Hacker News

Can you easily use your services on mobile devices that way? I currently reverse proxy every service I need through nginx, but I kinda feel like this isn't enough security-wise. I did blacklist most countries and don't expose any port other than 80+443.

Does it require you to run a VPN app on your phone constantly and does that cause troubles?




Yes, you would need the WireGuard app on your phone, and certainly for me it works beautifully (I use Android - I can't speak for the iOS app but there is one). I don't actually remotely host Jellyfin, but I do use a range of other things like Bitwarden, Nextcloud, Dovecot/Postfix, and some small web apps, and it's really smooth. The only public port on the server is the VPN.


iOS etc. have WireGuard clients, but I personally have found it much easier to configure a long random path as part of the server URL and use that as a "password" (https://server.com/$randomPath/).

It's not ideal, since the password's obviously saved in any user's browser history, but it's less of a pain than dealing with a VPN, especially since I let friends use the server, and it's secure enough for my threat model.


The trouble with that is that you still have to make 80/443 public, which means you have to trust that your web server will stand up to 24/7 probing. I guess I'm a bit more paranoid than I really need to be but if the port isn't open then the chances of a bad guy getting in that way because of a zero-day or because I forgot something should be zero.

Hopefully you at least have something like fail2ban installed?


If someone is going around popping up-to-date nginx servers, then they have much bigger targets than my media server, and I also have much bigger problems.

My threat model does not include someone using an nginx zero-day to find out what movies I'm watching.


You don't need to be targeted deliberately; there's a whole load of automated scanning that happens. If they get in then it's more likely they'll be interested in using your server to DDoS someone else, or serve up objectionable and/or illegal content. Protecting yourself is not just about your data.


I understand that, but my point is that an nginx config to just allow one path is easy to get right, and so for someone to get in, it wouldn't be automated scanning but rather a targeted attack with an nginx zero-day... and if you have such an attack, there are a ton of banks and other companies you'd go after first.

If you don't have the confidence to open up port 443, that's fine of course, but I have the confidence in my abilities and setup to open up 443 and know that it's secure enough for my threat model.

Like, the nginx config is a single location block with a 30-character-plus random string in the path as the password; it's running on NixOS with an automated `nix flake update` bot that updates and redeploys the server every week so nginx and Linux get updated over time, and I get an email if the `nixos-rebuild build` fails after the automated update so I know to fix it.

I'm not particularly worried about automated scanners.
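A concrete version of the "single location block with a long random path" setup described in this comment and in the earlier random-path comment, added here as an illustrative example rather than any commenter's actual configuration. The hostname `media.example.com`, the backend at `127.0.0.1:8096`, the certificate paths and the placeholder path segment are all assumptions; generate your own secret with something like `openssl rand -hex 24`.

```nginx
# Added example, not any commenter's real config.
# Goal: expose one internal service only under a long random path prefix,
# and answer every other request with an uninformative 404.

# Don't advertise the nginx version in headers or error pages.
server_tokens off;

server {
    listen 443 ssl;
    listen [::]:443 ssl;
    server_name media.example.com;   # assumption

    # Assumed certificate location (e.g. from certbot).
    ssl_certificate     /etc/letsencrypt/live/media.example.com/fullchain.pem;
    ssl_certificate_key /etc/letsencrypt/live/media.example.com/privkey.pem;

    # Default: anything that is not the secret prefix gets a bare 404.
    # Automated scanners see the same answer for every path they try.
    location / {
        return 404;
    }

    # The secret prefix. "^~" is a prefix match that regex locations cannot
    # override. The trailing slash on both the location and proxy_pass makes
    # nginx strip the prefix before forwarding to the backend.
    # REPLACE_WITH_30_PLUS_RANDOM_CHARS is a placeholder, not a real value.
    location ^~ /REPLACE_WITH_30_PLUS_RANDOM_CHARS/ {
        proxy_pass http://127.0.0.1:8096/;    # assumed backend address
        proxy_http_version 1.1;
        proxy_set_header Host $host;
        proxy_set_header X-Forwarded-For $remote_addr;
        proxy_set_header X-Forwarded-Proto https;
        # WebSocket support, which media/chat apps commonly need.
        proxy_set_header Upgrade $http_upgrade;
        proxy_set_header Connection "upgrade";
    }
}

# Plain HTTP only redirects to HTTPS so browsers that remember the site
# stop sending the secret path in the clear on later visits.
server {
    listen 80;
    listen [::]:80;
    server_name media.example.com;
    return 301 https://$host$request_uri;
}
```

Two practical caveats beyond what the comments cover. First, the backend has to tolerate living under a prefix: an app that emits absolute links such as `/web/index.html` will break behind the stripped prefix unless it supports a base-URL setting (many self-hosted apps do). Second, the "password" is part of the URL, so besides browser history it also lands in nginx access logs, in any `Referer` header the app sends to third-party resources, and in the very first plaintext request if a user types `http://` before the redirect kicks in; adding an HSTS header on the HTTPS server block limits that last case to the first visit only.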


It's exactly the automated scanners that I'm scared of. But there I feel the same: an up-to-date nginx server serving some pages over port 80/443 doesn't feel like a huge target on my back.





