Yup the old one… here’s the new one too… still unaddressed
Nope. I don’t talk about myself like that.
Not without additional context it’s not… Is your service 8gbps? Do you have SLAs in place? Will your ISP send you hate mail after using a mere 10TB of data?
And yet most people will just type “facebook” into the omnibar in their browser and click the first result that google gives them.
Yes… A LOT, and I do mean a significant plurality… have no fucking clue what a URL is.
Last time someone was worried about the security, it was about knowing filenames of the stuff you host by brute forcing, IIRC.
Knowing (guessing) the file path allows them to access and stream the content. Meaning worst case scenario… Sony (the people known for putting malicious stuff on CDs) can probe your server, and prove the content is there because your server will return the movie file itself.
$165/mo. Under business contract.
Edit: No caps either… Last 30 days: 11TB download, 175TB upload.
https://blog.cloudflare.com/updated-tos
The proxy will auto-CDN content. You need to disable CDN in order to stay in line with the TOS. You can use one of the available rules to “fix” this… but this will already be so far over the general person’s head that it’s just better to tell people to not proxy the plex/jellyfin domain at all.
Feels good not being American.
Weird, I live in America, have 8gbps symmetrical and am not CGNATed. Odd for you to so blindly exclaim what you did.
setting it up with cloudflare
Don’t proxy the jellyfin domain through Cloudflare. They don’t like transiting video and will kill your account for it, especially if you’re just a free user.
I guess it is! Never saw that there… Bunch of clicks to get to it though. A link to a page is much simpler IMO…
My phone has that too… but only for the signed in network. Not for other networks that are saved on the device. I have a guest network that I shove guests on that have some restrictions (blocked from homelab network for the most part). I would need to swap to that network myself then click share…
You pull it up on another phone.
The owner pulls it up on THEIR phone, so you can just have the guest scan the QR code.
Edit: or my usecase would be to put it on a tablet that I have on a stand near the front door.
The endpoint issue exists in all builds. It would just have a different path in Windows because paths in Windows start with a drive letter.
https://github.com/jellyfin/jellyfin/issues/5415
The biggest issue is that the video stream endpoint is not auth’d. Meaning that if someone guesses the MD5 hash for a file in your library it will play. Sounds at first glance like it’s unlikely to matter. Except that the MD5 is generated based on the file’s filepath. So if you use standard naming conventions on paths that are common (/movies/Big Buck Bunny (2008)/Big Buck Bunny.mkv for example, being simple and easy), e.g. the defaults for a Docker container using the *arr suites, then it’s possible for a precompiled hash list to check for files against your server.
So now add a company like Sony: they can generate their whole library as a hash list, hit your server with millions of requests over the course of a couple of hours and map out how much of their content you have on your server. If any of it has never had a physical release (since you’re allowed to back up your own content) you’re completely fucked, and now will have to prove in court that you own ALL the content. And possibly… since it’s an open endpoint, it could be argued that you’re even distributing openly (though an unlikely argument… but do you really want to chance that?).
Ultimately if your setup is “Standard” you’re asking for a lawsuit.
Answers to “fix” this:
Map your paths in weird folders. Instead of /movies/<movie>, add in a folder like a GUID, so /eH4i67ZwByjLao3z7nHWKdS5ogysm68x/movies/<movie>. Make sure this occurs INSIDE your docker container if you’re using docker. Will break any precompiled hashes… though it’s possible to hit a collision and still be “found”.
Set up fail2ban or other brute force blocking technology on your reverse proxy.
Use a private network setup… whether VPN, SDN, whatever… tailscale, zerotier, etc… (This will break TVs that don’t have vpn capabilities)
Add another auth in front of Jellyfin. (This breaks ALL Jellyfin apps)
The real answer would be the developers closing the unauth endpoints… But it’s been an issue for over 4 years now… They’re not going to fix it anytime soon as they don’t want to “break compatibility”, which is a pretty dumb excuse IMO.
There’s another issue where you shouldn’t give accounts to people you don’t trust as one user can attack another user AFTER login. So make sure you trust everyone you let have access… they can screw with your profile and do stuff you might not expect.
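The “fail2ban on your reverse proxy” mitigation from the comment above, as an added example that is not part of the original thread: a small fail2ban-style detector run over constructed nginx access-log lines. It assumes the stream endpoint looks like /Videos/<id>/stream (an assumption, not taken from the thread), and flags any client that racks up `maxretry` 404s on that endpoint within a sliding `findtime`-second window, which is what a guessing run against a hash list looks like from the proxy’s side.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed nginx "combined" access-log sample, not real traffic. The
# /Videos/<id>/stream path is an assumed stand-in for the stream endpoint.
SAMPLE_LOG = """\
203.0.113.7 - - [10/May/2024:12:00:00 +0000] "GET /Videos/3f2a9c1e/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:12:00:01 +0000] "GET /Videos/7b0d44aa/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:12:00:02 +0000] "GET /Videos/91e6f0c3/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:12:00:03 +0000] "GET /Videos/c4d5e6f7/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
203.0.113.7 - - [10/May/2024:12:00:04 +0000] "GET /Videos/aa11bb22/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
198.51.100.5 - - [10/May/2024:12:00:05 +0000] "GET /Videos/5d2c7e11/stream HTTP/1.1" 200 52428800 "-" "Jellyfin/10"
198.51.100.5 - - [10/May/2024:12:01:00 +0000] "GET /web/index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.0.2.9 - - [10/May/2024:12:00:00 +0000] "GET /Videos/11111111/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
192.0.2.9 - - [10/May/2024:12:06:00 +0000] "GET /Videos/22222222/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
192.0.2.9 - - [10/May/2024:12:12:00 +0000] "GET /Videos/33333333/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
192.0.2.9 - - [10/May/2024:12:18:00 +0000] "GET /Videos/44444444/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
192.0.2.9 - - [10/May/2024:12:24:00 +0000] "GET /Videos/55555555/stream HTTP/1.1" 404 0 "-" "curl/8.6.0"
"""

# client ip, timestamp, request path on the stream endpoint, status code
LINE_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|HEAD) (/Videos/[^/\s]+/stream)[^"]*" (\d{3})')


def parse(log_text):
    """Yield (ip, timestamp, status) for hits on the stream endpoint only."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ip, ts, _path, status = m.groups()
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(status)


def find_guessers(log_text, maxretry=5, findtime=600):
    """Return the set of client IPs with >= maxretry stream-endpoint 404s
    inside any findtime-second window (same semantics as a fail2ban jail)."""
    recent = defaultdict(deque)   # ip -> timestamps of recent misses
    flagged = set()
    for ip, ts, status in sorted(parse(log_text), key=lambda r: r[1]):
        if status != 404:
            continue               # only misses count; real plays return 200
        window = recent[ip]
        window.append(ts)
        while (ts - window[0]).total_seconds() > findtime:
            window.popleft()       # drop misses older than the window
        if len(window) >= maxretry:
            flagged.add(ip)
    return flagged
```

With the defaults only 203.0.113.7 is flagged; 192.0.2.9 spaces its misses six minutes apart and never has five inside a ten-minute window, which is the same gap a real fail2ban `findtime` leaves.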
You assume that those links would work. Kids machines have DNS whitelists.
I’m not worried.
Oh man. I have an open minecraft server for my kids and their friends. Every few weeks I have someone show up to the server leaving notes or interacting with us trying to educate me on whitelisting.
I get more “educators” than I do bots. It’s actually quite annoying. I don’t know what accounts these kids log in with, you’re not educating me. The server is literally for 6-8 year olds. It’s been wiped 100s of times. I don’t care. Stop. The server is grief resistant anyway. And my ban list is long (and getting at least one longer). /little rant
LMFAO. And when I tell people to take care about leaving Jellyfin public with their open API endpoint issues… Yeah Sony WILL abuse your shit… They already do it.
I just want to point out one contradiction…
You mathed out how to maintain exactly a 1.0. But you asserted, “A closed group of users can all have a seed ratio above 1.0”
You didn’t show how this is possible.
I’ve only ever played borderlands solo…
Assuming I am from the US?
I mean… I’d like to see any law that can be construed that directly accessing a URL that’s unprotected is illegal. I’m not an expert in EU law on this for sure… but I’ve read many things pertaining to EU law and never found one that would lead me to believe otherwise.
Are you okay?
I didn’t compare mine to yours at all. You’re the one that said your 28 USD service was a better deal. YOU made the comparison. YOU asked for the details.