• 0 Posts
  • 10 Comments
Joined 2 years ago
Cake day: June 10th, 2023

  • I would bet that the problem is with Plex being inside docker. Might be one of those situations where being more experienced causes issues because I’m trying to do things “right” and not run the service on my server directly or with root or on network host mode.

    But if being inside a container causes this many issues, I can’t even begin to imagine how it would be to get it to do more complex stuff like being accessible through Tailscale or being behind authorization.




  • Some of it yes, the claim for example, but the rest is still pretty bad UX (and even that is stupid, I shouldn’t need a claim to watch locally). I’m an experienced self-hosting person and I’m getting frustrated every step of the way, imagine someone who doesn’t know their way around docker or is not familiar with stuff… Jellyfin might be less polished as some claim, but setting it up is a breeze, never had to look at documentation to do it.



  • It’s curious that I’m almost in the opposite boat, have been using Jellyfin without issues for around 5 years, but recently was considering trying Plex because Jellyfin is becoming too slow on certain screens (probably because I have too much stuff, but it shouldn’t be this slow).

    Edit: this made me want to check out Plex, so I’ll leave my story for people’s amusement:

    My experience with Plex:

    • Write the docker compose
    • leave out the claim because it’s optional and I have no idea what it is
    • launch it
    • asks me to create an account
    • not really comfortable creating an external account to access my local server, but okay.
    • discovered I already had an account. Huh? I wonder why I don’t remember ever running Plex then.
    • login to that account
    • shows me a bunch of stuff
    • find it weird that it already scanned everything, especially because I didn’t point it to my media
    • proceed to try to watch something
    • can’t play due to DRM
    • WAT?
    • go back and discover there’s a bunch of content that’s not in my library
    • ok, so this must be some free content
    • how do I configure my local library?
    • spend 15 min navigating the UI trying to find it
    • open the docs, they say to click the settings icon
    • that icon is nowhere to be seen
    • click a similar one
    • can’t find anything the docs say I should
    • maybe I’m not on the right site? site is <IP>:<port>/web/yaddayaddayadda so it seems correct
    • try to go to <IP>:<port> get to the same page
    • look at the docs on how to access the web app says to go to <IP>:<port>/web
    • try that, get a message about not being authorized
    • WAT?
    • read some more docs discover I need that claim
    • spend some time trying to find that in the UI
    • google it up, find the link
    • go to that page, grab the claim, set it up on the server and restart the server
    • I’m able to get to the web app now
    • Do you want to access it from the internet? If this works it would be great, so yes!
    • setup my library
    • let it scan and try to watch something from it
    • UX sucks, video plays in a sort of popup in landscape on my phone.
    • Ah, dumb of me, I probably have my browser set to desktop mode
    • No, I don’t.
    • Ok, so the web is maybe only expected to be used on desktop, let me install the app
    • Install the app, login to my account, only have the Plex provided content
    • Look around trying to find the media I scanned, find a thing saying my server is disconnected
    • WAT?
    • Go back to the web app via IP, try to look into settings
    • “You are not connected directly to the server”
    • WAT?
    • everything else seems okay, I even enabled remote access there and it says it’s working
    • Every few minutes the page says my server is not available for a few seconds then comes back
    • It’s now been 1 hour and I haven’t been able to watch anything.

    It’s now been 1 hour of trying to set this up and I give up. Jellyfin is much easier to set up, and even if Plex was instantaneous I could have loaded my TV library hundreds of times in the 1h I just wasted trying to get this to work. Probably every other time I tried I got similar results, which is why I have an account there even though I don’t remember ever using Plex.

    Edit2: after some more fiddling I managed to get it working, not sure what I changed, so now:

    • Open the app, see my content there
    • Try to watch something
    • “You’re watching in indirect mode, quality might be bad”
    • Ok, so it’s not connecting directly to my server, anyways, let’s ignore this for now, maybe it’s getting confused because it’s in a docker container
    • “Activate Plex”
    • Ah, ok, it’s the “pay or not now” screen, not now
    • No subtitles play
    • Try different subtitles
    • Still nothing
    • Plus quality seems shit
    • Confirmed, it’s reproducing at 720x300 even though it’s a 4K video
    • Look at docs, figure out the direct play is about converting the video
    • Select maximum quality which according to docs should use the original file
    • Still get a 300p video
    • Figure out maybe it’s the android app that’s the problem, go to the TV, install Plex and connect to it
    • Video takes forever to load
    • Give up again after a couple of minutes waiting for the movie to load

  • First of all let me make this absolutely clear, docker is not expected to be secure to that level. While they try to make it hard for someone to escape a container, it’s not their main concern so expect that there are vulnerabilities that would allow an attacker to escape.

    Now the second thing, the Overseer login screen might be secure enough for your case, the problem is that login is hard to do right, and Overseer is doing several other things as well, so they might not give it enough emphasis, and even if they do, maybe the Immich devs don’t, or any one of the dozens of other services, so there are dozens of possible points of failure. Things like Authelia or Google OAuth are focused on authentication, so they do that absolutely right, and then they become the only point of failure for authentication.

    To be fair, if you keep things updated it’s unlikely not having auth would be a problem. Mostly because most hackers won’t even know of your server to begin with. And most systems are secure enough for most casual hacks. But it’s an investment worth the time if you plan on making something available to the internet.



  • I’ll try to ELI5, if there’s something you don’t understand ask me.

    Op has a home server where he’s running immich, that’s only accessible when he’s at home via the IP, so something like http://192.168.0.3:3000/, so he installed Tailscale on that server. Tailscale is a VPN (Virtual Private Network) that allows you to connect to your stuff remotely, it’s a nice way to do it because it is P2P (peer-to-peer) which means that in theory only he can access that network, whereas if he were using one of the many VPNs people use for other reasons, other people on the same VPN could access his server.

    Ok, so now he can access his immich instance away from home, all he has to do is connect to the VPN on his phone or laptop and he’ll be able to access it with something like http://my_server:3000 since Tailscale adds a DNS (Domain Name System) which resolves the hostnames to whatever IP they have on the Tailscale network.

    But if you want to give your family access it’s hard to explain to them that they need to connect to this VPN, so he rented a VPS (Virtual Private Server) on some company like DigitalOcean or Vultr and connected that machine to the Tailscale network. He probably also got a domain name from somewhere like Namecheap, and pointed that domain name to his VPS. So now he can access his VPS by using ssh user@myserver.com. Now all he needs to do is have something on the VPS which redirects everything that comes to a certain address into the Tailscale machine. Caddy is a nice way to do this, but the more traditional approach is nginx, so if he puts Caddy on that VPS a config like this:

    immich.myserver.com {
        handle {
            reverse_proxy my_server.tailscale.network.name:3000
        }
    }
    

    Then any requests that come to https://immich.myserver.com/ will get redirected to the home server via Tailscale.

    It is a really nice setup, plus OP also added authentication and some other stuff to make it a bit more secure against attacks directly on immich.
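The setup described in the two comments above (a VPS on the tailnet proxying to the home server, with a dedicated authentication service in front rather than trusting each app’s own login) looks like the following Caddy v2 Caddyfile. This is an added example, not OP’s or the commenter’s config; the hostnames, the home server’s MagicDNS name, the Immich port (:3000 as in the comment) and the Authelia address on the VPS are all assumed placeholders.

```caddyfile
# Added example, not OP's config. Runs on the VPS, which is a member of the tailnet.
# Assumed placeholders:
#   auth.myserver.com / immich.myserver.com  -> public DNS names pointing at the VPS
#   localhost:9091                            -> Authelia running on the VPS
#   my_server.tailscale.network.name:3000     -> Immich on the home server, reached over Tailscale
# Caddy obtains TLS certificates for both names automatically.

auth.myserver.com {
    # Authelia's own login portal.
    reverse_proxy localhost:9091
}

immich.myserver.com {
    # Every request is first checked by Authelia. A 2xx lets it through;
    # anything else (no session) is answered by Authelia, which redirects
    # the browser to the login portal. Only Authelia ever sees credentials.
    forward_auth localhost:9091 {
        uri /api/authz/forward-auth
        copy_headers Remote-User Remote-Groups Remote-Email Remote-Name
    }

    # Only authenticated requests reach the home server over the tailnet.
    # The tailnet name resolves here because the VPS runs Tailscale.
    reverse_proxy my_server.tailscale.network.name:3000
}
```

Two things to check after deploying: first, that Immich on the home server is not also reachable on its LAN IP from outside (the proxy only helps if it is the only path in); second, that the Immich mobile app still works, since it talks to the API directly and may need an exception in Authelia’s access rules or the app’s custom-header support rather than the browser login flow.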


  • It’s not required, but probably OP has a home server with Immich and a VPS which exposes it to the internet. In that setup you need Tailscale for the VPS to access your home server. Sometimes you can’t directly expose your home server for different reasons, e.g. ISP doesn’t give you an external IP directly (I’ve had this, where my router would get a 10.x IP so I couldn’t port forward because the internet IP was being shared between multiple houses), or the ISP gives you a dynamic IP so there’s no guarantee that your IP won’t change next time you reset the router, etc.

    Also it provides an extra layer of separation, so for example a DDoS would hit the VPS, which probably has automatic countermeasures, and even if someone were to gain access to the VPS they still need an extra jump to get to the home server (obviously if they exploit something on Immich they would get direct access to the home server).