We are also changing how remote playback works for streaming personal media (that is, playback when not on the same local network as the server). The reality is that we need more resources to continue putting forth the best personal media experience, and as a result, we will no longer offer remote playback as a free feature. This—alongside the new Plex Pass pricing—will help provide those resources. This change will apply to the future release of our new Plex experience for mobile and other platforms.


I would go for a reverse proxy to get ssl running.
https://jellyfin.org/docs/general/networking/#running-jellyfin-behind-a-reverse-proxy
Handling users with forgotten passwords is, sadly, a manual chore for the administrator.
https://jellyfin.org/docs/general/server/users/adding-managing-users#profile
If I reverse proxy does the video stream itself travel via the proxy too?
Yeah, the reverse proxy will need to be able to handle the network bandwidth of your video stream too.
https://en.wikipedia.org/wiki/Reverse_proxy
In case this helps as a reference point, I use a $5 digital ocean droplet as my Plex and Jellyfin reverse proxy and it seems to handle the traffic of 3-5 simultaneous streams just fine. I use Haproxy in tcp mode (so no http interpreting, just passing packets) in an attempt to keep the CPU load minimal and just make it a pure I/O task.
i’m fairly familiar with reverse proxies and how to set them up, but I’m mostly worried about the monthly bandwidth limits here. especially with hetzner’s recently lowered limits. since I have a life time plex pass i might be able to hold off from switching until I figure something else out, at least.
Gotcha, I’ve never actually considered the bandwidth limits. It looks like digitalocean includes 1TB per month and I used 242GB last month. If I ever get close to the limit I will just spin up another droplet. I don’t think I would even need to load balance unless the first one is struggling since the bandwidth allowance across all droplets is pooled together.
If you aren’t already using a reverse proxy, then do you currently just port forward or use the Plex relay? The only reason I use one is because of CGNAT. Before I moved to a place with only CGNAT I port forwarded for both Plex and Jellyfin.
I just port forward right now, so Plex’s system is basically an overpowered dynamic dns. I guess my next option is to self host a dynamic dns on a numbered xyz domain (yk the $1/yr ones)
You can connect Jellyfin to an SSO provider. It still needs work, and client support is lacking. Ideally I think it maybe should be built in rather than a plug-in (would definitely encourage more client support). But it exists.
https://github.com/9p4/jellyfin-plugin-sso
Feature request for oidc/sso:
https://features.jellyfin.org/posts/230/support-for-oidc-oauth-sso
As it stands, you could enable both the SSO and LDAP plugins, and let users do password resets entirely through your auth provider.
Basically, this is all stuff that comes with Plex out-of-the-box, but you sort of have to glue it together yourself with Jellyfin, and it’s not yet in an ideal state. Plex is much much easier to configure. I wouldn’t allow yourself to believe that Plex doing all this for you will make you totally secure through – there’s been multiple incidents with their auth, and IIRC the LastPass attacker pivoted from a weak Plex install. Just food for thought.
Ah, that’s good to know!
My jellyfin server is only available over vpn (and locally) so I haven’t much looked into beefing up the security on the jellyfin server itself.