Fair, but self hosting stuff has that part of self. It is difficult to make it easy for everyone since everyone has a different setup, as such it is mostly directed towards people who are expert in doing this kinds of things or who will dedicate the time to learn how to do it.
The good thing is after you spent a couple days trying to figure out how to make it work, it will work in the future and you already know how to setup more stuff.
It’s not directed towards people who are experts. I’m an expert and can’t secure Jellyfin properly because Jellyfin doesn’t support proper secure authentication.
I would rather just properly secure it like every other selfhosted service I have, and not have to manage a VPN client for every user who wants to connect to Jellyfin.
A security focused authentication service would be the most successful, straightforward, and simple to implement solution.
Unfortunately Jellyfin, nearly alone amongst its FOSS peers has not implemented support for these services. It’s the only one of my many dozens of selfhosted services that I can’t properly secure.
There are plugins for SSO.
There are 3rd party plugins for OIDC and I think LDAP is even first party.
The issue comes when intercepting the signin-progress with 1st party clients. Jellyfin (to my knowledge) doesnt support redirects/callbacks like a homeassistant companion app does.
And how many media servers are there? The 2 other major offerings (Plex and Emby) don’t support OIDC either.
Plex does it’s own sauce and Emby doesnt support it. Authentik has a guide to implement it via LDAP.
And Jellyfin has a tech-debt history being forked from emby.
Stark contrast to newly developed projects which were started when SSO and OIDC wasbstarting to become popular.
Yeah, natively Jellyfin supports LDAP (1st party plug-in anyway), which means I can use my personal IdP to centrally manage accounts and it works across all their apps I’ve tried (as oppose to the OIDC plugin which seems to still break their apps).
I actually love when I run into an issue like that get an error. Researching that stuff is fun for me, but I think trying to get the average person to do it is a non-starter
Tailscale could probably be easier but I wanted to make it easy for my parents.
I was trying to set it up via Reverse Proxy in Caddy. My stupid NAS has proprietary software and the only way to do it is in Docker but their version of docker has some wonky issues with ports.
It’s been a few weeks since I’ve tinkered with it but I plan on pulling it up today. If I remember right, it works fine if I launch it as a singular container by itself, but if I launch it inside a container with multiple apps, it says the ports are in use. I verified that no other app is using the ports. I checked in the CLI and it says containers is using the port. Very weird.
Following tutorials and researching online had been helpful by my NAS uses QNAP’s QTS operating system. It locks you out of many basic functions. I can’t install apps outside of its App Store unless it’s in a docker container, for example.
Many command line functions have also been removed so when I’m troubleshooting or looking for alternate fixes, I’m blocked out.
I can use docker compose. I need them on the same container so they can see the other apps exist and direct traffic there. Or that I as my understanding.
I tried setting up Caddy on a separate container as Jellyfin but that didn’t work.
I need them on the same container so they can see the other apps exist and direct traffic there.
That’s only by default, since all apps in a container share a network. I got this working with my *arr stack using multiple containers by manually creating a shared network in the console, then adding that network to each compose file. Works like a dream.
It’s not easy trying to set up VPN or a reverse proxy, dynamic DNS and so on if you want secure access for more than yourself l, that is true. I hope they can figure out a way to make that process a lot easier.
Actually, using an LLM to walk you through the process of setting up jellyfin inside a docker container (and setting up the arr stack) and all of that makes things a lot easier than trying to figure it all out on your own.
That was a big reason I went with Emby. Not open source, but wasn’t necessary to me, and I wanted a cloud connect function that it handled well. And not all devices have a Jellyfin app that’s easy to install. My TV would require it to be rooted.
Setting up Jellyfin to be accessible outside of my home network has been a huge pain in the ass.
Not Jellyfin’s fault tho. I wish there was an easier way
Fair, but self hosting stuff has that part of self. It is difficult to make it easy for everyone since everyone has a different setup, as such it is mostly directed towards people who are expert in doing this kinds of things or who will dedicate the time to learn how to do it.
The good thing is after you spent a couple days trying to figure out how to make it work, it will work in the future and you already know how to setup more stuff.
It’s not directed towards people who are experts. I’m an expert and can’t secure Jellyfin properly because Jellyfin doesn’t support proper secure authentication.
Which authentication method are you wanting for it? I wouldn’t call myself an expert but my job stuck senior in front of my title a few years back.
