What about exposing through Pangolin tunnel, Cloudflare Tunnel, Tailscale Funnel approach? Would that allow proper client access?
Same problem regarding security because if you leave it up to Jellyfin to do auth you are betting on the wrong horse. With Pangolin auth in front of it you have the same problem as before. Clients can’t handle the additional auth.
Or am I misunderstanding the concept of tunnels? I am using Pangolin as a reverse proxy with nice VPN management included. How do you do the Tailscale-style “connect this client to this network that has the Jellyfin server on it” thingy?
You have a VPS that relays the Pangolin tunnel and a reverse proxy serving the tunnel through a Cloudflare + fail2ban protected domain. It should be really cheap since the VPS only really runs for the initial auth and connection, and once in a while to update the tunnel IPs. You just give people a domain and a credential for the client.
It sounds complicated but isn’t really. I did it once but then returned to plain Tailscale since I don’t really share my server with many people.
I’m still not seeing how this solves the issue. You either use Cloudflare or your reverse proxy as the auth, which is secure but then people can only use your Jellyfin server through a web browser, or you publish actual Jellyfin and use its auth, but now you rely on its poor security.
Are you saying you integrate fail2ban with Jellyfin’s auth? If so that’s alright, but won’t stop anyone from using an exploit, just brute force attacks. I’m still also not sure why the VPS is required at all.
I am aware of how it works but have trouble setting my Pangolin up just like the Tailscale app to create this kind of network instead of just serving the content as a VPS via a URL.
Cloudflare doesn’t allow streaming large quantities of data through their tunnels. At least it’s against their ToS.
When set up with tunnels, Cloudflare doesn’t see any media traffic. Cloudflare only needs to serve the auth and handshakes. The actual traffic is IP to IP, TLS encrypted if you set up a domain correctly. Or just use something like Tailscale that sets up the certificates and domains for you.