this post was submitted on 19 May 2026
365 points (96.9% liked)

Selfhosted

50711 readers
611 users here now

A place to share alternatives to popular online services that can be self-hosted without giving up privacy or locking you into a service you don't control.

Rules:

  1. Be civil: we're here to support and learn from one another. Insults won't be tolerated. Flame wars are frowned upon.

  2. No spam posting.

  3. Posts have to be centered around self-hosting. There are other communities for discussing hardware or home computing. If it's not obvious why your post topic revolves around selfhosting, please include details to make it clear.

  4. Don't duplicate the full text of your blog or github here. Just post the link for folks to click.

  5. Submission headline should match the article title (don’t cherry-pick information from the title to fit your agenda).

  6. No trolling.

  7. No low-effort posts. This is subjective and will largely be determined by the community member reports.

Resources:

Any issues on the community? Report it using the report flag.

Questions? DM the mods!

founded 3 years ago
MODERATORS
ruud@lemmy.world
Loki@lemmy.world
CannaVet@lemmy.world
devve@lemmy.world
HybridSarcasm@lemmy.world
HybridSarcasm@lemmy.hybridsarcasm.xyz
365
Plex Announces Massive Price Hike on Lifetime Subscription Plans (www.ign.com)
submitted 2 days ago by inclementimmigrant@lemmy.world to c/selfhosted@lemmy.world
216 comments fedilink hide all child comments
 

Plex has announced a massive price increase on the service's Lifetime Plex Pass. On July 1, the lifetime subscription option will go from $249.99 to $749.99, an increase of 200%. The price hike will only apply to new subscribers, with no changes to monthly or annual subscription pricing.

you are viewing a single comment's thread
view the rest of the comments
[–] spizzat2@lemmy.zip 14 points 2 days ago (2 children)

Are you accessing your media from outside of your network?

I have heard that you need to set up a VPN for Jellyfin to securely use your media library remotely. Plex handles all of that for me so that I don't need to deal with it.

[–] electric_nan@lemmy.ml 4 points 2 days ago (3 children)

I have a jellyfin server set up that you access like this:

https://my.servername/jellyfin

Username and password is all you need aside from that. Apps for most platforms or access in a web browser.

[–] mic_check_one_two@lemmy.dbzer0.com 3 points 1 day ago* (last edited 1 day ago) (1 children)

Username and password is all you need aside from that.

The sad reality is that Jellyfin’s authentication system is insecure, and there are “anyone can view your content without a valid login” exploits that are not going to be patched. The only way to stop someone would be to include a secondary username+password on your reverse proxy, to prevent attackers from even reaching your Jellyfin login page. Because if you can reach Jellyfin’s login page, you can exploit it without logging in. But that would break basically everything except for web browsers, because none of the various apps have support for more than Jellyfin’s authentication.

[–] electric_nan@lemmy.ml 1 points 1 day ago (1 children)

I mean, that's not great, but it's also not very concerning to me. Like the risk of someone doing that, and the potential harm resulting seems minimal to me.

[–] mic_check_one_two@lemmy.dbzer0.com 2 points 1 day ago (1 children)

The problem is that every single person uses the Trash Guide to set up their system. And the guide includes instructions on how to set up your file names.

You’re correct that in isolation the risk is minimal. But nearly every setup is using the trash guide’s suggested naming scheme, which makes guessing it dead simple.

[–] electric_nan@lemmy.ml 3 points 1 day ago* (last edited 1 day ago) (1 children)

I'm not familiar with the trash guide. I set mine up with swizzin community edition.

Edit: either way though, what is the real risk? Someone streams your media without your permission?

[–] FauxLiving@lemmy.world 2 points 19 hours ago

either way though, what is the real risk? Someone streams your media without your permission?

I am outraged that someone would commit piracy on my pirated content!

Honestly, if someone is going through all that trouble then they've earned it... and it saves me the effort of needing to create them an account.

[–] Nibodhika@lemmy.world 8 points 2 days ago (3 children)

You do know that there are security issues with that, right? For example, if someone can guess your media files they can watch them https://github.com/jellyfin/jellyfin/issues/5415

[–] electric_nan@lemmy.ml 4 points 1 day ago (1 children)

Some of those aren't great, but I don't consider any of them critical in terms of risk. I understand that others may feel differently.

[–] Nibodhika@lemmy.world 2 points 1 day ago

Agree, I don't consider most of them a risk, but I do like to bring this to the attention of people who are exposing Jellyfin to the web so they can make an informed decision.

