    Jellyfin local IP detection with Cloudflare

    nodiink
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2023 Oct
    Reputation: 0
    Country:Italy
    #1
    2023-10-03, 07:24 PM
    Hi all,
    I have a little annoying problem and I'm hoping someone can help me out.
    I have a server on which Jellyfin is mounted and I wanted to make it accessible to the outside, so as a first step I configured a proxy with nginx, fail2ban, opened my ports and used Cloudflare to have some additional protection. Then as a second option I opted for tunnels instead, so I have the cloudflared daemon installed on the Jellyfin server and so I was able to close the doors, which were causing me some concern.
    The problem with both ways is that it's annoying to constantly change the hostname on my mobile devices based on whether I'm home or not.
    Jellyfin seems to have a feature to understand if the accessed IP is local, but it doesn't work like Plex, and in my case it never sees me at home, because I go through Cloudflare and the IP it receives is its own. I found a way to get the "real" IP but it's still the public one.
    And I can't add the public domain into my DNS and point it to the local IP, because it gives me an error with a missing certificate, and it's not possible to get the one Cloudflare uses outward.
    I already know that I could solve it by removing Cloudflare from the equation (and maybe using Let's Encrypt), but not being an expert in security I would prefer to keep Cloudflare which makes me feel a little more secure.
    Does anyone know how I could solve this problem?
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #2
    2023-10-03, 07:48 PM
    The functionality you want, not having to change URLs to get local access, is incompatible with using cloudflared tunnels.

    If you DID NOT have cloudflared, many routers support a capability called "NAT Hairpin" or "NAT Loopback". If an outgoing request resolves to your WAN IP, your router will keep the traffic local instead of going out to the web and then coming back.

    Because your public facing access is through the cloudflared tunnel, with your domain pointing to cloudflare, any requests to that domain HAVE to go out to cloudflare before coming back.

    It sounds like you are already not using https. Even with cloudflared, your access to your jellyfin is only secure between your home and cloudflare. After it leaves cloudflare it is unencrypted.

    To get the functionality you want, you will need to stop using cloudflared.

    1) First determine if your router supports NAT hairpin/loopback. Without it, this isn't possible anyway.
    2) Get a cert, set up https in nginx.
    3) Turn off cloudflared and point your domain to your router's WAN IP.
    Jellyfin 10.10.7 (Docker)
    Ubuntu 24.04.2 LTS w/HWE
    Intel i3 12100
    Intel Arc A380
    OS drive - SK Hynix P41 1TB
    Storage
        4x WD Red Pro 6TB CMR in RAIDZ1
    bitmap
    Offline

    Community Moderator

    Posts: 792
    Threads: 9
    Joined: 2023 Jul
    Reputation: 25
    #3
    2023-10-03, 08:14 PM
    To add to this, using Cloudflare tunnels for a purpose like Jellyfin is against the Cloudflare TOS supposedly.
    Jellyfin 10.10.7 LSIO Docker | Ubuntu 24.04 LTS | i7-13700K | Arc A380 6 GB | 64 GB RAM | 79 TB Storage

    nodiink
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2023 Oct
    Reputation: 0
    Country:Italy
    #4
    2023-10-04, 07:07 AM (This post was last modified: 2023-10-04, 07:11 AM by nodiink. Edited 1 time in total.)
    (2023-10-03, 07:48 PM)TheDreadPirate Wrote: The functionality you want, not having to change URLs to get local access, is incompatible with using cloudflared tunnels.

    Sadly, not the answer I wanted but the one I expected. I've been searching online for days.

    (2023-10-03, 07:48 PM)TheDreadPirate Wrote: 1)  First determine if your router supports NAT hairpin/loopback.  Without it, this isn't possible anyway.

    I'm using pihole, and the idea was to put an A (or CNAME) record in the DNS settings. Is it enough?

    (2023-10-03, 08:14 PM)bitmap Wrote: To add to this, using Cloudflare tunnels for a purpose like Jellyfin is against the Cloudflare TOS supposedly.

    I have read various information on this point, and I have removed some features that should be problematic, such as page caching.
    Are you referring to this? Or are you referring to the use of jellyfin as a type of service?
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #5
    2023-10-04, 12:51 PM
    (2023-10-04, 07:07 AM)nodiink Wrote: I'm using pihole, and the idea was to put an A (or CNAME) record in the DNS settings. Is it enough?

    That might work.  Give it a try.  Worst that can happen is that you have to revert.

    (2023-10-04, 07:07 AM)nodiink Wrote:
    (2023-10-03, 08:14 PM)bitmap Wrote: To add to this, using Cloudflare tunnels for a purpose like Jellyfin is against the Cloudflare TOS supposedly.

    I have read various information on this point, and I have removed some features that should be problematic, such as page caching.
    Are you referring to this? Or are you referring to the use of jellyfin as a type of service?

    Video streaming through a cloudflare tunnel on a non-streaming tier is against their TOS.  It is rarely enforced, but we don't recommend risking it especially if you also have your domain registered with cloudflare.
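    Added example (not Jellyfin's code or the forum's): the client-address logic behind both the tunnel case in post #2 (the request reaches Jellyfin from cloudflared on the same host, carrying a public address in X-Forwarded-For, so the app sees "remote" even from the couch) and the Pi-hole idea in post #5 (a LAN record sends the phone to the local nginx, which forwards a LAN address, so the app sees "local"). It assumes the only trusted proxies sit on loopback and uses RFC 5737 documentation addresses as constructed stand-ins for public clients; the point for defenders is that X-Forwarded-For is only honoured when the TCP peer is a known proxy, otherwise any internet client could claim a LAN address.

```python
import ipaddress
from typing import Optional, Tuple

# Assumption for this example: nginx or cloudflared run on the Jellyfin host, so the
# only peers whose X-Forwarded-For header may be trusted are loopback addresses.
KNOWN_PROXIES = [ipaddress.ip_network("127.0.0.0/8"), ipaddress.ip_network("::1/128")]

# Ranges Jellyfin-style "is this client on my LAN?" logic should treat as local.
# RFC 1918, loopback and link-local only; documentation ranges deliberately count as remote.
LOCAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16",
    "fc00::/7", "fe80::/10", "::1/128")]


def _trusted(ip) -> bool:
    return any(ip in net for net in KNOWN_PROXIES)


def effective_client_ip(peer: str, xff: Optional[str]):
    """Address the application should attribute the request to.

    X-Forwarded-For is "client, proxy1, proxy2": walk it right to left, skipping
    trusted proxies, and stop at the first hop we did not add ourselves. If the TCP
    peer is not a trusted proxy the header is attacker-controlled and is ignored.
    """
    peer_ip = ipaddress.ip_address(peer)
    if not _trusted(peer_ip) or not xff:
        return peer_ip
    hops = [h.strip() for h in xff.split(",") if h.strip()]
    for hop in reversed(hops):
        try:
            hop_ip = ipaddress.ip_address(hop)
        except ValueError:
            # A trusted proxy should never send garbage; refuse rather than guess.
            raise ValueError(f"malformed X-Forwarded-For hop: {hop!r}")
        if not _trusted(hop_ip):
            return hop_ip
    return peer_ip  # every hop was one of our own proxies


def is_local(ip) -> bool:
    return any(ip in net for net in LOCAL_NETS)


def classify(peer: str, xff: Optional[str] = None) -> Tuple[str, str]:
    ip = effective_client_ip(peer, xff)
    return str(ip), ("local" if is_local(ip) else "remote")


if __name__ == "__main__":
    print(classify("192.168.1.20"))                          # phone on the LAN, no proxy
    print(classify("127.0.0.1", "198.51.100.7"))             # via cloudflared: public, "remote"
    print(classify("198.51.100.7", "192.168.1.20"))          # spoof attempt from the internet
    print(classify("127.0.0.1", "192.168.1.20, 127.0.0.1"))  # Pi-hole record -> local nginx
```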
    nodiink
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2023 Oct
    Reputation: 0
    Country:Italy
    #6
    2023-10-04, 02:41 PM
    (2023-10-04, 12:51 PM)TheDreadPirate Wrote:
    (2023-10-04, 07:07 AM)nodiink Wrote: I'm using pihole, and the idea was to put an A (or CNAME) record in the DNS settings. Is it enough?

    That might work.  Give it a try.  Worst that can happen is that you have to revert.

    (2023-10-04, 07:07 AM)nodiink Wrote:
    (2023-10-03, 08:14 PM)bitmap Wrote: To add to this, using Cloudflare tunnels for a purpose like Jellyfin is against the Cloudflare TOS supposedly.

    I have read various information on this point, and I have removed some features that should be problematic, such as page caching.
    Are you referring to this? Or are you referring to the use of jellyfin as a type of service?

    Video streaming through a cloudflare tunnel on a non-streaming tier is against their TOS.  It is rarely enforced, but we don't recommend risking it especially if you also have your domain registered with cloudflare.

    tyvm for the support

    Since my concern is security, besides a well-configured ssl-enabled reverse proxy and fail2ban, is there anything else that can easily be done to have more protection?
    TheDreadPirate
    Offline

    Community Moderator

    Posts: 15,375
    Threads: 10
    Joined: 2023 Jun
    Reputation: 460
    Country:United States
    #7
    2023-10-04, 03:02 PM (This post was last modified: 2023-10-04, 03:08 PM by TheDreadPirate. Edited 2 times in total.)
    Using a non-standard port helps hide your server from script kiddies and port scanning. Instead of using port 80 or 443, use something like 50443. Low effort script kiddies and port scanners will only scan common service ports and won't bother scanning EVERY port.

    Also, hiding available users from the Jellyfin login screen reduces the likelihood of an attacker locking an account before fail2ban triggers.
    nodiink
    Offline

    Junior Member

    Posts: 4
    Threads: 1
    Joined: 2023 Oct
    Reputation: 0
    Country:Italy
    #8
    2023-10-04, 03:10 PM
    (2023-10-04, 03:02 PM)TheDreadPirate Wrote: Using a non-standard port helps hide your server from script kiddies and port scanning. Instead of using port 80 or 443, use something like 50443. Low effort script kiddies and port scanners will only scan common service ports and won't bother scanning EVERY port.

    Also, hiding available users from the Jellyfin login screen reduces the likelihood of an attacker locking an account before fail2ban triggers.

    again, tyvm for your suggestions