this post was submitted on 01 Apr 2026
703 points (98.9% liked)

Selfhosted

60253 readers
494 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

Detailed Rules Post

  1. Be civil.

  2. No spam.

  3. Posts are to be related to self-hosting.

  4. Don't duplicate the full text of your blog or readme if you're providing a link.

  5. Submission headline should match the article title.

  6. No trolling.

  7. Promotion posts require active participation, with an account that is at least 30 days old. F/LOSS without a paywall has exceptions, with requirements. See the rules link for details.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
ayyy@sh.itjust.works
curbstickle@anarchist.nexus
curbstickle_lw@lemmy.world
703
Jellyfin critical security update - This is not a joke (github.com)
submitted 3 months ago by Mubelotix@jlai.lu to c/selfhosted@lemmy.world
260 comments fedilink hide all child comments
you are viewing a single comment's thread
view the rest of the comments
[–] varnia@lemmy.blahaj.zone 28 points 3 months ago (2 children)

There is a good reason I only have Jellyfin and other services accessible via valid Client Certificate.

[–] daniskarma@lemmy.dbzer0.com 8 points 3 months ago (1 children)

Does it work with android and TV apps?

I tried long ago and failed.

[–] varnia@lemmy.blahaj.zone 14 points 3 months ago* (last edited 3 months ago) (1 children)

No, we only use Jellyfin via browser. Unfortunately even with imported Client Cert, Android apps won't work.

Edit: Client Certs need to be implemented per App. There is a feature request from 2022 https://features.jellyfin.org/posts/1461/capability-to-specify-client-certificate-for-android-client

[–] sudoMakeUser@sh.itjust.works 2 points 3 months ago (1 children)

Also interested how this works for mobile apps. I self host a number of services through caddy as my reverse proxy but each application is just dependent on it's own authentication. If I exposed all my services to the internet, that's a huge attack vector. If anyone else has some ideas I'd be happy to listen.

[–] daniskarma@lemmy.dbzer0.com 2 points 2 months ago

If you are the only user and don't need to use those apps in devices you don't own a vpn is the way to go.

If not. Depending the number of users you could do some heavy ip geoblocking to at least reduce the exposed surface.

There are a few services I have just like 3 IPs allowed to get a response from caddy, any other ip gets 403 error.