Mine too. And I appreciates that.
- 0 posts
- 11 comments
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 10 hours
No, I understand the nature of the unencrypted transport. I understand that the credentials are exchanged unencrypted (although the passwd isn’t in plaintext, even on jellyfin). I also understand what is on the trusted network, my kid’s subnet.
The mitigations are the following:
- creds are unique to that user, and don’t coincide with any other creds
- IP is filtered at firewall level and also by acl policy at the threshold of the storage and data networks, so only the one single remote public IP is allowed to connect, and even then is approved for access only to jellyfin.
- jellyfin has read-only access to media, so no user, including admin, can delete media.
- jellyfin’s watched state data is backed up every 30 min with fim watching for over 20% changes. If a massive change happens where suddenly it appears that someone marked 45 hours of shows watched or unwatched, I am notified.
> Anybody who can see the Jellyfin login page can use the Jellyfin server’s permissions to play media directly from your media library.
Correct, that’s the idea and that’s why the IP is filtered. When my kid’s IP changes, his PC posts a notice to me about it, and I change the fw rule. This happens once a year on average.
> Your Jellyfin server is either available to the Internet or not available to the Internet.
Also correct, it is available to the internet, which from jellyfin’s point of view is one single /32.
There is a body of suggested action to take in the interest of security that is repeated here and in other self-hosted spaces, and what you’re saying is valid and sound advice. I want to acknowledge that I don’t take your comment as wrong, it’s very prudent for someone just getting into managing their own stuff.
However, security is my job, and I do take it seriously. And there are more ways than one to get it done.
I keep my data back ends on encrypted channels, backups on another, and I control very tightly what has access to everything else. The model I use is something like “zero trust”, where I assume the clients even on my own network are malicious. In that context, extending my lan to a single remote lan on a single port isn’t really much different than allowing an iot device I don’t trust on my actual lan; it sees no other hosts but a gateway and whatever my acls allow it to.
So in the end, what can a device do at large on the internet to my jellyfin “network”? Nothing. What can a pwned device do on my kid’s network with jellyfin? It can watch TV and movies, because the api calls from jellyfin clients to jellyfin front end are nondestructive.
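The watched-state check described in the comment above, sketched as an added example that is not part of the original comment or the commenter's actual setup: it compares two consecutive backups and flags a change above 20%. The snapshot format (a JSON object mapping item id to a played flag), the way the 20% is measured (fraction of items whose state differs), and all function names are assumptions.

```python
import json

THRESHOLD = 0.20  # the comment's "over 20% changes" trigger


def load_snapshot(text):
    """Parse one backup. Assumed format: JSON object of item id -> played flag."""
    data = json.loads(text)
    if not isinstance(data, dict):
        raise ValueError("snapshot must be a JSON object")
    return {str(k): bool(v) for k, v in data.items()}


def changed_items(previous, current):
    """Ids whose watched state differs, counting items added or removed."""
    ids = set(previous) | set(current)
    return sorted(i for i in ids if previous.get(i) != current.get(i))


def change_ratio(previous, current):
    """Fraction of all tracked items that changed between two backups."""
    total = len(set(previous) | set(current))
    if total == 0:
        return 0.0  # nothing tracked yet, nothing to alert on
    return len(changed_items(previous, current)) / total


def should_alert(previous, current, threshold=THRESHOLD):
    """True only when strictly more than `threshold` of the items changed."""
    return change_ratio(previous, current) > threshold


# Constructed sample data: ten episodes, two already watched.
PREV = load_snapshot(
    '{"ep01": true, "ep02": true, "ep03": false, "ep04": false, "ep05": false,'
    ' "ep06": false, "ep07": false, "ep08": false, "ep09": false, "ep10": false}'
)
NORMAL = dict(PREV, ep03=True)            # one more episode watched
EDGE = dict(PREV, ep03=True, ep04=True)   # exactly 20% changed
BULK = {k: True for k in PREV}            # everything suddenly marked watched

if __name__ == "__main__":
    for name, snap in (("normal", NORMAL), ("edge", EDGE), ("bulk", BULK)):
        ratio = change_ratio(PREV, snap)
        print(f"{name}: {ratio:.0%} changed, alert={should_alert(PREV, snap)}")
```
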
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
Calm down breh.
Nah.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
What the hell.
This is self hosted and you’re screaming about not having an easy button.
As I mentioned, jellyfin is not an auth platform, nor a reverse proxy. And they will never be. Build your own, there are many products out there. Or hire someone, Christ.
Either way, quit bitching, put on your adult pants and either add auth to jellyfin, use Plex, or shut the fuck up.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
Port forward, filter ips, take reasonable precautions on the trust of networks.
It’s not rocket science, as you mentioned in your other vitriol.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
“Fans like you”?
Fuck off.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
> You should not expose a Jellyfin server to the open internet.
You should not expose a Jellyfin server to the open internet if you don’t know what you’re doing.
FTFY
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
HDR, hardware transcoding, remote access.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 1 day
This is a good illustration of the tradeoff of free software.
Jellyfin is core software, its mission is serving media, not providing auth or secure access. Those can be handled by other projects.
When you say “the devs can’t be arsed”, I think you’re misunderstanding that they won’t ever work on this, because that isn’t the model.
The tradeoff with “free” (both in terms of free speech and free beer) is that work you need to do yourself to connect those pieces.
- non_burglar@lemmy.world to Selfhosted@lemmy.world • Plex Announces Massive Price Hike on Lifetime Subscription Plans • English • 2 days
We’ve seen other companies pull this move by saying “lifetime” only applies to X version.
Most cameras do not do the heavy lifting of face/person detection on hardware, they send the streams to some cloud for processing. Just be aware of that.