Hi y’all, thanks for the help with my question yesterday. I did a bit of homework, and I think I’ve got things figured out. Here’s my revised plan:
-
configure a cron job to update DuckDNS with my IP address every 5 minutes
-
use ufw to block all incoming traffic, except to ports 80 and 443, to allow incoming traffic to reach Caddy
-
configure the Caddyfile to direct traffic from my DuckDNS subdomain to Jellyfin’s port
Does this seem right this time? Am I missing anything, or unnecessarily adding steps? Thanks in advance, I’ll get the hang of all this someday!
It’s honestly just a matter of how much risk you are comfortable with for using jellyfin on the open internet.
(If i remember correctly:) The unauthenticated routes thing can only be used for streaming your content without a login (if you can guess the contents ids on your server I believe).
In my opinion, it’s not worth the hassle of using a vpn because I don’t think this risk is worth mitigating with one.
But everyone has their own personal risk assesment of course.
P.s. Easier than a VPN, at least for logging in other users, would be to use some type of proxy authentication like Authelia. I believe jellyfin has a plugin you can use. It can be complicated to setup, but it’s an option. I believe it should protect all routes exposed by jellyfin so that solves the unauthenticated streaming issue. (I still dont think this is necessary but more choice for the risk-adverse!).
https://github.com/authelia/authelia