when reading through the jellyfin with chromecast guide i realized that it would probably be less effort to just let the casting api be public, with the added bonus that i could then cast my library to any device that supports it. but that seems like it would paint a giant target on the server.
what’s the recommended way of doing stuff like this? ideally i want to be able to go to someone’s house and just play some of my media on their tv.
not that any of this is doable in the near future, since i’m behind cgnat and won’t get my colocated bounce server up until spring.
In all likelihood a targeted attack would never come your way but when hosting community made software like immich for example there is a very large attack surface with no security researchers poking at it to find vulnerabilities of which there are likely many. Exposing something like nginx or Wireguard is likely very safe if properly secured because it’s been battle hardened over the decades with millions of eyes on it trying to break it at every turn. So what matters most is your threat model, what you’re deploying, and how you’re deploying it.
Fail2ban will protect you from brute force but just this week there was a maximum risk vulnerability found in react allowing remote code execution, this is one of the most used frameworks on the web developed by some of the most talented engineers in tech over a decade ago and it still has issues that could lead to malicious takeover of your system.
React2Shell is exactly the shitshow situation yes. Suddenly we are all at risk. But in this case, I’m sorry to say that my cats’ pictures are worthless.
Your point on nginx/wireguard makes me think that it might be better to htaccess through a reverse proxy than relying on a built in login system. For exemple, I should deactivate jellyfin’s login and put it behind an htaccess at the proxy’s level. Is that completely dumb?
Anyway, I clearly need to research “threat models” and cyber/infosec more. Thank you very much!