[–] mic_check_one_two@lemmy.dbzer0.com 1 points 1 day ago (1 children)

Thanks for this. There is a lot of apologia in the FOSS community, and Jellyfin fans are some of the worst. I have 100% seen comments along the lines of “lol I’ve had my Jellyfin port forwarded for years and I’ve been fine” as if it’s a valid security audit. The unfortunate fact is that Jellyfin is not secure, and the devs have openly stated that they have no intention of ever fixing these vulnerabilities. Because fixing them would require completely divesting from the Emby fork that the entire project was originally built on.

Jellyfin should never be available externally. And that means anything incapable of running a VPN will be incapable of connecting.

[–] Nibodhika@lemmy.world 1 points 1 day ago

Yup, but all that being said I still run Jellyfin and have no intention of switching to Plex. And while I would like to see them fix these issues, I understand (in part) why they won't and I'm okay with my tail scale setup. Also the vast majority of issues are very minor, but the ability to watch any media without login is so major that I think it's worth bringing up every time someone mentions exposing Jellyfin online.

[–] MaggiWuerze@feddit.org -3 points 2 days ago (1 children)

You should not expose a Jellyfin server to the open internet.

[–] non_burglar@lemmy.world 0 points 1 day ago (1 children)

~~You should not expose a Jellyfin server to the open internet.~~

You should not expose a Jellyfin server to the open internet if you don't know what you're doing.

FTFY

[–] MaggiWuerze@feddit.org 1 points 1 day ago (1 children)

Please tell me, oh wise one, how do you fix the glaring security issues that are the reason even Jellyfin Stans admit that you should use a VPN?

[–] non_burglar@lemmy.world 1 points 1 day ago (2 children)

Port forward, filter ips, take reasonable precautions on the trust of networks.

It's not rocket science, as you mentioned in your other vitriol.

[–] FauxLiving@lemmy.world 3 points 19 hours ago (1 children)

I think you don't understand the nature of the exploit.

Anybody who can see the Jellyfin login page can use the Jellyfin server's permissions to play media directly from your media library.

Port forwarding doesn't matter. Jellyfin hosts on port 80/443 which you have to allow for the service to function. Most clients are on dynamic IPs or CGNATs so unless you're going to manually change the IP filter for every single user every few days, IP filters are not a reasonable solution.

'Take reasonable precautions on the trust of networks' doesn't even make sense. Your Jellyfin server is either available to the Internet or not available to the Internet. If you choose not to trust the Internet (the actual mitigation) then you obtain access to your Jellyfin server through a VPN.

[–] non_burglar@lemmy.world 1 points 15 hours ago* (last edited 15 hours ago) (1 children)

No, I understand the nature of the unencrypted transport. I understand that the credentials are exchanged unencrypted (although the passwd isnt in plaintext, even on jellyfin). I also understand what is on the trusted network, my kid's subnet.

The mitigations are the following:

  • creds are unique to that user, and don't coincide with any other creds
  • IP is filtered at firewall level and also by acl policy at the threshold of the storage and data networks, so only the one single remote public IP is allowed to connect, and even then is approved for access only to jellyfin.
  • jellyfin has read-only access to media, so no user, including admin, can delete media.
  • jellyfin's watched state data is backed up every 30 min with fim watching for over 20% changes. If a massive change happens where suddenly it appears that someone marked 45 hours of shows watched or unwatched, I am notified.

Anybody who can see the Jellyfin login page can use the Jellyfin server's permissions to play media directly from your media library.

Correct, that's the idea and that's why the IP is filtered. When my kid's IP changes, his PC posts a notice to me about it, and I change the the fw rule. This happens once a year on average.

Your Jellyfin server is either available to the Internet or not available to the Internet.

Also correct, it is available to the internet, which from jellyfin's point of view is one single /32.

There is a body of suggested action to take in the interest of security that is repeated here and in other self-hosted spaces, and what you're saying is valid and sound advice. I want to acknowledge that I don't take your comment as wrong, it's very prudent for someone just getting into managing their own stuff.

However, security is my job, and I do take it seriously. And there are more ways than one to get it done.

I keep my data back ends on encrypted channels, backups on another, and I control very tightly what has access to everything else. The model I use is something like "zero trust", where I assume the clients even on my own network are malicious. In that context, extending my lan to a single remote lan on a single port isn't really much different than allowing an iot device I don't trust on my actual lan; it sees no other hosts but a gateway and whatever my acls allow it to.

So in the end, what can a device do at large on the internet to my jellyfin "network"? Nothing. What can a pwned device do on my kid's network with jellyfin? It can watch TV and movies, because the api calls from jellyfin clients to jellyfin front end are nondestructive.

