First things first, the setup is currently up and running. but i would like to modify it to use a reverse proxy through my personal domain.

Currently, i’m using an old pc with Truenas and a jail with jellyfin in it. i’m connecting to it with the free Fritz!Box VPN service.

but that’s stupid and slow. so i’ve bought a domain at godaddy.com. but i don’t understand the principle of whatever is managing the domain knowing the public IP-adress of my server. i’ve heard of Caddy, but it’s also running locally, so i don’t understand how i connect the pc to the domain.

if anyone could simplify this down for me, it’d be very helpful.

15 points
*

i don’t understand how i connect the pc to the domain.

Yeah, that’s the part where I think there’s some misunderstanding. You don’t “connect” the server to your domain. Instead, there is a Nameserver (most run by your registrar, GoDaddy) that hosts a list of DNS records, that you can edit, which point to IPs. So you need to edit those to point to your public IP (or set up stuff like DynDNS if your IP isn’t static) and once that’s doneand the port forwarding is also set up properly in the Fritz!Box you should be able to connect.

That said, what’s wrong with VPN? Particularly if you’re using Wireguard VPN, which was recently added to Fritz!Box, there shouldn’t be any performance differences. Plus, it would be safer than exposing services to the whole internet, doubly so if you’re not a networking expert.

permalink
report
reply
1 point

I‘m trying to set it up so i don‘t have to switch VPNs on my phone all the time. Also my Company IPad doesn‘t allow me to set up my own VPN connection.

permalink
report
parent
reply
9 points

I am not sure you should be connecting from a Company ipad to a Jellyfin server anyway. Well, unless its your own company I guess. Company IT may monitor what you are doing on it.

permalink
report
parent
reply
10 points

IT here. Confirming this is a bad idea, and we don’t like it.

permalink
report
parent
reply
8 points
*

Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

Fewer Letters More Letters
CGNAT Carrier-Grade NAT
DNS Domain Name Service/System
HTTP Hypertext Transfer Protocol, the Web
HTTPS HTTP over SSL
IP Internet Protocol
NAT Network Address Translation
SSL Secure Sockets Layer, for transparent encryption
VPN Virtual Private Network
nginx Popular HTTP server

[Thread #241 for this sub, first seen 25th Oct 2023, 10:45] [FAQ] [Full list] [Contact] [Source code]

permalink
report
reply
4 points

There’s plenty of reasons why you would not want to have a Jellyfin server be publicly available (even behind authentication). It’s simply not a well-secured system at this point (and may not get there for a long time, because it’s not a focus).

I strongly suggest keeping it accessed via VPN.

But note that VPN access is not necessarily any slower than “publicly” serving the HTTPs directly, at least not by much.

If you don’t already use Wireguard as the protocol, then maybe consider running a wireguard VPN instead, that tends to be quicker than classic OpenVPN.

And last but not least: a major restricting factor in performance of media servers from afar is the upload speed of your ISP connection, which is very often much lower than your download (100Mbit/10Mbit are common here, for example, so only 10% of the speed up than down).

permalink
report
reply
3 points

There’s a nice explanation of how caddy reverse proxies work here. https://caddy.community/t/using-caddy-as-a-reverse-proxy-in-a-home-network/9427

Essentially you setup your router to port forward any new incoming connections to Caddy, which then decides what to do with them according to the configuration (Caddyfile).

Even simpler: Your local network is like a castle, inside is a safe and secure place where your devices communicate freely. Your router is a firewall around the castle, by default it blocks incoming connections. This is good because the internet is scary. By port forwarding you allow a door in the firewall which leads to Caddy, which is like a guard. Caddy asks them what they want, and if they say e.g. jellyfin.example.com, then it sets up an encrypted connection with https to your local jellyfin server. If they want anything else they aren’t allowed in.

permalink
report
reply

It depends on what all you want to proxy in, if it’s just that one thing then it’s pretty simple to point a port inbound to a secure interface and call it a day.

For a more complete thing, an inbound proxy will take the requested domain coming into your front door and translate it to an IP/port combo on the inside. That way you can have several services behind the single IP. If you have a full gateway server setup in frontt of things something like HAProxy or squid can work and do SSL offloading for you. For a single server setup you might look at ‘nginx proxy manager’ (NPM) which gives an easy way to set up an inbound proxy plus it’ll manage getting certificates from let’s encrypt automatically.

I could help more fully but need a good bit more details to give some specific ideas.

permalink
report
reply
1 point

If I wanted to access my Jellyfin at home from a smart TV elsewhere, is that possible (securely)? Or would I need something that can run a vpn?

permalink
report
parent
reply
2 points
*

With the caveat that I’m presuming Jellyfin has a HTTPS interface, or you have a proxy in front of it to make one for it (I use Emby myself but I believe Jellyfin was a fork of it at some point) then yes, if the TV has an app for it you should be fine. HTTPS is as good on your server as anywhere else so long as it doesn’t have some implementation flaw. In fact it’s probably better to not have a VPN when streaming video just to avoid the extra overhead bandwidth a VPN tends to add on.

My only thought against having it on the public web would be the potential for brute force attempts on the login page. If it has a 2 factor option then great, or even if there’s some kind of lockout/throttling after too many wrong guesses. Even barring that though, a decent long pass should be good enough to dissuade anyone from wasting too much time trying to remotely get into a video box, not exactly a crown jewel target after all.

permalink
report
parent
reply

Selfhosted

!selfhosted@lemmy.world

Create post

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don’t control.

Rules:

  1. Be civil: we’re here to support and learn from one another. Insults won’t be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it’s not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don’t duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

Community stats

  • 4.2K

    Monthly active users

  • 3.7K

    Posts

  • 79K

    Comments