Jellyfin over the internet

Nginx in front of it, open ports for https (and ssh), nothing more. Let's encrypt certificate and you're good to go.

I would not publicly expose ssh. Your home IP will get scanned all the time and external machines will try to connect to your ssh port.
- fail2ban with endlessh and abuseipdb as actions
  Anything that's not specifically my username or git gets instantly blocked. Same with correct users but trying to use passwords or failing authentication in any way.
- They can try all they like, man. They're not gonna guess a username, key and password.
- Sorry, misunderstanding here, I'd never open SSH to the internet, I meant it as "don't block it via your server's firewall."
- So? Pubkey login only and fail2ban to take care of resource abuse.
- i have ssh on a random port and only get so many scan, so low that fail2ban never banned anyone that was not myself (accidentally).
- Ssh has nothing to do with scanning. Your IP and everyone else up is being scanned constantly. In ipv4 space at least.
- Change the port it runs on to be stupid high and they won't bother.
Cool if I understand only some of things that you have said. So you have a beginner guide I could follow?
- Take a look at Nginx Proxy Manager and how to set it up. But you'll need a domain for that. And preferably use a firewall of some sort on your server and only allow said ports.
Why would you need to expose SSH for everyday use? Or does Jellyfin require it to function?
Maybe leave that behind some VPN access.
- I agree, but SSH is more secure than Jellyfin. it shouldn't be exposed like that, others in the comments already pointed out why
- https://lemmy.world/post/32059264/17905111
Also run the reverse proxy on a dedicated box for it in the DMZ
- Honestly you can usually just static ip the reverse proxy and open up a 1:1 port mapping directly to that box for 80/443. Generally not relevant to roll a whole DMZ for home use and port mapping will be supported by a higher % of home routing infrastructure than DMZs.
- In a perfect world, yes. But not as a beginner, I guess?

Wireguard.

and a local reverse proxy that can route through wireguard when you want to watch on a smart tv.
its not as complicated as it sounds, it's just a wireguard client, and a reverse proxy like on the main server.
it can even be your laptop, without hdmi cables
- You can also use a router that can run wireguard/openvpn and have that run the tunnel back to home for you. I've got a portable GL-Inet router with OpenWRT that I use for this when I'm on the road
- How would you do this off network?
- lemm.ee :'''(

I just expose my local machine to the internet, unsecured

Thanks stranger over the internet seems like the best option.
This is absolutely unhinged but god damn it, I respect you.
Yea same I don’t even care.
It’s an old laptop, I have a backup. Go ahead, fuck it up.
- Do you at least have it on a VLAN?

I think my approach is probably the most insane one, reading this thread…

So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. The only thing anonymous users have access to is the form login page. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox. My Jellyfin instance is in k8s.

My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.

So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.

Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.

What an absolute gigachad XD
Clever, but very hands on
- VERY hands on, wouldn’t recommend it haha.
  But that’s the beauty of open source. You CAN do it

Jellyfin isn't secure and is full of holes.

That said, here's how to host it anyway.

Wireguard tunnel, be it tailscale, netbird, innernet, whatever
A vps with a proxy on it, I like Caddy
A PC at home with Jellyfin running on a port, sure, 8096

If you aren't using Tailscale, make your VPS your main hub for whatever you choose, pihole, wg-easy, etc. Connect the proxy to Jellyfin through your chosen tunnel, with ssl, Caddy makes it easy.

Since Jellyfin isn't exactly secure, secure it. Give it its own user and make sure your media isn't writable by the user. Inconvenient for deleting movies in the app, but better for security.

more...

Use fail2ban to stop intruders after failed login attempts, you can force fail2ban to listen in on jellyfin's host for failures and block ips automatically.

More!

Use Anubis and yes, I can confirm Anubis doesn't intrude Jellyfin connectivity and just works, connect it to fail2ban and you can cook your own ddos protection.

MORE!

SELinux. Lock Jellyfin down. Lock the system down. It's work but it's worth it.

I SAID MORE!

There's a GeoIP blocking plugin for Caddy that you can use to limit Jellyfin's access to your city, state, hemisphere, etc. You can also look into whitelisting in Caddy if everyone's IP is static. If not, ddns-server and a script to update Caddy every round? It can get deep.

