I think my approach is probably the most insane one, reading this thread…
So the only thing I expose to the public internet is a homemade reverse proxy application which supports both form based and basic authentication. I’m on top of security updates with its dependencies and thus far I haven’t had any issues, ever. It runs in a docker container, on a VM, on Proxmox.
My mum wanted to watch some stuff on my Jellyfin instance on her Chromecast With Google TV, plugged into her ancient Dumb TV. There is a Jellyfin Android TV app. I couldn’t think of a nice way to run a VPN on Android TV or on any of her (non-existent) network infra.
So instead I forked the Jellyfin Android TV app codebase. I found all the places where the API calls are made to the backend (there are multiple). I slapped in basic auth credentials. Recompiled the app. Deployed it to her Chromecast via developer mode.
Solid af so far. I haven’t updated Jellyfin since then (6 months), but when I need to, I’ll update the fork and redeploy it on her Chromecast.
VERY hands on, wouldn’t recommend it haha.
But that’s the beauty of open source. You CAN do it