I tried testing a movie from my home server in plex through firefox and repeatedly got this message, even after reloading.
I knew that they had paywalled the apps on mobile and streaming from outside the network but now they have also blocked watching your own movies through your own hardware.
I do get the point that making software should be able to sustain people but I dont see the move of plex as a fair thing to do. Yes, they have made great software but taking your home server hostage feels like the wrong move.
Even a pop up that says "we need you to donate please" would have been fine. make it pop up before every movie, play donation ads before any movie but straight up disabling the app is kinda cruel.
Anyway, i have switched to jellyfin and it is insanely good. please give it a try. you can run it alongside plex with not issues (at least i had none) and compare the two.
In any case, good luck. Let me know if you need help.
It's pretty rare that a company starts taking away free features and doesn't end up fucking payers in the end.
The biggest bar to Jellyfin is TV clients, the second biggest is security.
TV clients can be fixed with a one-time purchase of a $20 android TV stick. If viewing your familys ARR content isn't worth $20 you probably don't need to do it anyway.
Security for remote streaming is a harder thing to handle. Most people are capable of port forwarding, But just hanging a smallish public project out there in the open is always a dicey proposition. It honestly needs real fail2ban, probably SSL, 2FA and password complexity requirements.
We could probably make a jellyfin helper container to handle some of this. Walk people through Let's Encrypt, dynDNS, port forwarding tests, add fail2ban with a firewall, maybe even slap suricata in it.
We need to convince the project to add 2FA and password complexity requirements.
I don't know guys what do you think is it crazy? does it make sense? Would anybody actually use it?
I access my stuff via VPN. As for sharing with others, I simply don't do that. VPN is still an option though. Or temporary client whitelisting, etc.
Yeaaah ! Most people anyway have some kind of VPN installed on their device... Just slap in a wireguard VPN config to tunnel your traffic home... bOOm jellyfin everywhere and 99% secure !
Now that's an interesting thought.
A web page with Authelia, login and a firewall.
If you're not logged in, All you get is a login page. If you are logged in, It passes you straight through to jellyfin.
So any device and client would be able to access it without issue once a phone or computer on the network had logged in just once.
The web page modifies the HA proxy ACL and forces a reload.
This will work fine over the web, but won’t work with clients.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don't put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don't have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
They have instructions on jellyfin forums on setting up HAProxy, that part totally works.
But you don’t put 2FA on the jellyfin server, for that you just deny all IPs except whitelisted.
You did the 2FA on the whitelister only using path-based routing.
You don’t have access to the root site, you go to a path and login to a separate database to whitelist yourself then your client should work from that IP.
edit:
I just tried it, it appears to work so far.
I can send websocket traffic inbound to 8096: to the JF server and it loads on web, Android and Roku clients with an ACL limiter on originating ips. and send 8096/whitelist to another server altogether with no ACL limits.
On that process, I'd load nginx, authelia, fail2ban and what flask? Surely someone has a python longin/admin framework that I could hijack for this. Then have that app reack over in shared container storage to twiddle the haproxy config to add some ip's and reload it?
I wonder if I could do something to the haproxy side to detect non-use of an IP and remove it.
You can address the 2fa by putting it behind something like authelia, but still, the project needs to step it up
Authelia is super easy, if the clients can handle it
I thought that you can still access media directly via the URL without any authentication, how would authelia change that?
Yes! You just have to set up your reverse proxy to send everything through it and it'll block the unauthenticated access.
The downside is that apps stop working since they don't have a way to authenticate with authelia. I've installed it as a PWA on my phone and use an old laptop with the TV interface on my TV, but it's not perfect
Are you sure that works? I'm pretty sure they mentioned that reverse proxies are an unsupported (and not working) use case with Jellyfin, but I might have to look into authelia some time then.
I just put it behind an HAProxy a few minutes ago, It appears to be fine. You just need something capable enough to handle web sockets. I've made it all the way through an episode of The real monsters without any problems.
Again, you're not going to be able to 2FA it that way, what I'm looking at doing is IP whitelisting it in HAProxy using a small web helper that is 2FA, accessed via the same port but on a separate path.
Maybe I was thinking of this from back in 2024?
https://github.com/jellyfin/jellyfin-android/issues/123
"Hacking around with a reverse proxy is strongly discouraged and we won't provide any support for it."