Again, don't do any of this and just use Jellyfin over wireguard like everyone else does(they don't).

Wow, a "for dummies" guide for doing all this would be great 😊 know of any?
- If you aren’t already familiarized with the Docker Engine - you can use Play With Docker to fiddle around, spin up a container or two using the docker run command, once you get comfortable with the command structure you can move into Docker Compose which makes handling multiple containers easy using .yml files.
  Once you’re comfortable with compose I suggest working into Reverse Proxying with something like SWAG or Traefik which let you put an domain behind the IP, ssl certificates and offer plugins that give you more control on how requests are handled.
  There really is no “guide for dummies” here, you’ve got to rely on the documentation provided by these services.
- I figured infodump style was a bit easier for me at the time so anyone could take anything I namedropped and go search to their heart's content.
show me those “holes” this is just fear mongering
- Here, since you can't use a search engine: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
  More, because I've been around this lap before, you'll ask for more and not believe that one, here's another: https://www.cvedetails.com/vulnerability-list/vendor_id-22884/product_id-81332/Jellyfin-Jellyfin.html
  Do what you want. Idgaf about your install, just mine.
- I've recently been working on my own server and a lot of this stuff can be accomplished by just chatting with chatgpt/gemini or any ai agent of your choosing. One thing to note tho is that they have some outdated information due to their training data so you might have to cross reference with the documentation.
  Use docker as much as you can, this will isolate the process so even if somehow you get hacked, the visibility the hackers get into your server is limited to the docker container.

My go to secure method is just putting it behind Cloudflare so people can’t see my IP, same as every other service. Nobody is gonna bother wasting time hacking into your home server in the hopes that your media library isn’t shit, when they can just pirate any media they want to watch themselves with no effort.

Nobody is gonna bother wasting time hacking into your home server
They absolutely will lol. It’s happening to you right now in fact. It’s not to consume your media, it’s just a matter of course when you expose something to the internet publicly.
- No, people are probing it right now. But looking at the logs, nobody has ever made it through. And I run a pretty basic setup, just Cloudflare and Authelia hooking into an LDAP server, which powers Jellyfin. Somebody who invests a little more time than me is probably a lot safer. Tailscale is nice, but it’s overkill for most people, and the majority of setups I see posted here are secure enough to stop any random scanning that happens across them, if not dedicated attention.
- What a bunch of B's. Sure your up gets probed it's happening to every ipv4 address all the time. But that is not hacking.
- And this is the start of the longest crypto nerd fight I've seen on Lemmy. Well done, people!

I host it publicly accessible behind a proper firewall and reverse proxy setup.

If you are only ever using Jellyfin from your own, wireguard configured phone, then that's great; but there's nothing wrong with hosting Jellyfin publicly.

I think one of these days I need to make a "myth-busting" post about this topic.

Please do so, it'll be very useful
Same for me. But according to everyone I should be destroyed.

I used to do all the things mentioned here. Now, I just use Wireguard. If a family member wants to use a service, they need Wireguard. If they don't want to install it, they dont get the service.

I started my homelab with a couple exposed services, but frankly the security upkeep and networking headaches weren't worth the effort when 99% of this server's usage is at home anyway.
I've considered going the Pangolin route to expose a handful of things for family but even that's just way too much effort for very little added value (plus moving my reverse proxy to a VPS doesn't sound ideal in case the internet here goes down).
Getting 2 or 3 extra folks on to wireguard as necessary is just much easier.
Came here to say this. I use wireguard and it simply works.
Pangolin could be a solution

I see everyone in this thread recommending a VPN or reverse proxy for accessing Jellyfin from outside the LAN. While I generally agree, I don't see a realistic risk in exposing Jellyfin directly to the internet. ~~It supports HTTPS and certificates nowadays, so there’s no need for outside SSL termination anymore.~~ (See Edit 2)

In my setup, which I've been running for some time, I've port-forwarded only Jellyfin's HTTPS port to eliminate the possibility of someone ending up on pure HTTP and sending credentials unencrypted. I've also changed the Jellyfin's default port to a non-standard one to avoid basic port-scanning bots spamming login attempts. I fully understand that this falls into the security through obscurity category, but no harm in it either.

