cross-posted from: https://poptalk.scrubbles.tech/post/2333639
I was just forwarded this someone in my household who watches our server. That’s it folks. I’ve been a hold out for a long time, but this is honestly it.
They want me to pay to stream content that I bought from my hardware transcoded also on my hardware.
I’ll say it. As of today, I say Plex is dead. Luckily I’ve been setting up Jellyfin, I guess it’s time to make it production ready.
Edit: I have a Plex Pass. More comments saying “Just buy a plex pass” are seriously not getting it. I have a Plex Pass and my users are still getting this.
And for the thousandth person who wants to say the same things to me:
- YES I know I’m unaffected as a Plex Pass owner.
- My users were immediately angry at it, which made me angry. Our users don’t understand what plex pass is, and they shouldn’t have to, that’s why I had it. The fact that they were pinged even though it should have kept working is horribly sloppy
- Plex is still removing functionality.  I don’t care that “People should pay their fair share”.  If Plex wants to put every new feature behind a paywall, that’s completely okay.  They are removing functionality.
- “But they have cloud costs”. Remote streaming is negligible to them. It’s a dynamic DNS service. Plex client logs in, asks where server is, plex cloud responds with the IP and port of where server is located. That’s it.
- “Good luck finding another remote streaming” - Again, Plex just opens up an IP and port. Jellyfin also just opens up an IP and port (Hold on jellyfin folks I know, security, that’s a separate conversation). All “remote streaming” is is their dynamic dns. Literal pennies to them. Know what actually is costing them money? Hosting all of that ad-supported “free” content that they’re probably losing money on.
 
In short, I don’t care how you justify it. Plex is doing something shitty. They’re removing functionality that has been free for years. I’m not responding to any more of your comments repeating the same arguments over and over.


Jellyfin has some security issues that, depending on who you ask, are either critical vulnerabilities that make it completely unsafe to expose to the Internet or largely unconcerning for regular users.
I’m not overly concerned about my instance running behind a reverse proxy. Perhaps I am just naive…
Honestly yeah. The Jellyfin Backend is basically unauthenticated for a large part, allowing anyone to map and stream your content as soon as they guessed the ids, which isn’t that hard, since they are based on the paths on your device. So if your movie sits in /mnt/media/movies/the_bee_movie that is pretty esay to guess and calculate the id from, allowing anyone to stream that content from your server
if you reverse proxy (w/ proper headers etc.) into a VPN this isn’t an issue
The magic bullet in that sentence is VPN not reverse proxy
im aware, but the inconvenience of all users connecting to the VPN was mentioned. that’s unnecessary this way
And apart from an undesirable bandwidth usage resulting from someone guessing their way to my file structure, how can this be used to compromise my server?
They can stream content from your server or map out what you have on there by using a rainbow table. Depending on the country you live in they can and will use that combined with your IP to start litigating you
My question is, where are you posting the address to your jellyfin server that someone who finds it will go through the trouble of even doing this?
Also how could they start litigating you based on the content you have? If I had illegal content on my server, I would be really dumb to expose it on the internet on a public jellyfin server. Otherwise my movies, tv, etc are my paid for content…
You don’t need to post it. Bots are scanning every ip, 24/7, looking for servers to infect, endpoints to abuse and data to extract.
Go set up a ssh tarpit on your server and watch the flies drown in it. I will not expose anything on my server that has so many known vulnerabilities
Your content might be legitimate, but the vast majority use Plex and Jellyfin as a media Server for pirated content and still want to share it with their friends or family. And just FYI, most blurays and DVDs also forbid this kind of sharing in their license
I find it hard to believe that there are bots scanning for jellyfin exploits, since as far as I’m aware, the exploit is for viewing content without auth. 99% of bots are scanning for old instances of wordpress or other outdated software to exploit.
If my content on Jellyfin was illegitimate, the person scanning for my files would have to prove that before they can sue, no? I don’t think this makes sense for anyone to do.
p.s. I won’t argue that YOU should setup software that you dont want to, just that this particular reason not to may be a bit farfetched.
You are very, very naive and uneducated on what bad actors do on the internet then. Basically any popular service that exposes a port to the internet WILL have bots scanning for that port specifically.
And this has actually happened before?