[–] FauxLiving@lemmy.world 1 points 7 hours ago (1 children)

I work in security as well.

If you only have a single user that accesses via a single static IP then it isn't much of an issue to manually maintain an IP whitelist.

Allowing access to multiple users across many different networks, means that you're going to have to deal with their IP changing frequently often multiple times per day. You'd have to be available full-time to update your whitelist if done manually.

If you're going to run software on those machines to check for their public IP and report it to you (or a script you run) in order to update your firewall's whitelist then you could just as easily (or, I'd argue, more easily) run a Tailscale client on their machine and only give them access to Jellyfin via Tailscale's ACL.

I just mean that you can't simply put Jellyfin behind a reverse proxy and alter some port forwarding rules to protect against the argument injection vulnerability, since it executes the ffmpeg command as the Jellyfin's service account so it would have access to any file that that account could access (which should be limited to the container, but some people run it bare metal still).

Using a VPN is just easier to deal with, to me, than trying to allow any access from Internet IPs. The firewall can simply block everything from the Internet that isn't VPN traffic. This is especially true if you control all of the devices that will be connecting to your network.

All of my traffic, even LAN traffic, is on one VPN or another. Everything is done 'locally' on the VPNs regardless of where the device is located.

[–] non_burglar@lemmy.world 1 points 3 hours ago

I think we're arguing two sides of the same coin.

[–] MaggiWuerze@feddit.org 3 points 1 day ago

What? How is port forwarding adding anything to security? How does blocking IP ranges help prevent attacks on the unsecured backend?

[–] savvywolf@pawb.social 4 points 2 days ago (1 children)

I do not, and don't plan to. Probably wouldn't be that hard to set up though as someone familiar with nginx.

I guess Plex uses their own VPN under the hood then to make it more convenient?

[–] BakedCatboy@lemmy.ml 10 points 2 days ago (1 children)

Yep, and it generally has fewer sharp corners. Like last time I checked, in order to set up quick sync, you have to manually check each codec you want to offload to hardware. And if you select one that isn't supported by your hardware, you find out when you try to play that. So it means carefully cross-referencing with the Wikipedia page for your quick sync version. Plex just has an enable hardware transcoding check box and it figures it out for you.

There's also some features like smart playlists that I remember needing to set up plugins for whereas Plex supports it out of the box.

Of course ther are other things where jellyfin comes out ahead, like surround to stereo down mixing - I could never get the center channel (dialog) to be at a good volume when down mixed to stereo on my TV, but it just works and produces the correct volume in jellyfin.

But ultimately I think what causes all my users to prefer Plex is that the official app is polished and consistent across all platforms. The official jellyfin one looks like a programmer put it together with bootstrap components, and my favorite alternatives (like findroid) are in active development (I do donate on a reoccurring basis though in hopes that it reaches a level of polish matching Plex)

[–] Grapho@lemmy.ml 7 points 2 days ago (2 children)

I don't think transcoding is that difficult if you've already set up your own server. Like, that's only a thing the admin would have to figure out and it's a quick lookup.

I do agree with the client UI issue tho, and would like to add that the lack of a per-user watchlist is a pretty baffling decision given that it's been widely requested for years and years and it would make it enormously more comfortable.

[–] foggenbooty@lemmy.world 5 points 1 day ago (1 children)

Wait, Jellyfin doesn't have per user watch lists? Forget making it externally available to other people, this is something I need within my own household. I haven't installed Jellyfin yet, but I had not anticipated this feature being absent. How do you work around it?

[–] Grapho@lemmy.ml 1 points 1 day ago* (last edited 1 day ago)

Roku app has a watchlist, but mostly I don't bother to get around it or put it in a collection which is clunky as shit

[–] BakedCatboy@lemmy.ml 5 points 1 day ago* (last edited 1 day ago)

It's not, and I didn't say it was hard. Just that it's a sharp corner that jellyfin should fix if they want to make it as one click as Plex is. It's another part of the setup where you have to pay attention and get every check box right or it'll not work as intended. I found it annoying to have to look it up and I've been in software for 15 years. I don't doubt that any newb would find it frustrating. I remember seeing that it was planned to have hardware transcoding codec support auto detected but IDK if that has happened yet.

It's especially annoying because jellyfin doesn't just copy the support matrix into their docs, and the one on Wikipedia is by processor generation codename, so you have to look up your processor and get the codename, then reference the Wikipedia table and go down each codec and not make a mistake. Even though it's "not hard" I still go back to that section because I second guess that I checked everything right thinking that I've caused some issues with a mistake. It's additional cognitive load that isn't worth defending if you want jellyfin to be good.