+- Jellyfin Forum (https://forum.jellyfin.org)
+-- Forum: Support (https://forum.jellyfin.org/f-support)
+--- Forum: General Questions (https://forum.jellyfin.org/f-general-questions)
+--- Thread: I need help understanding port 80 security (/t-i-need-help-understanding-port-80-security)
I need help understanding port 80 security - NotReadyForThisJelly - 2024-03-25
Hi all,
I'm making the switch from Plex to Jellyfin. I've been getting up to speed for a few days now on public access security. It's the same story that's all over this and other forums, I share my media with direct family members outside of the home (who are not tech savvy enough/use devices that don't work with simple VPN tunneling)
I followed this guide https://www.reddit.com/r/jellyfin/comments/gdwe0s/windows_and_caddy_v2_reverse_proxy_guide/
And everything is working fine. I'm reasonably confident that I'm set up correctly and understand the general theory of placing the reverse proxy in front of my Jellyfin server so that communication is public-->https data-->reverse proxy-->http data only accessible internally -->Jellyfin
Except for the following two questions:
In my router, I've forwarded port 80 (http) and port 443 (https) to Caddy.
Question 1: What keeps someone from connecting to Caddy through port 80 on an unsecured connection? In my mind this would create this situation: Public Port 80 --> http data accessible anywhere --> reverse proxy --> http data only accessible internally --> jellyfin
Won't the Caddy reverse proxy be sending publicly available unencrypted potentially vulnerable Jellyfin information?
Question 2: Is there a problem with closing port 80?
Since I only want to allow secure connections anyway, after I finished setup I went back into my router and deleted the rule forwarding port 80, and only left port 443 open. I checked this with a port checker tool to make sure it had taken effect, and then I used an offsite computer to connect to Jellyfin and it still functioned correctly using my duckdns domain, defaulting to https://mydomain.duckdns.org.
Since it's working I'm tempted to leave it closed but I suspect that this might eventually cause issues with my LetsEncrypt certificate, but I'm a neophite when it comes to needing https certificates so I just have no idea.
Thank you for any insights you can provide,
RE: I need help understanding port 80 security - TheDreadPirate - 2024-03-25
(2024-03-25, 06:12 PM)NotReadyForThisJelly Wrote: Except for the following two questions:
In my router, I've forwarded port 80 (http) and port 443 (https) to Caddy.
Question 1: What keeps someone from connecting to Caddy through port 80 on an unsecured connection? In my mind this would create this situation: Public Port 80 --> http data accessible anywhere --> reverse proxy --> http data only accessible internally --> jellyfin
Won't the Caddy reverse proxy be sending publicly available unencrypted potentially vulnerable Jellyfin information?
According to Caddy's docs, it automatically redirects http requests on 80 to https requests on 443 when https is active.
https://caddyserver.com/docs/automatic-https#overview
So that shouldn't be a concern.
(2024-03-25, 06:12 PM)NotReadyForThisJelly Wrote: Question 2: Is there a problem with closing port 80?
Since I only want to allow secure connections anyway, after I finished setup I went back into my router and deleted the rule forwarding port 80, and only left port 443 open. I checked this with a port checker tool to make sure it had taken effect, and then I used an offsite computer to connect to Jellyfin and it still functioned correctly using my duckdns domain, defaulting to https://mydomain.duckdns.org.
Since it's working I'm tempted to leave it closed but I suspect that this might eventually cause issues with my LetsEncrypt certificate, but I'm a neophite when it comes to needing https certificates so I just have no idea.
Thank you for any insights you can provide,
The "challenge" during the cert request/renewal process has to occur on port 80. No way around that. If you close port 80 you would have to remember to open it before your 90 day cert expires, renew your cert, then close it again. Repeat 80-90 days later.
RE: I need help understanding port 80 security - NotReadyForThisJelly - 2024-03-25
Thanks for the clarity of your response DreadPirate, and all your many responses on these forums. You've been a tremendous help to me even before this response.
I suspected that was probably the case about the certification renewal.
Good to know about the Caddy redirect. I'll do some "peace of mind" testing about that to make sure it redirects consistently and then most likely reopen port 80 permanently to avoid the hassle of manually reopening every few months.
Thanks again.