Proxies for Plex and Jellyfin: sharing media with friends

```html

You have set up a home media server on Plex or Jellyfin, filled it with movies, series, and music — and want to give access to friends or family. But opening router ports is scary: it creates a direct hole into your home network. A proxy server elegantly solves this problem: it acts as an intermediary between your server and viewers, hiding the real IP and not requiring dangerous router settings.

Why you can't just open a port: risks of a home server

The most obvious way to give a friend access to Plex or Jellyfin is to forward a port on the router. For example, open port 32400 (Plex) or 8096 (Jellyfin) and send your friend a link like http://your-IP:32400. Technically, this works. But from a security standpoint — it’s a disaster.

Here’s what happens when you open a port on your home router to the internet:

Your home IP becomes public. Anyone who knows your server's address knows your real home IP. This includes geolocation, provider, and your address down to the neighborhood.
Bot scanners will find you within hours. Shodan, Censys, and thousands of automated scanners constantly crawl the entire internet. An open Plex or Jellyfin port will be discovered and will start receiving hacking attempts within hours of being opened.
Software vulnerabilities = network breach. Plex and Jellyfin are complex software with a history of vulnerabilities. If your version has an unpatched hole, an attacker can not only access the media server but also your entire home network: laptops, NAS, smart devices.
DDoS and abuse complaints. Your home provider is not obligated to protect you from DDoS attacks. In the event of a massive attack, you will simply be disconnected.
Dynamic IP. Most home users have changing IPs. Each time you will have to inform friends of the new address or set up a DDNS service.

The conclusion is obvious: an open port is not a solution for a home media server that connects to outsiders. You need an intermediary that accepts requests from viewers and forwards them to your server without revealing your real IP and without creating holes in your home network.

How a proxy helps share media: the working scheme

A proxy in the context of a home media server works as an intermediary point. Your friends connect not directly to your home IP, but to the IP of the proxy server. The proxy accepts the request, forwards it to your server, receives a response (video stream, metadata, covers), and sends it back to the viewer.

The scheme looks like this:

    Friend (viewer) → Proxy server (public IP) → Your home Plex/Jellyfin server

    Your home server → Proxy server → Friend (viewer)

What does this provide in practice:

Your home IP is hidden. Viewers only see the IP of the proxy server. Even if a friend shares the link with someone else — they will not be able to attack your home network directly.
No need to open router ports. Your server initiates an outgoing connection to the proxy (or tunnel). Incoming connections from the internet to your network do not occur.
A single stable address. The proxy server has a fixed IP. Even if your home IP changes — viewers will not know about it.
SSL encryption. The proxy can terminate HTTPS, providing encryption of traffic between the viewer and the proxy.
Access control. At the proxy level, you can restrict who can connect to the server at all.

It is important to understand the difference between two scenarios for using a proxy for a media server. The first scenario — you rent a proxy server (or VPS) and set up a reverse proxy on it: nginx, Caddy, or Traefik. This server accepts viewer requests and proxies them to your home server. The second scenario — you use a commercial proxy service as a tunnel or intermediary node to anonymize outgoing requests from your server.

In this article, we will consider both approaches, but the main focus will be on practical setup that allows your friends to watch content from your server without technical difficulties on their part.

Which type of proxy is suitable for Plex and Jellyfin

Not all types of proxies are equally suitable for video streaming. Here is a comparative table considering the specifics of home media servers:

Proxy Type	Speed	Stability	Suitable for Streaming	Note
Datacenter Proxies	★★★★★	★★★★★	✅ Excellent	High bandwidth, stable ping. Ideal for tunneling streams.
Residential Proxies	★★★☆☆	★★★☆☆	⚠️ Limited	Suitable for bypassing geo-restrictions when accessing external services from Plex. Unstable for streaming.
Mobile Proxies	★★★☆☆	★★★☆☆	❌ Not recommended	High traffic costs, unstable speed. Not optimal for video streams.
Reverse Proxy (nginx/Caddy on VPS)	★★★★★	★★★★★	✅ Ideal	The most correct approach for permanent use. Requires renting a VPS.