Yeah part of doing this is keeping a ci pipeline up and unit testing against rcs and telling them exactly what's failing. The report in that ticket gave them absolutely no choice but to try to set up an entire system to reproduce whatever the user did which they obviously don't want to do.
WebSocket relays are poorly implemented in a lot of proxies, Even cloudflare has its fair share of issues.
The downside of using HA is reinventing the let's encrypt pipeline for the 40th time, the upside is it's dead simple, web sockets go in, web sockets go out, The logs are good, it's easy to debug it with TCP dump If things start to get sketchy.
How can you debug it with a TCP dump if it's encrypted?
You are doing the https unwrapping in tf/HA proxy. It's clear text between the proxy process and the JF server
You can do a dump off the entire network stream when it's working, install the release candidate and do another dump of the network stream with it not working. Sift through to find the changes.
When the person posted that there was a problem with the RC, It was probably a web socket being mishandled by the proxy due to some change. You can't just go oh there's a problem with my third party middleware. They're going to need to know which of their changes broke the problem. Why it breaks it, and what should be done instead if you expect them to make any kind of changes.
The alternative is you ask them to support traffic or HA or NPM, and on a volunteer project I could see that being a bridge too far
Both jellyfin and authelia support reverse proxies.
Here's jellyfin's guide: https://jellyfin.org/docs/general/post-install/networking/reverse-proxy/
And here's authelia's: https://www.authelia.com/integration/proxies/introduction/
There's some restrictions (like websocket support) but it's not too bad to set up.
Still, if you don't need to expose it to the internet, put it behind a vpn.
The problem with putting it behind a VPN is then all your users have to be on VPN.
Self-service IP whitelisting would be easy and let all clients work without trying to hack in a separate VPN client.
The only thing that would suck would be if you were on a mobile link while moving and swapping towers your IP would change so you constantly get kicked off.
But if you were so inclined you could VPN to your own house and your IP would stay the same.
Maybe I was thinking of this from back in 2024?
https://github.com/jellyfin/jellyfin-android/issues/123
"Hacking around with a reverse proxy is strongly discouraged and we won't provide any support for it."
Yeah.
It's tough because I get they're an open-source project, and they're volunteers, but at the same time, security is something that should be the highest priority.
Though, you could just make it so that it's not accessible via WAN and instead has to go through a VPN, though that'd make it harder to share with others.
That's what I do myself but in a lot of cases VPN is beyond the grasp of the grasp of the friends and family that are being shared with.
Tailscale is somewhat approachable for this, there are a number of streaming devices that support TS clients. But then tailscale will eventually enshittify their free offering. Wrapping headscale into this will add yet another layer of complication. VPN is far more secure but I think it makes it unapproachably complicated for many.
As someone who is … lazy and took advantage of some Amazon Black Friday Fire TV stick deals, and who doesn’t want to drop the $200 for a Shield:
Any Android sticks/players you might recommend?
Bittorrent joined the room.
The Onn dongles from Walmart are probably the cheapest. The firestick should work fine and there are also Chromecasts from Google.
Basic functionality, I've heard good things about the crappy Walmart ONN branded ones.
I know there are Alibaba options, But I'm awfully afraid of a lot of those have worst security issues than opening up jellyfin.
+1 for Walmart Onn, very easy to debloat and degoogle, supports SmartTubeNext, S0undTV (Twitch), Jellyfin, Plex, whatever else you want.
Thanks- was hoping there was something out there that’s a bit less tied into some large Amazon-y or Google-y type anything
For all their lack of privacy, the Fire Sticks perform pretty well
I think you make a hugely important point and I would definitely use it and I might even be able to help making it.
Current Idea:
Traefik does most of this through plugins, except the whitelist modifier,
Whitelisted?
Not Whitelisted?
Whitelisted or Not whitelisted?
*TLS
SSL has been deprecated for a decade at this point
Would you consider this a particularly constructive comment?
What's wrong with it?
SSL or the comment? The comment is annoying because people use TLS and SLL interchangeably in colloquial speak.
The term SSL has been colloquially used for the last decade, and it would be difficult, if not impossible, to confuse the two and issue the wrong type of security at this point. Are there even packages that old available to Docker?
We're having an informal discussion here about how to make Jellyfin security less daunting to the average user. Taldan is apparently knowledgeable about the situation and could lend a conceptual hand to the process, but I suspect they chose instead to nitpick terminology that's still used in common parlance. Since I have some doubts, but don't wish to assume, I asked a simple question.