• 4 Posts
  • 239 Comments
Joined 3 years ago
cake
Cake day: June 22nd, 2023

help-circle












  • The nginx rce relied an a series of requirements that affect almost nobody. You had to be using a very specific module and processing a specific type of data reverse proxy was not affected.

    But regardless I get your point that anything can have an RCE. However as you say at the end in principle that does not mean you should just give up and expect external projects to handle your security. VPN is a great way to access your services and it is good defense and depth, but for the sake of being a successful project to the masses? It’s basically a dead end Road


  • I am aware that an rce is the worst possibility I’m saying it shouldn’t be. The web portion is already its own isolated binary that you have to install but it’s designed with seemingly very little attention to security.

    To the point that jellyfin has already had several major RCE and despite having full support for running over the web with http developers are basically just like you should not be using this without a VPN which is overall a pretty pathetic stance for a media server


  • This is the most hilarious lie I think I’ve seen in a while from open source on here. To be clear I use it as my daily driver, I switched off Plex a long time ago when I saw the writing on the wall.

    But I still have issues with media matching to this day, issues where subtitles on certain devices just refuse to display no matter what you do. And the server still loves to randomly take up absolutely massive amounts of memory for seemingly no reason whatsoever I ended up making a strip to just forcibly kill it and restart it every 12 hours to prevent it from eating the entire system’s memory.

    And no my file naming is not the media issue everything I do is properly named exactly as jelly fin documentation says it wants by sonarr. Not to mention you are expected to maintain a VPN system just for accessing your media away from home as the web interface is so hilariously unsecured as to be a constant source of major system vulnerability.

    It’s usable, but it’s not as just works as Plex I have thousands of TV shows, anime, and movies as in thousands of each of those categories and Plex never once failed to match to the correct media, never had a problem just playing subtitles on any client, and I think only ever had one major issue with the web interface in terms of security? There’s been lots of minor ones that would give people essentially just access to Plex but not the underlying system


  • The fact that’s needed at all is the problem. Developers need to stop making monolithic structures that have access to everything ever and putting it on the user to maintain to maintain a VPN network for security.

    There’s no reason I should not be able to just use an nginx reverse proxy for remote access to my jellyfin and have that be safe. It should at worst give people a copy of my media if there’s a security issue.

    Personally I went out of my way to make this be the case, i have my instance locked into an unprivileged lxc whitelist only on syscalls which took a while to figure out the minimum needed for function but I got there. The host System is using the hardened kernel from Upstream and a series of sysctl lockdowns for example P Trace is not allowed even if you are the root user.

    So I do indeed just nginx reverse proxy my instant because the worst case scenario even if they got complete shell access to the system they would be locked into an unprivileged container that had no access to any files other than my media files but the fact that I have to go to this level is already ridiculous