Remove "Add Server" Option from Login Screen on Public Facing Address #201
Comments
It's a new feature. You can use the UI to connect to any compatible server.
Can this be set as an option and be disabled by default? As of now I see this as a security issue, having anyone use my jellyfin system to connect to a possible rogue emby/jellyfin server from my server.
As far as I understand, there are no “server-to-server” connections involved. The only thing that connects to the Server is the WebUI, like any other Jellyfin/Emby Apps do. I guess there is a misunderstanding on your side. 🙂
That is correct.
So, let me get this straight. Change server option allows anyone to use my jellyfin instance webUI to connect to any other jellyfin server on another domain from my domain, essentially connect to a remote jellyfin server and watch content using my jellyfin webUI? Why is this not an option to have the ability to disable? Why would I (or anyone) want someone connecting to their jellyfin instance from my jellyfin WebUI, from my domain? I must be missing a point. I don't understand what prompted this change.
Your domain is used only as a thing that serves static files, then they see their content, not yours. They're not connecting "from your domain", they're connecting from where they opened your site. No requests are made to your server after the initial web UI is retrieved. So I'm still failing to see why this is a problem, but we probably can make this configurable. @dkanada - thoughts?
The WebUI and the Backend are per se uncoupled. Think about the webUI like any other app. It's a frontend with which you can connect to any backend offering the needed features.
Basically this is because no one thought it's needed, I guess. I still don't see why this is a problem.
Can't answer that for sure as I haven't been part of a discussion about it. This allows e.g. some sort of Library Share like Plex does, but decentralized. So you can just enter your friend's jellyfin info and access his Libraries (if you are able to authenticate on his server, ofc).
@JustAMan is right, this doesn't affect your server at all. However, we were planning on adding an option to disable it from the administration settings soon, probably in the General section? The feature was enabled because it works well for people who want to connect to multiple servers from one website, so now friends or other acquaintances can share their libraries. It always existed, it was just permanently disabled unless the device specifically enabled it, which wasn't ideal.
Well, @dkanada and @fruhnow, I would love this to be an option to disable. I see this being an issue when anyone can use my jellyfin web app that I'm hosting to access their own server from my domain. Is there a way I can remove it? Modify something to get it removed? As of right now, I'm having to VPN into my network to access jellyfin server.
I would recommend having the front end perform a redirect once "connect" is selected from the "Select Server" screen. Currently I can go to jellyfin.mydomain.com and add emby.mydomain.com as a server and connect and things work... but it shows the Jellyfin header and the jellyfin address in the URL... Changing those two items would probably cut down on a bit of confusion with the feature. For clarification of the issue: It is possible for a user to connect to "your" jellyfin instance and use the add server option to then connect to their own instance. Certain static assets are loaded from the first ("your") instance. This does open the possibility for bandwidth and, to a much lesser extent, cpu/etc resource "stealing"/hijacking. You can observe this behavior by adding a second server to the login interface of a jellyfin instance and watching the traffic in Chrome's network tab of the developer console. Certain theme/etc resources are loaded from the first/host jellyfin instance. It's a convenient feature but I think a proper redirect on "connect" would be beneficial.
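A server-side counterpart to the network-tab observation in the comment above, as an added example that is not part of the thread or the Jellyfin project: it reads reverse-proxy access logs and lists clients that pulled web UI assets from this host without ever calling its backend. The nginx combined log format, the `/web/` static prefix and all sample log lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Assumption: nginx "combined" log format on the reverse proxy.
LINE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<bytes>\d+|-)'
)
# Assumption: the static web client is served under /web/; every other
# path is counted as a request to this server's own backend.
STATIC_PREFIX = "/web/"

# Constructed sample log lines (documentation IP ranges, not real traffic).
SAMPLE_LOG = """\
203.0.113.10 - - [01/Mar/2019:10:00:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120
203.0.113.10 - - [01/Mar/2019:10:00:01 +0000] "GET /web/css/site.css HTTP/1.1" 200 20480
203.0.113.10 - - [01/Mar/2019:10:00:05 +0000] "POST /Users/AuthenticateByName HTTP/1.1" 200 900
198.51.100.7 - - [01/Mar/2019:11:00:00 +0000] "GET /web/index.html HTTP/1.1" 200 5120
198.51.100.7 - - [01/Mar/2019:11:00:01 +0000] "GET /web/css/site.css HTTP/1.1" 200 20480
198.51.100.7 - - [01/Mar/2019:11:00:02 +0000] "GET /web/themes/theme.css HTTP/1.1" 200 10240
this line is not a valid log entry
"""

def summarize(log_text):
    """Per client IP: bytes of static web UI served and backend request count."""
    stats = defaultdict(lambda: {"static_bytes": 0, "backend_requests": 0})
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        sent = 0 if m["bytes"] == "-" else int(m["bytes"])
        entry = stats[m["ip"]]
        if m["path"].startswith(STATIC_PREFIX):
            entry["static_bytes"] += sent
        else:
            entry["backend_requests"] += 1
    return dict(stats)

def static_only_clients(log_text):
    """Clients that downloaded the web UI but never called this backend."""
    return {ip: s["static_bytes"] for ip, s in summarize(log_text).items()
            if s["static_bytes"] > 0 and s["backend_requests"] == 0}

if __name__ == "__main__":
    for ip, served in static_only_clients(SAMPLE_LOG).items():
        print(f"{ip}: {served} bytes of web UI served, no backend requests")
```

A visitor who opens the login page and leaves produces the same pattern, so the output is a list to review rather than proof that a second server was used.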
So right now this feature is of limited developing use, we should probably disable it with a comment, so it's easy to uncomment for developing. cc @dkanada
Yeah that sounds fine for now, I will add that tonight. It seems like we might want an internal configuration page for the web interface to allow admins to selectively enable features.
Would be really cool!
Hi, just checking in if there is an update to this; the latest version 10.2.2 does not hide the add server option. Wondering if there is a place in the code I can manually modify to remove this.
Describe the bug
Either it was me and I did not notice, or the latest update changed this. I now see a "Change Server" option on the login screen when the server is public facing or private internal access. I do use Nginx as a reverse proxy, and am not sure if jellyfin is seeing the reverse proxy server and thinks it's on the local network, thus giving this option. What's odd is it also gives the option to add additional servers from the same page; it does not have to be my own jellyfin, I can add any other jellyfin public facing server to the list.
To Reproduce
Set up nginx as a reverse proxy to jellyfin, and use the public facing web address to access jellyfin.
Expected behavior
Only provide Login Screen, and no "Change Server" Option.
Logs
Screenshots
System (please complete the following information):
Additional context