- cross-posted to:
- [email protected]
cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this by someone in my household who watches our server. That’s it, folks. I’ve been a holdout for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I’m unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don’t understand what plex pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality. I don’t care that “People should pay their fair share”. If Plex wants to put every new feature behind a paywall, that’s completely okay. They are removing functionality.
- “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
- “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that’s a separate conversation). All “remote streaming” is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.
In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.


Doesn’t jellyfin just not do this at all? Like if you want to stream remotely you need to figure out a vpn solution to do it?
You can stream remotely via jellyfin if you expose your server to the internet. VPN is safer but not the only option.
Yeah, no way. Jellyfin’s backend is like an open barn door. And with the kind of content most of us here offer through either Jellyfin or Plex, I wouldn’t want to open up like that.
Anecdotal but I’ve run Jellyfin publicly without any issues for around 5 years. It even has its own domain name.
Isn’t there an assumption it would be behind a reverse proxy… At least I hope that’s the assumption.
Doesn’t do shit when large parts of the backend are not authenticated.
What kinds of things?
I’ve never worried that much because it’s not critical data and it’s containerised in Docker, but I am curious about specifics because large numbers of people expose it to the internet (through reverse proxies).
https://github.com/jellyfin/jellyfin/issues/5415
Cheers for that. Many of these issues allow an authenticated user to do admin actions if they do the right things, so it seems you should never allow a user that you don’t fully trust to have an account.
But outside of this, there isn’t anything in there that on its own worries me given the nature of the platform (that is, that if it all burnt down I could retrieve all data from other sources). I’m no expert but a cursory look shows a bunch of potential issues that may be layered with other issues but no clear attack path except with prior knowledge.
These should obviously be fixed but there’s nothing that makes me want to rip my server off the open internet in a hurry.
Seems trivial to me for someone to guess file paths and use those to confirm if specific content is on a Jellyfin server. With how prevalent things like Docker and Sonarr are, file paths are pretty standardized these days. I wouldn’t trust JF without a VPN.
Very easy:
Or
Also Wireguard, which is what Tailscale uses.
Yeah, they both do. That’s a lot more manual though.
“Very easy” assuming you aren’t trying to share with non-technical people or your elderly parents.
I’ve walked them through using tailscale. You install it once and forget it.
How do I install it on my mom’s Chromecast or my sister’s LG TV?
Dude how the hell am I supposed to walk my mom through setting up tailscale on her Roku?
And what if you have multiple friends all sharing each others libraries?
This is not a feasible solution let alone a “very easy” one.
I was thinking a computer! Multiple people can connect to your tailscale and jellyfin at once. That’s not so much an issue. Other than that, there’s not so much more than installing the app and signing in with email or Google then sending them a link. I use a shared email and pass to speed up the process.
You completely ignored his question, Tailscale is not a valid solution for your mom’s Roku
Completely unreasonable to need to walk people through this. It’s OK to say jellyfin can’t do remote access.
Well, I never said it did out of the box. I was giving people the example of how I did it, in case they wanted an easy option for PCs. No offence meant, my friend.
You’re replying to a message that literally says that, so it makes you sound like you think Tailscale is somewhat integrated into Jellyfin, because the message originally said exactly that you needed a third party app to solve this issue in Jellyfin
Mate chill, I already implied I misunderstood and apologised. I’m human and allowed to make mistakes.
I used a reverse proxy just fine.
You’re 100% correct. I always find it funny how hardcore some people are with jellyfin vs Plex. I’ll probably end up getting downvotes on this but imo Plex is way simpler to setup and keep running, and as a lifetime pass owner, I’ve very rarely felt like my experience has been deteriorated by any of the changes that the jellyfin crowd freaks out about. Plus plexamp is honestly such a great music player. I’ll happily keep running Plex for the foreseeable future.
Ditto to all of this, except I don’t know anything about plexamp
If you have music on your server, I’d strongly recommend checking it out. I believe it was started as a side project by the Plex devs and it’s a way better music player than the one built into the Plex apps.
I appreciate this recommendation. I’ve been trying it out for like 5 minutes and I’m very impressed! This could be life-changing and lead to me axing Spotify. Thank you kind stranger!
Plex is more polished, but I love Jellyfin’s subtitle search; it blows Plex’s socks away.
Also, Jellyfin doesn’t nag me every effing time to enable DRM in Firefox for some unfathomable reason.
But Plex definitely wins on performance, IMO.
Set up Bazarr.
That’s correct
That is not correct. A VPN would be one method but you can also just expose the service to the internet in a number of ways and accomplish the same thing Plex provides.
You probably shouldn’t just expose jellyfin to the internet quite yet though. There are some ongoing efforts to fix unauthenticated endpoint problems.
‘Ongoing efforts’ is a funny way to phrase ‘refuse to fix’
To be fair, there has been very slow progress toward securing some endpoints. But yeah, I was probably being too charitable; the project places way too much emphasis on “backward compatibility” and not enough on security.
Not to be “achtuallying”, but a VPN is not a way to remote stream, it’s a way to bring remote clients into the local network.
Likewise, exposing services on the internet… not really going to happen, especially for people (like me) that run Plex/Jellyfin on their NAS.
I don’t have a horse in this race, I don’t use remote streaming, I only ever streamed from my NAS to my 2 TVs, and I am experimenting with Jellyfin. But for those who do need remote streaming, Jellyfin is going to be problematic.
That’s correct
Not necessarily a VPN, but you’re 100% on your own for security. When I used to run Emby, I had a whitelist of IPs, but this doesn’t work great since most ISPs rotate IPs over time, and if you’re on wireless it could change all the time.
Yeah a VPN isn’t “necessary”, but it’s the most straightforward way. Unfortunately it’s not really at all feasible for many people who currently play from other peoples plex libraries.
I use a non-rooted Docker container, a reverse proxy, and a Cloudflare domain. I know Jellyfin has some API security issues, but I’m still unconvinced that any of them can be used to escalate to any level that would threaten my server (or even my instance of Jellyfin).
They are not about escalating permissions but about unauthorized access to your library. As someone living in a country with professional piracy lawyers who go out and try to catch people in the act, I won’t open my server to that kind of risk.
I like Jellyfin being open source and all, but the maintainers made it clear that they prefer backwards compatibility with clients over fixing these issues.
Oh yeah I don’t buy the backwards compat stuff because you can version an API to preserve backwards compatibility to sensible ends.
I’d be very interested to see cases of streaming or copyright lawyers essentially hacking users to litigate them. The only stuff I’ve ever seen on snooping by corps on pirates is usually collecting PII from public sources like torrent clients without VPN coverage.
The alternative is that they just don’t care or are not capable of fixing it, despite numerous suggestions in the GitHub thread. Neither bodes well for the project, especially seeing as that ticket has been open and discussed for almost 5 years.
No. You have to expose your server to the internet in some way, but you don’t have to set up some sort of VPN. There are plenty of people who will tell you how awful of an idea it is, but if you make smart choices it’s not a big deal.
Well, as an application it has a huge attack surface, it’s also able to download stuff from the internet (e.g., subs), and many people run it on a NAS. I run Jellyfin in Docker. I didn’t do a security assessment yet, but for sure it needs volume mounts, and I’m not sure about what capabilities it runs with (surely NET_BIND, and I think DAC_READ_SEARCH to avoid file ownership issues with downloaders?). Either way, I would never expose a service like that on the internet.
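For what it’s worth, here is a constructed docker-compose fragment showing the kind of container settings the comment above is asking about. It is an added example, not taken from this thread or from the Jellyfin project; the `jellyfin/jellyfin` image, its default port 8096, the `/config`, `/cache` and `/media` mount points, and the host paths and uid/gid are assumptions for illustration. The idea is to run as an unprivileged user and drop every capability instead of granting DAC_READ_SEARCH, bind the service to loopback so only a reverse proxy or VPN on the host can reach it, and mount the media read-only:

```yaml
# Constructed example (not the project's own compose file). Host paths, uid/gid
# and the assumption that Jellyfin needs no capability on port 8096 (>1024) are
# illustrative; adjust ownership of ./config and ./cache to match `user`.
services:
  jellyfin:
    image: jellyfin/jellyfin
    # Unprivileged uid:gid that owns ./config and ./cache and can read /srv/media.
    # Fix file ownership on the host rather than relying on DAC_READ_SEARCH.
    user: "1000:1000"
    # No capabilities at all: 8096 is an unprivileged port, so NET_BIND_SERVICE
    # is not needed either.
    cap_drop:
      - ALL
    security_opt:
      - no-new-privileges:true
    volumes:
      - ./config:/config
      - ./cache:/cache
      # Library is read-only inside the container; a compromised Jellyfin
      # process can read but not alter or delete media.
      - /srv/media:/media:ro
    ports:
      # Loopback only: nothing on the LAN or internet reaches 8096 directly.
      # A reverse proxy (or a VPN/Tailscale endpoint) on the host fronts it.
      - "127.0.0.1:8096:8096"
    restart: unless-stopped
```

This only limits the blast radius if the container is compromised; it does nothing about API endpoints that are reachable without authentication through the proxy, which is the actual point being argued in this thread. Hardware transcoding would additionally need the `/dev/dri` device and its group passed in, which this fragment deliberately omits.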
This is also true about Plex which must also be exposed to the internet
No that’s the thing. Plex can also use their infra as a tunneling system. You can have remote streaming without exposing Plex publicly and without VPN. It is slow though.
Plex doesn’t even work properly unless you set it up with network mode host; otherwise it always considers your service to be remote because it’s not on the same network as anything you try to watch it from. Jellyfin requires a lot less access, and if you’re so worried about it you can add a Tailscale mod to the container and isolate it completely so it’s only accessible via Tailscale, similarly to what you think Plex is doing (which doesn’t harden security as much as you think).
I presume you mean running Plex in host namespace. I don’t do that as I run the synology package, but I can totally see the issue you mean.
Running in host namespace is bad, not terrible, especially because my NAS is on a separate VLAN, so besides being able to reach other NAS local services, it cannot do much. Much, much less risk than exposing the service on the internet (which I also don’t).
Also, this all is not a problem for me, I don’t use remote streaming at all, hence why I am also experimenting with jellyfin. If I were though, I would have only 2 options: expose jellyfin on the internet, maybe with some hacky IP whitelist, or expect my mom to understand VPNs for her TV.
Would be nice to elaborate on this. I think it reduces a lot of risk, compared to exposing the service publicly. Any vulnerability of the software can’t be directly exploited because the Plex server is not reachable; you need an intermediate point of compromise. Maybe Plex infra can be exploited, but that’s a massively different type of attack compared to the opportunistic, no-cost “run Shodan to check exposed Plex instances” attack.
Incorrect.