Native OIDC/SSO support, allowing users to offload the authentication to a purpose built software.
Then don’t and do VPN?
I would rather just properly secure it like every other selfhosted service I have, and not have to manage a VPN client for every user who wants to connect to Jellyfin.
A security focused service vs a media consumption service competing for max security…
I wonder what would be the most successful at this task…
A security focused authentication service would be the most successful, straightforward, and simple to implement solution.
Unfortunately Jellyfin, nearly alone amongst its FOSS peers has not implemented support for these services. It’s the only one of my many dozens of selfhosted services that I can’t properly secure.
There are plugins for SSO.
There are 3rd party plugins for OIDC and I think LDAP is even first party.
The issue comes when intercepting the signin-progress with 1st party clients. Jellyfin (to my knowledge) doesnt support redirects/callbacks like a homeassistant companion app does.
And how many media servers are there? The 2 other major offerings (Plex and Emby) don’t support OIDC either.
Plex does it’s own sauce and Emby doesnt support it. Authentik has a guide to implement it via LDAP.
And Jellyfin has a tech-debt history being forked from emby. Stark contrast to newly developed projects which were started when SSO and OIDC wasbstarting to become popular.
Yeah, natively Jellyfin supports LDAP (1st party plug-in anyway), which means I can use my personal IdP to centrally manage accounts and it works across all their apps I’ve tried (as oppose to the OIDC plugin which seems to still break their apps).
Plugins for SSO and OIDC are not a solution as they will only work with the web clients, so that’s a non-starter.
Jellyfin can blame it on the tech debt all they want but implementing it really wouldn’t be that hard, they just haven’t prioritized it, simple as.
I actually love when I run into an issue like that get an error. Researching that stuff is fun for me, but I think trying to get the average person to do it is a non-starter
It is Jellyfins fault and there is an easier way, the Jellyfin team just hasn’t prioritized it.
I don’t mind paying a seedbox company to provide me with a box with qbittorrent and emby and other stuff I don’t use
I use tailscale and NPM to reverse proxy.
When I want to watch, I turn on the VPN and go to the app. Easy peazy
Tailscale could probably be easier but I wanted to make it easy for my parents.
I was trying to set it up via Reverse Proxy in Caddy. My stupid NAS has proprietary software and the only way to do it is in Docker but their version of docker has some wonky issues with ports.
Oh, I use caddy too. What gave you trouble?
It’s been a few weeks since I’ve tinkered with it but I plan on pulling it up today. If I remember right, it works fine if I launch it as a singular container by itself, but if I launch it inside a container with multiple apps, it says the ports are in use. I verified that no other app is using the ports. I checked in the CLI and it says containers is using the port. Very weird.
Following tutorials and researching online had been helpful by my NAS uses QNAP’s QTS operating system. It locks you out of many basic functions. I can’t install apps outside of its App Store unless it’s in a docker container, for example.
Many command line functions have also been removed so when I’m troubleshooting or looking for alternate fixes, I’m blocked out.
You nas doesn’t support docker compose? Its kind of the only reason why you’d want to have several processes on the same container.
Ps.: can you ssh in?
I can use docker compose. I need them on the same container so they can see the other apps exist and direct traffic there. Or that I as my understanding.
I tried setting up Caddy on a separate container as Jellyfin but that didn’t work.
That’s only by default, since all apps in a container share a network. I got this working with my *arr stack using multiple containers by manually creating a shared network in the console, then adding that network to each compose file. Works like a dream.
Would a docker-compose.yaml like this one work? https://privatebin.net/?1d1d30a1e92a974a#JDwvxcmJyjwmhir4YFvVrRGhn7fUJNqgTbrmgBYe1etC I just basically ripped that off my working setup. This sets up two containers that can see each other
It’s not easy trying to set up VPN or a reverse proxy, dynamic DNS and so on if you want secure access for more than yourself l, that is true. I hope they can figure out a way to make that process a lot easier.
Actually, using an LLM to walk you through the process of setting up jellyfin inside a docker container (and setting up the arr stack) and all of that makes things a lot easier than trying to figure it all out on your own.
Have to agree. I hate LLM but this is a good use for it.
Happy cake day! Thanks for the info!
That was a big reason I went with Emby. Not open source, but wasn’t necessary to me, and I wanted a cloud connect function that it handled well. And not all devices have a Jellyfin app that’s easy to install. My TV would require it to be rooted.