Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
Assuming the user will not be connecting over vpn, but is both remote and non-technical, how would you expose Jellyfin to them securely?
Throw in port knocking for good measure.
You telling me jellyfin Clients can’t handle client certs but can port knock?
My proposal is for maxing ux on the client side while being properly hidden.
No you port knock first to open the ports. Then connect the client.
usually port knocking opens the relevant port to the client IP that is knocking. So it makes a lot of sense to have the knocking done by the requesting client. In many situations knocking from your mobile while behind the same NAT as your jellyfin client will do the trick, but if you have different IPv6 on those devices etc, it won’t.
Also: if you assume your DNS lookups are sniffed - so are your port knocks. If you don’t, spare the extra work. But then, if you like port knocking - keep knocking, nothing wrong about it :D
Could always get super complicated and rotate your port knocking so no replay attacks. But now we’re just getting silly :)