Anyone wanna yell at me for being an idiot and doing everything wrong? I'm genuinely curious, as the sentiment online seems to be that at least a reverse proxy is almost mandatory for this kind of setup, and I'm not entirely sure why.

Edit: Thank you everyone for your responses. While I don't agree with everything, the new insight is appreciated.

Edit 2: I've been informed that infact the support for HTTPS will be removed in a future version. From v10.11 release notes:

Deprecation Notice: Jellyfin’s internal handling of TLS/SSL certificates and configuration in the web server will be removed in a future version. No changes to the current system have been made in 10.11, however future versions will remove the current system and instead will provide advanced instructions to configure the Kestrel webserver directly for this relatively niche usecase. We strongly advise anyone using the current TLS options to use a Reverse Proxy for TLS termination instead if at all possible, as this provides a number of benefits

It feels like everything is a tradeoff and I think a setup like this reduces the complexity for people you share with.
If you added fail2ban along with alert email/notifications you could have a chance to react if you were ever targeted for a brute force attempt. Jellyfin docs talk about setting this up for anyone interested.
Blocking IP segments based on geography of countries you don't expect connections from adds the cost of a VPN for malicious actors in those areas.
Giving Jellyfin its own VLAN on your network could help limit exposure to your other services and devices if you experience a 0day or are otherwise compromised.
- Fail2ban isn't going to help you when jellyfin has vulnerable endpoints that need no authentication at all.
Anyone wanna yell at me for being an idiot and doing everything wrong?
Not yell, but: Jellyfin is dropping HTTPS support with a future update so you might want to read up on reverse proxies before then.
Additionally, you might want to check if Shodan has your Jellyfin instance listed: https://www.shodan.io/
- Jellyfin is dropping HTTPS support with a future update[...]
  What's the source for this? I wasn't able to find anything with a quick google search
Nah, setting non-standard ports is sound advice in security circles.
People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
Even better, non-standard ports will make 99% of threats go away. They automate scans that are just looking for anything they can break. If they don't see the open ports, they move on. Won't stop a determined attacker, of course, but that's what other layers are for.
As long as there's real security otherwise (TLS, good passwords, etc), it's fine.
If anyone says "that's a false sense of security", ignore them. They've replaced thinking with a cliche.
- People misunderstand the "no security through obscurity" phrase. If you build security as a chain, where the chain is only as good as the weakest link, then it's bad. But if you build security in layers, like a castle, then it can only help. It's OK for a layer to be weak when there are other layers behind it.
  And this is what should be sung from the hills and mountaintops. There’s some old infosec advice that you should have two or three honeypots, buried successively deeper behind your security, and only start to worry when the second or third gets hit; The first one getting hit simply means they’re sniffing around with automated port scanners and bots. They’re just throwing common vulnerabilities at the wall to see if any of them stick. The first one is usually enough for them to go “ah shit I guess I hit a honeypot. They must be looking for me now. Never mind.” The second is when you know they’re actually targeting you specifically. And the third is when you need to start considering pulling plugs.
It's difficult to say exactly what all a reverse proxy adds to the security conversation for a handful of reasons, so I won't touch on that, but the realistic risk of exposing your jellyfin instance to the internet is about the same as handing your jellyfin api over to every stranger globally without giving them your user account or password and letting them do whatever they'd like for as long as they'd like. This means any undiscovered or unintentional vulnerability in the api implementation could easily allow for security bypass or full rce (remote code execution, real examples of this can be found by looking at the history of WordPress), but by siloing it behind a vpn you're far far far more secure because the internet at large cannot access the apis even if there is a known vulnerability. I'm not saying exposing jellyfin to the raw web is so risky it shouldn't be done, but don't buy into the misconception that it's even nearly as secure as running a vpn. They're entirely different classes of security posture and it should be acknowledged that if you don't have actual use for internet level access to jellyfin (external users, etc, etc) a vpn like tailscale or zero tier is 100% best practice.
