they are free to use any other method of consuming media.
Have to agree with the other comment that asks why do you need to use a vpn. Fax
Because OP is scared of losing their users because of their incorrect thinking that Plex was requiring them all to buy a remote streaming pass, so clearly OPs goal is to not lose their users, right?
OP asked, we're answering. That's kinda the whole point of this thing called Lemmy. We don't care per se, we're just telling OP our opinions and thoughts on their questions and proposed solutions.
If you don't use a VPN you're putting yourself at risk. There's no real way around it with Jellyfin, as others have said.
Sorry, I wasn't clear. When I said "why do you care?", I didn't mean YOU specifically with OPs potential problem of losing users.
I meant why do people in general, who self-host software for friends/family, care if their friends/family stop using the software.
E.g. I have friends on Plex, but for whatever reason, I decide I want to move to Jellyfin. My friends stop streaming my media because they dont like jellyfin for whatever their own reasons may be. I personally wouldn't care about losing them as "users", because it's not like they are paying customers. I let them access my instance for free, if they aren't bothered enough to use it, then thats on them, not me to cater to their needs by keeping Plex around.
Hope that cleared up my meaning. I wasn't attacking you for caring with your original response.
p.s. you are at risk by hosting Plex too, just in different ways. Plex still requires your server is open to the internet, right? Even if only Plex's servers can access it, who's to say Plex themselves don't get hacked. Always a risk/reward type deal with hosting software, in my opinion, either are fine to expose.
It sounds like OP is charging users to stream from his server, that’s why he freaked out.