2024-01-17, 06:14 PM
(This post was last modified: 2024-01-17, 06:14 PM by TheDreadPirate.)
(2024-01-17, 04:15 PM)SKECHER9 Wrote: I am trying to understand the ssl/tls process. It is new to me and if I get something wrong I'd appreciate being corrected.
Question 1: If I'm reading this right, your guide tells HAproxy plugin on the PFsense router to pass-through the whole request of "https://YOURJFDOMAIN.com" to the JF server, and the JF server handles everything for the TLS handshake?
I'd seen people give examples of having the reverse proxy service caddy and nginx (no clue if haproxy has similar function) in order to force proper security.
Reverse proxies, in general, handle the TLS handshake and pass the usually unencrypted request to the "upstream" server.
(1970-01-20, 05:45 PM)SKECHER9 Wrote: Question 2: Are there more benefits beyond forcing a more secure TLS handshake with HAproxy handling the tls handshake, or would there be other security concerns on the back end to the JF server?
Jellyfin is not hardened. It makes no claims at being secure.
The reason for using a reverse proxy is because there are exploits and attacks that target the TLS handshake process. Not necessarily Jellyfin itself. And the majority of proper reverse proxies/http servers are hardened against these handshake attacks. Additionally, Jellyfin provides no way to restrict what TLS/SSL protocols are allowed, what ciphers are allowed, or many many other TLS/SSL properties. But nginx/haproxy/apache/caddy allow you to restrict, for example, the version of TLS to 1.2 or newer. Or to only use ciphers that aren't vulnerable to attacks that weaken them. Or ciphers that are resistant to hypothetical future quantum computers.
The wiki for TLS has a section about security that provides some examples of security issues that Jellyfin has no way to mitigate without a reverse proxy.
https://en.wikipedia.org/wiki/Transport_...y#Security
Additionally, I wrote a guide to configure Apache and Nginx to only use the strongest, most secure, available encryption ciphers and protocols.
https://forum.jellyfin.org/t-apache-ngin...ls-ciphers
Jellyfin 10.10.3 (Docker)
Ubuntu 24.04 LTS
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
3x WD Red Pro 6TB CMR in RAIDZ1 (JF Library)
![[Image: GitHub%20Sponsors-grey?logo=github]](https://img.shields.io/badge/GitHub%20Sponsors-grey?logo=github)
Ubuntu 24.04 LTS
Intel i3 12100
Intel Arc A380
OS drive - SK Hynix P41 1TB
Storage
3x WD Red Pro 6TB CMR in RAIDZ1 (JF Library)