The issue is not encryption, it's the unauthenticated API. People can interact with your server without an account.
- Specifically these issues: https://github.com/jellyfin/jellyfin/issues/5415
  The big one is that video/audio playing endpoints can be used without authentication. However, you have to guess a UUID. If Jellyfin is using UUIDv4 (fully random), then this shouldn't be an issue; the search space is too big. However, many of the other types of UUIDs could hypothetically be enumerated through brute force. I'm not sure what Jellyfin uses for UUIDs.
You remember when LastPass had a massive leak and it out of their production source code which demonstrated that their encryption security was horrible? That was a Plex vulnerability. All it takes is a zero day and one of the packages they're using and you're a prime target for ransomware.
You can see from the number of unauthenticated processes in their security backlog that security really has been an afterthought.
Unless you're running in a non-privileged container with read only media, I definitely would not put that out on the open network.
I think the reason why its generally suggested to use a VPN is because it reduces the risk of intrusion to almost zero. Folks that are not network/sys admin savy would feel safer with the lowest risk solution. Using the port forward method, there could be configuration mistakes made which would unintentionally expose a different service or parts of their home network they don't want exposed. And then there's the possibility of application vulnerabilities which is less of an issue when only VPN users can access the application. That being said, I do expose some services via port forwarding but that's only because I'm comfortable with ensuring its secure.
Reverse proxy is really useful when you have more than one service to expose to the internet because you only have to expose one port. It also automates the certificate creation & simplifies firewall rules inside the home network
Jellyfin has a whole host of unresolved and unmitigated security vulnerabilities that make exposing it to the internet. A pretty poor choice.
https://github.com/jellyfin/jellyfin/issues/5415
- And which one of those are actually vulnerabilities that are exploitable? First, yes ofc unauthenticated endpoints should be fixed, but with those there is no real damage to be done.
  If you know the media path then you can request a playback, and if you get the user ids then you can get all users. That's more or less it.
  Good? No. But far from making it a poor choice exposing it.
Reverse proxies can be useful for hiding your IP if you do something like host it in a VPS and tunnel the traffic back to your self hosted service. There's also a lot of documentation on attaching things like fail2ban or crowd sec which can be helpful in reducing the threat from attacks. if you're running lots of services it can reduce the risk of two apps using the same ports as ultimately everything will go through ports 80 and 443 on the public facing side. Finally again if you're hosting several services having a central place to manage and deal with cert from can save a lot of time rather than having to wrangle it per service/ server.
Imo that's perfectly fine and not idiotic if you have a static IP, no ISP blocked ports / don't care about using alt ports, and don't mind people who find your domain knowing your IP.
I did basically that when I had a fiber line but then I added a local haproxy in front to handle additional subdomains. I feel like people gravitate towards recommending that because it works regardless of the answers to the other questions, even their security tolerance if recommending access only over VPN.
I have CGNAT now so reverse proxy in the cloud is my only option, but at least I'm free to reconfigure my LAN or uproot everything and plant it on any other LAN and it'll all be fine.
I don't disagree, and I am one of the VPN advocates you mention. Generally there is no issue with exposing jellyfin via proxy to the internet.
The original question seemed to imply an over-secure solution so a lot of over-secure solutions exist. There is good cause to operate services, like jellyfin, via some permanent VPN.