Conclusion on types: for permanent streaming of media content, the optimal choice is a reverse proxy on a rented VPS or datacenter proxies with high bandwidth. Residential proxies are useful in another scenario: when Plex or Jellyfin accesses external metadata sources or plugins that block server IPs.

💡 Important point

Plex has its own cloud relay service (Plex Relay), which works as a built-in proxy through Plex Inc. servers. It is free but limits speed to ~2 Mbps, which is insufficient for 1080p. For normal quality, you need either a direct connection (with an open port) or your own proxy.

Setting up a proxy for Plex Media Server: step by step

Let's consider the most practical scenario: you have a home server with Plex, and you want to give access to friends through a reverse proxy on a VPS. This provides a stable URL, an SSL certificate, and hides your home IP.

What you will need:

A home PC or NAS with Plex Media Server installed
A VPS (any, even the cheapest — 1 vCPU, 1 GB RAM is enough for proxying)
A domain (can be free: DuckDNS, FreeDNS)
About 30-60 minutes of time

Step 1. Set up Plex on your home server

Open Plex Web on your home server. Go to Settings → Remote Access. Make sure the "Allow remote access" option is enabled. Remember the port — by default, it is 32400. For now, DO NOT open this port on the router — we will do everything through the proxy.

Step 2. Install Nginx on the VPS

Connect to the VPS via SSH. Install Nginx and Certbot for SSL:

sudo apt update
sudo apt install nginx certbot python3-certbot-nginx -y

Step 3. Set up a tunnel from the VPS to the home server

This is a key point. We need the VPS to be able to reach your home Plex. There are two ways:

Method A (easier): SSH tunnel from the home server to the VPS. On your home server, execute the command that creates a permanent tunnel — forwarding port 32400 of the home Plex to port 32400 of the VPS:

ssh -N -R 32400:localhost:32400 user@YOUR_VPS_IP

To keep the tunnel running constantly, add it to systemd or use autossh for automatic reconnection on disconnection.

Method B (more reliable): Tailscale or WireGuard VPN between the home server and the VPS. This creates a permanent encrypted tunnel without the need to forward ports. More details can be found in the alternatives section.

Step 4. Configure Nginx as a reverse proxy

Create a configuration for your domain. Create a file /etc/nginx/sites-available/plex:

server {
    listen 80;
    server_name plex.your-domain.com;

    location / {
        proxy_pass http://localhost:32400;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # Important for video streaming:
        proxy_buffering off;
        proxy_read_timeout 36000s;
        proxy_send_timeout 36000s;
        client_max_body_size 0;
    }
}

Step 5. Obtain an SSL certificate

sudo certbot --nginx -d plex.your-domain.com

Certbot will automatically update the Nginx configuration and add HTTPS. After that, your friends will be able to access https://plex.your-domain.com — and see your Plex with SSL encryption.

Step 6. Specify the proxy URL in Plex settings

In Plex Media Server, go to Settings → Network. In the "Custom server URLs" field, specify your domain: https://plex.your-domain.com:443. This tells Plex that clients should connect through this address rather than looking for a direct path.

Setting up a proxy for Jellyfin: step by step

Jellyfin is a completely free and open alternative to Plex. Setting up a reverse proxy for Jellyfin is slightly different, but the logic is the same. Jellyfin by default operates on port 8096 (HTTP) and 8920 (HTTPS).

Step 1. Configure Jellyfin to work behind a proxy

Open the Jellyfin dashboard. Go to Dashboard → Network. Find the "Base URL" field and leave it empty (if Jellyfin will be at the root path). Make sure the "Allow remote connections" option is enabled.

