Selfhosted

If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh vpn like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use. Tailscale would be the easiest to do this with, but if you want to go full self-hosted you can do it with WireGuard if you’re willing to put in a little extra leg work.

What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.

I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..

If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.

We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place

Tailscale, with nginx for https.

Very easy, very simple, just works, and i can share my jellyfin server with my friends

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

I'm just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.

I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.

Reverse proxy is Traefik.

Cloudflare. No public exposure to the internet.

Tailscale - funnel

Just that

I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.

Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.

I just install tailscale at family houses. The limit is 100 machines.

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.

Being new to this I would look into how to set these things up in docker using docker-compose.

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS

I followed this video and modified some things like ports

This is my setup.

Read more, here.