for me the easiest option was to set up tailscale on the server or network where jellyfin runs and then on the client/router where you want to watch the stream.

This is also what I do, however, each user creates their own tailnet, not an account on mine and I share the server to them.
This way I keep my 3 free users for me, and other people still get to see jellyfin.
Tailscale and jellyfin in docker, add server to tailnet and share it out to your users emails. They have to install tailscale client in a device, login, then connect to your jellyfin. My users use Walmart Onn $30 streaming boxes. They work great.
I struggled for a few weeks to get it all working, there's a million people saying "I use this" but never "this is how to do it". YouTube is useless because it's filled with "jellyfin vs Plex SHOWDOWN DEATH FIGHT DE GOOGLE UR TOILET".
- For the users you have using Onn TVs, is Tailscale just installed on a device on the network or on the Onn TVs?
This is what I do as well. Works super well

Tailscale with self hosted headscale

Any helpful tips or links to tutorials for this method?
- Easiest method is Docker, but it heavily depends on your network and tech stacks.

Use a reverse proxy (caddy or nginx proxy manager) with a subdomain, like myservice.mydomain.com (maybe even configure a subdir too, so …domain.com/guessthis/). Don’t put anything on the main domain / root dir / the IP address.

If you’re still unsure setup Knockd to whitelist only IP addresses that touch certain one or two random ports first.

So security through obscurity :) But good luck for the bots to figure all that out.

VPN is of course the actually secure option, I’d vote for Tailscale.

I kept the main domain open, but redirected it to a rickroll
- Nice, but the bots may not understand the joke.
  And not only that but they will tag the domain with ”there is something here”, and maybe some day someone will take a closer look and see if you are all up-to-date or would there maybe be a way in. So better to just drop everything and maybe also ban the IP if they happen to try poke some commonly scanned things (like /wp-admin, /git, port 22 etc.) GoAccess is a pretty nice tool to show you what they are after.
Look pretty interesting. Do you have guide I could follow ?
- Not at hand no, but I’m sure any of the LLMs can guide you through the setup if googling does not give anything good.
  Nothing very special about all this, well maybe the subdir does require some extra spells to reverse proxy config.

I rent a cheap $5/mo VPS and use it to run a wireguard server with wgeasy and nginx proxy manager. Everything else runs on my home server connected by wireguard.

Is Nginx Proxy Manager running on the VPS itself and then the proxy routes across the wireguard to your home server? Or is the VPS just port forwarding to your home server which runs the proxy?
- My goal was to have no ports exposed on my home network so the proxy is on the VPS. My home server connects over wireguad to the vps, then all the traffic is routed over wireguard to the home server which only listens on wireguard.
- I also would like to know
I was just trying to get a setup like this going yesterday. I used standard Wiregaurd and got that working between the VPS and home server, but I was trying to set up Caddy as a reverse proxy to direct the incoming traffic through the WG VPN to my services. I wasnt able to figure it out yesterday. Everyone online says Caddy is so simple, but I'm such a noob I just have no idea what it's doing or how to troubleshoot.
- You should try pangolin. It uses Traefik instead of Caddy under the hood but it automates approximately 80 % of setup. It's what I use for my setup.
  https://fossorial.io/
- I havent tried with caddy but i might be able to help you get it working if you wanna chat some time. My contact info is on my website.
- I've also really struggled with Caddy despite everyone saying its so simple. I'm pretty new to all this, but I had better luck with Traefik - I now actually have a reverse proxy up and running correctly, which I haven't been able replicate with Caddy.
  Traefik labels make sense to me in a way Caddy does not.
This is 99% my setup, just with a traefik container attached to my wifeguard container.
Can recommend especially because I can move apartments any time, not care about CGNAT (my current situation which I predicted would be the case), and easily switch to any backup by sticking my boxes on any network with DHCP that can reach the Internet (like a 4G hotspot or a nanobeam pointed at a public wifi down the road) in a pinch without reconfiguring anything.

Tailscale

I access it through a reverse proxy (nginx). I guess the only weak point is if someone finds out the domain for it and starts spamming the login screen. But I've restricted access to the domain for most of the world anyway. Wireguard would probably be more secure but its not always possible if like on vacation and want to use it on the TV there..

It is possible if you get something like an nvidia shield tho. But of course not everyone has it or the money for it
This is the biggest weakness of Jellyfin. Native OIDC support would really be a no brainer at this point.
Its very easy to deploy fail2ban for Jellyfin: https://jellyfin.org/docs/general/post-install/networking/advanced/fail2ban/
- Indeed a good recommendation. I've not set it up yet but I'm probably going to do so in the near future.

If you’re a beginner and you’re looking for the most secure way with least amount of effort, just VPN into your home network using something like WireGuard, or use an off the shelf mesh vpn like Tailscale to connect directly to your JF server. You can give access to your VPN to other people to use. Tailscale would be the easiest to do this with, but if you want to go full self-hosted you can do it with WireGuard if you’re willing to put in a little extra leg work.

What I’ve done in the past is run a reverse proxy on a cloud VPS and tunnel that to the JF server. The cloud VPS acts as a reverse proxy and a web application firewall which blocks common exploits, failed connection attempts etc. you can take it one step beyond that if you want people to authenticate BEFORE they reach your server by using an oauth provider and whatever forward Auth your reverse proxy software supports.

Wireguard vpn into my home router. Works on android so fire sticks etc can run the client.

