Jellyfin is amazing for a lot of things, but it shouldn’t be available externally. There are a few critical security concerns that devs have openly stated will never be patched. And that makes it a non-starter for sharing with people who can’t figure out how to use a personal VPN connection. It may be fine for me and my household… But there’s no way I’m going to be able to walk my tech-illiterate grandmother through it over the phone.
In contrast, Plex makes sharing server access very easy. Since they run a centralized server to handle all of the “which servers do I have access to, and where are they located” automatic discovery traffic, sharing content is as simple as sending an invite link. That centralization flies in the face of what Jennyfin stands for, so they won’t ever implement it. I even have a burner Plex account that already has access to my server, which I can use to sign into TVs when I don’t want to bother with the whole account setup process. Handy for things like parties, because I have a few “just hit play and drunk people will enjoy it” types of playlists ready to go.
Basically, Jellyfin for yourself and your household. Plex for everyone else. Luckily, the two will happily run side-by-side without any issues.
I’m not confident enough in my knowledge to ever open up my server externally, even after reading some methods that are allegedly safe (or relatively safe). I’d just rather not take the risk of me misunderstanding something or failing to keep current with vulnerabilities.
I suppose I see the appeal if Plex handles that without hassle, but man… not for $750. Lol
This is a concern if you just port forward through a router. This isn’t a problem if you simply use a reverse proxy, which is standard and normal and expected and not difficult at all.
It’s a concern even with a reverse proxy. The reverse proxy encrypts your connection from A to B, but does nothing to stop the various security concerns that have been noted. Because those concerns don’t rely on intercepting unencrypted traffic. If you can reach Jellyfin’s main log in page, you can exploit it. Full stop.
The only way a reverse proxy would stop someone from being able to exploit it is to include a separate login on your reverse proxy, meaning attackers wouldn’t even be able to hit Jellyfin’s landing page unless they know your proxy’s password. But notably, this breaks basically everything except for browsers. All of your smart TVs, mobile apps, etc would stop functioning, because they’d bounce off of that reverse proxy login page.
I don’t proxy the port, I proxy the routes needed for auth and interface. This isn’t that hard.
EDIT: ah I see what you’re saying, you’re talking about the app surface rather than the raw admin API. The risk is small enough with the remaining attack surface that I’m not particularly worried, though obviously I’d like it to be better.
Jellyfin is amazing for a lot of things, but it shouldn’t be available externally. There are a few critical security concerns that devs have openly stated will never be patched. And that makes it a non-starter for sharing with people who can’t figure out how to use a personal VPN connection. It may be fine for me and my household… But there’s no way I’m going to be able to walk my tech-illiterate grandmother through it over the phone.
In contrast, Plex makes sharing server access very easy. Since they run a centralized server to handle all of the “which servers do I have access to, and where are they located” automatic discovery traffic, sharing content is as simple as sending an invite link. That centralization flies in the face of what Jennyfin stands for, so they won’t ever implement it. I even have a burner Plex account that already has access to my server, which I can use to sign into TVs when I don’t want to bother with the whole account setup process. Handy for things like parties, because I have a few “just hit play and drunk people will enjoy it” types of playlists ready to go.
Basically, Jellyfin for yourself and your household. Plex for everyone else. Luckily, the two will happily run side-by-side without any issues.
I’m not confident enough in my knowledge to ever open up my server externally, even after reading some methods that are allegedly safe (or relatively safe). I’d just rather not take the risk of me misunderstanding something or failing to keep current with vulnerabilities.
I suppose I see the appeal if Plex handles that without hassle, but man… not for $750. Lol
This is a concern if you just port forward through a router. This isn’t a problem if you simply use a reverse proxy, which is standard and normal and expected and not difficult at all.
It’s a concern even with a reverse proxy. The reverse proxy encrypts your connection from A to B, but does nothing to stop the various security concerns that have been noted. Because those concerns don’t rely on intercepting unencrypted traffic. If you can reach Jellyfin’s main log in page, you can exploit it. Full stop.
The only way a reverse proxy would stop someone from being able to exploit it is to include a separate login on your reverse proxy, meaning attackers wouldn’t even be able to hit Jellyfin’s landing page unless they know your proxy’s password. But notably, this breaks basically everything except for browsers. All of your smart TVs, mobile apps, etc would stop functioning, because they’d bounce off of that reverse proxy login page.
I don’t proxy the port, I proxy the routes needed for auth and interface. This isn’t that hard.
EDIT: ah I see what you’re saying, you’re talking about the app surface rather than the raw admin API. The risk is small enough with the remaining attack surface that I’m not particularly worried, though obviously I’d like it to be better.