Plex has announced a massive price increase on the service’s Lifetime Plex Pass. On July 1, the lifetime subscription option will go from $249.99 to $749.99, an increase of 200%. The price hike will only apply to new subscribers, with no changes to monthly or annual subscription pricing.
I wish jellyfin and the apps could ship with something like wireguard setup by default so people that use the jellyfin apps could instantly watch media outside their house without learning what wireguard/tailscale is
The fact that’s needed at all is the problem. Developers need to stop making monolithic structures that have access to everything ever and putting it on the user to maintain a VPN network for security.
There’s no reason I should not be able to just use an nginx reverse proxy for remote access to my jellyfin and have that be safe. It should at worst give people a copy of my media if there’s a security issue.
Personally I went out of my way to make this be the case, I have my instance locked into an unprivileged lxc whitelist only on syscalls which took a while to figure out the minimum needed for function but I got there. The host system is using the hardened kernel from upstream and a series of sysctl lockdowns, for example ptrace is not allowed even if you are the root user.
So I do indeed just nginx reverse proxy my instance because the worst case scenario even if they got complete shell access to the system they would be locked into an unprivileged container that had no access to any files other than my media files but the fact that I have to go to this level is already ridiculous
It should at worst give people a copy of my media if there’s a security issue.
that’s not the worst possibility. the worst possibility is an RCE into your server.
Personally I went out of my way to make this be the case, i have my instance locked into an unprivileged lxc whitelist only on syscalls which took a while to figure out the minimum needed for function but
that’s a pretty exotic setup. Exciting, but for most people learning to manage a VPN is easier
I am aware that an rce is the worst possibility I’m saying it shouldn’t be. The web portion is already its own isolated binary that you have to install but it’s designed with seemingly very little attention to security.
To the point that jellyfin has already had several major RCE and despite having full support for running over the web with http developers are basically just like you should not be using this without a VPN which is overall a pretty pathetic stance for a media server
Recently nginx had an RCE, so if your web server interface has an RCE, it doesn’t matter if jellyfin code is top-notch, if you happen to use a proxy with RCE in front of it. Wireguard has never had an RCE and I’m relatively certain it never will, because I believe you must be in possession of some keys to go very deep in the wireguard code, which in itself is not a very large piece of code.
But yes, in principle I agree that we should code securely instead of depending on VPN to solve it for us, unfortunately it’s not the reality today. Memory safe programming languages help, but don’t completely protect against logic errors. VPN in general is pretty good for defence-in-depth.
The nginx RCE relied on a series of requirements that affect almost nobody. You had to be using a very specific module and processing a specific type of data; reverse proxy was not affected.
But regardless I get your point that anything can have an RCE. However as you say at the end in principle that does not mean you should just give up and expect external projects to handle your security. VPN is a great way to access your services and it is good defense in depth, but for the sake of being a successful project to the masses? It’s basically a dead-end road
there are a lot of us still on Plex that hadn’t reached the threshold of issues vs effort that would motivate us to migrate to something like jellyfin.
looks like we’ve arrived.
Why not run both? That’s what I do, then if Plex is an issue for someone I can make them a Jellyfin account
I have the lifetime pass, bought it for like $80 many moons ago.
looks like we’ve arrived.
Agreed, this is the tipping point. This is where we will see Plex start to abandon the lifetime pass in favor of “imaginary money line go up forever” subscriptions.
I already have a lifetime Plex pass so this isn’t an issue for me. 6 months from now when Plex decides my lifetime pass has a new expiry, then I’ll be motivated.
this exactly. I got a lifetime pass in the before times (pre-pandemic) back when they were $100 bucks ish, but I know it’s only a matter of time before they come for us grandfathered-in fools.
Never used Plex. Jellyfin has always met my needs, so I never bothered to try it.
Plex has been around quite a while longer than JF. Before JF, the only way to really have a “self-hosted Netflix” was with Plex, so there are a lot of us who built our long-standing media setups around that.
That said, I have a JF instance running and matched almost 1:1 with Plex specifically for this situation, so I’m going to start pivoting everyone to that as I wind Plex down.
Meh, I’ve used dlna with PS2 over 20 years ago. Not exactly the same, but for my needs essentially the same.
That’s an interesting method. I actually have a PS2 myself, running PSBBN. Maybe I’ll try that out.
There’s a great project called WatchState that allows you to sync show progress between JF and Plex. Highly recommend it for while you’re switching over.
Jellyfin isn’t great, but it sure doesn’t have this problem.
A gentle reminder that Jellyfin exists to those thinking of alternatives.
A gentle reminder that Jellyfin more or less requires you to set up a reverse proxy and a secure VPN to use it outside of your home.
Why would you not do that anyway?
Because if I’m watching locally I don’t need them, and if I’m watching remotely Plex already offers secure remote viewing 'out of the box'. They give every user an SSL certificate and a public accessible URL at app.plex.tv. They also handle secure user authentication. The new price is stupid, but Jellyfin is not a 1:1 replacement.
For free (FOSS), and is way better than Plex
If you use it weekly it shouldn’t be free to you, certainly if you use it more frequently than that. Give money to the projects you depend on or they will disappear.
You find a place on jellyfin.org where they take donations? I was looking last night and only found a link where you could contribute your time.
If you click through some of the options on this page: https://jellyfin.org/contribute/
It links to a donation option here: https://opencollective.com/jellyfin
Thanks!
Supporting software that you use by paying for it?
Ew.
/kidding
I’m a very happy lifetime membership owner and have zero problem with them removing features from the free version. Free doesn’t pay the bills unless you want to become the product.
If you ignore the mostly horrendous UI, the security problems, the worse transcoding performance, the harder setup, the difficulty to access it remotely in a safe way,… Yeah sure, way better
Plex doesn't have hardware transcoding unless you pay almost 800 euro
I, and I assume everyone on this forum who has one, paid around 50-100€ for their lifetime pass. My hardware encoding works great and doesn’t need me to tell it about each and every codec in existence and how to handle each one.
The new price is insane, but that was not the topic of this thread.
You are right, that is fair. You can also pay 230 euro currently for it.
The ui can be improved with community addons like moonfin but i agree it would be nice if they improved these out of the box
I couldn’t care less about the client design, since you have free choice there. If only the devs could be arsed to fix the issues that prevent me from just putting it behind a reverse proxy. If I could let people use it without exposing what is essentially an open door or forcing them to install a vpn, I would probably do that and slowly wean off Plex
This is a good illustration of the tradeoff of free software.
Jellyfin is core software, its mission is serving media, not providing auth or secure access. Those can be handled by other projects.
When you say “the devs can’t be arsed”, I think you’re misunderstanding that they won’t ever work on this, because that isn’t the model.
The tradeoff with “free” (both in terms of free speech and free beer) is that work you need to do yourself to connect those pieces.
Lol, what an insane take. EVERY project that exposes an API is responsible for securing that. It’s not rocket science, it’s server software 101.
Being free is not an excuse, especially when there are perfectly valid migration strategies, that don’t force them to abandon legacy clients.
Fans like you are the reason they get away with disregarding their basic responsibility
“Fans like you”?
Fuck off.
How are other projects going to handle using the Jellyfin app to log into Jellyfin? I don’t understand this. I see sentiments like this pretending Jellyfin is perfect like they don’t understand why people use Plex. I want to give my mom a URL that she can login to (or even better she gives me a code) after she downloads an app. What is the point of Jellyfin itself not handling this? It’s pointless. If I’m going to have a half baked server app, I might as well just use Kodi. They can be as stubborn as they want with this but people need these very basic things. I’d actually donate money to the project if they didn’t stubbornly REFUSE to do the main thing every Plex user wants. Other projects don’t need to do this. The Jellyfin developers need to. I first tried Jellyfin 6 years ago and this is STILL an issue and so I just stay on Plex because I’ve already got lifetime. I WANT to move to Jellyfin but I need to give normies access to my stuff and apparently that’s a wontfix for them?? I can host all this shit myself. I just need it all built in and for the apps to support it. I don’t think anyone is crazy to want this right?
You just give those people the name of the app you recommend (Jellyfin, Moonfin etc) and give them the URL and their username, then they create a password.
It’s not that difficult for most and if it is you help them once with it.
What the hell.
This is self hosted and you’re screaming about not having an easy button.
As I mentioned, jellyfin is not an auth platform, nor a reverse proxy. And they will never be. Build your own, there are many products out there. Or hire someone, Christ.
Either way, quit bitching, put on your adult pants and either add auth to jellyfin, use Plex, or shut the fuck up.
It’s not better in any way other than cost. That cost comes with massive drawbacks.
As someone who picked up lifetime for like $45 or whatever it was (I think a 50% off sale?) what must have been 15 years ago…
I run jellyfin. It’s just a better experience IMO.
I’m sorry but you can hate Plex and prefer jellyfin all you want, but you don’t have to lie. Nothing about jellyfin is a “better experience” than Plex.
What are some examples?
Jellyfin is easy to prove you are the owner of. While Plex has issues with that on systems like TrueNAS when you don’t have full access to the server
It doesn’t cost $750.
…to stream your own media, hosted on your own server 😅
Neither does Plex.
No you are right, it is 800 euro.
Don’t have to make an account, for starters. Gives you more detailed control of transcoding options, audio playback and whatnot.
The UI is worse, that much is true, but that’s not the end all be all of user experience.
Making an account is what allows the easy library sharing and remote streaming, something that Plex is significantly better than JellyFin at.
What transcoding options does it have that Plex doesn’t?
How is Plex significantly better than Jellyfin at those things? I can just create a user in 2 seconds on the admin dashboard for Jellyfin, set a temporary password and my friend can log in and change it to whatever they want.
I can even limit the streaming bitrate to the account if I need to avoid bandwidth issues.
Unless your user comes and logs in on your network, and only streams when they’re at your house, then you’ve just opened your server to the world.
Plex has bandwidth controls.
Tailscale and IP whitelisting are both viable options
They mentioned remote streaming which jellyfin doesn’t have a secure way to do by itself
Does Plex? Have they ever been security audited or are we just taking the word of closed source software because they make it easier? Like Microsoft who just got caught adding backdoors into billions of computers and (pick one) closed source software company who has had major security breaches in the last decade.
No, but that’s easy to setup with Tailscale or a myriad of other solutions for free.
My old kodi setup just works, year after year, and will work 10 years from now too…
Jellyfin has lots and lots of tutorials, fyi. it’s not as intimidating as it seems once you get going with it.
And Plex doesn’t require any. It’s okay to accept that one product can be more polished than the other, and Plex has a lot of stuff that “just works”
I install Jellyfin using docker, go to the web address, make the credentials for it and I am up and running.
For Plex you need to do that whole gain ownership song and dance which is a pain if you don’t have full console and file access like on TrueNAS.
Jellyfin also „just works“. Getting it going is just as simple as plex.
Have you tried Jellyfin?
This is the most hilarious lie I think I’ve seen in a while from open source on here. To be clear I use it as my daily driver, I switched off Plex a long time ago when I saw the writing on the wall.
But I still have issues with media matching to this day, issues where subtitles on certain devices just refuse to display no matter what you do. And the server still loves to randomly take up absolutely massive amounts of memory for seemingly no reason whatsoever. I ended up making a script to just forcibly kill it and restart it every 12 hours to prevent it from eating the entire system’s memory.
And no, my file naming is not the media issue; everything I do is properly named exactly as Jellyfin documentation says it wants by Sonarr. Not to mention you are expected to maintain a VPN system just for accessing your media away from home as the web interface is so hilariously unsecured as to be a constant source of major system vulnerability.
It’s usable, but it’s not as just works as Plex. I have thousands of TV shows, anime, and movies as in thousands of each of those categories and Plex never once failed to match to the correct media, never had a problem just playing subtitles on any client, and I think only ever had one major issue with the web interface in terms of security? There’s been lots of minor ones that would give people essentially just access to Plex but not the underlying system.
Plex doesn’t “just work”. I have lost access to my install more times than I can count due to their weird prove you are the owner system.
I’ll admit I haven’t really looked into it, but how is the Jellyfin web interface insecure? I don’t currently, but in the past I’ve used ssh reverse port forwarding to my VPS and then used an Apache proxy and letsencrypt for ssl on a subdomain. Maybe I was just lucky, but I never had any problems.
It has had a pretty high number of RCE exploits including one recently. The architecture of the web service is just very poor and leads to a lot of basic problems.
Personally I am not a fan of the language they chose, and I think it directly leads to a lot of these problems but that’s just like my opinion man.
The server itself also has tons of issues like the constant memory leaks that cause it to eat up endless amounts of memory that they don’t seem interested in fixing and basically once again push it to the users to deal with and a bunch of the boot lickers are like yeah you just need to put it in a Docker and limit its maximum memory as if that’s just normal and expected to need to do
Ah, yeah, guess I never realized it’s a .NET program. Never understood why an open source dev would choose .NET, but what can you do.
Also despise Docker (especially the modern over-reliance on it), but that always gets me into trouble when I admit that publicly.
I am right there with you on the docker hate. I get the idea, but the docker system itself is a huge problem. The amount of people that do not realize it completely bypasses system firewalls is very sad and unfortunate and leaves a lot of people vulnerable.
I personally try to use lxc containers that I set up myself for containerizing services and install them natively within the container
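An added example, not part of any comment in this thread: Docker publishes container ports through its own iptables rules, so host firewall rules on the INPUT chain (ufw, for instance) do not filter them. The Python below audits the output of `docker ps --format '{{.Names}}\t{{.Ports}}'` for ports published on all interfaces; the sample output, container names and ports are constructed for illustration.

```python
import ipaddress
from typing import NamedTuple

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output.
# Container names and port numbers are illustrative assumptions.
SAMPLE_DOCKER_PS = (
    "jellyfin\t0.0.0.0:8096->8096/tcp, :::8096->8096/tcp\n"
    "sonarr\t127.0.0.1:8989->8989/tcp\n"
    "db\t5432/tcp\n"
    "dns\t192.168.1.10:53->53/udp, 192.168.1.10:53->53/tcp\n"
    "proxy\t[::]:8000-8001->8000-8001/tcp\n"
)


class Publish(NamedTuple):
    container: str
    host_ip: str
    host_port: str  # a single port or a range such as "8000-8001"
    proto: str


def parse_publishes(ps_output):
    """Return every host-side port publish found in the docker ps output."""
    found = []
    for line in ps_output.splitlines():
        if not line.strip():
            continue
        name, _, ports = line.partition("\t")
        for entry in ports.split(","):
            entry = entry.strip()
            if "->" not in entry:
                # e.g. "5432/tcp": exposed by the image, not published on the host
                continue
            host_side, _, container_side = entry.partition("->")
            proto = container_side.rpartition("/")[2]
            # rpartition keeps IPv6 forms intact: ":::8096" -> "::" and "8096"
            host_ip, _, host_port = host_side.rpartition(":")
            found.append(Publish(name, host_ip.strip("[]"), host_port, proto))
    return found


def bind_scope(host_ip):
    """Classify the host address a port is bound to."""
    addr = ipaddress.ip_address(host_ip)
    if addr.is_unspecified:      # 0.0.0.0 or ::
        return "all-interfaces"
    if addr.is_loopback:         # 127.0.0.0/8 or ::1
        return "loopback"
    return "single-address"


def exposed_to_all(ps_output):
    """Sorted (container, host_port, proto) for publishes on every interface.

    IPv4 and IPv6 wildcard entries for the same port collapse into one finding.
    """
    hits = {
        (p.container, p.host_port, p.proto)
        for p in parse_publishes(ps_output)
        if bind_scope(p.host_ip) == "all-interfaces"
    }
    return sorted(hits)


if __name__ == "__main__":
    for container, port, proto in exposed_to_all(SAMPLE_DOCKER_PS):
        print(f"{container}: {port}/{proto} is published on all interfaces")
```

Publishing with an explicit address (for example `-p 127.0.0.1:8096:8096`) and fronting the service with a reverse proxy or VPN interface keeps the port off the wildcard bind.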
It has had a pretty high number of RCE exploits including one recently. The architecture of the web service is just very poor and leads to a lot of basic problems.
So they had an RCE that got fixed therefore the software is bad and insecure. Therefore every OS and basically any enterprise software that was ever used is insecure.
Got it.
That would be the case, however the devs’ official stance is it’s unsafe and should not be used other than over vpn. So they also agree
I have it running in parallel with Plex to keep an eye on its progress. There are a lot of things that do not just work. Hardware Encoding for example, or safe remote access
People who don’t know a lot of tech stuff can’t set it up to access while outside the house so I wouldn’t say it “just works”
And Plex doesn’t require any. It’s okay to accept that one product can be more polished than the other, and Plex has a lot of stuff that “just works”
And it is ok to accept that Plex is getting worse and worse. Only reason why ppl use it these days is because they still have an old lifetime pass. As soon as they take it away or introduce a new tier of features or even removing features of it, they will be swarming away from Plex.
And they will!
OC never said anything to do with your comment, you seem to be really offended by recommending an alternative to a tool that you use.
My comment wasn’t for you then, it’s for people curious in an alternative but may be hesitant. Some people enjoy learning new things.
Probably going to get hate for this. But I have easily gotten 750 dollars worth of value out of my lifetime subscription. I’m sure they are doing this to drive down lifetime subscriptions and increase month to month. But I legit think 750 over 20 years it’s still a legit price.
About $3/mo. But for a lifetime deal you’re also buying the risk. If they go bankrupt, stop honoring the lifetime deal, or any variation thereof tomorrow, you’re out $750 - lifetime deals, where they exist are often heavily discounted compared to normal rates due to this. 20 years is though quite a long time. Plex is only 16 years old.
In a perfect world a company would limit the amount of lifetime deals available and only have them in the beginning to get some quick cash allowing them to scale. I don’t think Plex is running a very good business, which also devalues the lifetime deal.
It’s probably about 800 euro, but that is still 800 euro more than Emby/Kodi/Jellyfin or whatever other alternative. I had a lot of issues with Plex due to them requiring that proof of ownership thing which didn’t really work on TrueNAS core I think it was?
Jellyfin is way easier imo
The Jellyfin vs Plex thing always struck me as odd. As in - why are we holding JF to a different standard to (say) Immich, Syncthing, Pi-hole or any one of a thousand different programs people self host?
Yes, JF ships multi-user accounts and client apps etc. I get it, “multi-use” is implied, so the comparison isn’t totally unfair. But there’s a difference between ‘this feature exists’ and ‘this is the primary purpose of the tool’.
The fact that you CAN share it externally doesn’t mean everyone running JF is doing that, or that it should be the benchmark the whole project is judged by.
To me, self host means “I host it, myself” not “I host it and then pretend to be Netflix for family and friends”. If that’s the use case, then of course, Plex away.
It’s cool that you CAN share JF externally, and it’s cool that Plex does that differently / better. We shouldn’t hold one to the standards of the other.
I’ve gotten my money’s worth out of the $74.99 I paid for Plex Pass Lifetime several years ago. If they ever get rid of my Plex Pass and try to say “Lifetime didn’t actually mean Lifetime”, I’ll be gone.
We’ve seen other companies pull this move by saying “lifetime” only applies to X version.
Except when I bought my lifetime it meant lifetime for the SERVICE, not the app…
Did it. I don’t remember it saying that. And I bought it around the same time as you since I paid the same price.
Sure, but that doesn’t mean Plex will do it.
While that’s true, it is in the standard VC playbook to make that move. Since they seem to be using that playbook, there will come a point in the monetization program where the lifetime membership becomes a blocker, which is overcome by diluting the lifetime account to increase the appeal of the subscription by comparison.
So, while nobody in here is named Nostradamus, it does not take a clairvoyance to see the future in this case. Countless other companies have followed this same program, with only minor variation, to extract revenue from the product like a strip mine. If I see 100 companies perform a 15-or-so step monetization spiral, it is not a leap of logic to think Plex is going to do steps 9-15 since we’ve just seen them do steps 1-8.
The lifetime membership will never be a blocker thanks to this price update.
I’ve never had a lifetime license be taken away other than the company going out of business.
No, they can’t just breach the contract you have with them, of course, but the VC playbook has a play for that.
What they will do is create a different service tier that does not include the same features as the standard or lifetime plans have. That tier will initially have some “value adds” that are of little interest to most users. Then, slowly, features will disappear from the other tiers, and a greater percentage of users will be drawn to that one because the “standard” one is increasingly lacking.
Eventually, Plex Standard will be quite anemic, with at least a couple must-have features available to only GigaPlex members. Because you’re a “valued lifetime customer”, you’ll get the option to convert your lifetime membership into 90-365 days of free GigaPlex.
So, Plex wins their game. The lifetime members practically all either switch to monthly premium service or leave, both of which are outcomes that are to their benefit. Nobody took away your lifetime membership, they just transformed it to garbage.
It’s not every company, but it is every company owned by venture capital.
I like to think I got my money out of mine as well, even though I only used it for like a year or two before switching to jellyfin.
I know that whales exist, but seriously… Who is into self hosting but also into dropping $750 on a service that can end on a whim?
They don’t want you to buy lifetime, they want you to pay month to month.
I think it is safer to say they don’t prefer it. If they didn’t want you to buy it at all, they could discontinue the offering today.
It’s like when a contractor quotes you a ridiculous price because they don’t want to do the work. They assume you are going to say no, they don’t want to do it. But if you say yes to their absurd price they are happy to take your money.
I “defend” plex against silly complaints, but jesus christ that is one giant leap for no gain. That’s stupid, no one will pay that - though I tend to think that’s the whole point.
I got this on Black Friday many years ago for ~70 and despite the pass I am slowly moving over to Jellyfin. I really don’t see how they came up with this valuation, seems like a last money squeeze before abandoning ship.
Everything changed when they signed that A24 deal, and it’s not even the good movies, it’s the shitty also-rans. They want revenue now.
I wish them luck, but it seems despite all the data collection they failed to understand who their customers are. Idgaf about their content, I block and remove it where I can. Instead now we have content that will not convince anyone to cancel their Netflix or HBO to move to them and I have a home server that barely runs anymore because the software is so bloated.
They don’t want lifetime licenses to sell, they want monthly subscriptions from everyone.
The company’s blog post also described a number of improvements they plan to make
After you pay: “oops, we won’t”
As a lifetime owner, the number of features they’ve deprecated is probably the worst part.
- Photo support (luckily Immich came along)
- Tidal integration (no idea if that was Plex or Tidal’s decision)
- Plugins (god forbid anyone add the functionality they keep removing)
It’s close between that and the last app overhaul that removed a bunch of functionality.
Watch Together isn’t removed, but it’s been deprecated and has stopped working on at least one platform (Chromecast).
Really shitty move to be removing/deprecating functionality and then asking for more money.
Fucks sake, when did that happen?
https://support.plex.tv/articles/watch-together/
February of 2025, looks like.
Just out of interest as someone who has recently set up a Jellyfin server - what’s the main “value add” of using Plex compared to Jellyfin?
It seems to do everything I want, so I’m not sure why people would pay for Plex over the FOSS version.
HDR, hardware transcoding, remote access.
My Jellyfin has all of these things.
Mine too. And I appreciates that.
Realistically the only advantage of Plex is being able to watch it over the internet without a VPN. Which means it makes it easier to get friends and family access to your server or to access it yourself from random smart tvs outside your house.
If you only watch at home or have a fire stick that you take with you to watch abroad or your friends/family members have one and can setup a VPN on it it’s not needed.
For me, the killer app for Plex is Plexamp, the music client. It’s superb, and AFAIK Jellyfin doesn’t really have an equivalent (there are 3P options, but they’re lacking).
For me (Android) I have used these:
- Finamp
- Default Jellyfin App
- Symfonium
And Symfonium can do many sources and is the most powerful.
Finamp is neat but couldn’t do casting to my soundbar via Google Cast.
Symfonium with Jellyfin all the way!
I have a navidrome server. Nothing, really nothing comes close to Plexamp and its features … sadly … but they all ain’t bad and got the basic stuff right
What features do you like? Not trying to convince you, I’m just curious.
Sonic Analysis and the amount of radios like style or mood radio for example.
I quote Plex here just because I’m lazy:
“Your Plex Media Server can perform a “sonic analysis” of your local music files to catalog detailed characteristics about the actual music itself. That data can then be used in a variety of ways, allowing you to see sonically similar artists/albums/tracks, play a Track Radio, or even suggest specific mixes for you, based on what you’ve already listened to.
It’s a powerful tool, allowing you to explore your music library in Plex like never before!”
It works quite impressive for my library.
Not the same person, but Plexamp uses plexs data / algorithms and had a way to create playlists and selected good songs. Hard to beat when not collecting data.
Are you accessing your media from outside of your network?
I have heard that you need to set up a VPN for Jellyfin to securely use your media library remotely. Plex handles all of that for me so that I don’t need to deal with it.
I have a jellyfin server set up that you access like this:
https://my.servername/jellyfin
Username and password is all you need aside from that. Apps for most platforms or access in a web browser.
Username and password is all you need aside from that.
The sad reality is that Jellyfin’s authentication system is insecure, and there are “anyone can view your content without a valid login” exploits that are not going to be patched. The only way to stop someone would be to include a secondary username+password on your reverse proxy, to prevent attackers from even reaching your Jellyfin login page. Because if you can reach Jellyfin’s login page, you can exploit it without logging in. But that would break basically everything except for web browsers, because none of the various apps have support for more than Jellyfin’s authentication.
I mean, that’s not great, but it’s also not very concerning to me. Like the risk of someone doing that, and the potential harm resulting seems minimal to me.
The problem is that every single person uses the Trash Guide to set up their system. And the guide includes instructions on how to set up your file names.
You’re correct that in isolation the risk is minimal. But nearly every setup is using the trash guide’s suggested naming scheme, which makes guessing it dead simple.
I’m not familiar with the trash guide. I set mine up with swizzin community edition.
Edit: either way though, what is the real risk? Someone streams your media without your permission?
either way though, what is the real risk? Someone streams your media without your permission?
I am outraged that someone would commit piracy on my pirated content!
Honestly, if someone is going through all that trouble then they’ve earned it… and it saves me the effort of needing to create them an account.
You do know that there are security issues with that, right? For example, if someone can guess your media files they can watch them https://github.com/jellyfin/jellyfin/issues/5415
Some of those aren’t great, but I don’t consider any of them critical in terms of risk. I understand that others may feel differently.
Agree, I don’t consider most of them a risk, but I do like to bring this to the attention of people who are exposing Jellyfin to the web so they can make an informed decision.
Thanks for this. There is a lot of apologia in the FOSS community, and Jellyfin fans are some of the worst. I have 100% seen comments along the lines of “lol I’ve had my Jellyfin port forwarded for years and I’ve been fine” as if it’s a valid security audit. The unfortunate fact is that Jellyfin is not secure, and the devs have openly stated that they have no intention of ever fixing these vulnerabilities. Because fixing them would require completely divesting from the Emby fork that the entire project was originally built on.
Jellyfin should never be available externally. And that means anything incapable of running a VPN will be incapable of connecting.
Yup, but all that being said I still run Jellyfin and have no intention of switching to Plex. And while I would like to see them fix these issues, I understand (in part) why they won’t and I’m okay with my tail scale setup. Also the vast majority of issues are very minor, but the ability to watch any media without login is so major that I think it’s worth bringing up every time someone mentions exposing Jellyfin online.
You should not expose a Jellyfin server to the open internet.
You should not expose a Jellyfin server to the open internet. You should not expose a Jellyfin server to the open internet if you don’t know what you’re doing.
FTFY
Please tell me, oh wise one, how do you fix the glaring security issues that are the reason even Jellyfin Stans admit that you should use a VPN?
Port forward, filter ips, take reasonable precautions on the trust of networks.
It’s not rocket science, as you mentioned in your other vitriol.
I think you don’t understand the nature of the exploit.
Anybody who can see the Jellyfin login page can use the Jellyfin server’s permissions to play media directly from your media library.
Port forwarding doesn’t matter. Jellyfin hosts on port 80/443 which you have to allow for the service to function. Most clients are on dynamic IPs or CGNATs so unless you’re going to manually change the IP filter for every single user every few days, IP filters are not a reasonable solution.
‘Take reasonable precautions on the trust of networks’ doesn’t even make sense. Your Jellyfin server is either available to the Internet or not available to the Internet. If you choose not to trust the Internet (the actual mitigation) then you obtain access to your Jellyfin server through a VPN.
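One way to check the VPN-only mitigation argued for in the comment above, as an added example that is not part of any poster's comment: audit the reverse proxy's access log for requests that arrived from outside the LAN or VPN and were not rejected. The nginx "combined" log format, the trusted ranges, the function names and the reading of 403 as "blocked by the proxy" are assumptions, and the log lines are constructed.

```python
import ipaddress
import re

# Assumed trusted sources: private LAN ranges, loopback, and 100.64.0.0/10,
# the range Tailscale assigns node addresses from. Adjust to your network.
TRUSTED_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "100.64.0.0/10", "127.0.0.0/8", "fd00::/8", "::1/128",
)]

# nginx "combined" format: client address, then the quoted request and status.
LINE_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) ')

def is_trusted(addr):
    """True if addr belongs to one of the trusted LAN/VPN networks."""
    ip = ipaddress.ip_address(addr)
    # Dual-stack listeners may log IPv4 clients as ::ffff:a.b.c.d.
    if ip.version == 6 and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return any(ip.version == net.version and ip in net for net in TRUSTED_NETS)

def external_hits(log_lines):
    """Return {client_ip: count} of requests from untrusted sources that
    were not answered with 403, i.e. that got past the proxy's access rules."""
    hits = {}
    for line in log_lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # not a combined-format line
        addr, _method, _path, status = m.groups()
        try:
            trusted = is_trusted(addr)
        except ValueError:
            continue  # first field was not an IP address
        if not trusted and status != "403":
            hits[addr] = hits.get(addr, 0) + 1
    return hits

# Constructed sample log; 203.0.113.0/24 and 198.51.100.0/24 are
# documentation ranges standing in for internet clients.
SAMPLE_LOG = [
    '192.168.1.20 - - [01/Jan/2025:10:00:01 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '100.101.102.103 - - [01/Jan/2025:10:00:05 +0000] "GET / HTTP/1.1" 200 1532 "-" "Mozilla/5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:01:12 +0000] "GET / HTTP/1.1" 302 0 "-" "curl/8.5.0"',
    '203.0.113.7 - - [01/Jan/2025:10:01:13 +0000] "GET / HTTP/1.1" 200 1532 "-" "curl/8.5.0"',
    '198.51.100.23 - - [01/Jan/2025:10:02:40 +0000] "GET / HTTP/1.1" 403 153 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for ip, count in external_hits(SAMPLE_LOG).items():
        print(f"{ip}: {count} request(s) served from outside LAN/VPN")
```

Any entry in the result means the server answered a client that did not come through the LAN or the VPN, so the proxy or firewall rules are not enforcing the intended boundary.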
What? How is port forwarding adding anything to security? How does blocking IP ranges help prevent attacks on the unsecured backend?
I do not, and don’t plan to. Probably wouldn’t be that hard to set up though as someone familiar with nginx.
I guess Plex uses their own VPN under the hood then to make it more convenient?
Yep, and it generally has fewer sharp corners. Like last time I checked, in order to set up quick sync, you have to manually check each codec you want to offload to hardware. And if you select one that isn’t supported by your hardware, you find out when you try to play that. So it means carefully cross-referencing with the Wikipedia page for your quick sync version. Plex just has an enable hardware transcoding check box and it figures it out for you.
There’s also some features like smart playlists that I remember needing to set up plugins for whereas Plex supports it out of the box.
Of course there are other things where jellyfin comes out ahead, like surround to stereo down mixing - I could never get the center channel (dialog) to be at a good volume when down mixed to stereo on my TV, but it just works and produces the correct volume in jellyfin.
But ultimately I think what causes all my users to prefer Plex is that the official app is polished and consistent across all platforms. The official jellyfin one looks like a programmer put it together with bootstrap components, and my favorite alternatives (like findroid) are in active development (I do donate on a reoccurring basis though in hopes that it reaches a level of polish matching Plex)
I don’t think transcoding is that difficult if you’ve already set up your own server. Like, that’s only a thing the admin would have to figure out and it’s a quick lookup.
I do agree with the client UI issue tho, and would like to add that the lack of a per-user watchlist is a pretty baffling decision given that it’s been widely requested for years and years and it would make it enormously more comfortable.
Wait, Jellyfin doesn’t have per user watch lists? Forget making it externally available to other people, this is something I need within my own household. I haven’t installed Jellyfin yet, but I had not anticipated this feature being absent. How do you work around it?
Roku app has a watchlist, but mostly I don’t bother to get around it or put it in a collection which is clunky as shit
It’s not, and I didn’t say it was hard. Just that it’s a sharp corner that jellyfin should fix if they want to make it as one click as Plex is. It’s another part of the setup where you have to pay attention and get every check box right or it’ll not work as intended. I found it annoying to have to look it up and I’ve been in software for 15 years. I don’t doubt that any newb would find it frustrating. I remember seeing that it was planned to have hardware transcoding codec support auto detected but IDK if that has happened yet.
It’s especially annoying because jellyfin doesn’t just copy the support matrix into their docs, and the one on Wikipedia is by processor generation codename, so you have to look up your processor and get the codename, then reference the Wikipedia table and go down each codec and not make a mistake. Even though it’s “not hard” I still go back to that section because I second guess that I checked everything right thinking that I’ve caused some issues with a mistake. It’s additional cognitive load that isn’t worth defending if you want jellyfin to be good.
Plexamp is just far superior for music. It doesn’t even come close sadly … since I only use it for my music collection I simply prefer Plex … but only because I got lifetime a long time ago for 60 bucks or something …
Ease of use, and actual secure and usable external access.
Friends/family make an account and tell you their account name or email address, you invite them to your library and that’s it, they can watch/listen to your media on pretty much any device they have. No VPN needed.
Jellyfin is not meant to be exposed to the internet for remote viewing. It also doesn’t have a client on most devices people use to watch tv/movies.
Huge disagree on the last part. Jellyfin has a bunch of Android, Roku, Google TV and PC clients. I struggle to think of a device me or my friends use that has a Plex client but not a Jellyfin one.
I’ve got a bunch of friends accessing my jellyfin server. It has clients for most devices now.
I didn’t say it’s not possible, I said it’s not secure and/or easy.
It’s definitely easy, and the secure part is debatable.
Doing it insecurely is easy.
The secure part isn’t debatable. Even the devs will tell you it’s not secure.
Secure isn’t a binary. Depending on your threat model, Plex is impossible to use securely!
I was Osama bin Laden and I can confirm that this is true.



















