I'm kinda disappointed with this thread, I'm in a similar position to OP, but all the responses are just like "use a reverse proxy and make your URL hard to guess" and other measures which are not very secure. \

It seems like that's about as good as you can get at the moment, because the mobile apps barf if you try to add in auth in front of the reverse proxy, but a lot of people seem to be providing this advice like it's good enough rather than as good as you can get.

Cloudflare. Just make sure to disable caching

My use cases are:

• Connect from multiple devices on the same home network (with the application)
• Connect from a phone device on the internet (with the application)
• Connect from some PC's and devices on the internet (with the application and from web browser)

For home networked devices, I don't care about security that much. I try to lock it down on the router level and by using VLANs for less secure devices. I connect via IP directly (or .local domain).

Jellyfin runs under its own user with read access to a media library.

For devices on the internet, I have jellyfin exposed on a specific url path of my domain - through a reverse proxy all through 443. A bit of security through obscurity here. I'm proxied through cloudflare on the DNS side with very restrictive IP rules.
I think this is enough for the security flaws jellyfin does have. I'd sleep better at night if it had client certificate support, but Its not a big deal imo. If security flaws allowing remote code execution are found, I'll shut it down and allow access through wireguard only and lose access from some devices on the internet where I cant use VPNs. Not a bit deal either.

If client certificates and basic auth is not supported by jellyfin:

• reverse proxy
• strong random subdomain
• wildcard certificate
• tls1.3 only
• doh/dot only

1-3 make random scanners unable to find your service, 4&5 even hide it from your ISP. Dot/doh service will still know your subdomain, so be your own dot/doh ! :D

As others have mentioned, a reverse proxy, like nginx or caddy. These are web servers, so you need to configure it or an app that runs in it. May I shill: Nginx Proxy Manager (NPM).

A reverse proxy is what you are looking for. I recommend Caddy.

You’ll also need a domain, but they can be had for very cheap.

Another way:

Expose using caddy. Use basic auth for the web UI only. This exempts the Jellyfin app clients from basic auth that they don’t support but requires it before anyone even gets to the Jellyfin UI. This obfuscates the fact that your endpoint is even a Jellyfin end point.

Run the jellyfin in a container that only has read privileges to the videos ( make sure you can't get out to your whole NAS from there), put that behind a Cloudflaired tunnel.

It's not technically secure, but if they can't get a foothold in your network and the only thing they can access is your video catalog, that's a reasonable amount of risk.

Ask them to visit https://ipv4.icanhazip.com/ and give you back the number, then whitelist in your webserver, as well as your LAN/VPN range, deny rest. Explain they can only reach jellyfin from their home internet. Repeat if they get 403 forbidden after they get a new WAN IP.

That or VPN like openziti, wireguard but gets more complicated.

Tailscale

Perhaps (and I know I might be weird) running pangolin on something like hetzner? (Which I do)

If anyone has any tips for getting Tailscale running via Docker on my Openmediavault machine, I'm open to it. Everyone lauds it for being dead simple and I cannot for the life of me get it running on the machine it needs to be. Not sure my wife can/will handle anything more complicated.