Step 2. Nginx configuration for Jellyfin

The Nginx configuration for Jellyfin is a bit more complex since the server uses WebSocket for synchronization:

server {
    listen 80;
    server_name jellyfin.your-domain.com;

    location / {
        proxy_pass http://localhost:8096;
        proxy_set_header Host $host;
        proxy_set_header X-Real-IP $remote_addr;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Forwarded-Proto $scheme;

        # WebSocket support (important for Jellyfin!)
        proxy_http_version 1.1;
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";

        # Streaming without buffering
        proxy_buffering off;
        proxy_read_timeout 36000s;
    }
}

Alternative: Caddy instead of Nginx

If you don't want to deal with Nginx, try Caddy — it automatically obtains SSL certificates and has a simpler configuration syntax. The config for Jellyfin in Caddy looks like this:

jellyfin.your-domain.com {
    reverse_proxy localhost:8096
}

Yes, it’s literally two lines. Caddy will automatically set up HTTPS, obtain a Let's Encrypt certificate, and renew it automatically. For most home users, Caddy is a more convenient choice.

Step 3. Set up a tunnel (similar to Plex)

Use the same SSH tunnel or VPN approach described in the Plex section, but with port 8096:

ssh -N -R 8096:localhost:8096 user@YOUR_VPS_IP

💡 Security tip

After setting up the proxy, ensure that Jellyfin listens only on localhost (127.0.0.1), not on all interfaces (0.0.0.0). This will prevent direct access to the server bypassing the proxy. In Jellyfin settings → Network → "Bind to local address," specify 127.0.0.1.

Alternatives: Tailscale, Cloudflare Tunnel, and proxies — comparison

Besides the classic reverse proxy through a VPS, there are more modern solutions. Let's break down their pros and cons:

Tailscale (and Headscale)

Tailscale is a VPN based on WireGuard that creates a private network between your devices. You install Tailscale on your home server and on your friends' devices — and they get direct encrypted access to the server through a virtual network.

Pros: very easy to set up, maximum security, no latency from the proxy, free for up to 3 users
Cons: friends need to install the Tailscale client, dependency on Tailscale Inc. servers, harder to scale to a large number of viewers
When to choose: if you have 2-5 tech-savvy friends who don’t mind installing the app

Cloudflare Tunnel (formerly Argo Tunnel)

Cloudflare Tunnel allows you to publish your home server to the internet through Cloudflare's infrastructure without opening ports. You install cloudflared on your home server, which creates an outgoing tunnel to Cloudflare, and your server becomes accessible via your domain through the Cloudflare CDN.

Pros: free, no VPS needed, DDoS protection from Cloudflare, SSL automatically
Cons: Cloudflare prohibits the use of the free plan for video streaming in its ToS. For large traffic volumes, a paid plan is required. Also, Cloudflare sees all your traffic.
When to choose: for testing or infrequent access to Jellyfin/Plex

Comparison table of solutions

Solution	Complexity	Cost	Speed	Viewer Requirements
Nginx/Caddy on VPS	Medium	~$3-5/month (VPS)	★★★★★	Browser or Plex/Jellyfin client only
Tailscale	Low	Free (up to 3 users)	★★★★★	Install Tailscale
Cloudflare Tunnel	Low	Free / from $20/month	★★★☆☆	Browser or client only
Plex Relay (built-in)	Zero	Free	★★☆☆☆	Plex client only

Speed and quality of streaming through a proxy: what affects it

The main question when using a proxy for a media server is whether the video quality will drop. Let's break down what really affects streaming speed through a proxy.

Home internet bandwidth

This is the most important limitation. All video streams go through your home internet channel (upload). Typical upload speed requirements:

SD quality (480p): ~2-4 Mbps per viewer
HD quality (720p): ~5-8 Mbps per viewer
Full HD (1080p): ~8-15 Mbps per viewer
4K HDR: ~25-40 Mbps per viewer

If you have a home plan with 50 Mbps upload, you can simultaneously support 3-4 viewers at 1080p. The proxy does not create additional limitations here — it merely redirects traffic.

Transcoding vs direct streaming

Plex and Jellyfin can transcode video on the fly — converting the format to suit the capabilities of the client device. Transcoding puts a load on the home server's CPU, but is not related to the proxy. If the client device supports direct playback (Direct Play) — the load is minimal.

