Selfhosted

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS

I followed this video and modified some things like ports

for me i just needed a basic system so my family could share so I have it on my pc, then I registered a subdomain and pointed it to my existing ec2 server with apache using a proxy which points to my local ip and port then I opened the jellyfin port on my router

and I have certbot for my domain on ec2 :)

Jellyfin through a traefik proxy, with a WAF as middleware and brute force login protected by fail2ban

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

I don't use jellyfin but my general approach is either:

1. Expose it over a VPN only. I usually use Tailscale for this so that I can expose individual machines but you do you
2. Cloudflare tunnel that exposes a single port on a single internal machine to a subdomain I own

There are obviously ways to do this all on your own but... if you are asking this question you probably want to use one of those to roll it. Because you can leave yourself ridiculously vulnerable if you do it yourself.

Nobody here with a tailscale funnel?? It's such a simple way to get https access from anywhere without being on the tailnet.

I have had Jellyfin directly open to the Internet with a reverse proxy for years. No problems.

This is my setup.

collapsed inline media

Read more, here.

SWAG reverse proxy with a custom domain+subdomain, protected by authentik and fail2ban. Easy access from anywhere once it's set up. No vpn required, just type in the short subdomain.domain.com and sign in (or the app keeps me signed in)

For my travel devices, I use Tailscale to talk to the server. For raw internet, I use their funnel feature to expose the service over HTTPS. Then just have fail2ban watching the port to make sure no shenanigans or have the entire service offlined until I can check it.

I'm using a cheap VPS that connects over Tailscale to my home server. The VPS runs Nginx Proxy Manager, has a firewall and the provider offers DDOS protection and that's it.

I'm using jf on unraid. I'm allowing remote https only access with Nginx Proxy Manager in a docker container.

Synology worked for me. They have built in reverse proxy. As well as good documentation to install it on their machine. Just gotta configure your wifi router to port forward your device and bam you're ready to rock and roll

Tailscale + Caddy (automatic certificates FTW).

Is putting it behind an Oauth2 proxy and running the server in a rootless container enough?

VPN or Tailscale

We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place

Unifi teleport. A zero configuration VPN to my home network.

Synology with Emby (do not use the connect service they offer) running behind my fortinet firewall. DDNS with my own domain name and ssl cert. Open 1 custom port (not 443) for it, and that's it. Geoblock every country but my own, which basically eliminated all random traffic that was hitting hit. I've been running it this way for 5 years now and have no issues to report.

My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.