starred/jellyfin
1
0
Fork 0
mirror of https://github.com/jellyfin/jellyfin.git synced 2026-05-04 18:09:12 +03:00
Code Issues 822 Packages Projects Releases 10 Wiki Activity

Server is advertising Remote IP #2249

New Issue
Closed
opened 2026-02-06 21:53:59 +03:00 by OVERLORD · 4 comments
OVERLORD commented 2026-02-06 21:53:59 +03:00
Owner
Copy Link

Originally created by @Anan5a on GitHub (Nov 8, 2020).

Describe the bug
Right now anyone can see my server origin IP like this
Screenshot_20201108_200935
by requesting http://example.com/system/info/public
This is bad for security, the server should advertise 127.0.0.1 instead

System (please complete the following information):

  • OS: Debian
  • Virtualization: -
  • Clients: Browser
  • Browser: Firefox
  • Jellyfin Version: 10.6.4
  • Playback: -
  • Installed Plugins: -
  • Reverse Proxy: nginx
  • Base URL: -
  • Networking: Host
  • Storage: local

To Reproduce

Any standard installation should yield same result!

Expected behavior

Logs

Screenshots

Additional context

How can I change so that it only reports 127.0.0.1 ?
If I disable remote access to the server, the reverse proxy does not work as well!

Originally created by @Anan5a on GitHub (Nov 8, 2020). **Describe the bug** Right now anyone can see my server origin IP like this ![Screenshot_20201108_200935](https://user-images.githubusercontent.com/16373480/98467407-469cf280-21ff-11eb-801e-8f6abcac321a.png) by requesting ```http://example.com/system/info/public``` This is bad for security, the server should advertise ```127.0.0.1``` instead **System (please complete the following information):** - OS: Debian - Virtualization: - - Clients: Browser - Browser: Firefox - Jellyfin Version: 10.6.4 - Playback: - - Installed Plugins: - - Reverse Proxy: nginx - Base URL: - - Networking: Host - Storage: local **To Reproduce** <!-- Steps to reproduce the behavior: --> Any standard installation should yield same result! **Expected behavior** <!-- A clear and concise description of what you expected to happen. --> **Logs** <!-- Please paste any log errors. --> **Screenshots** <!-- If applicable, add screenshots to help explain your problem. --> **Additional context** <!-- Add any other context about the problem here. --> How can I change so that it only reports 127.0.0.1 ? If I disable remote access to the server, the reverse proxy does not work as well!
OVERLORD added the bug label 2026-02-06 21:53:59 +03:00
OVERLORD commented 2026-02-06 21:54:02 +03:00
Author
Owner
Copy Link

@BaronGreenback commented on GitHub (Nov 10, 2020):

Could you explain more, as I'm not exactly sure what you're getting at? If i know the url to the server - I can just do a lookup to get your IP.

@BaronGreenback commented on GitHub (Nov 10, 2020): Could you explain more, as I'm not exactly sure what you're getting at? If i know the url to the server - I can just do a lookup to get your IP.
OVERLORD commented 2026-02-06 21:54:04 +03:00
Author
Owner
Copy Link

@Anan5a commented on GitHub (Nov 10, 2020):

@BaronGreenback no you cannot if the server is behind a reverse proxy, like cloudflare

BTW closing this, because updating bind address in Dashboard>Network solved this leak, but jellyfin should not expose the IP by default

@Anan5a commented on GitHub (Nov 10, 2020): @BaronGreenback no you cannot if the server is behind a reverse proxy, like ```cloudflare``` BTW closing this, because updating bind address in Dashboard>Network solved this leak, but jellyfin should not expose the IP by default
OVERLORD commented 2026-02-06 21:54:05 +03:00
Author
Owner
Copy Link

@Anan5a commented on GitHub (Jul 6, 2021):

@BaronGreenback Reopening, Since version 10.7.6 it reappeared

ananta@sayem:~$ curl https://ms.example.com/system/info/public
{"LocalAddress":"http://xx.xx.xx.233:8096","ServerName":"ms.example.com","Version":"10.7.6","ProductName":"Jellyfin Server","OperatingSystem":"Linux","Id":"32ef5c80303b468b8e4059b93749b771","StartupWizardCompleted":true}
ananta@sayem:~$
@Anan5a commented on GitHub (Jul 6, 2021): @BaronGreenback Reopening, Since version `10.7.6 ` it reappeared ```bash ananta@sayem:~$ curl https://ms.example.com/system/info/public {"LocalAddress":"http://xx.xx.xx.233:8096","ServerName":"ms.example.com","Version":"10.7.6","ProductName":"Jellyfin Server","OperatingSystem":"Linux","Id":"32ef5c80303b468b8e4059b93749b771","StartupWizardCompleted":true} ananta@sayem:~$ ```
OVERLORD commented 2026-02-06 21:54:06 +03:00
Author
Owner
Copy Link

@genofire commented on GitHub (Jul 18, 2022):

Same Problem with an caddy proxy -> this LocalAddress is not accessible ...

@genofire commented on GitHub (Jul 18, 2022): Same Problem with an caddy proxy -> this LocalAddress is not accessible ...
Sign in to join this conversation.
No Branch/Tag Specified
Branches Tags
Labels
Clear labels
EFjellyfin.db
area:database
awaiting-feedback
backend
blocked
breaking change: web api
bug
build
ci
confirmed
discussion needed
dotnet future
downstream
duplicate
enhancement
feature
future
github-actions
good first issue
hdr
help wanted
invalid
investigation
librarydb
live-tv
lyrics
media playback
music
needs testing
nuget
performance
platform
pull-request
Mirrored from GitHub Pull Request
 question
regression
release critical
requires-web
roadmap
security
security
stale
support
syncplay
ui & ux
upstream
wontfix
No Label bug
Milestone
No items
No Milestone
Projects
Clear projects
No project
Assignees
Clear assignees
OVERLORD
No Assignees
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: starred/jellyfin#2249
Delete Branch "%!s()"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?