Recommendation: set the Plex/Jellyfin client applications to maximum quality and direct playback — this will reduce the load on the server and eliminate transcoding delays.

Proxy latency

The proxy adds an additional "hop" in the route. For video streaming, a latency of 20-50 ms is virtually unnoticeable — the video player's buffering compensates for it. It is critical to choose a VPS in a region close to your viewers: if friends are in Moscow — get a VPS in Moscow or Europe, not in the USA.

Practical optimization tips

Disable buffering in Nginx (proxy_buffering off) — this is critical for video streaming
Increase timeouts (proxy_read_timeout 36000s) — otherwise, long movies will be interrupted
Enable HTTP/2 in Nginx — reduces overhead for multiple parallel requests
Use gzip only for text responses (metadata, API), but not for video streams
Set up caching for covers and metadata at the proxy level — this will reduce the load on the home server

Security: how to protect the server and user data

By setting up a proxy, you have already significantly improved security compared to an open port. But there are still several important measures worth implementing.

Authentication at the proxy level

Add basic HTTP authentication at the Nginx level as an additional barrier. Even if someone finds your URL — without a username and password, they will not see the Plex/Jellyfin interface. Create a password file:

sudo htpasswd -c /etc/nginx/.htpasswd username

However, keep in mind: basic Nginx authentication may conflict with the Plex/Jellyfin API. It’s better to rely entirely on the built-in authentication of these services — it is reliable enough.

IP Whitelisting

If your friends have static IPs (or they are willing to inform you of their IPs when they change) — add a whitelist in Nginx:

location / {
    allow 1.2.3.4;   # Friend's IP 1
    allow 5.6.7.8;   # Friend's IP 2
    deny all;
    proxy_pass http://localhost:32400;
}

Fail2ban against brute force

Install Fail2ban on the VPS — it automatically blocks IP addresses that make too many failed login attempts. This will protect both Nginx and SSH on the VPS itself:

sudo apt install fail2ban -y
sudo systemctl enable fail2ban

Regular updates

Regularly update Plex/Jellyfin, Nginx, and the VPS operating system. Most media server hacks occur through known vulnerabilities in outdated software versions. Set up automatic security updates on the VPS:

sudo apt install unattended-upgrades -y
sudo dpkg-reconfigure unattended-upgrades

Monitoring and logs

Set up log viewing for Nginx to monitor suspicious activity. The command to view the latest requests in real-time:

sudo tail -f /var/log/nginx/access.log

Pay attention to requests with unusual User-Agent, mass requests to /admin, /wp-admin, and other standard paths — these are signs of automated scanning.

Home media server security checklist

✅ Proxy hides the real home IP
✅ SSL certificate is installed and auto-renewed
✅ Plex/Jellyfin ports are NOT opened on the router directly
✅ Plex/Jellyfin listens only on localhost
✅ Fail2ban is installed on the VPS
✅ SSH on the VPS works only with keys (not with password)
✅ Security auto-updates are enabled
✅ A separate account in Plex/Jellyfin is created for each viewer
✅ Access to the administration section is restricted

Conclusion and recommendations

Setting up a proxy for a home media server Plex or Jellyfin is a balance between convenience, security, and speed. An open router port provides maximum speed but creates real risks for the entire home network. A proxy solves this problem, adding minimal latency while ensuring proper protection.

The best choice for most home users is a reverse proxy on a cheap VPS using Caddy (easier) or Nginx (more flexible) in conjunction with an SSH tunnel or WireGuard/Tailscale. This provides a stable URL, SSL encryption, and full control over who and how connects to your server.

If you use Plex or Jellyfin not only to share content with friends but also to access external sources of metadata, trailers, or plugins that block server IPs — residential proxies are excellent for these requests: they mimic the traffic of an ordinary home user and do not raise suspicions with external services.

For those who want maximum streaming speed with minimal latency, consider datacenter proxies — they provide high bandwidth and stable uptime, which is critical for uninterrupted streaming in Full HD and 4K.

```

Proxies for Home Plex and Jellyfin Server: How to Safely Share Media Content with Friends