If it’s just so you personally can access it away from home, use tailscale. Less risky than running a publicly exposed server.

We have it open to the public, behind a load balancer URL filtering incomming connection, https proxied through cloudflare with a country filter in place

Tailscale, with nginx for https.

Very easy, very simple, just works, and i can share my jellyfin server with my friends

This is the easiest way for sure.

Over the top for security would be to setup a personal VPN and only watch it over the VPN. If you are enabling other users and you don't want them on your network; using a proxy like nginx is the way.

Being new to this I would look into how to set these things up in docker using docker-compose.

I use a wire guard tunnel into my Fritz box and from there I just log in because I'm in my local network.

I don't host my media outside my local network but, if I did, I would use my go to method of SWAG with Authentik. This is what I have done for my other self-hosted items.

I'm just using caddy and a cheap $2 a year .top domain with a $4 a month VPS. Works for my users, I only have 3 users on my server.

“Technically” my jellyfin is exposed to the internet however, I have Fail2Ban setup blocking every public IP and only whitelisting IP’s that I’ve verified.

I use GeoBlock for the services I want exposed to the internet however, I should also setup Authelia or something along those lines for further verification.

Reverse proxy is Traefik.

I use a cloudflare tunnel, ISP won't give me a static IP and I wanna keep my firewall locked down tight.

I tried really hard to get a named CloudFlare tunnel working with a domain name I registered (I share my personal home videos with a non technical family member in Italy) but couldn't get it working no matter what I tried.
- I'm not sure whay the OS you use is, but on linux (debian based) they have a Curl installer that installs their Systemd service preconfigured for your account and the specific tunnel you're using.
  Once that is installed, configuration is pretty easy. Inside their ZeroTrust portal, you will find the options to configure ports.
  Always point your tunnel to https://localhost:port or http://localhost:port. You can get a TLS cert from lets-encrypt for your first one. New certifications are issued by cloudflare's partners regularly to prevent expiration. I think I have like 3 for my domain now? 1 from Lets-Encrypt and a couple from Google.
  This could be totally unrelated, but when I first configured my domain, I used DuckDNS as my DNS registrar so I could do everything over wireguard. That's is still set up and in Cloudflare I still have duckdns included in my DNS registry. Could he worth a shot to set that up and add it to your DNS registry on cloudflare.

Cheap VPS with Pangolin for Wireguard and reverse proving through the tunnel.

Cloudflare. No public exposure to the internet.

Are we not worried about their terms of service? I've been using pangolin
- I run multiple enterprise companies through it who are transferring significantly more sensitive data than me. I'm not as strict as some people here, so no, I don't really care. I think it's the best service, especially for free, so until things change, that's what I'm using.
- We are, Batman, we are.
  I VPN to my network for it.

Tailscale - funnel

Just that

I just install tailscale at family houses. The limit is 100 machines.

Full guide to setting up Jellyfin with Reverse Proxy using Caddy and DuckDNS

I followed this video and modified some things like ports

An $11/yr domain pointed at my IP. Port 443 is open to nginx, which proxies to the desired service depending on subdomain. (and explicitly drops any connection that uses my raw ip or an unrecognized name to connect, without responding at all)

ACME.sh automatically refreshes my free ssl certificate every ~2months via DNS-01 verification and letsencrypt.

And finally, I've got a dynamic IP, so DDClient keeps my domain pointed at the correct IP when/if it changes.

There's also pihole on the local network, replacing the WAN IP from external DNS, with the servers local IP, for LAN devices to use. But that's very much optional, especially if your router performs NAT Hairpinning.

This setup covers all ~24 of the services/web applications I host, though most other services have some additional configuration to make them only accessible from LAN/VPN despite using the same ports and nginx service. I can go into that if there's interest.

Only Emby/Jellyfin, Ombi, and Filebrowser are made accessible from WAN; so I can easily share those with friends/family without having to guide them through/restrict them to a vpn connection.

This is an interesting setup

For now just Tailscale but I'm working on setting up a reverse proxy and SSO through Authentik

Even more secure is having a VPS and self hosting Heascale, even better is Wireguard
- I'm trying to move away from needing a VPN to connect to make it simpler for less technically inclined family members

This is my setup.