Progress so far - https://mander.xyz/post/47833580

My next objective is configuring Jellyfin for secure external access. It is fully operational on my LAN and is performing significantly better than the Windows instance I previously ran.

I have installed Tailscale on the Proxmox VE host shell to enable remote access and have also enabled multi-factor authentication on my proxmox account. While everything appears to be functioning properly, I am still relatively new to Tailscale and want to ensure I am implementing this securely.

My initial assumption was that I would also need to install Tailscale within the Jellyfin LXC container. However, I have encountered conflicting information suggesting this may introduce security concerns, particularly when dealing with container privileges and root access. As a result, I am uncertain whether this is the appropriate approach.

What is the recommended and secure method to provide external access to Jellyfin in this setup?

  • Decronym@lemmy.decronym.xyzBEnglish
    1·
    3 hours ago

    Acronyms, initialisms, abbreviations, contractions, and other phrases which expand to something larger, that I’ve seen in this thread:

    Fewer Letters More Letters
    DNS Domain Name Service/System
    LXC Linux Containers
    SSL Secure Sockets Layer, for transparent encryption
    TLS Transport Layer Security, supersedes SSL

    3 acronyms in this thread; the most compressed thread commented on today has 12 acronyms.

    [Thread #133 for this comm, first seen 4th Mar 2026, 10:50] [FAQ] [Full list] [Contact] [Source code]

  • baner@lemmy.zipEnglish
    1·
    11 hours ago

    You have 2 options:

    1 - Open up Jellyfin port (8093) in your router if you are not behind a cgnat and add a reverse proxy

    2 - Get a small vps and a domain, install a reverse proxy and use tailscale to connect the vps with your home server, point your domain to the vps and forward traffic to jellyfin.

    • NastyNative@mander.xyzOPEnglish
      1·
      6 hours ago

      I can open the required port without issue. However, I would like to further educate myself on reverse proxy configurations, as I believe this would be the most secure and appropriate approach. Thank you!

  • rtxn@lemmy.worldEnglish
    2·
    23 hours ago

    external access

    Do you want the Jellyfin server to be accessible from only within your tailnet, or anywhere from the internet?

      • rtxn@lemmy.worldEnglish
        2·
        22 hours ago

        Tailscale Funnel will let you expose a host to everyone on the internet. You’ll need the Tailscale client running on either the Jellyfin host or a reverse proxy pointing to it. Tailscale itself will act as a reverse proxy with TLS encryption, plus a DNS server.

        Exposing a service to the internet will always present some risk. You should definitely run your LXCs as unprivileged, unless needed otherwise, to mitigate the potential damage if an attacker escapes the container, or put the services in full virtual machines.

        • baner@lemmy.zipEnglish
          2·
          3 hours ago

          Just remember that using funnel for streamimg servicies it is against the toss.