Jellyfin Forum
Question on HTTPS setup and security (it's working already, nothing broken)




Question on HTTPS setup and security (it's working already, nothing broken) - miso117 - 2024-03-05

Hi all, recent PLEX convert here. I know the popular solution is to use a reverse proxy with Caddy / Let's Encrypt... That being said, I have this working already but want to make sure it's really secure. Windows host machine/server using build 10.8.13. I was able to set up DDNS with a generated SSL certificate (part of a DDNS package I was already paying for, so I figured why not). I got the cert generated and imported into Jellyfin and everything is working. I can connect to my Jellyfin server externally over HTTPS in a browser and it shows secure. I have ports on my router open on 443, 80, and 8920, which all point back to the Jellyfin server. In the Jellyfin server's networking settings I have "Enable HTTPS" and "Require HTTPS" (the section where the cert is imported into) both checked off. I have not removed the HTTP port number (8096) from the sections where that is listed. I assumed it was not necessary because HTTPS is forced/required in the options above.

I CAN navigate to the server locally via browser/local IP and log in when trying to connect using port 8920, but there is the site not secure warning. Accessing via HTTP/8096 redirects me to the login page/HTTPS. Not too concerned about this.
I CAN navigate to the server via external IP address and port 8920. It allows me to log in, but again there is the site not secure warning. Trying to navigate to the external IP with HTTP/8096 refuses the connection. This is concerning to me.

My assumption is when someone connects to me externally, via URL, it is a secure connection and no ISPs can see what they're watching off me. Am I correct?

My second question is for the external connection by IP, if someone got the IP address and HTTPS port number and connected to that, would that be an insecure connection? How is the server letting a login happen? Is encryption not taking place anymore? Is there something wrong in the settings I should take a look at? 

I get that it's a stretch anyone would connect to me via direct IP, and have the login credentials to connect and stream something. I just worry about if there is a client/software connecting non-securely and an ISP being able to see the stream.

Thanks all for the time, and for helping a Jellyfin noob out!


RE: Question on HTTPS setup and security (it's working already, nothing broken) - TheDreadPirate - 2024-03-07

You are getting the warning on LAN because the cert is for the domain, but you are entering the LAN IP so there is a mismatch. This is fine.

It is highly recommended that you set up a reverse proxy to handle HTTPS due to how simple Jellyfin's HTTPS setup is. It is not hardened and is vulnerable to attacks that weaken HTTPS.

But from a mid-point sniffer, your connection is secure.
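
The name mismatch described in the reply above, as an added example that is not part of the original thread: a simplified sketch of how a client compares what was typed in the address bar against the names in a certificate. The hostname, IP addresses and SAN lists are constructed for illustration, and the matcher is a reduced version of the usual rules, not any browser's actual code.

```python
import ipaddress


def matches_san(target, dns_sans, ip_sans=()):
    """Return True if `target` (what the user typed) is covered by the cert's SANs."""
    try:
        ip = ipaddress.ip_address(target)
    except ValueError:
        ip = None
    if ip is not None:
        # IP literals are compared only against iPAddress SAN entries,
        # never against DNS names, so a domain-only cert cannot match an IP.
        return any(ip == ipaddress.ip_address(s) for s in ip_sans)
    host = target.lower().rstrip(".")
    for pattern in dns_sans:
        pattern = pattern.lower().rstrip(".")
        if pattern == host:
            return True
        # A wildcard is honoured only as the left-most label and covers one label.
        if pattern.startswith("*."):
            suffix = pattern[1:]  # e.g. ".example.org"
            label = host[:-len(suffix)] if host.endswith(suffix) else ""
            if label and "." not in label:
                return True
    return False


# Constructed sample: a DDNS-issued cert with one DNS SAN and no IP SANs.
CERT_DNS_SANS = ["media.example-ddns.test"]
CERT_IP_SANS = []


def browser_verdict(target):
    """TLS is negotiated either way; only the identity check differs."""
    if matches_san(target, CERT_DNS_SANS, CERT_IP_SANS):
        return "name matches certificate"
    return "name mismatch warning"


if __name__ == "__main__":
    # Domain, LAN IP and external IP (documentation ranges), all hitting the same server.
    for t in ["media.example-ddns.test", "192.168.1.50", "203.0.113.10"]:
        print(f"{t:26} -> {browser_verdict(t)}")
```
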


RE: Question on HTTPS setup and security (it's working already, nothing broken) - miso117 - 2024-03-08

Thank you for the answer. If I go ahead and set up a reverse proxy, will that invalidate what I have in place now? Would I essentially be starting from scratch with the domain you would navigate to, cert generation, etc? I am assuming YES.


RE: Question on HTTPS setup and security (it's working already, nothing broken) - TheDreadPirate - 2024-03-09

The domain and cert can be used with the reverse proxy. Having said that, Caddy significantly automates the process of acquiring and installing the cert. You would also TURN OFF HTTPS in Jellyfin since the reverse proxy would be handling HTTPS.

https://jellyfin.org/docs/general/networking/caddy/