Oh yeah I’m aware, if people don’t want to use a VPN then I suggest this but give them the advisory warning.

Actually, recently I’ve been using a fork of IPAllowList which accepts DDNS addresses, but that usually is for more technical folk who would probably rather use a VPN then purchase a domain and associate it with their network.

Which again implies that you have a router that allows you to do so. It's not always the case. For tech enthusiast people that's the case. But not for everyone.

I tried to do the same thing at first, but it was a pain, there were tons of issues.

Oh yes, the routers and gateways that most people have that are isp provided that may not actually have open VPN or wireguard support.

Those ones?

Also putting a VPN in someone else's house so that all their Network traffic goes through your gateway is pretty damn extreme.

What? No, you can do a tiny reverse proxy/vpn on a stick with something like a RPi. Configure it and give it to them. Then they point their Jellyfin client on their device to the IP of the RPi instance on their network and that creates the tunnel back to your VPN endpoint and server.

And for VPNs at a router level you can inject routes and leave th default route going out through your ISP, you don’t need to, nor want to, have all traffic going through it.

wow not just totally unprofessional, but even downvoting the calling out the lack of credible security! you can be ashamed of yourself, and hope that your clients never find out you are a contrarian

I really doubt your work has anything to do with computers

You're hilarious. I haven't downvoted you, others are reading these threads as well.

Talking about security... Have you heard of intrusion detection, process isolation, or principle of least privilege?

Talking about security... Have you heard of intrusion detection, process isolation, or principle of least privilege?

are you aware that the very popular official docker image for jellyfin still runs the jellyfin process as root? or that most people just mount their media libraries as a read-write volume because they don't know better?

I would also be very interested about statistics on how many jellyfin admins run intrusion detection software on their system, if you have any.

"if I don't have to". and, is your jellyfin running as root? or are you running it a different way, e.g. from apt package (where I believe it's sensible by default)? I smell doubt.

but in either case it does not matter how do you run jellyfin. what I care is how many other people are running jellyfin exposed to the internet because they think its safe, because people on forums told them so, with the popular docker image where it is being ran as root.

I'm not moving goalposts. I'm still firmly besides my point that for the general jellyfin admin exposing jellyfin to the wide internet is unsafe and irresponsible. and seeing all the downvotes but no one else telling their opinion, it seems no one knows better either and they are just angry I pointed this out.
again, I don't care how are you running Jellyfin. I don't want to convince you on that, you do whats best for you, it seems you might have done some precautions. what I care is to not recommend these practices to others (without the full picture), because they are unsafe, especially without further precautions like running a(n unofficial) rootless jellyfin docker image and an intrusion detection system, which I guarantee most people won't have.

the usable information is information that's so widely talked about in this community that they probably expected anyone who is reading this to know what they're talking about.

clearly there are still people who have no experience self-hosting whatsoever that we should be considerate of.

Oh absolutely, difference being that you only need to expose the service once, versus helping however many people set up VPNs to access the service on your LAN

I know way too many people who won't remember to toggle it on, or just won't deal with it

It's just not convenient enough