The nginx rce relied an a series of requirements that affect almost nobody. You had to be using a very specific module and processing a specific type of data reverse proxy was not affected.

But regardless I get your point that anything can have an RCE. However as you say at the end in principle that does not mean you should just give up and expect external projects to handle your security. VPN is a great way to access your services and it is good defense and depth, but for the sake of being a successful project to the masses? It’s basically a dead end Road

Actually, i mentioned the memory leaks as it’s been a consistent issue for years now. Again normal people cant and won’t setup special containers with memory limits as a crappy work around.

You may not like that i don’t blindly glaze jellyfin because it’s open source. However I’m just being realistic about what it needs to actually be a viable replacement for plex for the masses.

It needs to be able to match media properly, it still struggles with this even when you go out of your way to make sure the media is named in the exact manner the documentation dictates. It needs to be able to be used remotely simply through the web, having to set up a VPN is not a viable approach, it needs to be able to function long-term without eating up all the system’s memory and requiring regular restarts to prevent it from going out of control. Subtitles need to work on all clients, as it stands right now Roku subtitles are non-functional like 80% of the time no matter what you do, some TV browsers struggle with it as well.

I am sorry that that upsets you, but it is the reality and it is the reason the projects like these tend to mostly be used by the technically inclined. Including myself, I was able to put it in an unprivileged secured lxc container, so that I could use it through the web and set memory limits, but most people cannot and will not do that. I would prefer to see it be successful and be able to tell everyone never touch Plex again, but I know that telling people it’s ready to go while it has a myriad of basic issues is not helpful.

I am right there with you on the docker hate I get the idea but the docker system itself is a huge problem. The amount of people that do not realize it completely bypasses system firewalls is very sad and unfortunate and leaves a lot of people vulnerable.

I personally try to use lxc containers that I set up myself for containerizing services and install them natively within the container

Ok? I will take it like it is. Jellyfin is a flawed product not currently suitable to replace Plex for the average person and is only particularly usable by technically inclined users capable of protecting themselves through VPN or other means. As well as dealing with things like failed matched media and memory leaks that are frequent.

That is how it is, and that’s how I’ve been taking it from the start.

Once? No jellyfin has had about 4 major RCE issues since the fork. At least 4 that I’m aware of. Blaming it on the previous code only makes sense if the split is recent. They have had time to completely rewrite if they really want.

I’d like to see plex die entirely, but I know too many less technical people that use it . They are not going to set up a VPN , end of story end of discussion. And I’m not going to tell them to use jellyfin when it will likely continue to have major security issues and could compromise their systems. I have no doubt that Plex leadership is fully aware of this, they know that even with them pushing more subscriptions and higher costs they are going to continue to have users because the alternatives are just not able to keep up and are not viable for the average person just the technical users which they would have lost to alternatives regardless

That would be the case, however the devs official stance is it’s unsafe and should not be used other than over vpn. So they also agree

It has had a pretty high number of RCE exploits including one recently the architecture of the web service is just very poor and leads to a lot of basic problems.

Personally I am not a fan of the language they chose, and I think it directly leads to a lot of these problems but that’s just like my opinion man.

The server itself also has tons of issues like the constant memory leaks that cause it to eat up endless amounts of memory that they don’t seem interested in fixing and basically once again push it to the users to deal with and a bunch of the boot lickers are like yeah you just need to put it in a Docker and limit its maximum memory as if that’s just normal and expected to need to do

I am aware that an rce is the worst possibility I’m saying it shouldn’t be. The web portion is already its own isolated binary that you have to install but it’s designed with seemingly very little attention to security.

To the point that jellyfin has already had several major RCE and despite having full support for running over the web with http developers are basically just like you should not be using this without a VPN which is overall a pretty pathetic stance for a media server

This is the most hilarious lie I think I’ve seen in a while from open source on here. To be clear I use it as my daily driver, I switched off Plex a long time ago when I saw the writing on the wall.

But I still have issues with media matching to this day, issues where subtitles on certain devices just refuse to display no matter what you do. And the server still loves to randomly take up absolutely massive amounts of memory for seemingly no reason whatsoever I ended up making a strip to just forcibly kill it and restart it every 12 hours to prevent it from eating the entire system’s memory.

And no my file naming is not the media issue everything I do is properly named exactly as jelly fin documentation says it wants by sonarr. Not to mention you are expected to maintain a VPN system just for accessing your media away from home as the web interface is so hilariously unsecured as to be a constant source of major system vulnerability.

It’s usable, but it’s not as just works as Plex I have thousands of TV shows, anime, and movies as in thousands of each of those categories and Plex never once failed to match to the correct media, never had a problem just playing subtitles on any client, and I think only ever had one major issue with the web interface in terms of security? There’s been lots of minor ones that would give people essentially just access to Plex but not the underlying system

The fact that’s needed at all is the problem. Developers need to stop making monolithic structures that have access to everything ever and putting it on the user to maintain to maintain a VPN network for security.

There’s no reason I should not be able to just use an nginx reverse proxy for remote access to my jellyfin and have that be safe. It should at worst give people a copy of my media if there’s a security issue.

Personally I went out of my way to make this be the case, i have my instance locked into an unprivileged lxc whitelist only on syscalls which took a while to figure out the minimum needed for function but I got there. The host System is using the hardened kernel from Upstream and a series of sysctl lockdowns for example P Trace is not allowed even if you are the root user.

So I do indeed just nginx reverse proxy my instant because the worst case scenario even if they got complete shell access to the system they would be locked into an unprivileged container that had no access to any files other than my media files but the fact that I have to go to this level is already ridiculous

I mean some may be offering that but it means you can just rent a cheap. VPS and host your own

You won’t have to. Bitwarden is FOSS. The server is able to be self hosted so “migration” will just be you moving their account to the self hosted one if things go south

Bitwarden is completely FOSS, both client and server

Ah yeah, that’s how I handle piping audio in the Discord as well it is unfortunate that it can’t remember the connection

Your looking for easy effects. It plumbs into the system audio amd creates both a virtual out and input and has every filter you could dream of. I use it both for APO curves on my headphones and then noise removal, gate, and dessing on mic

Because propaganda has convinced people that a car is useless if it can’t go 300+mi AND only take a few minutes to be ready to do it again. Range anxiety, even though they only fill up maybe once a week and could easily charge an ev at home with just a standard outlet not even a special charger and keep up with their actual real daily use

Eh, i just use pubkey only Auth config (so password entirely disabled as an option) and put ssh on a non standard port to reduce script kid noise. (and no 2222 is not non-standard it may as well be the default)

Fail2ban triggers false too often for my taste in a high traffic environment.

If you ran nginx as a non privileged user it wouldn’t be able to bind to 80/443 as those are privileged ports. So you would need to use iptables to forward them to an unprivlaged port

I mean it WOULD work you would just need a von on every device you wanted to use.

The REAL answer is never host them DIRECTLY, always use a reverse proxy like nginx. Many projects (i believe jellyfin is one of them) explicitly recommend this for better security. Which it looks like you did so congrats

For extra bonus points you can setup nginx to run as a non privileged user and use iptables to forward the lower ports (80/443). A pain but closes out a large chunk of nginx as a risk.

https://spartanhost.org/ owner is super chill will make custom spec deployments and they actually have a really nice management panels with nice easy custom iso support