Is my Jellyfin setup secure for internet exposure?

0
11
Asked By TechSavvy42 On

I'm running a Linux PC with Kubernetes, and I've deployed multiple apps on it, including Jellyfin. Here's my current setup for exposing Jellyfin to the internet: I'm using Cloudflare DNS (I bought a domain) leading to my router's public IP. In my router settings, I've set up port forwarding for 443, which then forwards to 192.x.x.x:30443. The 30443 port is the NodePort for my Traefik ingress controller, configured to only allow HTTPS connections. I'm also using an ingress resource with TLS (via cert-manager with Cloudflare DNS-01) to connect to the Jellyfin ClusterIP Service. Is this setup secure from a security standpoint? Thanks for any insights!

4 Answers

Answered By StreamerSafety On

You might want to check out Cloudflare Tunnels as a safer alternative to port forwarding. This way, you're not exposing your router directly.

UploadIssues -

I was going to suggest that too! But I've heard the Cloudflare tunnel has a 100mb upload limit, which isn't great for things like media uploads. Does this method allow for that or does OP's setup get around this?

MediaUser123 -

Yeah, their terms mention no media streaming over tunnels. They don't strictly enforce it but they could crack down and make it paid, which is a downside. Opting for direct port forwarding keeps you safe from that.

Answered By NetworkNerd99 On

Your setup looks pretty solid! Using TLS termination at Traefik with cert-manager is a good move, and Cloudflare's DNS-01 challenge means your certificates will auto-renew. Just make sure that Jellyfin is configured to allow connections only through the ingress, preventing direct access from your cluster network. It’s also wise to add some rate limiting rules in your Traefik config for sensitive endpoints since Jellyfin can be a target for brute force attacks. Don’t forget to check out Cloudflare’s extra security features like bot protection to beef up your defenses, especially if you're concerned about exposure.

SecureUser567 -

Thanks for the advice! I’ll definitely look into that. Just to clarify, why should Jellyfin only be accessible through the ingress and not directly from the cluster? Isn't it safer to access it via NodePort when I'm on my LAN?

HomeDevGuru -

It’s about minimizing attack vectors. If Jellyfin is only accessible via the ingress, you limit exposure and can control access better. But if it's directly reachable, there could be vulnerabilities that expose your setup.
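To make the two recommendations above concrete (rate limiting at Traefik, and reaching Jellyfin only through the ingress rather than directly), here is an added example set of Kubernetes manifests. This is not the OP's configuration or anything from the Jellyfin or Traefik projects; it assumes a namespace `media` for Jellyfin, a namespace `traefik` where the ingress controller pods carry the label `app.kubernetes.io/name: traefik`, a Jellyfin Service named `jellyfin` on its default port 8096, a cert-manager ClusterIssuer named `letsencrypt-cloudflare`, the hostname `jellyfin.example.com`, and a Traefik version that serves the `traefik.io/v1alpha1` CRD API (older v2 releases use `traefik.containo.us/v1alpha1`).

```yaml
# Added example manifests (not from the original thread). Assumed names:
# namespace "media", hostname jellyfin.example.com, ClusterIssuer
# "letsencrypt-cloudflare", Traefik pods in namespace "traefik" labelled
# app.kubernetes.io/name=traefik. Jellyfin's default HTTP port is 8096.
---
# 1. Traefik rate-limit middleware: caps each client source IP at an
#    average of 10 requests/second with a burst of 20. This throttles
#    credential-guessing against Jellyfin's login endpoint
#    (POST /Users/AuthenticateByName) without affecting normal streaming,
#    which is a handful of long-lived requests rather than many short ones.
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
  name: jellyfin-ratelimit
  namespace: media
spec:
  rateLimit:
    average: 10
    burst: 20
    period: 1s
---
# 2. The Ingress: TLS via cert-manager (DNS-01 against Cloudflare is
#    configured on the ClusterIssuer, not here), HTTPS-only entrypoint,
#    and the middleware attached. The middleware reference format is
#    <namespace>-<name>@kubernetescrd.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: jellyfin
  namespace: media
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-cloudflare
    traefik.ingress.kubernetes.io/router.entrypoints: websecure
    traefik.ingress.kubernetes.io/router.middlewares: media-jellyfin-ratelimit@kubernetescrd
spec:
  ingressClassName: traefik
  tls:
    - hosts:
        - jellyfin.example.com
      secretName: jellyfin-tls
  rules:
    - host: jellyfin.example.com
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: jellyfin
                port:
                  number: 8096
---
# 3. NetworkPolicy: only Traefik pods may open connections to the Jellyfin
#    pods. Any other pod in the cluster (a compromised app, a stray
#    NodePort Service someone adds later) is denied, so every request has
#    to pass the ingress and its middleware. Requires a CNI that enforces
#    NetworkPolicy (Calico, Cilium, etc.); with a CNI that does not, this
#    object is accepted but has no effect.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: jellyfin-from-traefik-only
  namespace: media
spec:
  podSelector:
    matchLabels:
      app: jellyfin
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: traefik
          podSelector:
            matchLabels:
              app.kubernetes.io/name: traefik
      ports:
        - protocol: TCP
          port: 8096
```

Apply with `kubectl apply -f` and confirm the policy is actually enforced by running a `curl` to the Jellyfin Service from a throwaway pod in another namespace; it should time out rather than return the web UI. Because the middleware annotation on an Ingress applies to all of its paths, a stricter limit on just the login endpoint would need a second Ingress (or a Traefik IngressRoute) scoped to that path with its own Middleware. Note that the rate limit is keyed on the client IP Traefik sees; behind Cloudflare's proxy that is Cloudflare's address unless Traefik is configured to trust the forwarded-for headers from Cloudflare's ranges.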

Answered By CloudyTechFan On

Why expose Jellyfin to the internet at all? Have you considered using Tailscale instead? It provides a more secure way to access your services without opening up ports externally.

Answered By CautiousWatcher On

Security is all about balance. Your current protections mainly include TLS and Jellyfin's authentication. It’s important to evaluate if you really need it accessible from the internet. Might be worth considering how essential it is to be exposed externally.
