Assuming the user will not be connecting over VPN, but is both remote and non-technical, how would you expose Jellyfin to them securely?

  • nibbler@discuss.tchncs.de
    2 days ago

    If client certificates and basic auth are not supported by Jellyfin:

    1. reverse proxy
    2. strong random subdomain
    3. wildcard certificate
    4. TLS 1.3 only
    5. DoH/DoT only

    1-3 make random scanners unable to find your service, 4 & 5 even hide it from your ISP. The DoT/DoH service will still know your subdomain, so be your own DoT/DoH! :D

      • nibbler@discuss.tchncs.de
        1 day ago

        You telling me Jellyfin clients can’t handle client certs but can port knock?

        My proposal is for maxing UX on the client side while being properly hidden.

          • nibbler@discuss.tchncs.de
            15 hours ago

            Usually port knocking opens the relevant port to the client IP that is knocking. So it makes a lot of sense to have the knocking done by the requesting client. In many situations knocking from your mobile while behind the same NAT as your Jellyfin client will do the trick, but if you have different IPv6 on those devices etc., it won’t.

            Also: if you assume your DNS lookups are sniffed - so are your port knocks. If you don’t, spare the extra work. But then, if you like port knocking - keep knocking, nothing wrong about it :D

            • Dultas@lemmy.world
              6 hours ago

              Could always get super complicated and rotate your port knocking so no replay attacks. But now we’re just getting silly :)

    • Jason2357@lemmy.ca
      1 day ago

      I’m no expert, but an unguessable URL path is similar but not visible to DNS. Could do both.
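
Items 1-4 of the first reply combined with the unguessable path from the last one, as an added example that is not from any poster in this thread. It assumes nginx as the reverse proxy and Jellyfin on its default HTTP port 8096 on the same host; `RANDOM-LABEL`, `RANDOM-PATH`, `example.org` and the certificate paths are placeholders.

```nginx
# Added example. Hostname, path prefix, certificate paths and upstream
# address are placeholders / assumptions, not values from the thread.

# Catch-all server: a TLS handshake whose SNI is not the secret name is
# refused (ssl_reject_handshake, nginx >= 1.19.4), so a scan of the bare
# IP gets no certificate and no page.
server {
    listen 443 ssl default_server;
    listen [::]:443 ssl default_server;
    ssl_protocols TLSv1.3;
    ssl_reject_handshake on;
}

server {
    listen 443 ssl;
    listen [::]:443 ssl;

    # Item 2: long random label (placeholder).
    server_name RANDOM-LABEL.example.org;

    # Item 3: wildcard certificate for *.example.org, so the random label
    # itself is never published in Certificate Transparency logs.
    ssl_certificate     /etc/nginx/tls/wildcard.example.org.fullchain.pem;
    ssl_certificate_key /etc/nginx/tls/wildcard.example.org.key;

    # Item 4: TLS 1.3 only. The server name in the ClientHello is still
    # sent in clear unless the client uses Encrypted Client Hello.
    ssl_protocols TLSv1.3;

    # Unguessable path prefix. Assumes Jellyfin's "Base URL" networking
    # setting is set to the same prefix.
    location /RANDOM-PATH/ {
        proxy_pass http://127.0.0.1:8096;
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto $scheme;
        proxy_set_header Upgrade $http_upgrade;   # WebSocket support
        proxy_set_header Connection "upgrade";
    }

    # Right hostname, wrong path: close the connection without a response.
    location / {
        return 444;
    }
}
```

`nginx -t` validates the file before a reload. Jellyfin's own login remains the only authentication in this setup.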